JP2016110300A - Authentication system - Google Patents

Abstract

The present invention relates to an authentication system that provides a technique capable of reducing the labor of a user such as re-input of an account while ensuring security. An authentication system includes an authentication switch, an authentication server, a terminal authentication DB, and a user authentication DB connected to a network. When the user terminal receives access when logging in to the network, the authentication switch sends a terminal authentication request and the MAC address of the user terminal to the authentication server, and the authentication server performs terminal authentication with reference to the terminal authentication DB. When the terminal authentication fails, the authentication switch transmits the user authentication request, the input account, and the MAC address of the user terminal to the authentication server, and the authentication server performs user authentication with reference to the user authentication DB, If the user authentication is successful, the MAC address of the user terminal is registered in the terminal authentication DB as a MAC address for terminal authentication. [Selection] Figure 1

Description

  The present invention relates to an authentication system technique, and more particularly to an authentication technique when a user terminal connects to and logs into a network.

  A communication system including a network such as a LAN or the Internet may perform authentication when a user terminal connects to the network and logs in.

  An example of authentication is user authentication. User authentication is authentication using, for example, a combination of a user ID and a password as a user account. The user terminal accesses the authentication device when logging in. The authentication device performs user authentication based on communication with the authentication server, and permits or disallows login depending on the result. The authentication server performs user authentication with reference to an authentication DB in which a user account is set.

  An example of authentication is terminal authentication. The terminal authentication is authentication using, for example, a MAC address as user terminal identification information. The user terminal accesses the authentication device when logging in. The authentication device performs terminal authentication based on communication with the authentication server, and permits or disallows login depending on the result. The authentication server performs terminal authentication with reference to the authentication DB in which the identification information of the user terminal is set.

  JP-A-2007-208759 (Patent Document 1) is given as a prior art example related to authentication at the time of login. Japanese Patent Application Laid-Open No. 2004-228561 describes that after successful user authentication using a user ID and a password, an authentication switch further performs authentication using three types of data: a user ID, a password, and a MAC address. .

JP 2007-208759 A

  2. Description of the Related Art Conventionally, in an authentication system that performs user authentication when a user terminal logs in to a network, the user is required to perform operations such as re-input of an account for user authentication each time re-login or reconnection is performed. Therefore, the conventional authentication system may require a lot of work for the user, and there is room for improvement in terms of user convenience.

  Examples of re-login or reconnection include: The first example is an example of accessing the same authentication device. At the first login, the user terminal accesses the first authentication device, logs in through user authentication, logs out after using the service, or disconnects the connection while logged in. Thereafter, at the second login or connection, the user terminal accesses the same first authentication device and logs in through user authentication. The second example is an example of accessing a different authentication device among a plurality of authentication devices connected to the network. At the first login, the user terminal accesses the first authentication device, logs in through user authentication, logs out after using the service, or disconnects the connection while logged in. Thereafter, at the second login or connection, the user terminal accesses the second authentication device and logs in through user authentication. In both examples, re-entry of an account is required for each user authentication.

  An object of the present invention relates to an authentication system that performs authentication when a user terminal connects to a network and logs in, while ensuring network security and reducing user troubles such as re-input of an account, thereby improving user convenience. It is to provide technology that can be improved.

  A typical embodiment of the present invention is an authentication system having the following configuration.

  (1) An authentication system according to an embodiment is connected to a network and accessed when a user terminal logs in to the network, and connected to the network, and performs terminal authentication and user authentication when logging in. An authentication server, a terminal authentication DB in which a MAC address for terminal authentication is registered, and a user authentication DB in which an account for user authentication is registered. And the first process of transmitting the MAC address of the user terminal to the authentication server and the terminal authentication response from the authentication server. If the terminal authentication is successful, the login is permitted. If the terminal authentication is unsuccessful, the login is performed. In the case of the second processing to be disallowed and terminal authentication failure, the user authentication request, the account input by the user, and the user terminal The third process of transmitting the AC address to the authentication server and the user authentication response from the authentication server are received. If the user authentication is successful, the login is permitted, and if the user authentication is unsuccessful, the login is not permitted. The authentication server receives the terminal authentication request and the MAC address, performs terminal authentication with reference to the terminal authentication DB, and authenticates a terminal authentication response indicating success or failure of the terminal authentication. Processing to be transmitted to the device, user authentication request, account, and MAC address are received, user authentication is performed with reference to the user authentication DB, and a user authentication response indicating success or failure of the user authentication is transmitted to the authentication device. When the user authentication is successful, a process of registering the MAC address in the terminal authentication DB as a MAC address for terminal authentication is performed.

  (2) An authentication system according to an embodiment is connected to a network and accessed when a user terminal logs in to the network, and is connected to the network and performs terminal authentication and user authentication at the time of login. An authentication server, a terminal authentication DB in which a MAC address for terminal authentication is registered, and a user authentication DB in which an account for user authentication is registered. The authentication device includes a first authentication device and a second authentication device. When the first authentication device receives access, the first authentication device transmits a user authentication request, the account input by the user, and the MAC address of the user terminal to the authentication server, and the user from the authentication server. When an authentication response is received, if user authentication is successful, login is permitted, and if user authentication fails, login is not permitted. When the second authentication device receives access, the second authentication device receives the terminal authentication request and the MAC address of the user terminal to the authentication server, receives the terminal authentication response from the authentication server, and performs terminal authentication. If the authentication is successful, the login is permitted, and if the terminal authentication is unsuccessful, the login server is disabled. The authentication server receives the terminal authentication request and the MAC address from the second authentication device. , Terminal authentication with reference to the terminal authentication DB, a process of transmitting a terminal authentication response representing success or failure of the terminal authentication to the second authentication device, a user authentication request, an account, And the MAC address are received, user authentication is performed with reference to the user authentication DB, a user authentication response indicating success or failure of the user authentication is transmitted to the first authentication device, and the user authentication is performed. In the case of success, the MAC address is registered in the terminal authentication DB as a MAC address for terminal authentication.

  According to a typical embodiment of the present invention, with respect to an authentication system that performs authentication when a user terminal connects to a network and logs in, the user's trouble such as re-entry of an account is ensured while ensuring network security. This can be reduced and the convenience of the user can be improved.

It is a figure which shows the structure of the authentication system of Embodiment 1 of this invention. 3 is a diagram illustrating configurations of an authentication switch and an authentication server in Embodiment 1. FIG. FIG. 6 is a diagram illustrating a flow of an outline of control processing in an authentication switch in the first embodiment. 6 is a diagram illustrating a configuration example of a user authentication DB, a terminal authentication DB, and a list in the first embodiment. FIG. FIG. 11 is a diagram showing a communication processing sequence at the first login in the first example in the first embodiment. 6 is a diagram showing a communication processing sequence at the time of second login in the first example in the first embodiment. FIG. FIG. 10 is a diagram showing a communication processing sequence at the time of second login in the second example in the first embodiment. It is a figure which shows the structure of the authentication system of Embodiment 2 of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

(Embodiment 1)
The authentication system according to the first embodiment of the present invention will be described with reference to FIGS.

