JP5380786B2 - Network system - Google Patents

Description

In recent years, as a means for reducing office costs, a free address office that shares a seat among a plurality of users without using a fixed seat has been introduced. With the introduction of a free address office, office space can be significantly reduced, especially in departments with many business travelers, and office costs can be reduced. In addition, it is expected that wasteful documents can be organized by eliminating fixed seats.
However, if a fixed seat is not provided, the seat position of the user will not be specified, so where the presence of the user is required, or when a face-to-face conversation is required, where is the intended user sitting? There is a problem that it is necessary to specify whether or not. Therefore, a system for specifying and displaying the seat position of the user has been proposed.
For example, a technique described in Patent Document 1 has been proposed as a presence position identification technique.

JP 2002-259648 A

  As a user position specifying method, there is a method in which a database in which a MAC address of a device used by a user and a user ID are associated in advance is maintained, and the seat position of the user is specified using the database.

  However, when specifying the device and user to use with the MAC address, the user with the computer must be connected even if the user who actually uses the computer with the MAC address is a different user. Therefore, there is a first problem that the accuracy of the seat position of the user is lost.

  In addition, when specifying the seat position of the user using a device or the like that can be operated by another person, there is a second problem that the reliability of the specified position is lowered.

  In Patent Document 1, an IP address that is fixedly assigned to each user is used. However, the legitimacy of the user cannot be guaranteed.

  Further, in Patent Document 1, a DHCP server is used when specifying the seat position of the user, but this requires cooperation with the DHCP server and increases the complexity of the system.

  Further, Patent Document 1 does not clearly disclose a method for acquiring a port number of a switch to which a client terminal is connected.

In order to solve the above problem, in the seat position specifying system of the present invention,
As means for solving the first problem, when a user is authenticated using a personal certificate when using a computer, a user identifier stored in the computer is used to uniquely identify the user who uses the computer. Identify.

  As a means to solve the second problem, when the presence management server specifies the presence position using the IP address of the computer used by the user, the L3 switch managed by the network administrator Obtain the MAC address of the network interface to which the IP address has been assigned, and use the obtained MAC address to obtain the port number connected to the computer used by the user from the L2 switch managed by the network administrator. Then, the seat position of the user is specified.

According to the present invention, a user using a computer can be uniquely specified by using a user identifier that is securely authenticated by a personal certificate.
Further, by specifying the seat position of the user only with information that can be acquired from the network device managed by the network manager, the reliability of the specified seat position can be increased.

  Embodiments of the present invention will be described below with reference to the drawings.

  In this embodiment, a method in which the user starts using the thin client by user authentication using a personal certificate and the presence management server specifies the seat position of the user will be described.

  FIG. 1 shows an embodiment of a seat position specifying system according to the present invention. The presence management server 10 is a server that manages the presence position information of the user currently connected to the network. Reference numeral 11 denotes an IP segment database that stores a range of IP addresses assigned to each area. The area is a range that is divided into about the number of floors of each office base, and the range of IP addresses distributed to each area is different.

  FIG. 2 shows a configuration example of the IP segment database 11. The IP segment database 11 is composed of a set of IP segment database entries 101. The IP segment database entry 101 further includes a plurality of fields for storing actual data. The area ID 102 is a field for storing an identifier uniquely assigned in the presence management system for each area. The IP address (start) 103 is a field for storing the start address in the range of IP addresses assigned to the area. The IP address (end) 104 is a field for storing the last address in the range of IP addresses assigned to the area.

  The switch database 12 is a database that stores the IP addresses of switches arranged in each area divided by a certain range in the office.

  Reference numeral 13 denotes a switch position / database that stores a physical address indicating where each port number of the L2 switch arranged in the system exists in each area. As the stored physical address, there is a desk number to which a cable connected to each port of the switch is wired. Further, in each area, the area may be divided into specific ranges, and the numbers assigned to the respective ranges may be used, or the coordinates of the destination of the cable connected to the port of each switch in the area may be used.

  A user information / database 14 stores information such as the current user's seating position and information on the thin client used by the user.

  The L3 switch 20 is a switch arranged in each network area or in a network position where a plurality of areas are bundled. In order to transfer data to a thin client connected to a subordinate network, the IP address of each thin client It has an address conversion table for resolving the MAC address assigned to the network interface to which the address is assigned, and acquires the information of the address conversion table from the address conversion table using SNMP (Simple Network Management Protocol). Is a switch that is possible.

  The L2 switch 21 is a switch arranged in each area, and in order to transfer data to the thin client connected to the switch, the MAC address assigned to the network interface of the thin client and the MAC address It has a table that stores the correspondence with the number of the switch to which the network interface has. The switch can acquire the port number to be connected using SNMP from the MAC address of the thin client.

