1. Technical Field
The present invention relates to a communication apparatus and an authentication apparatus that are connected through a network, and to a communication method and an authentication method used in those apparatuses.
2. Background Art
In order to prevent communication apparatuses that have not been permitted in advance from being connected to a LAN (Local Area Network), IEEE (The Institute of Electrical and Electronics Engineers, Inc.) defines the IEEE Std. 802.1X-2004 for authentication of communication apparatuses. A variety of techniques relating to IEEE 802.1X have been disclosed (for example, see JP-A-2007-68161).
IEEE 802.1X defines a communication apparatus which is called a supplicant, an authentication LAN switch which is called an authenticator, and an authentication server which is called an authenticator server, and further defines the format of the frames communicated between the supplicant, the authenticator and the authenticator server, the state transitions of each apparatus, and the like. Further, the definition of IEEE 802.1X specifies a technique of communication using the layer 2 multicast address (01-80-C2-00-00-03). As a middle-sized network configuration, a configuration may be considered in which a plurality of communication apparatuses are connected to a hub and a single authentication LAN switch is connected to the hub. FIG. 27 is a diagram illustrating a network configuration in the related art. This configuration includes two communication apparatuses, one hub, one authentication LAN switch, and one authentication server.
However, if an EAPOL non-forwarding hub, that is, a hub which does not forward EAPOL (EAP over LAN) multicast frames, is used as the hub, authentication based on IEEE 802.1X may not be performed.
(First Problem)
FIG. 25 is a diagram illustrating a sequence in the related art. The flow will be described with reference to FIG. 25. In a case where authentication based on IEEE 802.1X is started, a communication apparatus transmits an EAPOL-Start frame in a multicast mode. Since the transmission destination is a multicast address, an EAPOL non-forwarding hub discards the EAPOL-Start frame without forwarding it. In a case where an authentication LAN switch starts authentication, the authentication LAN switch transmits an EAP-Identity Request frame in a multicast mode. Since the transmission destination is a multicast address, the EAPOL non-forwarding hub discards the EAP-Identity Request frame without forwarding it. In this way, in a case where the EAPOL non-forwarding hub is present between the communication apparatus and the authentication LAN switch, communication based on IEEE 802.1X may not be performed.
(Second Problem)
Further, a technique in which IEEE 802.1X authentication is performed using a unicast address as the transmission destination address instead of a multicast address is generally known as one of the functions of the authentication LAN switch. However, in a case where the communication apparatus performs IEEE 802.1X authentication using a multicast address as the transmission destination address, communication may not be performed, in a similar way to the first problem. FIG. 26 is a diagram illustrating another example of a sequence in the related art. Description will be made with reference to the flow in FIG. 26. For example, even in a case where an authentication LAN switch transmits EAP-Identity Request with a unicast transmission destination address, the communication apparatus uses a multicast address as the transmission destination address, so the EAP-Identity Response is discarded in the EAPOL non-forwarding hub and communication cannot be performed. Further, when the authentication LAN switch uses a unicast address as the transmission destination address, a preparation process of registering the MAC address of the communication apparatus in advance is necessary. Thus, it is necessary to register as many MAC addresses as there are communication apparatuses, which is undesirable.
(Third Problem)
Referring to FIG. 27, a case where an EAPOL forwarding hub, which allows multicast forwarding, is used will be described. Since the EAPOL forwarding hub allows multicast forwarding, a frame is forwarded to all apparatuses which are connected to the hub. Thus, a communication apparatus receives unnecessary frames, and the communication of other communication apparatuses is interfered with by the forwarded frames.
Description will be made with reference to FIG. 28. For example, since a multicast address is used as the transmission destination address, the EAPOL-Start (EAPOL-Start frame) of a communication apparatus (Supp1) reaches the authentication LAN switch and a communication apparatus (Supp2). The communication apparatus (Supp2) discards the EAPOL-Start according to the stipulation of IEEE 802.1X. The authentication LAN switch receives the EAPOL-Start and then transmits EAP-Identity Request using a unicast address as the transmission destination address. Here, the case where the authentication LAN switch has the function of performing authentication using a unicast address, as mentioned in the second problem, is described. The communication apparatus (Supp1) sends EAP-Identity Response using a multicast address as the transmission destination address in response to the EAP-Identity Request. Since the multicast address is used as the transmission destination address, the EAP-Identity Response of the communication apparatus (Supp1) reaches the authentication LAN switch and the communication apparatus (Supp2). Upon receiving the EAP frame, the communication apparatus (Supp2) undergoes a state transition according to the stipulation of IEEE 802.1X. As a result of the state transition, the communication apparatus (Supp2) succeeds in authentication, but authentication ends up being performed twice. In this way, there is a problem that unnecessary authentication is performed because the communication of the communication apparatus (Supp1) interferes with the communication apparatus (Supp2).
As described above, the problems to be solved are that authentication is not performed in a network environment where an EAPOL non-forwarding hub is connected, and that use of the multicast address interferes with other communication apparatuses in a network environment where an EAPOL forwarding hub is connected.
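The three problems above all come down to which stations a hub actually delivers an EAPOL frame to, depending on whether its destination is the PAE group address (01-80-C2-00-00-03) or a unicast MAC. The following small simulation, added here as an illustration and not part of the patent text, replays the exchanges of FIG. 25, FIG. 26 and FIG. 28 through a hub model and records who received what. The station MAC addresses and port names are constructed for the example; the EAPOL EtherType 0x888E is the standard value. The hub model folds the receiving NIC's filtering into `deliver`, so the result lists only the stations that keep the frame.

```python
from dataclasses import dataclass
from typing import Dict, List

PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"  # IEEE 802.1X group address quoted on the page
EAPOL_ETHERTYPE = 0x888E                  # standard EAPOL EtherType

# Constructed sample addresses; the page only names the stations Supp1 and Supp2.
SUPP1 = "02:00:00:00:00:01"
SUPP2 = "02:00:00:00:00:02"
SWITCH = "02:00:00:00:00:aa"  # the authentication LAN switch (authenticator)


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int
    body: str  # "EAPOL-Start", "EAP-Identity Request", "EAP-Identity Response"

    @property
    def is_eapol_group(self) -> bool:
        return self.ethertype == EAPOL_ETHERTYPE and self.dst == PAE_GROUP_ADDRESS


class Hub:
    """Shared-medium hub. `ports` maps a port name to the MAC of the attached station.
    forwards_eapol=False models the EAPOL non-forwarding hub of FIG. 25 / FIG. 26."""

    def __init__(self, ports: Dict[str, str], forwards_eapol: bool) -> None:
        self.ports = ports
        self.forwards_eapol = forwards_eapol

    def deliver(self, frame: Frame, ingress: str) -> List[str]:
        """Return the MACs of the stations that actually receive `frame`.
        The hub repeats on every port except the ingress; a station keeps the
        frame only if it is addressed to it or to the PAE group address."""
        if frame.is_eapol_group and not self.forwards_eapol:
            return []  # silently discarded by the hub
        return [mac for port, mac in self.ports.items()
                if port != ingress and frame.dst in (mac, PAE_GROUP_ADDRESS)]


def simulate(hub: Hub, switch_uses_unicast: bool) -> Dict[str, bool]:
    """Replay the 802.1X exchange from the page's figures and record who got what.
    Supplicants always address the PAE group address, as the page states; the
    authenticator either does the same or (second problem) unicasts to a
    pre-registered supplicant MAC."""
    port_of = {mac: port for port, mac in hub.ports.items()}
    result = {k: False for k in ("start_reached_switch", "request_reached_supp1",
                                 "response_reached_switch", "response_reached_supp2")}

    # 1. Supp1 starts authentication: EAPOL-Start to the group address.
    start = Frame(SUPP1, PAE_GROUP_ADDRESS, EAPOL_ETHERTYPE, "EAPOL-Start")
    got = hub.deliver(start, port_of[SUPP1])
    result["start_reached_switch"] = SWITCH in got
    # Supp2 may receive it too, but discards EAPOL-Start per IEEE 802.1X.

    # 2. The authenticator (triggered, or starting on its own) sends EAP-Identity Request.
    dst = SUPP1 if switch_uses_unicast else PAE_GROUP_ADDRESS
    request = Frame(SWITCH, dst, EAPOL_ETHERTYPE, "EAP-Identity Request")
    got = hub.deliver(request, port_of[SWITCH])
    result["request_reached_supp1"] = SUPP1 in got
    if not result["request_reached_supp1"]:
        return result  # Supp1 never answers: the first problem

    # 3. Supp1 answers with EAP-Identity Response, again to the group address.
    response = Frame(SUPP1, PAE_GROUP_ADDRESS, EAPOL_ETHERTYPE, "EAP-Identity Response")
    got = hub.deliver(response, port_of[SUPP1])
    result["response_reached_switch"] = SWITCH in got  # False: second problem
    result["response_reached_supp2"] = SUPP2 in got    # True: third problem
    return result


PORTS = {"p1": SUPP1, "p2": SUPP2, "p3": SWITCH}

if __name__ == "__main__":
    cases = [
        ("non-forwarding hub, multicast authenticator", Hub(PORTS, False), False),
        ("non-forwarding hub, unicast authenticator", Hub(PORTS, False), True),
        ("forwarding hub, unicast authenticator", Hub(PORTS, True), True),
    ]
    for name, hub, unicast in cases:
        print(name, simulate(hub, unicast))
```

The first case shows the first problem (nothing reaches the authenticator), the second shows the second problem (the unicast request arrives but the multicast response is dropped), and the third shows the third problem (the response is also delivered to Supp2). From a defender's point of view, the same model explains why an unexpected EAP-Identity Response arriving at a supplicant is a topology symptom worth logging rather than silently acting on.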