[Authentication system]
FIG. 1 shows the configuration of the authentication system of the first embodiment. The authentication system according to the first embodiment has a configuration in which other devices such as a plurality of user terminals 1, a plurality of authentication switches 2, an authentication server 3, and a Web server 8 are connected to a network 4.

  In the authentication system of the first embodiment, authentication is performed when the user terminal 1 connects to the network 4 and logs in. Authentication includes user authentication and terminal authentication. User authentication is authentication using a user ID and a password as a user account. The terminal authentication is authentication using a MAC address as user terminal identification information. When performing user authentication, the user needs to input an account. In terminal authentication, the user does not need to input identification information of the user terminal.

  The network 4 is a communication network such as a LAN or the Internet. In the first embodiment, the network 4 is one in-house LAN. The network 4 may be configured by connecting a plurality of networks. For example, the network 4 may be configured by connection of a first LAN including a first authentication switch, a second LAN including a second authentication switch, a LAN including an authentication server, and the like.

  The plurality of users are employees who use the in-house LAN. As a plurality of users, there are a user 9a, a user 9b, and the like. A user authentication account is assigned to the user in advance. The user account is configured by a combination of a user ID and a password. For example, the account of the user 9a is A1, the account of the user 9b is A2, and so on.

  The user terminal 1 is various terminal devices such as a PC and a smartphone used by the user. As the plurality of user terminals 1, there are a user terminal 1a of a user 9a, a user terminal 1b of a user 9b, and the like. The user terminal 1 includes hardware such as a processor, a memory, a communication interface device, an input device, and a display device (not shown), and includes software such as an OS and a Web browser. When connecting to the network 4, the user terminal 1 accesses the authentication switch 2 and communicates with the authentication switch 2. The user terminal 1 has a MAC address for communication. The MAC address of the user terminal 1 is used as identification information for terminal authentication. It is assumed that the MAC address of the user terminal 1a is Ma, the MAC address of the user terminal 1b is Mb, and so on.

  As a plurality of authentication switches 2 connected to the network 4, there are authentication switches 2a to 2m. The authentication switch 2 is an authentication device having a layer 2 and layer 3 switch function and a function of performing authentication based on communication with the authentication server 3. The authentication switch 2 is a node connected to the edge of the network 4 and connects the user terminal 1 to the network 4. The authentication switch 2 has an IP address. The IP address of the authentication switch 2a is IP1, the IP address of the authentication switch 2m is IPm, and so on.

  The user terminal 1 and the authentication switch 2 are connected by a predetermined communication interface, for example, Ethernet (registered trademark). This connection may be a wired connection or a wireless connection. In the case of wireless connection: The network 4 includes a wireless LAN. A wireless LAN access point device is connected to the authentication switch 2. The user terminal 1 is a portable terminal having a wireless communication function, and is connected to the authentication switch 2 through a wireless connection with a wireless LAN access point device. The authentication switch 2 may be a device having a wireless LAN access point function.

  The authentication switch 2 and the authentication server 3 have functions corresponding to both user authentication and terminal authentication. The authentication switch 2 is a user authentication client and a terminal authentication client, and the authentication server 3 is a user authentication server and a terminal authentication server. When the user terminal 1 logs into the network 4, user authentication processing is performed between the authentication switch 2 and the authentication server 3 by client-server communication based on the RADIUS protocol. Similarly, at the time of login, terminal authentication processing is performed between the authentication switch 2 and the authentication server 3 by client server communication.

  Further, the authentication switch 2 has a function of restricting connection using the MAC address of the user terminal 1. The connection restriction is restriction and control related to the connection of the user terminal 1 to the network 4. The authentication switch 2 performs connection restriction according to the result of user authentication and the result of terminal authentication. The authentication switch 2 holds a list 7 for managing connection restrictions. For example, the authentication switch 2a holds the list 7a, and the authentication switch 2m holds the list 7m. In the first embodiment, the list 7 is a connection permission MAC address list table. Based on the authentication result, the authentication switch 2 registers the MAC address of the user terminal 1 permitted to connect to the network 4 in the list 7 as a connection permission MAC address. In FIG. 1, as an initial setting, no connection permission MAC address is registered in the list 7 of each authentication switch 2.

  The authentication switch 2 and the authentication server 3 communicate on the network 4 using a predetermined protocol such as TCP / IP and UDP. The authentication server 3 has a predetermined IP address. Each authentication switch 2 accesses the authentication server 3 with a predetermined IP address as a destination.

  The authentication server 3 is a server device that includes a user authentication function, a terminal authentication function, a setting function, and the like. The setting function includes an account management function. In the first embodiment, the authentication server 3 holds a user authentication DB 5 and a terminal authentication DB 6. The user authentication DB 5 is a database in which an account 50 for user authentication is registered and managed. The terminal authentication DB 6 is a database in which the MAC address 60 for terminal authentication is registered and managed. The authentication server 3 performs user authentication while referring to the account 50 of the user authentication DB 5 based on communication with the authentication switch 2. The authentication server 3 performs terminal authentication while referring to the MAC address 60 of the terminal authentication DB 6 based on communication with the authentication switch 2.

  The account management function is a function for managing the account 50 of the user authentication DB 5. The setting function provides a setting screen as an interface to the outside including the administrator 90. The administrator 90 is, for example, an administrator of the network 4. The administrator 90 accesses the authentication server 3 from a terminal for operation management maintenance, and displays a setting screen by the setting function of the authentication server 3. The setting screen displays the setting contents of the account 50 of the user authentication DB 5. The administrator 90 can set and confirm the account 50 on the setting screen. The administrator 90 sets an account for user authentication related to a plurality of authorized users in the account 50 of the user authentication DB 5 in advance. An authorized user is permitted to log in to the network 4 and use services on the network 4. In FIG. 1, accounts A1, A2, etc. are registered in the account 50 of the user authentication DB 5 as an initial setting. In the initial setting, a MAC address for terminal authentication is not registered in the terminal authentication DB 6.

  The Web server 8 is an example of a device that provides a service on the network 4. The user terminal 1 can use the service by accessing the Web server 8 or the like in a login state after logging in to the network 4 through the authentication switch 2. The Web server 8 provides a Web page or the like for access from the user terminal 1 through the authentication switch 2.

  When the user terminal 1 connects and logs into the network 4, terminal authentication and user authentication are performed among the user terminal 1, the authentication switch 2, and the authentication server 3. The authentication switch 2 performs control in the order of terminal authentication and user authentication. The authentication server 3 performs user authentication using the account 50 of the user authentication DB 5 and performs terminal authentication using the MAC address 60 of the terminal authentication DB 6. In addition, connection restriction using the MAC address is performed between the user terminal 1 and the authentication switch 2 based on the result of authentication.