  The thin client 30 is a client system that relies on a network that does not incorporate a hard disk. In the thin client 30, in order to use an application, the thin client 30 is realized by connecting to a blade PC 31 existing via a network and displaying a screen of an application executed on the blade PC 31 on the thin client 30.

  When connecting the thin client 30 and the blade PC 31, the validity of the connected user is confirmed using the personal certificate 40 possessed by each user. Furthermore, by authenticating with the personal certificate 40, it is guaranteed that the user himself / herself is connected. In addition, when the thin client 30 connects to the blade PC 31, the user identifier assigned to each user stored in the personal certificate is transmitted from the thin client 30 to the blade PC 31, and the user identifier is assigned to the blade PC 31. Stored. Here, as an example of the user identifier, there is an LDAP number assigned to each person.

  The blade PC 31 is installed with a program for transmitting the user connection status to the presence management server. FIG. 3 is a flowchart showing an example of processing of the program installed in the blade PC 31.

  The program periodically monitors the state of the thin client (1000). Here, the state of the thin client refers to a state in which the thin client is connected to the blade PC 31 for communication (during connection), a screen of the thin client is locked, or a screen saver is activated (leaves away). Middle), a state where there is no communication session between the thin client 30 and the blade PC 31 (disconnecting), and the like.

  The blade PC 31 stores the state of the immediately preceding thin client, and determines whether the state immediately before and the state of the acquired thin client are different (1001).

  If the state of the thin client is different from the previous state, the user identifier stored in the blade PC is acquired (1003), and if the state of the thin client is connected or away, the IP address of the thin client is acquired. Is acquired (1004). Then, the acquired user identifier, the IP address of the thin client, and other user information are transmitted to the presence management server (1005). Here, as the other user information, the version number of the program installed on the blade PC 31 or the MAC address assigned to the network interface of the thin client itself is authenticated on the blade PC side at the time of authentication with the personal certificate. In the case where the MAC address is stored on the blade PC side having a function capable of transmitting, there is a MAC address. Further, the acquired state of the thin client and the time when the state has changed are stored as the immediately preceding state.

  If the state of the thin client is the same as the previous state, the difference between the current time and the time when the state changed before is calculated. If the time difference is greater than a predetermined time, information is transmitted to the presence management server to the thin client as in the case where the state of the thin client is different from the previous state.

  Next, the flowchart which shows the Example of a process of the presence management server 10 in FIG. 4 is shown. The presence management server 10 monitors user information from the blade PC (2000). The presence / absence of user information from the blade PC is determined (2001), and if the user information from the blade PC does not exist, the process returns to monitoring the user information from the blade PC (2000).

  If the user information transmitted from the blade PC exists, the user status is extracted from the user information transmitted from the blade PC (2002). The state of the user is determined (2003).

  When the state of the thin client is disconnected, the presence management server 10 updates the state of the user identified by the user identifier included in the user information transmitted from the blade PC during disconnection (2010). Returning to the monitoring (2000) of the user information transmitted from the blade PC.

  When the state of the thin client is present or away, the IP address is extracted from the user information received from the blade PC, and the IP address including the IP address is included from the IP segment DB using the extracted IP address. A segment is searched and an area ID for identifying the segment is acquired (2004). Next, using the acquired area ID, the IP addresses of the L3 switch and L2 switch arranged in the area are acquired (2005).

  Then, in order to obtain the MAC address assigned to the network interface to which the IP address is assigned from the IP address of the thin client, by using the IP address as a key, the L3 switch is inquired by SNMP and a response is received. A corresponding MAC address is acquired (2006). Here, when the user information transmitted from the blade PC includes the MAC address of the thin client, it is not necessary to acquire the MAC address from the L3 switch.

  From the acquired MAC address, the L2 switch in the area is inquired about the port number to which the interface having the MAC address is connected by SNMP, and the port number to be connected is obtained (2007).

  Next, using the acquired port number and the IP address of the switch as a key, an identifier indicating the position assigned to the port is acquired from the switch position / database (2008).

  For the entry identified by the identifier of the user using the thin client in the user information / database, the IP address and MAC address of the thin client, the IP address and port of the switch to which the thin client is connected The number, the identifier obtained from the switch position / database and indicating the position to which the user connects, the state of the thin client, etc. are registered (2009).

  Next, referring to FIG. 5, the operation of the presence management system when the thin client 30-1 shown in FIG. 1 is connected will be described. Here, it is assumed that 10.0.1.1 is assigned as the IP address to the thin client 30-1. It is assumed that the segment information shown in FIG. 2 is registered in the IP segment database.

  First, when a user starts up a thin client, user authentication is performed on the blade PC assigned to the thin client using a personal certificate (S201). If the authenticity of the user using the thin client is confirmed as a result of the authentication, the connection of the thin client to the blade PC is permitted, and an application executed on the blade PC can be used thereafter (S202). ). Here, on the blade PC side, after user authentication using the thin client, a user identifier for identifying the user is stored in the blade PC.

