WO2001027709A2 - Access control of a service - Google Patents


Publication number
WO2001027709A2
Authority
WO
WIPO (PCT)
Prior art keywords
server
user
service
terminal device
telecommunication network
Application number
PCT/FI2000/000875
Other languages
French (fr)
Other versions
WO2001027709A3 (en)
WO2001027709A8 (en)
Inventor
Ismo Heikkonen
Kimmo PITKÄNEN
Original Assignee
Sonera Oyj
Application filed by Sonera Oyj
Related family publications: AU7793000A, EP1248971A2, WO2001027709A2, WO2001027709A3, WO2001027709A8

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer

Abstract

The invention relates to a method and a system for the access control of a service (S2) in a telecommunication system comprising a telecommunication network, a first server (1) on which a service (S2) has been arranged and which has been connected to the telecommunication network, a terminal device (TE) by means of which the user has been connected to the telecommunication network, a directory (3) which has been connected to the telecommunication network and which comprises information about the user's rights in the telecommunication network, and a control component (5) which has been arranged on the first server (1); in which method a connection is established between the terminal device (TE) and the first server (1) and the user is identified by means of a certificate while the terminal device (TE) is establishing a connection with the first server (1). In the method, the certificate used in the authentication is transmitted to the control component (5), a directory inquiry about the user's rights to the service (S2) is generated in response to the aforementioned certificate, and the terminal device (TE) is connected to the service (S2) if the user's rights are sufficient.

Description

ACCESS CONTROL OF A SERVICE
FIELD OF THE INVENTION
The invention relates to telecommunication systems. In particular, the invention relates to a method and a system for the access control of a network service in a telecommunication system comprising a telecommunication network; a first server on which a service is arranged and which has been connected to the telecommunication network; a terminal device by means of which the user has been connected to the telecommunication network; a directory which has been connected to the telecommunication network and which comprises information about the user's rights in the telecommunication network; and a control component which has been arranged on the first server. In the method, a connection is established between the terminal device and the server, and the user is identified by means of a certificate while the terminal device is establishing a connection with the first server.
PRIOR ART
The virtual private network (VPN, Virtual Private Network) is becoming common in solutions in which a suitably implemented network, protected from outsiders, is used. In that case, e.g. the internet may be used for transmitting information, which enables the remote use of a protected intranet used by a company, i.e. the extranet. The term extranet is used to mean a data network between companies which uses the internet as a means of data transfer and which enables the intranets of the companies involved to be combined.
Access control is becoming a specific problem in extranet networks. The right of access to the network often has to be carefully restricted to a predetermined group. As for network services liable to a charge, it has to be made sure that the payment traffic is safe and that there is no malpractice or confusion in the final debiting. In networks containing confidential information, all the network users have to be able to depend on its safety mechanisms so that the information does not fall into the wrong hands.
Previously known is a solution in which two machines may be safely connected by using a virtual private network and protection as defined in the IPSec standard (IPSec, Internet Protocol Security). The IPSec standard defines protection procedures in IP based data transfer (IP, Internet Protocol). IPSec enables access control, the integrity of the information, authentication and reliability. All the services are available on the IP level, in which case the protection is available for IP and/or the protocols of an upper level. In order to ensure information security, the management of virtual private networks, hereinafter referred to as IPSec networks, has usually been centralized. In that case, distributed management between the operator and, e.g. a provider of an extranet network has been troublesome. In addition, informing the clients about the services available and their qualities has been difficult. At first, the user has had to establish a connection with the service, and only after gaining access to the desired service have the service menus been displayed to him or her. Neither has the control of access based on the volume or time of use of the extranet services been successful in the prior-art solutions.
The objective of the present invention is to eliminate or at least significantly to alleviate the drawbacks presented above. One specific objective of the invention is to disclose a new kind of method and system that make it possible to dependably implement the access control of networks. In addition, the invention enables a distributed control of access.
BRIEF DESCRIPTION OF THE INVENTION
In the invention, a new kind of control component is used in the access control of networks that makes it possible to combine the use of, e.g. the IPSec network and the directory. The invention relates to a method in a telecommunication system as described above in which the telecommunication network is preferably an IP based network. In the method, a connection is established between a terminal device and a telephone. The user is identified by means of a certificate, i.e. an electronic identity, while the terminal device is establishing a connection with the first server. In accordance with the invention, the certificate used in the verification is transmitted to the control component. In response to the aforementioned certificate, a directory inquiry is generated that finds out whether the user is authorized to use the service, and the terminal device is connected to the service if the user has access permission. The directory is preferably in accordance with the LDAP protocol (LDAP, Lightweight Directory Access Protocol), e.g. RFC 2251.
In one embodiment, the access control is distributed in such a way that at first a connection is established from the terminal device to the second server connected to the telecommunication network, on which the user selects the service to be used on the first server. The second server is preferably a WWW server (WWW, World Wide Web). The connection between the terminal device and the first or second server may be established as a VPN connection, in which case the user is authenticated in accordance with the IPSec standard.
In another embodiment, the information about the transactions of the control component is saved to a log file. Also the information at the disposal of the control component relating to the re-negotiating of the connection may be saved to the log file. In yet another application the log file is created at a predetermined moment, e.g. every time when starting the control component.
In addition, the invention relates to a system for the access control of a network service in a telecommunication system as described above. The system comprises means for transmitting the certificate used in authentication to the control component and means for generating the directory inquiry about the user's rights to the service in response to the aforementioned certificate. In addition, the system comprises means for connecting the terminal device to the service, if the user's rights are sufficient.
As compared with prior art, the present invention provides the advantage that it makes it possible to separate the access control of a device in a network and a service provided by the device. Since a directory is used in the management of access to a service, the management may also be distributed. In addition, via the aforementioned directory, the user may be given information as to how to connect to the other services available. Further, the invention enables the follow-up of the use of the services and more advanced measures of billing.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following section, the invention will be described by the aid of a few examples of its embodiments with reference to the attached drawings, in which:
Fig. 1 schematically represents one system in accordance with the invention;
Fig. 2 schematically represents one embodiment of the method in accordance with the invention;
Fig. 3 schematically represents one example of the directory system;
Fig. 4a - 4f illustrate, by way of example, the functions of the system in a situation where the user wishes to see the list of allowed services; and
Fig. 5a - 5d illustrate, by way of example, the functions of the system in a situation where the user selects a service.
DETAILED DESCRIPTION OF THE INVENTION
Fig. 1 illustrates one system in accordance with the invention. The terminal device TE has been connected to the first server 1 by means of a VPN connection, which uses the IPSec data security. The IPSec module has been arranged at both ends of a VPN connection between two points. Both the terminal device TE and the first server 1 have been connected to the telecommunication network, which implements an IP based data transfer. In addition, the telecommunication network comprises a second server 2, which is a WWW server. The second server 2 comprises a graphic user interface 4 by means of which the user of the terminal device TE is given visual feedback about the transactions and functions. The feedback is transmitted to the terminal device, e.g. in HTML form to be read with a specific browser. Further, the telecommunication network comprises a directory 3, which in the example is an LDAP directory. Connected to the first server 1 is also a log server 7, on the log file 6 of which information may be saved that relates to the measures caused by the user, e.g. for the needs of billing or follow-up. Since the telecommunication network implements, e.g. an IP based data transfer, the components may be located in places physically independent of one another.
On the first server 1, there is, e.g. a company extranet system arranged. Correspondingly, on the first server 1, there may be some commercial server or confidential function the access to which is wished to be protected from unauthorized users.
Fig. 2 is a flow chart illustrating one embodiment of the method of the invention. At a step 20, a connection is established from the terminal device TE to the first server 1. When establishing the connection, the user is identified as defined in the IPSec, step 21. In case the authentication is successful, block 22 is entered in which the certificate used in the authentication is transmitted to the control component 5.
In another embodiment, the terminal device TE establishes a connection first with the second server 2, e.g. based on the HTTP address. In that case, the user is displayed a list of allowed services. The effective IPSec authentication as described above may be used also in this case. The user is authenticated and the certificate is transmitted to the control component 5. At a step 23, it is checked whether the user is authorized to use the service, which in the exemplary case is S2. Based on the certificate in the possession of the control component, the user is identified unambiguously. By means of the identity, a directory inquiry is generated by the control component 5 that is addressed to the LDAP directory 3, which contains the profile of the user's rights stored on it. The control component 5 returns the piece of information to the VPN software on the control component, which either permits or denies the access to the desired service S2. If the user has no right to the service in question, the terminal device TE may be sent information thereof. In case the user has the right to the service S2, the terminal device TE is connected to the service S2, step 24.
In an embodiment of the invention, connected to the access control is a follow-up of use, e.g. for billing or compiling statistics. At a step 25, it is checked whether a notification of the transaction is to be entered in the log file 6. At a step 26, the control component transfers a notification of the transactions to the log file 6. The log file 6 may be a part of the first server 1, or it may belong to a separate log server 7.
Fig. 3 schematically represents one example of the directory to be used in conjunction with the invention. In the boxes, there are detailed specifications presented that correspond to the units appearing in the directory: CN=Org2, CN=S2 and CN=Org3.
Fig. 4a - 4f illustrate a functionality used by the system of the invention in a situation where the user wishes to see a list of allowed services. The user selects on his or her terminal device TE a network address, which is an identifier individualizing an internet file or directory as well as the communication protocol needed when using these, e.g. http://www.sonera.fi/loota. The user is authenticated and the certificate information is transmitted to the control component 5, which checks whether the user is permitted access to the service. If the terminal device TE is allowed to use the WWW server 2, then the WWW server 2 performs an LDAP search as described in Fig. 4a. In that case, WS1 is the individual name of the terminal device TE. In the exemplary system, the search gives the response "Response: C=FI, O=Org1, CN=WS1". By using the found network identifier, it is possible to use LDAP search operations as described in Fig. 4b in order to find allowed services. In case there are several parallel levels found in the network address, an LDAP search may be performed for each level in order to find the common services for the subdirectory of the whole network address. The features of the attribute userServicesList may be traced down based on the feedback of the searches. The possible double values of userServicesList may be eliminated after this.
Based on the content of the attribute userServicesList, three LDAP searches are started in order to find out the detailed descriptions of the services allowed for the terminal device WS1. The aforementioned searches have been presented in figures 4c - 4e. It must be noticed that it is also possible to select a wider list of service attributes. The values of the attributes selected are picked from the service feedback. Fig. 4f illustrates the feedback generated by the graphic user interface 4 of the WWW server 2, which comprises the network address and the service attributes.
Figures 5a - 5f illustrate by way of example functions in accordance with the present invention in a situation where the user wishes to use the service S2. The user selects the service on the WWW server 2 at the network address http://www.org2.fi/S2. The user is authenticated and the certificate is transmitted from the terminal device of the user TE to the control component 5, which for its part identifies the terminal device based on the WS1 certificate. After this, the terminal device performs the connection operations to the directory 3 by simple authorization. The control component 5 also performs the LDAP search operations as described in figures 5a-5b in order to find out the services allowed for the terminal device WS1. Based on the search feedback it is possible to generate an attribute userServicesList. The value of the attribute userServicesList C=FI, O=Org3, CN=S3 is not generated because the access control will not allow it. By using the content of the attribute userServicesList, LDAP comparison operations are started that are used to check whether the service to be obtained through the control component 5 is allowed for the aforementioned terminal device WS1. The first comparison operation has been presented in Fig. 5c. If the search returns the value compareTrue, then there is no need for another LDAP operation. In that case, the control component returns a positive response, after which the terminal device TE is connected to the service http://www.org2.fi/S2. If the search returns the value compareFalse, then an LDAP operation as described in Fig. 5d is performed, in which case it is checked whether there are enough rights for the service S2.
The loop as described above is repeated until as a result the value compareTrue is received or until all the values sAllowedService have been checked. The control component 5 returns a negative response, if the value compareTrue is not received and all the values sAllowedServices have been checked.
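The search-then-compare procedure of figures 5a-5f, as an added example that is not code from the patent or from Sonera: the directory is an in-memory model, the attribute names userServicesList and sAllowedService and the results compareTrue and compareFalse follow the text, while the service address attribute serviceURL, the readableBy attribute standing in for the directory's own access control, the certificate modelled as a dict and the log list are assumptions made for the example. Binding as the terminal device hides the S3 entry from the search, so it never reaches userServicesList, which mirrors the case the description gives.

```python
"""Offline simulation of the control component's LDAP search-then-compare
loop. Added example, not code from the patent; the directory content
below is constructed for illustration."""

COMPARE_TRUE = "compareTrue"
COMPARE_FALSE = "compareFalse"

# Constructed directory: DN -> attributes. 'readableBy' is a hypothetical
# stand-in for the directory's access control: a simple bind as a terminal
# device only sees entries that list that device.
DIRECTORY = {
    "CN=S1,O=Org1,C=FI": {
        "sAllowedService": ["CN=WS1,O=Org1,C=FI"],
        "serviceURL": ["http://www.org1.fi/S1"],
        "readableBy": ["CN=WS1,O=Org1,C=FI"],
    },
    "CN=S2,O=Org2,C=FI": {
        "sAllowedService": ["CN=WS1,O=Org1,C=FI", "CN=WS2,O=Org1,C=FI"],
        "serviceURL": ["http://www.org2.fi/S2"],
        "readableBy": ["CN=WS1,O=Org1,C=FI", "CN=WS2,O=Org1,C=FI"],
    },
    # S3 names WS1 as allowed, but the directory ACL hides the entry from
    # WS1, so the search of figures 5a-5b never returns it.
    "CN=S3,O=Org3,C=FI": {
        "sAllowedService": ["CN=WS1,O=Org1,C=FI"],
        "serviceURL": ["http://www.org3.fi/S3"],
        "readableBy": [],
    },
}

LOG = []  # stands in for the log file 6 of the claims


class Directory:
    """Minimal LDAP-like search and compare over DIRECTORY, bound as one identity."""

    def __init__(self, entries, bound_as):
        self.entries = entries
        self.bound_as = bound_as  # identity of the simple bind

    def _visible(self, dn):
        return self.bound_as in self.entries[dn].get("readableBy", [])

    def search(self, attr, value):
        """Return DNs of visible entries whose attr contains value."""
        return [dn for dn, entry in self.entries.items()
                if self._visible(dn) and value in entry.get(attr, [])]

    def compare(self, dn, attr, value):
        """LDAP compare: compareTrue only if the visible entry holds attr=value."""
        if not self._visible(dn):
            return COMPARE_FALSE
        held = value in self.entries[dn].get(attr, [])
        return COMPARE_TRUE if held else COMPARE_FALSE


def terminal_from_certificate(cert):
    """Identify the terminal device by the certificate subject DN.
    The certificate is a dict here; real code verifies the chain first."""
    return cert["subject"]


def user_services_list(cert, entries=DIRECTORY):
    """Figures 5a-5b: search the services allowed for the terminal and
    build userServicesList from the ACL-filtered feedback."""
    terminal_dn = terminal_from_certificate(cert)
    directory = Directory(entries, bound_as=terminal_dn)
    services = directory.search("sAllowedService", terminal_dn)
    LOG.append(f"{terminal_dn} userServicesList={services}")
    return services


def control_component(cert, requested_url, entries=DIRECTORY):
    """Return True if the terminal may be connected to requested_url."""
    terminal_dn = terminal_from_certificate(cert)
    directory = Directory(entries, bound_as=terminal_dn)
    # Figures 5c-5d: compare each candidate until compareTrue or the list
    # is exhausted, in which case the response is negative.
    for service_dn in user_services_list(cert, entries):
        result = directory.compare(service_dn, "serviceURL", requested_url)
        LOG.append(f"compare {service_dn} serviceURL={requested_url} -> {result}")
        if result == COMPARE_TRUE:
            return True
    return False


if __name__ == "__main__":
    ws1 = {"subject": "CN=WS1,O=Org1,C=FI"}
    print(control_component(ws1, "http://www.org2.fi/S2"))  # True
    print(control_component(ws1, "http://www.org3.fi/S3"))  # False
    print("\n".join(LOG))
```

The negative case for S3 shows why the directory's own access control matters here: the control component never has to reason about S3, because the entry is filtered out before userServicesList is built, and the loop ends with a negative response after the visible candidates are exhausted.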
The control component 5 gets an identifier of its own SEId from the management information base (MIB, Management Information Base) in conjunction with the startup. In case some of the services connected to the control component 5 are allowed for the terminal device TE, also other services connected to the control component 5 are allowed. The invention is not restricted to the examples of its embodiments presented above, instead many variations are possible within the scope of the inventive idea defined by the claims.

Claims

1. A method for the access control of a network service (S2) in a telecommunication system comprising: a telecommunication network; a first server (1) on which there is a service (S2) arranged and which has been connected to the telecommunication network; a terminal device (TE) by means of which the user has been connected to the telecommunication network; a directory (3) which has been connected to the telecommunication network and which comprises information of the user's rights in the telecommunication system; and a control component (5) which has been arranged on the first server (1); in which method: a connection is established between the terminal device (TE) and the first server (1); and the user is identified by means of a certificate while the terminal device is establishing a connection with the first server (1); characterised in that the method comprises the steps of: transmitting the certificate used in the authentication to the control component (5); generating a directory inquiry about the user's rights to the service (S2) in response to the aforementioned certificate; and connecting the terminal device (TE) to the service (S2), if the user's rights are sufficient.
2. A method as defined in claim 1, characterised in that the access control is distributed in such a way that a connection is established on the terminal device (TE) first with the second server (2) connected to the telecommunication network, on which the user selects the service (S2) to be used on the first server (1).
3. A method as defined in claim 1 or 2, characterised in that a connection is established between the terminal device (TE) and the server (1, 2) as a VPN connection, in which case the user is authenticated in accordance with the IPSec standard.
4. A method as defined in claim 1, 2, or 3, characterised in that information of the transactions of the control component (5) is saved to the log file (6), which is connected to the telecommunication network.
5. A method as defined in claim 1, 2, 3, or 4, characterised in that information of the control component (5) relating to the re-negotiation of the connection is saved to the log file (6).
6. A method as defined in claim 1, 2, 3, 4, or 5, characterised in that the log file (6) is created at a predetermined moment.
7. A method as defined in claim 1, 2, 3, 4, 5, or 6, characterised in that the second server (2) is a WWW server.
8. A method as defined in claim 1, 2, 3, 4, 5, 6, or 7, characterised in that the telecommunication network is an IP based network.
9. A method as defined in claim 1, 2, 3, 4, 5, 6, 7, or 8, characterised in that the directory (3) is in accordance with the LDAP protocol.
10. A system for the access control of a network service in a telecommunication system comprising: a telecommunication network; a first server (1) on which there is the service (S2) arranged and which has been connected to the telecommunication network; a terminal device (TE) by means of which the user is connected to the telecommunication network; a directory (3) which has been connected to the telecommunication network and which contains information about the user's rights in the telecommunication network; and a control component (5) which has been arranged on the first server (1), in which case: it is possible to establish a connection between the first server (1) and the terminal device (TE); and to verify the identity of the user with a certificate while the terminal device (TE) is establishing a connection with the first server (1); characterised in that the system comprises: means for transmitting the certificate used in the authentication to the control component (5); means for generating the directory inquiry about the user's rights to the service in response to the aforementioned certificate; and means for connecting the terminal device to the service, if the user's rights are sufficient.
11. A system as defined in claim 10, characterised in that connected to the telecommunication network is a second server (2) with which the connection is first established and on which the service (S2) of the first server (1) may be selected.
12. A system as defined in claim 10 or 11, characterised in that the terminal device (TE) and the server (1, 2) have been connected with a VPN connection enabling the authentication of the user in accordance with the IPSec standard.
13. A system as defined in claim 10, 11, or 12, characterised in that the system comprises means for saving the information about the transactions of the control component (5) to the log file (6), which has been connected to the telecommunication network.
14. A system as defined in claim 10, 11, 12, or 13, characterised in that the system comprises means for saving the re-negotiation of the data-communication link of the control component (5) to the log file (6).
15. A system as defined in claim 10, 11, 12, 13, or 14, characterised in that the system comprises means for saving the log file (6) at a predetermined moment.
16. A system as defined in claim 10, 11, 12, 13, 14, or 15, characterised in that the second server (2) is a WWW server.
17. A system as defined in claim 10, 11, 12, 13, 14, 15, or 16, characterised in that the telecommunication network is an IP based network.
18. A system as defined in claim 10, 11, 12, 13, 14, 15, 16, or 17, characterised in that the directory (3) is in accordance with the LDAP protocol.
PCT/FI2000/000875 1999-10-12 2000-10-11 Access control of a service WO2001027709A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU77930/00A AU7793000A (en) 1999-10-12 2000-10-11 Access control of a service
EP00967941A EP1248971A2 (en) 1999-10-12 2000-10-11 Access control of a service

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI19992196 1999-10-12
FI992196A FI108184B (en) 1999-10-12 1999-10-12 Service access control

Publications (3)

Publication Number Publication Date
WO2001027709A2 true WO2001027709A2 (en) 2001-04-19
WO2001027709A3 WO2001027709A3 (en) 2002-08-01
WO2001027709A8 WO2001027709A8 (en) 2004-04-22

Family

ID=8555436

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2000/000875 WO2001027709A2 (en) 1999-10-12 2000-10-11 Access control of a service

Country Status (4)

Country Link
EP (1) EP1248971A2 (en)
AU (1) AU7793000A (en)
FI (1) FI108184B (en)
WO (1) WO2001027709A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002086715A2 (en) * 2001-04-18 2002-10-31 Emc Corporation Integrated procedure for partitioning network data services among multiple subscribers
NL1018494C2 (en) * 2001-07-09 2003-01-10 Koninkl Kpn Nv Method and system for delivering a service to a client through a service process.
GB2400268A (en) * 2001-04-18 2004-10-06 Emc Corp Partitioning network data services amongst multiple subscribers
WO2007109999A1 (en) * 2006-03-29 2007-10-04 Huawei Technologies Co., Ltd Method, system, subscriber equipment and multi-media server for digital copyright protection

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0813327A2 (en) * 1996-06-14 1997-12-17 Canon Kabushiki Kaisha Access control system and method
EP0862105A2 (en) * 1997-02-28 1998-09-02 Xcert Software, Inc. Method of and apparatus for providing secure distributed directory services and public key infrastructure
WO1998058473A2 (en) * 1997-06-18 1998-12-23 Alfred Nickles Network security and integration method and system

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002086715A2 (en) * 2001-04-18 2002-10-31 Emc Corporation Integrated procedure for partitioning network data services among multiple subscribers
WO2002086715A3 (en) * 2001-04-18 2003-03-20 Cereva Networks Inc Integrated procedure for partitioning network data services among multiple subscribers
GB2386291A (en) * 2001-04-18 2003-09-10 Emc Corp Integrated procedure for partitioning network data services among multiple subscribers
GB2400268A (en) * 2001-04-18 2004-10-06 Emc Corp Partitioning network data services amongst multiple subscribers
GB2386291B (en) * 2001-04-18 2004-11-17 Emc Corp Integrated procedure for partitioning network data services among multiple subscribers
GB2400268B (en) * 2001-04-18 2005-03-23 Emc Corp Integrated procedure for partitioning network data services among multiple subscribers
US7277953B2 (en) 2001-04-18 2007-10-02 Emc Corporation Integrated procedure for partitioning network data services among multiple subscribers
NL1018494C2 (en) * 2001-07-09 2003-01-10 Koninkl Kpn Nv Method and system for delivering a service to a client through a service process.
WO2003007571A1 (en) * 2001-07-09 2003-01-23 Koninklijke Kpn N.V. Method and system for a service process to provide a service to a client
US7565554B2 (en) 2001-07-09 2009-07-21 Nederlandse Organisatie Voor Toegepast-Natuurwetenschappelijk Onderzoek Tno Method and system for a service process to provide a service to a client
WO2007109999A1 (en) * 2006-03-29 2007-10-04 Huawei Technologies Co., Ltd Method, system, subscriber equipment and multi-media server for digital copyright protection
US8510824B2 (en) 2006-03-29 2013-08-13 Huawei Technologies Co., Ltd. Method, system, subscriber equipment and multi-media server for digital copyright protection

Also Published As

Publication number Publication date
FI19992196A (en) 2001-04-13
WO2001027709A3 (en) 2002-08-01
AU7793000A (en) 2001-04-23
EP1248971A2 (en) 2002-10-16
WO2001027709A8 (en) 2004-04-22
FI108184B (en) 2001-11-30

Similar Documents

Publication Publication Date Title
US5960177A (en) System for performing remote operation between firewall-equipped networks or devices
US6662228B1 (en) Internet server authentication client
CA2514004C (en) System and method for controlling network access
US7856016B2 (en) Access control method, access control system, and packet communication apparatus
US20020042883A1 (en) Method and system for controlling access by clients to servers over an internet protocol network
WO2001011450A1 (en) Single sign-on framework with trust-level mapping to authentication requirements
EP1075748B1 (en) Method, arrangement and apparatus for authentication
KR20060044494A (en) Network management system and network management server of co-operating with authentication server
JPH11187016A (en) Network authenticating system
WO2001027709A2 (en) Access control of a service
EP1530343B1 (en) Method and system for creating authentication stacks in communication networks
JPH1028144A (en) System for constituting network with access control function
KR20070009490A (en) System and method for authenticating a user based on the internet protocol address
JPH11203248A (en) Authentication device and recording medium for storing program for operating the device
Cisco Configuring Authentication
Cisco Network Access Security Commands
Cisco Strategies Applying Attributes
Cisco Configuring Network Security
JP2002084326A (en) Device to be serviced, central unit and servicing device
Cisco Strategies for Applying Attributes

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2000967941

Country of ref document: EP

AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

WWP Wipo information: published in national office

Ref document number: 2000967941

Country of ref document: EP

CFP Corrected version of a pamphlet front page
CR1 Correction of entry in section i

Free format text: IN PCT GAZETTE 16/2001 DUE TO A TECHNICAL PROBLEMAT THE TIME OF INTERNATIONAL PUBLICATION, SOME INFORMATION WAS MISSING UNDER (81). THE MISSING INFORMATION NOW APPEARS IN THE CORRECTED VERSION

NENP Non-entry into the national phase in:

Ref country code: JP

WWR Wipo information: refused in national office

Ref document number: 2000967941

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2000967941

Country of ref document: EP