  When the user terminal 1 logs into the network 4 for the first time, terminal authentication and user authentication are performed. If the user authentication is successful, the MAC address of the user terminal 1 is registered in the terminal authentication DB 6 as a MAC address for terminal authentication. When the same user terminal 1 logs in or connects to the same network 4 for the second time or later, terminal authentication is performed using the MAC address registered in the terminal authentication DB 6. User authentication is omitted due to the success of the terminal authentication.

  In the authentication system of the first embodiment, the security of the network 4 is secured by the functions of user authentication, terminal authentication, and connection restriction.

[Authentication switch and authentication server]
FIG. 2 shows the configuration of the authentication switch 2 and the authentication server 3 of FIG.

  The authentication switch 2 includes elements such as a processor, a memory, and a communication interface device (not shown). The authentication switch 2 implements a user authentication client unit 21, a terminal authentication client unit 22, and a connection restriction unit 23 by software processing or hardware processing by a processor or the like. The authentication switch 2 stores information including the list 7 in the memory. The communication interface device includes a plurality of ports. The plurality of ports include a port connected to the user terminal 1 and a port connected to the network 4, and performs communication processing by a predetermined communication interface for each port.

  The user authentication client unit 21 performs processing as a user authentication client. The user authentication client unit 21 communicates with the user authentication server unit 31 of the authentication server 3 when performing user authentication of the user terminal 1. The user authentication client unit 21 provides a user authentication page to the user terminal 1 and displays a user authentication screen by the user authentication page. The user authentication client unit 21 transmits the account input by the user on the user authentication screen and a user authentication request to the user authentication server unit 31. The user authentication client unit 21 receives a response representing the result of user authentication from the user authentication server unit 31, and permits or disallows login depending on the result.

  Further, when transmitting a user authentication request, the user authentication client unit 21 performs processing for attaching information including the MAC address of the user terminal 1 to the request.

  The terminal authentication client unit 22 performs processing as a terminal authentication client. The terminal authentication client unit 22 communicates with the terminal authentication server unit 32 of the authentication server 3 when performing terminal authentication of the user terminal 1. The terminal authentication client unit 22 transmits the MAC address of the accessing user terminal 1 and a request for terminal authentication to the terminal authentication server unit 32. The terminal authentication client unit 22 receives a response representing the result of terminal authentication from the terminal authentication server unit 32, and permits or disallows login depending on the result.

  The connection restriction unit 23 performs a connection restriction process using the MAC address of the user terminal 1 while reading and writing the memory list 7. The authentication switch 2 registers the connection permission MAC address in the list 7 when the user authentication is successful or the terminal authentication is successful. In other words, the connection permission MAC address is an authenticated MAC address. The state in which the connection-permitted MAC address is registered in the list 7 corresponds to a connection-permitted state and an authenticated state, and the state that is not registered corresponds to a connection-unpermitted state and an unauthenticated state.

  The connection restriction unit 23 recognizes the result of user authentication based on the notification from the user authentication client unit 21. Similarly, the connection restriction unit 23 recognizes the result of terminal authentication based on the notification from the terminal authentication client unit 22. When the user authentication is successful or the terminal authentication is successful, the connection restriction unit 23 registers the MAC address of the user terminal 1 in the list 7 as a connection permission MAC address.

  In addition, the connection restriction unit 23 has been in a non-communication state for a certain period of time when the user terminal 1 logs out from the network 4 and disconnects or when the user terminal 1 logs in and remains logged in without logging out. In this case, the connection permitted MAC address of the user terminal 1 registered in the list 7 is deleted.

  When receiving the access from the user terminal 1, the connection restriction unit 23 confirms the transmission source MAC address of the frame from the user terminal 1 and the list 7, and permits connection to the network 4 according to the confirmation result. Or disallow it. The connection restriction unit 23 permits the connection of the user terminal 1 when the source MAC address is registered as a connection-permitted MAC address in the list 7, and does not permit the connection when the source MAC address is not registered. The connection restricting unit 23 passes the frame received from the user terminal 1 at the port when it is permitted, and discards the frame when it is not permitted.

  For the access from the user terminal 1, the authentication switch 2 first performs connection restriction processing by the connection restriction unit 23. If the result of the connection restriction process is that the connection is not permitted, the authentication switch 2 transmits a terminal authentication request to the authentication server 3 as a terminal authentication process by the terminal authentication client unit 22. The authentication switch 2 performs user authentication of the user terminal 1 by the user authentication client unit 21 when the terminal authentication fails. Specifically, the user authentication client unit 21 provides a user authentication page to the user terminal 1, and sends the account input from the user terminal 1, the MAC address of the user terminal 1, and a user authentication request to the authentication server 3. Send.

  The authentication server 3 includes elements such as a processor, a memory, a communication interface device, and the like (not shown). The authentication server 3 implements a user authentication server unit 31, a terminal authentication server unit 32, and a setting unit 33 by software processing or hardware processing by a processor or the like. The setting unit 33 includes an account management unit 33A. The authentication server 3 stores information such as the user authentication DB 5 and the terminal authentication DB 6 in the memory. The communication interface device includes a port connected to the network 4 and performs communication processing using protocols such as TCP / IP and UDP.

  The user authentication server unit 31 performs processing as a user authentication server. The user authentication server unit 31 performs user authentication processing while referring to the account 50 of the user authentication DB 5 in the memory based on communication with the user authentication client unit 21. In response to the user authentication request, the user authentication server unit 31 compares the input account with the account 50 of the user authentication DB 5, and the user ID and password of the input account are registered in the account 50. If the ID and password match, the user authentication result is successful, and if they do not match, the result is failure. The user authentication server unit 31 transmits a response representing the result of user authentication to the user authentication client unit 21.

  In addition, when the user authentication is successful, the user authentication server unit 31 sets the MAC address of the user terminal 1 in which the login is permitted by the MAC address of the terminal authentication DB 6 as the MAC address for terminal authentication. Register at address 60.

  The terminal authentication server unit 32 performs processing as a terminal authentication server. The terminal authentication server unit 32 performs terminal authentication processing while referring to the MAC address 60 of the terminal authentication DB 6 in the memory based on communication with the terminal authentication client unit 22. In response to the request for terminal authentication, the terminal authentication server unit 32 compares the MAC address included in the request with the MAC address 60 registered in the terminal authentication DB 6. As a result, if the MAC address that matches the MAC address included in the request has been registered, the terminal authentication server unit 32 sets the result of terminal authentication to success, and if not registered, sets the result to failure. The terminal authentication server unit 32 transmits a response representing the result of terminal authentication to the terminal authentication client unit 22.

