1. Field of the Invention
The present invention relates to an apparatus, a method and a computer program product for performing an authentication of a network access of a terminal apparatus by using a signaling protocol.
2. Description of the Related Art
Devices called authentication agents have recently been used to perform network access authentication. Network access authentication is a process of permitting access to an internal network from a terminal that is connected to an external network. A communication device that is connected to the external network cannot utilize a service on the internal network until the authentication agent decides that the communication device is authentic.
The session initiation protocol (SIP) is widely known as a signaling protocol that acts between communication devices to control or relay a communication. As a service using the SIP, communication systems such as Internet telephone systems have been developed.
In a communication system using the SIP, after a SIP terminal acting as the communication terminal is authenticated by the authentication agent or the like, the SIP terminal selects, from among the SIP proxies that relay communications, a specific proxy as an outbound proxy and communicates using the outbound proxy.
The outbound proxy directly receives all SIP messages transmitted from the SIP terminal and exclusively handles transmission of SIP messages to the SIP terminal.
There may be various types of SIP proxies on a network operated by an organization, and the SIP functions available to the SIP terminal may vary depending on the type of SIP proxy. In such a case, the SIP terminal needs to check the SIP function (capability data) of each of the SIP proxies before it selects the outbound proxy.
According to the conventional technique, because the SIP terminal cannot acquire the capability data of the SIP proxies before the access authentication, the SIP terminal needs to perform a process of searching for a proper SIP proxy having a required capability. The SIP terminal performs this process by, for example, exchanging SIP OPTIONS request messages several times with the plurality of SIP proxies being searched.
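The conventional search described above can be sketched as follows. This is an added example, not part of the original text: it parses replies to SIP OPTIONS requests and picks the first proxy that advertises the required methods and option tags, returning nothing when no proxy qualifies. The host names, the reply contents and both function names are constructed for illustration.

```python
# Added example, not from the original text. Replies and host names are constructed.
SAMPLE_REPLIES = {
    "proxy-a.example.com": "SIP/2.0 200 OK\r\nAllow: INVITE, ACK, BYE, OPTIONS\r\n"
                           "Supported: path\r\nContent-Length: 0\r\n\r\n",
    "proxy-b.example.com": "SIP/2.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n",
    "proxy-c.example.com": "SIP/2.0 200 OK\r\nAllow: INVITE, ACK, BYE,\r\n"
                           " OPTIONS, SUBSCRIBE\r\nk: path, Outbound\r\n"
                           "Content-Length: 0\r\n\r\n",
}
COMPACT = {"k": "supported"}  # RFC 3261 compact form of Supported


def parse_capabilities(reply):
    """Extract status code, Allow methods and Supported option tags from a response."""
    head = reply.split("\r\n\r\n", 1)[0]
    lines = []
    for raw in head.split("\r\n"):
        # A line starting with whitespace continues the previous header (folding).
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    caps = {"status": int(lines[0].split(" ", 2)[1]), "allow": set(), "supported": set()}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if name in caps and name != "status":
            # Headers may repeat; each carries a comma-separated list.
            items = {v.strip() for v in value.split(",") if v.strip()}
            caps[name] |= {i.lower() for i in items} if name == "supported" else items
    return caps


def select_outbound_proxy(replies, need_methods, need_tags):
    """Return the first proxy whose 2xx reply advertises every requirement, else None."""
    for proxy, reply in replies.items():
        caps = parse_capabilities(reply)
        if (200 <= caps["status"] < 300 and set(need_methods) <= caps["allow"]
                and {t.lower() for t in need_tags} <= caps["supported"]):
            return proxy
    return None  # no proxy has the required capability


if __name__ == "__main__":
    print(select_outbound_proxy(SAMPLE_REPLIES, {"INVITE", "SUBSCRIBE"}, {"outbound"}))
    print(select_outbound_proxy(SAMPLE_REPLIES, {"MESSAGE"}, set()))
```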
As described above, if a service of a server is provided via the network, the amount of pre-processing, including the authentication process, is usually large. This is why techniques for improving such pre-processing have been proposed.
For example, JP-A 2006-121698 (KOKAI) discloses a method of performing a flexible authentication that is required for utilizing a service provided on a wireless communication network, by performing an authentication process and tunnel setting, that is, a data link for providing the service, using different channels.
However, the pre-processing required for utilizing the service cannot be performed in an effective manner according to the above method. More particularly, it is necessary to acquire in advance the addresses of the devices to be connected, such as a plurality of authentication servers and a plurality of packet-data gateways required for utilizing the service. Moreover, it is impossible to perform a process such as registration for utilizing the service in association with the authentication.
The SIP system also has the problem that the pre-processing required before starting to utilize the SIP function is ineffective. For example, if the search finds that there is no proper SIP proxy having the required capability, the access authentication process and the search process prove fruitless. Even worse, in this case, the SIP terminal additionally requires a process of disconnecting from the network for which the access authentication was performed, or another authentication or search process on another network.
In addition, the SIP terminal has to acquire the addresses of the SIP proxies in advance to check the capability data of the SIP proxies. Conventionally, the SIP terminal either acquires the addresses of the SIP proxies in advance or acquires the addresses using a domain name system (DNS). However, the former method lacks flexibility. The latter method increases the size of the system, which makes it difficult to apply to a network operated by a small organization such as a company.
Moreover, after connecting to the network, the SIP terminal has to perform an address registration process required for utilizing the SIP function and a subscription process for the service to be utilized. Furthermore, to strengthen the security of the SIP messages communicated between the SIP terminal and the SIP proxies, a secured connection is built in most cases by performing authentication and key exchange for transport layer security (TLS). Such a SIP system requires more complicated pre-processing for utilizing the service.