  The blade PC that monitors the state of the thin client detects the connection of the thin client, and the IP address assigned to the thin client that can be acquired from the user identifier stored in the blade PC and the communication information of the thin client (in this embodiment, 10.0.1.1), the state of the thin client (connected) is transmitted to the presence management server side (S203).

  The presence management server that has received the user information from the blade PC obtains the area ID 2 of the segment to which the IP address (10.0.1.1) of the thin client belongs from the IP segment database (S204, S205).

  Next, using the acquired area ID 2 as a key, the IP addresses of the L3 switch and L2 switch arranged in the area are acquired from the switch database (S206, S207).

  For the L3 switch, the MAC address corresponding to the IP address is acquired by SNMP using the IP address 10.0.1.1 of the thin client as a key. Specifically, from the IP address stored in the L3 switch, identified by the IP-MIB ipNetToMediaPhysAddress (1.3.3.6.1.2.1.4.2.2.1.2), to the physical address. This is realized by obtaining the information in the mapping table (S209, S210).

  Then, using the acquired MAC address as a key, the port number of the switch to which the MAC address is connected is acquired by SNMP. Specifically, it is acquired from MIB information identified by dot1dTpFdbPort (1.3.3.6.1.2.1.17.4.3.1.2) of BRIDGE-MIB (S210, S211).

  Next, using the acquired port number and the IP address of the switch as a key, an identifier indicating the position assigned to the port is acquired from the switch position / database (S212, S213).

  For the entry identified by the identifier of the user using the thin client in the user information / database, the IP address and MAC address of the thin client, the IP address and port of the switch to which the thin client is connected Register the number, the switch position / identifier indicating the position where the user connects from the database, the state of the thin client, and the time when the user information was registered (S214, S215).

  In the modification of this embodiment, when acquiring the MAC address from the IP address, the PC is arranged in each area, not from the L3 switch, and the PC is arranged in the IP segment to which the thin client is connected. There is a method of obtaining a MAC address corresponding to the IP address by referring to the ARP table after pinging the IP address of the thin client.

  As described above, according to the first embodiment, by using the user identifier securely authenticated by the personal certificate, the user who uses the computer is uniquely identified, and the network device managed by the network administrator is used. By specifying the seat position of the user using only the information that can be acquired, the reliability of the specified seat position can be increased.

  By accurately grasping the position where the user is present, it becomes possible to appropriately select a means of communication with the user with whom the user wants to communicate, thereby improving the productivity of work.

It is a figure which shows the structural example of a seat position specific system. It is a figure which shows the structural example of the IP segment database in a presence management system. It is a figure which shows the flowchart of a process of blade PC in an attendance management system. It is a figure which shows the flowchart of a process of the presence management server in a presence management system. In a presence management system, it is a figure which shows the sequence of a process after a user connects a thin client until it specifies the seat position of the said user.

Explanation of symbols

10 presence management server 11 IP segment database 12 switch database 13 switch position database 14 user information database 20 L3 switch 21 L2 switch 30 thin client 31 blade PC
40 Personal certificate.

Claims (4)

A client device used by the user;
An L2 switch and an L3 switch connected to the client device and the network;
A computer to which the client device connects via the network;
A network system comprising an attendance management computer connected to the network,
The client device performs an authentication procedure with the computer using a personal certificate owned by the user, and transmits the user identification information of the user to the computer upon completion of the user authentication procedure.
The calculator is
Obtaining the user identification information and the IP address of the client device, sending the IP address of the client device and the user identification information to the presence management computer,
The presence management computer is
IP segment information indicating correspondence between the information of the L3 and L2 switches and the IP address of the client device connected to the L3 and L2 switches;
Switch position information indicating correspondence between the IP address and port number of the L2 switch and the position of the device connected to the port of the L2 switch;
Receiving the user identification information and the IP address of the client device, obtaining the IP address of the L3 and L2 switches to which the client device is connected based on the IP segment information using the IP address of the client device; The hardware identifier of the interface to which the IP address of the client device is assigned is acquired from the L3 switch, the port number of the L2 switch to which the interface is connected is acquired from the hardware identifier, and the acquired IP of the L2 switch A network system characterized in that location information of the client device is acquired from the switch location information using an address and the acquired port number, and the identification information of the user and the location information of the client device are associated with each other. The network system according to claim 1, wherein
The computer system stores the identifier of the user authenticated by the personal certificate in a storage device. The network system according to claim 1, wherein
When the status of the client device or the user changes, the computer transmits the user identifier held by the device, the IP address of the client device, and the status of the client device to the presence management computer. A network system characterized by this. The network system according to claim 1, wherein
The presence management computer acquires an IP address and a MAC address of the client device from the network connection device, and acquires a port number of the network connection device to which the client device is connected from the MAC address. Network system.

Images