  The setting unit 33 performs processing corresponding to the setting function. The account management unit 33A performs processing corresponding to the account management function. The setting unit 33 accepts external instructions and notifications including the administrator 90. The account management unit 33A performs processing for setting the account 50 of the user authentication DB 5 in accordance with instructions and notifications.

[Control processing in the authentication switch]
FIG. 3 shows an outline of basic control processing in the authentication switch 2. S101 and the like represent steps. The authentication switch 2 performs connection restriction, terminal authentication, and user authentication in this order as the internal basic control order. Hereinafter, the processing of steps S101 to S113 in FIG. 3 will be described.

  (S101) The authentication switch 2 receives access from the user terminal 1. The authentication switch 2 refers to the transmission source MAC address of the frame received from the user terminal 1.

  (S102) The authentication switch 2 first performs connection restriction processing. The authentication switch 2 confirms whether or not the transmission source MAC address of the accessing user terminal 1 is registered as a connection permission MAC address in the list 7.

  (S103) When registered in the list 7 (S102-Y), since the connection permission state is indicated, the authentication switch 2 permits the user terminal 1 to connect to the network 4 and ends the process.

  (S104) If it is not registered in the list 7 (S102-N), since the connection is not permitted, the authentication switch 2 does not permit the user terminal 1 to connect to the network 4.

  (S100) Next, in S100, the authentication switch 2 performs an authentication process. The authentication processing in S100 includes terminal authentication in S105 and user authentication in S109.

  (S105) The authentication switch 2 first performs terminal authentication processing. The authentication switch 2 transmits the MAC address of the accessing user terminal 1 and a request for terminal authentication to the authentication server 3. The authentication server 3 performs terminal authentication by referring to the MAC address 60 of the terminal authentication DB 6 using the received MAC address. The authentication server 3 transmits a response representing the result of terminal authentication to the authentication switch 2.

  (S106 to S108) From the response of S105, if the result of terminal authentication is successful (S106-Y), the authentication switch 2 puts the MAC address of the user terminal 1 in the list 7 as a connection permission MAC address in S107. sign up. In step S108, the authentication switch 2 permits the user terminal 1 to connect to the network 4 and ends the process.

  (S109) If the result of terminal authentication is a failure from the response in S105 (S106-N), the authentication switch 2 then performs user authentication processing in S109. The authentication switch 2 provides a user authentication page to the accessing user terminal 1. The user terminal 1 displays a user authentication screen based on a user authentication page. The user inputs a user ID and password that are accounts on the user authentication screen. The user terminal 1 transmits the input account to the authentication switch 2. The authentication switch 2 transmits the input account, the request for user authentication, and the MAC address of the user terminal 1 to the authentication server 3. The authentication server 3 performs user authentication with reference to the account 50 of the user authentication DB 5 using the received account. The authentication server 3 transmits a response representing the result of user authentication to the authentication switch 2. Further, when the result of the user authentication is successful, the authentication server 3 registers the received MAC address in the terminal authentication DB 6 as a MAC address for terminal authentication.

  (S110 to S112) From the response of S109, if the result of user authentication is successful (S110-Y), the authentication switch 2 puts the MAC address of the user terminal 1 in the list 7 as a connection-permitted MAC address in S111. sign up. In step S112, the authentication switch 2 permits the user terminal 1 to connect to the network 4 and ends the process.

  (S113) If the result of the user authentication is a failure from the response of S109 (S110-N), the authentication switch 2 disallows the connection to the network 4 by the user terminal 1 and ends the process in S113. .

[User authentication DB]
FIG. 4A shows a table that is a configuration example of the user authentication DB 5. This table includes an “account for user authentication” column. The “user authentication account” column corresponds to the account 50, and stores a user ID and password as a user authentication account for each user. For example, IDa which is a user ID and PWa which is a password are set as the account A1 of the user 9a.

[Terminal authentication DB]
FIG. 4B shows a table that is a configuration example of the terminal authentication DB 6. This table includes a “MAC address for terminal authentication” column, a “user authentication success date and time” column, and an “expiration date” column. The “terminal authentication MAC address” column corresponds to the MAC address 60, and the MAC address which is identification information for terminal authentication is registered. For example, the MAC address “Ma” is registered for the user terminal 1a. No MAC address is registered for the user terminal 1b.

  The “user authentication success date and time” column stores the date and time when the result of user authentication in the authentication server 3 was successful, in other words, the date and time when the MAC address for terminal authentication was registered.

  The “expiration date” column stores information on the expiration date related to the MAC address for terminal authentication. Control related to the expiration date will be described later.

[list]
FIG. 4C shows a configuration example of the connection permission MAC address list table as the list 7. This list 7 has a “connection permitted MAC address” column. When the authentication switch 2 permits the user terminal 1 to connect to the network 4, the authentication switch 2 registers the MAC address of the user terminal 1 in the “connection permitted MAC address” column of the list 7. Further, when disabling the connection to the network 4 by the user terminal 1, the authentication switch 2 deletes the MAC address of the user terminal 1 in the “connection permitted MAC address” column of the list 7.

[Example of re-login and re-connection]
In the authentication system of the first embodiment, examples of re-login and reconnection include the following first example and second example.

  The first example is an example in which the user terminal 1 accesses the same authentication switch 2. For example, as shown in FIG. 5, when the user terminal 1a of the user 9a connects and logs in to the network 4 for the first time, the user terminal 1a accesses the authentication switch 2a, connects and logs in through terminal authentication and user authentication, Use. Then, based on the operation of the user 9a, the user terminal 1a logs out from the network 4 and disconnects from the authentication switch 2a, or disconnects while logged in. For example, when the user terminal 1a is turned off, the communication cable connecting the user terminal 1a and the authentication switch 2a is pulled out, or when the user terminal 1a leaves the wireless LAN access point. Etc. After that, as shown in FIG. 6, the user terminal 1a of the user 9a accesses the same authentication switch 2a at the second login or connection, and logs in or connects through terminal authentication.

  The second example is an example in which the user terminal 1 accesses a different authentication switch 2 among the plurality of authentication switches 2 of the network 4. For example, as in FIG. 5, the user terminal 1a of the user 9a accesses the authentication switch 2a at the first login, connects and logs in through terminal authentication and user authentication, and uses the service. Then, the user terminal 1a logs out and disconnects or disconnects while logged in. Thereafter, as shown in FIG. 7, the user terminal 1a of the user 9a accesses the authentication switch 2b different from the authentication switch 2a at the time of the second login or connection, and logs in or connects through terminal authentication.

  The authentication system of the first embodiment can cope with both the first example and the second example. The user terminal 1 can re-login or reconnect to the network 4 by either the first example or the second example.

[Communication Processing Sequence in First Example]
A communication processing sequence in the first example will be described with reference to FIGS. 5 and 6.

