1. Field of the Invention
The present invention relates to an authentication system for authenticating a supplicant to confirm the legitimacy of the supplicant, and more particularly to an authentication system for authenticating a supplicant again upon elapse of a predetermined period of time after the supplicant has first been authenticated.
2. Description of the Related Art
When a network is to be accessed, it is important for the network to have enhanced security, and the network performs an authentication process. For wireless LANs, standards such as IEEE802.1x, WPA (Wi-Fi Protected Access), and WPA2 have been established as user authentication/encryption processes. An authentication system based on those standards has been proposed in the art (see, for example, JP-A No. 2003-259417).
FIG. 1 of the accompanying drawings is a block diagram of a conventional authentication system. As shown in FIG. 1, the conventional authentication system has supplicant 90 and authenticator 91. Authenticator 91 can be connected to RADIUS server 92.
Supplicant 90 comprises a terminal used by a user, such as a wireless LAN terminal, for example. Supplicant 90 can connect to a network when it is authenticated by authenticator 91.
Authenticator 91 is an authenticating device such as a wireless LAN access point, and authenticates supplicant 90 serving as a terminal. It is assumed that authenticator 91 uses a RADIUS protocol for authentication, and operates as a RADIUS client. When accessed by supplicant 90, authenticator 91 exchanges authentication information with RADIUS server 92. If the authentication is successful, then authenticator 91 sends a successful authentication message to supplicant 90.
An authentication has an authentication lifetime. After supplicant 90 is authenticated, authenticator 91 reauthenticates supplicant 90 repeatedly at given time intervals.
RADIUS server 92 performs an authentication process for supplicant 90 according to a request from authenticator 91. RADIUS server 92 uses a RADIUS protocol for authentication. When RADIUS server 92 receives a request from authenticator 91 which is a RADIUS client, RADIUS server 92 exchanges authentication information with authenticator 91, and determines whether the authentication is successful or not.
FIG. 2 of the accompanying drawings is a sequence diagram of operation of the conventional authentication system. As shown in FIG. 2, for a first authentication cycle, supplicant 90 sends EAPOL (PPP Extensible Authentication Protocol over Local Area Networks)-Start packet 901 to authenticator 91.
When authenticator 91 receives EAPOL-Start packet 901, authenticator 91 starts an authentication process, and sends EAP-Request packet 902 to supplicant 90. In response to EAP-Request packet 902, supplicant 90 sends EAP-Response packet 903 to authenticator 91.
When authenticator 91 receives EAP-Response packet 903, authenticator 91 sends Access-Request packet 904 to RADIUS server 92, requesting RADIUS server 92 to authenticate supplicant 90. If the authentication subsequently proves to be successful through an authentication sequence, then RADIUS server 92 sends Access-Accept packet 905, indicative of the successful authentication, to authenticator 91.
When authenticator 91 receives Access-Accept packet 905, authenticator 91 sends EAP-Success packet 906 to supplicant 90, informing supplicant 90 of the successful authentication. Now, supplicant 90 can be connected to a network through authenticator 91.
At this time, authenticator 91 registers the account of supplicant 90 in an internal authentication table (not shown), and starts counting down a reauthentication timer (not shown) corresponding to the account. The reauthentication timer is a timer that measures the authentication time limit.
When a certain period of time elapses after the above authentication has succeeded, the reauthentication timer expires, i.e., the period in which the previous authentication is valid (the authenticated period) elapses. Authenticator 91 then initiates a reauthentication process, which reauthenticates supplicant 90 whose authenticated period has elapsed. The reauthentication process will be described below.
When the reauthentication timer expires, authenticator 91 recognizes that the authenticated period of supplicant 90 has elapsed. Authenticator 91 sends EAP-Request packet 907 to supplicant 90 whose authenticated period has elapsed.
When supplicant 90 receives EAP-Request packet 907, supplicant 90 sends EAPOL-Start packet 908 to authenticator 91. Subsequently, the authentication system operates in the same manner as in the first authentication cycle.
In response to EAPOL-Start packet 908, authenticator 91 starts an authentication process, and sends EAP-Request packet 909 to supplicant 90. In response to EAP-Request packet 909, supplicant 90 sends EAP-Response packet 910 to authenticator 91.
When authenticator 91 receives EAP-Response packet 910, authenticator 91 sends Access-Request packet 911 to RADIUS server 92, requesting RADIUS server 92 to authenticate supplicant 90. If the authentication subsequently proves to be successful through an authentication sequence, then RADIUS server 92 sends Access-Accept packet 912, indicative of the successful authentication, to authenticator 91.
When authenticator 91 receives Access-Accept packet 912, authenticator 91 sends EAP-Success packet 913 to supplicant 90, informing supplicant 90 of the successful authentication. Now, supplicant 90 can be connected to the network through authenticator 91.
At this time, authenticator 91 reregisters the account of supplicant 90 or keeps the account of supplicant 90 registered in the internal authentication table, and resets and starts counting down the reauthentication timer corresponding to the account.
The same reauthentication process as described above is repeated each time the authenticated period elapses.
FIG. 3 of the accompanying drawings is a sequence diagram showing the first authentication cycle of the conventional authentication system. FIG. 3 shows in detail the authentication process that is performed by the exchange of packets 901 through 906 shown in FIG. 2. As shown in FIG. 3, the authentication process is started by the EAPOL-Start packet sent from supplicant 90 to authenticator 91 and the EAP-Request(Identity) sent from authenticator 91 to supplicant 90.
In the authentication process, Challenge packets are repeatedly sent from RADIUS server 92 to supplicant 90 and Message Digest packets are repeatedly sent from supplicant 90 to RADIUS server 92 as responses to the Challenge packets.
If the authentication is successful, the successful authentication is indicated from RADIUS server 92 through authenticator 91 to supplicant 90, and the reauthentication timer of authenticator 91 starts to count down. Authenticator 91 sends an encryption key to supplicant 90.
FIG. 4 of the accompanying drawings is a sequence diagram showing the reauthentication cycle of the conventional authentication system. FIG. 4 shows in detail the authentication process that is performed by the exchange of packets 907 through 913 shown in FIG. 2. As shown in FIG. 4, the authentication process is started by the EAP-Request(Identity) sent from authenticator 91 to supplicant 90 when the timer expires.
The reauthentication cycle is the same as the first authentication cycle. In the reauthentication cycle, Challenge packets are repeatedly sent from RADIUS server 92 to supplicant 90 and Message Digest packets are repeatedly sent from supplicant 90 to RADIUS server 92 as responses to the Challenge packets.
If the authentication is successful, a successful authentication message is sent from RADIUS server 92 through authenticator 91 to supplicant 90, and authenticator 91 resets and starts to count down the reauthentication timer. Authenticator 91 sends an encryption key to supplicant 90.
However, the conventional authentication system suffers the following problems:
Supplicant 90 may change from an ordinary operational state to a suspended state, a hibernated state, or a shutdown state depending on an operating action made by the user, on how the user uses supplicant 90, or on the charge state of its battery.
The suspended state is a state in which a program being executed by supplicant 90 is temporarily suspended. The hibernated state is a state in which the data in a main memory is stored into a hard disk and supplicant 90 enters an energy-saving mode. The shutdown state is a state in which a program being executed by supplicant 90 is terminated and supplicant 90 is turned off. All of the suspended state, the hibernated state, and the shutdown state are collectively referred to as “aborted state”.
There is a function known as Wake-on LAN (registered trademark) for resuming or activating a computer in the suspended state, the hibernated state, or the shutdown state through a network. Changing from the aborted state to the operational state, by way of resumption or activation, is collectively referred to as “wake-up”.
FIG. 5 of the accompanying drawings is a view showing a general Wake-on LAN. As shown in FIG. 5, terminal 93 is connected to network 95 by LAN card 94, and terminal 96 is also connected to network 95.
It is assumed that terminal 93 is in the aborted state. Even though terminal 93 is in the aborted state, LAN card 94 remains energized and is linked to network 95 through a MAC layer. When LAN card 94 receives a wake-on packet, it wakes up terminal 93.
To wake up terminal 93, terminal 96 sends a wake-on packet through network 95 to LAN card 94. In response to the wake-on packet, LAN card 94 wakes up terminal 93.
The Wake-on LAN function is performed in the manner described above.
If supplicant 90 in the authentication system shown in FIG. 1 is in the aborted state, supplicant 90 is unable to receive packets from authenticator 91 until supplicant 90 has been woken up. When the reauthentication timer expires, authenticator 91 starts an authentication cycle. However, since supplicant 90 cannot perform the authentication process, the authentication fails. As a result, the link that supplicant 90 has to the network is disconnected, and supplicant 90 cannot be woken up by another terminal (not shown) by means of the Wake-on LAN function.
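The following is an added simulation, not part of the patent text, of the conventional authenticator's reauthentication timer described with reference to FIG. 2 through FIG. 4, showing how a supplicant that enters the aborted state loses its link at the next timer expiry and can then no longer receive a wake-on packet. The MAC address, the lifetime and suspend times, and the assumption that RADIUS server 92 would accept the credentials are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Supplicant:
    mac: str
    aborted: bool = False          # suspended / hibernated / shutdown

    def answer_eap_request(self) -> bool:
        # An aborted supplicant cannot run the EAP exchange (EAPOL-Start,
        # EAP-Response, Challenge/Message-Digest); only its LAN card stays up.
        return not self.aborted

@dataclass
class Authenticator:
    lifetime: int                               # authenticated period (s)
    table: dict = field(default_factory=dict)   # mac -> remaining timer (s)
    events: list = field(default_factory=list)  # (mac, outcome) log

    def authenticate(self, s: Supplicant) -> bool:
        # Constructed model: the RADIUS server would send Access-Accept for
        # valid credentials, so the result hinges on whether the supplicant
        # can take part in the exchange at all.
        if s.answer_eap_request():
            self.table[s.mac] = self.lifetime   # (re)register, reset timer
            self.events.append((s.mac, "EAP-Success"))
            return True
        self.table.pop(s.mac, None)             # failure: link is dropped
        self.events.append((s.mac, "EAP-Failure/disconnect"))
        return False

    def tick(self, seconds: int, supplicants: dict) -> None:
        # Advance every account's reauthentication timer; an expired timer
        # triggers the reauthentication cycle of FIG. 4.
        for mac in list(self.table):
            self.table[mac] -= seconds
            if self.table[mac] <= 0:
                self.authenticate(supplicants[mac])

    def deliver_wake_on_packet(self, mac: str) -> bool:
        # A wake-on packet reaches the LAN card only while the port is linked.
        return mac in self.table

def simulate(lifetime: int = 3600, suspend_at: int = 1000):
    s = Supplicant("00:11:22:33:44:55")        # constructed MAC address
    a = Authenticator(lifetime)
    sups = {s.mac: s}
    a.authenticate(s)                          # first authentication cycle
    a.tick(suspend_at, sups)                   # user suspends the terminal
    s.aborted = True
    wake_before = a.deliver_wake_on_packet(s.mac)   # still linked
    a.tick(lifetime, sups)                     # timer expires, reauth fails
    wake_after = a.deliver_wake_on_packet(s.mac)
    return wake_before, wake_after, a.events
```

Running simulate() returns (True, False, ...): the wake-on packet is deliverable while the timer still runs, and undeliverable once the failed reauthentication has unlinked the supplicant.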