  FIG. 5 shows a communication processing sequence at the first login in the first example. S11 and the like represent steps. As a precondition, as shown in FIG. 1, the accounts A1, A2, etc. are registered in the user authentication DB 5, the MAC address is not registered in the terminal authentication DB 6, and connected to the list 7 of each authentication switch 2. The permitted MAC address is not registered. Hereinafter, steps S11 to S19 in FIG. 5 will be described in order.

  (S11) When logging in to the network 4 for the first time, the user 9a accesses the authentication switch 2a from the user terminal 1a and tries to log in.

  (S12) The authentication switch 2a receives access from the user terminal 1a in S11. As described above, the authentication switch 2a first performs connection restriction processing according to the order of internal control. In this example, the MAC address “Ma” of the user terminal 1a is not registered in the list 7a of the authentication switch 2a, and the connection is not permitted. Therefore, the authentication switch 2a next performs terminal authentication processing. Although not shown, the authentication switch 2a performs terminal authentication processing based on communication with the authentication server 3. In this example, since the MAC address “Ma” of the user terminal 1a is not registered in the terminal authentication DB 6, the result of terminal authentication fails. Therefore, the authentication switch 2a next performs user authentication processing.

  (S13) The authentication switch 2a provides a user authentication page to the user terminal 1a of the user 9a based on communication with the authentication server 3. The user terminal 1a displays a user authentication screen based on the received user authentication page. The user authentication screen includes information such as a message prompting the user to input an account for user authentication. The user 9a inputs the user ID and password of his / her account on the user authentication screen. In this example, it is assumed that an account A1 {IDa, PWa} registered in the user authentication DB 6 is input. The user terminal 1a transmits the input account A1 to the authentication switch 2a, and the authentication switch 2a receives the account A1.

  (S14) User authentication processing is performed between the authentication switch 2a and the authentication server 3 in communication connection using an IP address. The authentication switch 2a attaches the MAC address “Ma” of the user terminal 1a accessed in S11 to the request for user authentication and the account A1, and transmits the request to the authentication server 3. At this time, the authentication switch 2a includes the account A1 and the MAC address “Ma” in the user authentication request packet. The packet includes the IP address “IP1” of the authentication switch 2a as the source IP address of the header.

  (S15) The authentication server 3 receives the information including the user authentication request in S14, the account A1, and the MAC address “Ma”. The authentication server 3 performs user authentication with respect to the request and the account A1 with reference to the account 50 of the user authentication DB 5. In this example, since the input account A1 matches the account A1 set in the account 50 of the user authentication DB 5, the result of user authentication is successful.

  (S16) The authentication server 3 transmits a response indicating success as a result of the user authentication in S15 to the authentication switch 2a. The authentication server 3 transmits the response of S16 to the authentication switch 2a with the IP address “IP1” that is the transmission source IP address of the request of S14 as the destination.

  (S17) When the user authentication is successful in S15, the authentication server 3 uses the MAC address “Ma” attached to the request in S14 as the terminal authentication MAC address for the user terminal 1a. Register in the MAC address 60 of the authentication DB 6. This registration is performed in preparation for terminal authentication at the second and subsequent logins or connections.

  Further, the authentication server 3 stores in the terminal authentication DB 6 information on the date and time of successful user authentication and the expiration date determined accordingly. As a result, information is registered in the terminal authentication DB 6 as in the example of the first row in FIG.

  (S18) On the other hand, the authentication switch 2a receives the response of S16 and recognizes the result of user authentication from the response. When the user authentication is successful, the authentication switch 2a permits the first login by the user terminal 1a of the user 9a. The authentication switch 2a registers the MAC address “Ma” of the user terminal 1a in the list 7a as a connection-permitted MAC address as connection restriction processing according to the success of user authentication.

  (S19) By S18, the user terminal 1a enters the connection permission state and the authenticated state, establishes connection with the network 4 through the authentication switch 2a, and enters the login state. In the login state, the user terminal 1a is permitted to access and communicate with the Web server 8 on the network 4 through the authentication switch 2a and can use the service. When the authentication switch 2a receives a frame from the user terminal 1a at the port, since the transmission source MAC address “Ma” is registered in the list 7a, the authentication switch 2a passes the frame through the port and forwards it toward the destination. .

  Thereafter, the user 9a logs out from the network 4 as necessary, and disconnects the connection between the user terminal 1a and the authentication switch 2a. The authentication switch 2a deletes the MAC address “Ma” from the list 7a when the user terminal 1a logs out, or when the communication state continues without logging out after logging in. As a result, the user terminal 1a enters a connection non-permission state and an unauthenticated state.

  As a modification, in S14, the authentication switch 2a may transmit a packet including the MAC address “Ma” separately from the packet for requesting user authentication. Further, the authentication server 3 may perform the registration in S17 before transmitting the response in S16.

  FIG. 6 shows a communication processing sequence at the time of the second login in the first example following FIG. As a precondition, information including the MAC address “Ma” in FIG. 5 has been registered in the terminal authentication DB 6. For example, the user terminal 1a has already logged out, and therefore the MAC address “Ma” is not registered in the list 7a of the authentication switch 2a. Hereinafter, steps S21 to S27 in FIG. 6 will be described in order.

  (S21) At the time of the second login to the network 4, the user 9a accesses the authentication switch 2a from the user terminal 1a and tries to log in.

  (S22) The authentication switch 2a receives access from the user terminal 1a in S21. The authentication switch 2a first performs connection restriction processing as in the first login. In this example, the MAC address “Ma” is not registered in the list 7a and the connection is not permitted. Therefore, the authentication switch 2a next performs terminal authentication processing.

  (S23) The authentication switch 2a uses the transmission source MAC address of the frame received from the user terminal 1a for terminal authentication. The authentication switch 2 a transmits a request for terminal authentication and the MAC address “Ma” of the terminal 1 a to the authentication server 3. At this time, the authentication switch 2a includes the MAC address “Ma” in the terminal authentication request packet. Further, the packet includes the IP address “IP1” of the authentication switch 2a as the source IP address of the header.

  (S24) The authentication server 3 receives the terminal authentication request in S23. The authentication server 3 performs terminal authentication by searching and comparing the MAC address 60 of the terminal authentication DB 6 using the MAC address “Ma” included in the request. If the MAC address “Ma” included in the request has already been registered in the terminal authentication DB 6, the authentication server 3 sets the result of terminal authentication to success, and if not registered, sets the result to failure. In this example, since the MAC address “Ma” has been registered in S17 of FIG. 5, the result of terminal authentication is successful.

  (S25) The authentication server 3 transmits a response indicating success as a result of the terminal authentication to the authentication switch 2a. The authentication server 3 transmits the response of S25 to the authentication switch 2a with the IP address “IP1” that is the transmission source IP address of the request of S23 as the destination.

  (S26) The authentication switch 2a receives the response of S25 and recognizes the result of terminal authentication from the response. The authentication switch 2a registers the MAC address “Ma” of the user terminal 1a in the list 7a as a connection-permitted MAC address as a connection restriction process according to the success of the terminal authentication. The authentication switch 2a omits user authentication because terminal authentication is successful. That is, the user 9a does not need to input an account.

  (S27) By S26, the user terminal 1a of the user 9a enters the connection permission state and the authenticated state, establishes the connection with the network 4 through the authentication switch 2a, and enters the login state again. Thereafter, the user 9a logs out from the network 4 as necessary, and disconnects the connection between the user terminal 1a and the authentication switch 2a. When the user terminal 1a logs out, the authentication switch 2a deletes the MAC address “Ma” from the list 7a.

  The above example is an example in which the user logs out and disconnects the first time, and then re-login the second time. Is realized.

  Furthermore, after that, the user terminal 1a of the user 9a may perform the third or subsequent login or connection through access to an arbitrary authentication switch 2. In the third or subsequent login or connection, if the MAC address “Ma” that is within the validity period has already been registered in the terminal authentication DB 6, the terminal authentication succeeds in the same manner and the user authentication is omitted. .

[Communication Processing Sequence in Second Example]
A communication processing sequence in the second example will be described with reference to FIGS. 5 and 7. In the second example, the user terminal 1a of the user 9a is in the vicinity of the authentication switch 2a at the time of the first login as shown in FIG. The user 9a moves with the user terminal 1a, and in the state after the movement, is in the vicinity of the authentication switch 2b as shown in FIG.

  The communication processing sequence at the first login before the movement in the second example is the same as that in FIG. The user terminal 1a has logged out, for example, after the first login.

  FIG. 7 shows a communication processing sequence at the second login after movement in the second example. As a precondition, information including the MAC address “Ma” in FIG. 5 has been registered in the terminal authentication DB 6. The user terminal 1a of the user 9a becomes the first access to the authentication switch 2b. Therefore, the MAC address “Ma” is not registered in the list 7b of the authentication switch 2b. Hereinafter, steps S31 to S37 in FIG. 7 will be described in order.

  (S31) When logging in to the network 4 for the second time, the user 9a accesses the authentication switch 2b from the user terminal 1a and tries to log in.

  (S32) The authentication switch 2b receives access from the user terminal 1a in S31. Similar to the authentication switch 2a, the authentication switch 2b first performs connection restriction processing. In this example, the MAC address “Ma” is not registered in the list 7b, and the connection is not permitted. Therefore, the authentication switch 2b next performs terminal authentication processing.

  (S33) The authentication switch 2b uses the transmission source MAC address of the frame received from the user terminal 1a for terminal authentication. The authentication switch 2 b transmits a request for terminal authentication and the MAC address “Ma” of the user terminal 1 a to the authentication server 3. At this time, the authentication switch 2b includes the MAC address “Ma” in the packet for requesting terminal authentication. Further, the packet includes the IP address “IP2” of the authentication switch 2b as the source IP address of the header.

  (S34) The authentication server 3 receives the terminal authentication request in S33. The authentication server 3 performs terminal authentication by searching and comparing the MAC address 60 of the terminal authentication DB 6 using the MAC address “Ma” included in the request. If the MAC address “Ma” included in the request has already been registered in the terminal authentication DB 6, the authentication server 3 sets the result of terminal authentication to success, and if not registered, sets the result to failure. In this example, since the MAC address “Ma” has been registered in S17 of FIG. 5, the result of terminal authentication is successful.

  (S35) The authentication server 3 transmits a response indicating success as a result of the terminal authentication to the authentication switch 2b. The authentication server 3 sends the response of S35 to the authentication switch 2b with the IP address “IP2” that is the transmission source IP address of the request of S33 as the destination.

  (S36) The authentication switch 2b receives the response of S35 and recognizes the result of terminal authentication from the response. The authentication switch 2b registers the MAC address “Ma” of the user terminal 1a in the list 7b as a connection-permitted MAC address as a connection restriction process according to the success of the terminal authentication. The authentication switch 2b omits user authentication because terminal authentication is successful. That is, the user does not need to input an account.

  (S37) By S36, the user terminal 1a of the user 9a enters the connection permission state and the authenticated state, establishes connection with the network 4 through the authentication switch 2b, and enters the login state. Thereafter, the user 9a logs out from the network 4 as necessary, and disconnects the connection between the user terminal 1a and the authentication switch 2b. When the user terminal 1a logs out, the authentication switch 2b deletes the MAC address “Ma” from the list 7b.

  Furthermore, after that, the user terminal 1a can log in or connect for the third and subsequent times in the same manner through access to an arbitrary authentication switch 2. Similarly to the user terminal 1a, the user terminal 1b and the like can log in to the network 4 through an arbitrary authentication switch 2.

  As described above, in the authentication system according to the first embodiment, the MAC address for terminal authentication is registered by the success of user authentication at the first login, and the terminal authentication is performed at the second login or connection. User authentication is omitted due to success. When the user re-logs in or reconnects to the same network 4, user authentication is omitted, so that the user can log in immediately without having to re-enter the account.

[Control on expiration date]
Control related to the expiration date will be described. The authentication system of the first embodiment provides an expiration date with a predetermined validity period for the MAC address for terminal authentication. As shown in FIG. 4B, the authentication server 3 manages expiration date information for each MAC address for terminal authentication in the terminal authentication DB 6.

  When the user authentication at the time of the first login is successful, the authentication server 3 registers the MAC address of the user terminal 1 in the “MAC address for terminal authentication” column in FIG. The date and time at that time is stored in the “user authentication success date and time” column. The authentication server 3 applies a predetermined validity period starting from the date and time, and stores the date and time of the end point in the “expiration date” column as the expiration date related to the MAC address.

  The predetermined effective period is set to an arbitrary value such as 8 hours or 1 day. The administrator 90 can set the valid period using the setting function. The valid period may be a uniform set value for all user terminals 1 or may be a different set value for each user terminal 1.

  In the example of FIG. 4B, the user authentication success date and time is September 1 for the MAC address “Ma” of the user terminal 1a in the first row. The set value of the effective period is, for example, one day. Thus, the expiration date of the MAC address “Ma” is September 2.

  The authentication server 3 invalidates the MAC address registered in the terminal authentication DB 6 when the expiration date has passed. As an example of the processing, when the expiration date has passed, the authentication server 3 is invalidated by deleting the MAC address. That is, in the terminal authentication DB 5, the MAC address is registered when it is within the validity period, and the MAC address is not registered when it is outside the validity period.

  When the authentication server 3 receives a request for terminal authentication, the authentication server 3 checks whether or not a MAC address that is within the validity period is registered in the terminal authentication DB 6. If the MAC address that matches the requested MAC address has already been registered, the authentication server 3 is within the validity period, so that the terminal authentication is validated and the result of the terminal authentication is successful. Further, when the authentication server 3 receives the request and the MAC address matching the requested MAC address is not registered in the terminal authentication DB 6, the authentication server 3 is out of the expiration date, and thus the terminal authentication is invalidated. The authentication result is considered as failure.

  In the terminal authentication at the time of the second login, if the result fails because the validity period of the MAC address has passed, the authentication switch 2 performs user authentication next. When the result of this user authentication is successful, the authentication server 3 re-registers the MAC address for terminal authentication and resets its expiration date.

[Effects]
As described above, according to the authentication system of the first embodiment, when the user terminal 1 connects to the network 4 and logs in, the authentication is controlled by combining terminal authentication and user authentication. Thereby, while ensuring the security of the network 4, the user's troubles such as re-input of the account can be reduced, and the convenience of the user can be improved. When the user logs in for the second time and thereafter, user authentication is omitted and terminal authentication is sufficient. Therefore, the time required for authentication is short, and the user can log in immediately and use the service.

  As a modification of the first embodiment, user authentication is not limited to authentication using a user ID and password, and other types of authentication are also applicable. Other methods include authentication using an electronic certificate, authentication using biometric information, authentication using a token key, and the like. The authentication switch 2 and the authentication server 3 perform authentication processing according to the user authentication method. The user authentication DB 5 manages authentication information corresponding to a user authentication method, such as an electronic certificate, biometric information, or a token key. The authentication switch 2 transmits the authentication information input from the user terminal 1, the request for user authentication, and the MAC address of the user terminal 1 to the authentication server 3. The authentication server 3 refers to the authentication information in the user authentication DB 5 and performs user authentication.

  Similarly, terminal authentication is not limited to authentication using a MAC address as identification information of the user terminal 1, and authentication using other identification information is also applicable.

  As a modification of the first embodiment, the authentication server 3 may store an account at the time of user authentication in association with the MAC address when registering the MAC address in the terminal authentication DB 6. That is, in the table of the terminal authentication DB 6 in FIG. 4B, an “account for user authentication” column may be added. Alternatively, a column for storing an address or the like indicating the value of the “user authentication account” column in FIG. 4A may be added to the table. Or the authentication server 3 may hold | maintain the management table | surface containing the correlation information of a MAC address and an account separately from user authentication DB5 and terminal authentication DB6. In the case of these modified examples, the correspondence between the user terminal 1 and the user can be easily understood.

(Embodiment 2)
The authentication system according to the second embodiment of the present invention will be described with reference to FIG. The basic configuration of the authentication system of the second embodiment is the same as the configuration of the first embodiment. In the following, portions of the configuration of the second embodiment that are different from the configuration of the first embodiment will be described.

  In the authentication system of the second embodiment, the types of the plurality of authentication switches 2 connected to the network 4 are different.

  In the first embodiment described above, the plurality of authentication switches 2 connected to the network 4 are all the same type of devices having the same function. That is, each authentication switch 2 has a user authentication function, a terminal authentication function, and the like. In the first embodiment, terminal authentication and user authentication are performed at the first login, and the MAC address for terminal authentication is registered upon successful user authentication. In the second and subsequent logins, terminal authentication is performed using the MAC address for terminal authentication, and user authentication is omitted. In order to realize this operation, the authentication switch 2 accessed after the second time requires a terminal authentication function, but a user authentication function is not essential.

  FIG. 8 shows the configuration of the authentication system of the second embodiment. The authentication system of the second embodiment includes an authentication switch 2A, an authentication switch 2B-1, an authentication switch 2B-2, and the like as a plurality of authentication switches 2 connected to the network 4.

  The authentication system according to the second embodiment includes a first authentication switch and a second authentication switch as devices having different functions. The first authentication switch includes a user authentication function and a terminal authentication function as the function KA, similar to the authentication switch 2 of the first embodiment. The second authentication switch does not have a user authentication function but has a terminal authentication function as the function KB. One authentication switch 2A is a first authentication switch. A plurality of authentication switches such as the authentication switch 2B-1 and the authentication switch 2B-2 are second authentication switches.

  In the operation of the authentication system according to the second embodiment, when the user terminal 1 logs in for the first time, the first authentication switch is accessed. Thereafter, when logging in or connecting for the second time or later, it is possible to access both the first authentication switch and the second authentication switch.

  In the example of FIG. 8, the user terminal 1a of the user 9a accesses the authentication switch 2A, which is the first authentication switch having the function KA, at the first login. The authentication switch 2A performs processing in the order of connection restriction, terminal authentication, and user authentication. The authentication switch 2A first performs terminal authentication with the authentication server 3 and then performs user authentication. At the time of user authentication, the user 9a inputs the account A1. The authentication server 3 refers to the account 50 in the user authentication DB 5 and performs user authentication. In this example, since the account A1 is set in the user authentication DB 5, the result of the user authentication is successful. The authentication server 3 registers the MAC address “Ma” of the user terminal 1 a in the terminal authentication DB 6 as a MAC address for terminal authentication. The user terminal 1a is permitted to log in for the first time.

  Thereafter, the user terminal 1a of the user 9a accesses one of the authentication switches at the second login or connection. In this example, the user 9a moves with the user terminal 1a and accesses the authentication switch 2B-1. The authentication switch 2B-1 performs processing in the order of connection restriction and terminal authentication. The authentication switch 2B-1 transmits the MAC address “Ma” of the user terminal 1a to the authentication server 3 during terminal authentication. The authentication server 3 performs terminal authentication with reference to the MAC address 60 of the terminal authentication DB 6. In this example, since the MAC address “Ma” has already been registered in the terminal authentication DB 6, the result of terminal authentication is successful. The user terminal 1a is permitted to log in or connect for the second time.

  As in the above example, when the user terminal 1 accesses the first authentication switch at the first login and accesses the second authentication switch at the second and subsequent logins, the same as in the first embodiment Thus, the same effect can be obtained.

  According to the authentication system of the second embodiment, as in the first embodiment, it is possible to reduce the time and effort of the user such as re-input of an account while ensuring the security of the network 4.

[Modification]
The following is mentioned as an authentication system of the modification of Embodiment 2. In the authentication system of the modified example, the first authentication switch is an authentication switch that has a user authentication function and does not have a terminal authentication function. The second authentication switch does not have a user authentication function but is an authentication switch having a terminal authentication function. In operation, the user terminal 1 is accessed to the first authentication switch at the first login, and to the second authentication switch at the second and subsequent logins or connections. Even in the authentication system of this modification, the same effects as those of the first and second embodiments can be realized.

(Embodiment 3)
An authentication system according to Embodiment 3 of the present invention will be described. Hereinafter, a different part from the structure of Embodiment 1 in the structure of Embodiment 3 is demonstrated.

  In the first embodiment described above, the authentication server 3 holds and manages the user authentication DB 5 and the terminal authentication DB 6. Not only this but user authentication DB5 and terminal authentication DB6 may exist in places other than the authentication server 3 on the network 4. FIG.

  In the authentication system of the third embodiment, the user authentication DB 5 is held in an account management server (not shown). The account management server is connected to the network 4 and has a setting function including an account management function, and manages the user authentication DB 5. The account management server sets an account for user authentication in the user authentication DB 5 based on an instruction from the administrator 90 or the like.

  The authentication server 3 according to the third embodiment holds a terminal authentication DB 6 and cooperates with an account management server. When receiving a user authentication request, the authentication server 3 accesses the account management server and refers to the user authentication DB 5 to perform user authentication. When the user authentication is successful, the authentication server 3 registers the MAC address for terminal authentication in its own terminal authentication DB 6. When receiving the request for terminal authentication, the authentication server 3 refers to its own terminal authentication DB 6 and performs terminal authentication.

  According to the authentication system of the third embodiment, the same effect as in the first embodiment can be obtained.

(Other embodiments)
The following is mentioned as an authentication system of other embodiment.

  As another embodiment, the user authentication DB 5 and the terminal authentication DB 6 are not limited to a method in which registration and deletion are performed for accounts and MAC addresses, but a method in which validation and invalidation are performed for accounts and MAC addresses held in advance. But you can. In this case, for example, in the user authentication DB 5, user authentication accounts for a plurality of authorized users are set as initial settings in advance, and this information is basically retained. This account is set to the “valid” state by a flag. In the terminal authentication DB 6, as initial settings, MAC addresses for terminal authentication related to a plurality of authorized user terminals 1 are set in advance, and this information is basically retained. This MAC address is set to an “invalid” state by a flag.

  When the user authentication is successful, the authentication server 3 validates the MAC address for terminal authentication related to the user terminal 1 in the terminal authentication DB 6, that is, changes from “invalid” to “valid”, and sets the validity period. Set. When the expiration date has passed, the authentication server 3 invalidates the MAC address for user terminal authentication, that is, changes from “valid” to “invalid”.

  Similarly, the list 7 of the authentication switch 2 is not limited to a method for registering and deleting a connection permission MAC address, and may be a method for enabling and disabling a preset MAC address.

  Although the present invention has been specifically described above based on the embodiments, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention.

  DESCRIPTION OF SYMBOLS 1, 1a, 1b ... User terminal, 2, 2a, 2m ... Authentication switch, 3 ... Authentication server, 4 ... Network, 5 ... User authentication DB, 6 ... Terminal authentication DB, 7, 7a, 7m ... List, 8 ... Web Server, 9a, 9b ... user, 50 ... account, 60 ... MAC address, 90 ... administrator

Claims (8)

An authentication device connected to a network and accessed when a user terminal logs into the network;
An authentication server connected to the network and performing terminal authentication and user authentication at the time of login;
A terminal authentication DB in which the MAC address for terminal authentication is registered;
A user authentication DB in which the user authentication account is registered;
With
The authentication device is
When receiving the access, a first process of transmitting a terminal authentication request and the MAC address of the user terminal to the authentication server;
A second process of receiving a terminal authentication response from the authentication server, permitting the login if the terminal authentication is successful, and disallowing the login if the terminal authentication fails;
A third process of transmitting a user authentication request, an account input by a user, and the MAC address of the user terminal to the authentication server when the terminal authentication fails;
A fourth process of receiving a user authentication response from the authentication server, permitting the login if the user authentication is successful, and disallowing the login if the user authentication fails;
And
The authentication server is
A process of receiving the terminal authentication request and the MAC address, performing the terminal authentication with reference to the terminal authentication DB, and transmitting the terminal authentication response indicating success or failure of the terminal authentication to the authentication device;
The user authentication request, the account, and the MAC address are received, the user authentication is performed with reference to the user authentication DB, and the user authentication response indicating success or failure of the user authentication is transmitted to the authentication device. If the user authentication is successful, the MAC address is registered in the terminal authentication DB as the MAC address for the terminal authentication;
I do,
Authentication system. An authentication device connected to a network and accessed when a user terminal logs into the network;
An authentication server connected to the network and performing terminal authentication and user authentication at the time of login;
A terminal authentication DB in which the MAC address for terminal authentication is registered;
A user authentication DB in which the user authentication account is registered;
With
As the authentication device, it has a first authentication device and a second authentication device,
The first authentication device includes:
When receiving the access, a process of transmitting a user authentication request, an account input by the user, and the MAC address of the user terminal to the authentication server;
A process of receiving a user authentication response from the authentication server, permitting the login if the user authentication is successful, and disallowing the login if the user authentication is unsuccessful;
And
The second authentication device is:
When receiving the access, a process of transmitting a terminal authentication request and the MAC address of the user terminal to the authentication server;
A process of receiving a terminal authentication response from the authentication server, allowing the login if the terminal authentication is successful, and disabling the login if the terminal authentication is unsuccessful;
And
The authentication server is
The terminal authentication request and the MAC address are received from the second authentication device, the terminal authentication is performed with reference to the terminal authentication DB, and the terminal authentication response indicating success or failure of the terminal authentication is received. Processing to send to the second authentication device;
Receiving the user authentication request, the account, and the MAC address from the first authentication device, performing the user authentication with reference to the user authentication DB, and indicating the success or failure of the user authentication; A process of transmitting a response to the first authentication device and registering the MAC address in the terminal authentication DB as the MAC address for the terminal authentication when the user authentication is successful;
I do,
Authentication system. The authentication system according to claim 1 or 2,
The authentication server holds the terminal authentication DB and the user authentication DB.
Authentication system. The authentication system according to claim 1 or 2,
The authentication server is
If the user authentication is successful, set an expiration date for the MAC address for terminal authentication;
If the expiration date has passed, delete or invalidate the MAC address for the terminal authentication,
When the terminal authentication request is received, the terminal authentication is performed using the MAC address for the terminal authentication within the validity period.
Authentication system. The authentication system according to claim 1 or 2,
The authentication device is
If the user authentication is successful and if the terminal authentication is successful, the MAC address of the user terminal is registered or validated in a list as a MAC address allowed to connect to the network;
When the user terminal logs out from the network and disconnects from the authentication device, or when no communication state continues for a certain time without logging out after the login, the MAC address of the user terminal is As a MAC address that is not allowed to connect to the network, deleted or invalidated in the list,
When receiving access from the user terminal, based on the result of confirming the MAC address and the list of the user terminal, permit or disallow connection to the network by the user terminal,
When disabling the connection, the terminal authentication request is transmitted, and when the terminal authentication fails, the user authentication request is transmitted.
Authentication system. The authentication system according to claim 1 or 2,
The user authentication is authentication using a combination of a user ID and a password as the account.
Authentication system. The authentication system according to claim 1 or 2,
The user authentication is authentication using an electronic certificate, biometric information, or a token key as the account.
Authentication system. The authentication system according to claim 1,
Having a second authentication device;
The second authentication device performs the first process and the second process, and does not perform the third process and the fourth process.
Authentication system.

Images