ONBOARDING A DEVICE IN A MULTI-TENANT VIRTUAL NETWORK OF AN INDUSTRIAL NETWORK

20230146465 · 2023-05-11

    Abstract

    A method for onboarding a device in a multi-tenant virtual network of an industrial network is provided. The method includes: receiving an onboarding request of the device relating to an access to the multi-tenant virtual network of the industrial network; identifying and checking the device using an authentication module of the industrial network; transmitting a configuration file to the device in the event of a positive result of the check; configuring the device according to the configuration file received by the device; checking the access authorization of the configured device at an access point of the industrial network; and, in the event of a positive result of the check, granting the device access to the multi-tenant virtual network. An industrial network configured to carry out the aforementioned method is also provided.

    Claims

    1. A method for onboarding a device in a multi-tenant virtual network of an industrial network, comprising: receiving an onboarding request from the device regarding access to the multi-tenant virtual network of the industrial network, wherein the onboarding request is received in an access network of the industrial network assigned to an onboarding network of the industrial network; identifying and verifying the device using an authentication module of the industrial network; sending a configuration file to the device when the verification result is positive, wherein the configuration file comprises data regarding an access authorization of the device to the multi-tenant virtual network; configuring the device according to the configuration file; verifying the access authorization of the device in an access point of the industrial network; and granting the device access to the multi-tenant virtual network when the verification result is positive.

    2. The method of claim 1, further comprising: deploying the onboarding network, wherein the deploying comprises: generating the onboarding network and the authentication module; connecting the onboarding network to the authentication module; extending the onboarding network to the access point of the industrial network; generating the access network; connecting the access network to the onboarding network.

    3. The method of claim 1, wherein the access network is only made available to receive onboarding requests for a limited period of time.

    4. An industrial network comprising: a multi-tenant virtual network; an onboarding network; an access network assigned to the onboarding network, wherein the access network is configured to receive an onboarding request from a device regarding access to the multi-tenant virtual network; an authentication module configured to identify and verify the device; and an access point to which the onboarding network extends and which is configured to verify an access authorization of the device and grant the device access to the multi-tenant virtual network when a verification result is positive, wherein a configuration file comprises data regarding the access authorization of the device to the multi-tenant virtual network, and wherein the device is configured according to the configuration file.

    5. The industrial network of claim 4, wherein the industrial network comprises at least one additional multi-tenant virtual network.

    6. The industrial network of claim 5, wherein the onboarding network is configured to act as a common onboarding network for onboarding devices to the multi-tenant virtual network and to the additional multi-tenant virtual network.

    7. The industrial network of claim 5, wherein the industrial network comprises at least one additional onboarding network, wherein the onboarding network is configured to onboard devices to the multi-tenant virtual network, and wherein the additional onboarding network is configured to onboard devices to the additional multi-tenant virtual network.

    8. The industrial network of claim 7, wherein the industrial network comprises at least one additional authentication module configured to identify and verify a device that has made an onboarding request regarding access to the additional multi-tenant virtual network.

    9. The industrial network of claim 8, wherein one unit in the industrial network houses the onboarding network, the at least one additional onboarding network, the authentication module, and the at least one additional authentication module.

    10. The industrial network of claim 8, wherein the onboarding network and the at least one additional onboarding network and/or the authentication module and the at least one additional authentication module are housed in a plurality of units of the industrial network.

    11. The industrial network of claim 4, wherein the industrial network comprises at least one additional access point, and wherein the onboarding network extends to the access point and the at least one additional access point.

    12. The industrial network of claim 11, wherein the access point and the at least one additional access point are spatially separated by several meters.

    13. The industrial network of claim 11, wherein the access point and the at least one additional access point are configured for different access technologies.

    14. The method of claim 1, wherein a communication interface of the device is configured according to the configuration file.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0034] The disclosure is illustrated in the following using the attached figures. These are purely schematic and show various embodiments by way of example and without limitation of the claimed scope of protection.

    [0035] FIG. 1 depicts a first embodiment of the industrial network.

    [0036] FIG. 2 depicts a second embodiment of the industrial network.

    [0037] FIG. 3 depicts a third embodiment of the industrial network.

    [0038] FIG. 4 depicts a fourth embodiment of the industrial network.

    [0039] FIG. 5 depicts a fifth embodiment of the industrial network.

    DETAILED DESCRIPTION

    [0040] Identical or similar elements are marked with the same reference signs in different figures. To avoid repetition, elements with the same reference signs are not named and explained separately for each figure. For these, reference may be made to the preceding figures.

    [0041] FIG. 1 shows an industrial network 10 with a first industrial network node 11. For example, the industrial network 10 is a communication network in a production hall; the first industrial network node 11 is an industrial PC in the mentioned communication network, for example. The industrial network 10 also includes a plurality of other industrial network nodes, which for the sake of clarity are not shown in FIG. 1.

    [0042] The first industrial network node 11 includes an interface 111 that represents an actual, e.g., physical, interface to the rest of the industrial network 10. By the interface 111, the first industrial network node 11 is connected in particular to an access point 60. The access point 60, in turn, acts as an interface or “anchor point” for devices 90 that are seeking access to the industrial network 10 or parts thereof.

    [0043] The industrial network 10 includes a multi-tenant virtual network 20 and an additional multi-tenant virtual network 21. Applications 201 and 211, abbreviated to “apps”, run on both multi-tenant virtual networks 20, 21. The multi-tenant virtual network 20 extends up to the access point 60. A device 90 that has made an onboarding request, has received a configuration file with data relating to the authorization of the device 90 to access the multi-tenant virtual network 20, and is configured according to the configuration file received may then contact the access point 60 where, in particular, it may contact the multi-tenant virtual network 20 that extends up to that point. At the access point 60 the access authorization of the device 90 to the virtual network 20 is verified. If the verification result is positive, the device 90 is granted access to the virtual network 20.

    [0044] The additional multi-tenant virtual network 21 also extends up to an access point. This may be the same access point 60 as for the multi-tenant virtual network 20, or a different access point. For the sake of clarity, the part of the additional multi-tenant virtual network 21 which is located outside the first industrial network node 11 is not shown in FIG. 1.

    [0045] The first industrial network node 11 additionally includes an onboarding network 30. The onboarding network 30 is assigned an access network 50, which is located in particular at the access point 60. The onboarding network 30 is connected (or may be temporarily connected) to an authentication module 40. In turn, the authentication module may access a database 42 in order to perform the identification and verification of a device 90 making an onboarding request.

    [0046] The industrial network 10 also has an administration unit 43, which is configured to generate onboarding networks. The onboarding networks may be generated by the administration unit 43 continuously, on demand, or according to a predefined schedule.
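    The two-stage flow of claim 1, with the time-limited access network of claim 3 and the FIG. 1 elements (access network 50, authentication module 40 with database 42, access point 60, device 90), simulated end to end. This is an added example, not code from the patent: the patent does not say how the access authorization in the configuration file is encoded or how the access point verifies it, so the HMAC-tagged authorization, the key shared between authentication module and access point, the nonce-based device proof, the open window and all device records are this example's own assumptions. The security point it makes is that the device's self-configuration from the file is never trusted on its own; the access point re-verifies the authorization before the device reaches the tenant's virtual network.

```python
import hashlib
import hmac
import json

# Constructed sample database behind the authentication module (database 42):
# device identity -> tenant network it may join, and its enrolment secret.
DEVICE_DB = {
    "dev-a1": {"vnet": "vnet-20", "secret": b"a1-enrolment-secret"},
    "dev-b7": {"vnet": "vnet-21", "secret": b"b7-enrolment-secret"},
}
# Assumption: authentication module and access point share this key, so the
# access point can check the authorization data without a database lookup.
SHARED_KEY = b"onboarding-authorization-key"


def _tag(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuthenticationModule:
    """Identifies and verifies the device, then writes its configuration file."""
    def __init__(self, db, key):
        self.db, self.key = db, key
    def identify_and_verify(self, device_id, nonce, proof):
        rec = self.db.get(device_id)
        if rec is None or not hmac.compare_digest(_tag(rec["secret"], nonce), proof):
            return None
        return rec["vnet"]
    def issue_config(self, device_id, vnet, now, ttl=300):
        # The file carries the interface settings plus the access authorization
        # (device, tenant network, expiry) that the access point re-verifies.
        body = json.dumps({"device": device_id, "vnet": vnet, "exp": now + ttl}, sort_keys=True)
        return {"interface": {"vnet": vnet},
                "authorization": {"body": body, "tag": _tag(self.key, body.encode())}}


class AccessNetwork:
    """Access network 50: accepts onboarding requests only while open (claim 3)."""
    def __init__(self, auth, open_from, open_until):
        self.auth, self.open_from, self.open_until = auth, open_from, open_until
    def onboard(self, device_id, nonce, proof, now):
        if not self.open_from <= now < self.open_until:
            return None, "access network closed"
        vnet = self.auth.identify_and_verify(device_id, nonce, proof)
        if vnet is None:
            return None, "identification failed"
        return self.auth.issue_config(device_id, vnet, now), "config issued"


class AccessPoint:
    """Access point 60: re-verifies the authorization before granting access."""
    def __init__(self, key, served_vnets):
        self.key, self.served = key, set(served_vnets)
    def grant_access(self, device_id, requested_vnet, authorization, now):
        body, tag = authorization["body"], authorization["tag"]
        if not hmac.compare_digest(_tag(self.key, body.encode()), tag):
            return False, "authorization tampered or forged"
        claims = json.loads(body)
        if claims["device"] != device_id:
            return False, "authorization issued to another device"
        if claims["exp"] <= now:
            return False, "authorization expired"
        if claims["vnet"] != requested_vnet or requested_vnet not in self.served:
            return False, "not authorized for this tenant network"
        return True, "access granted to " + requested_vnet


class Device:
    """Device 90: proves its enrolment secret, then configures its interface (claim 14)."""
    def __init__(self, device_id, secret):
        self.id, self.secret, self.interface_vnet = device_id, secret, None
    def proof(self, nonce):
        return _tag(self.secret, nonce)
    def configure(self, cfg):
        self.interface_vnet = cfg["interface"]["vnet"]


def onboard_and_join(device, now, join_vnet=None, tamper_vnet=None):
    """Run both stages; return (granted, reason). join_vnet: try a network other
    than the configured one. tamper_vnet: device edits its own configuration file."""
    auth = AuthenticationModule(DEVICE_DB, SHARED_KEY)
    access_net = AccessNetwork(auth, open_from=1000, open_until=1600)
    ap = AccessPoint(SHARED_KEY, served_vnets={"vnet-20", "vnet-21"})
    nonce = b"nonce-" + str(now).encode()  # constructed per-request challenge
    cfg, reason = access_net.onboard(device.id, nonce, device.proof(nonce), now)
    if cfg is None:
        return False, reason
    if tamper_vnet:
        claims = json.loads(cfg["authorization"]["body"])
        claims["vnet"] = cfg["interface"]["vnet"] = tamper_vnet
        cfg["authorization"]["body"] = json.dumps(claims, sort_keys=True)
    device.configure(cfg)
    target = join_vnet or device.interface_vnet
    return ap.grant_access(device.id, target, cfg["authorization"], now + 5)


if __name__ == "__main__":
    dev = Device("dev-a1", b"a1-enrolment-secret")
    for kw in ({}, {"join_vnet": "vnet-21"}, {"tamper_vnet": "vnet-21"}):
        print(onboard_and_join(dev, now=1100, **kw))
    print(onboard_and_join(dev, now=1700))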

    [0047] FIG. 2 (also referred to as FIG. 2) shows an industrial network 10 according to a second embodiment. In contrast to the first embodiment, in this example, the onboarding network 30 is assigned multiple access networks, the access network 50, and the additional access network 51. The access network 50 is located at the access point 60 and the additional access network 51 is located at another access point 61. There may be different reasons for the presence of multiple access points 60, 61 and access networks 50, 51. The access points 60, 61, for example, may be located a considerable distance apart, e.g., several meters apart. Alternatively, the various access points 60, 61 may also be addressed by different access technologies (e.g., WLAN, 5G, wired).

    [0048] The characteristic feature of the second embodiment is that both access networks 50, 51 are assigned to a common onboarding network 30 and that onboarding requests, regardless of the access network 50, 51 at which they are received, are verified by a common authentication module 40. Such a structure may also be called an “as a central service” onboarding mechanism.

    [0049] FIG. 3 (also referred to as FIG. 3) shows an industrial network 10 according to a third embodiment. In this example, the industrial network 10, more precisely the first industrial network node 11, has one onboarding network for each multi-tenant virtual network: the onboarding network 30 for the multi-tenant virtual network 20 and the additional onboarding network 31 for the additional multi-tenant virtual network 21. Each onboarding network 30, 31 is assigned an individual access network 50, 51 in an individual access point 60, 61. Also, each onboarding network 30, 31 is, or at least may be, connected to an individual authentication module 40, 41. If one access network is not available (intentionally or unintentionally), this does not affect the onboarding of a device 90 to the other access network/onboarding network and ultimately to the other virtual network. Such a structure may also be called a “per tenant network” onboarding mechanism.

    [0050] FIG. 4 (also referred to as FIG. 4) shows an industrial network 10 according to a fourth embodiment. In contrast to the previous exemplary embodiments, here two industrial network nodes are shown: a first industrial network node 11 and a second industrial network node 12. The two industrial network nodes 11 and 12 represent, for example, two different industrial PCs in a communication network. The industrial network 10 has two multi-tenant virtual networks 20, 21. Both virtual networks 20, 21 are located on an industrial network node, in the example shown on the first industrial network node 11. The industrial network 10 also has two onboarding networks 30, 31 and two authentication modules 40, 41. The two onboarding networks 30, 31 and the two authentication modules 40, 41 are all located on the second industrial network node 12. Thus, a single unit, namely the second industrial network node 12, houses all the onboarding networks 30, 31 and authentication modules 40, 41. Such a structure may also be referred to as “centralized deployment”.

    [0051] In contrast, the fifth exemplary embodiment shows a structure that may be called “distributed deployment”. Here, the onboarding network 30 and the authentication module 40 for the multi-tenant virtual network 20 are located on a first unit, namely the (first) access point 60, and the additional onboarding network 31 and the additional authentication module 41 for the additional multi-tenant virtual network 21 are located on a second unit, namely the additional access point 61.

    [0052] The fifth exemplary embodiment shown in FIG. 5 (also referred to as FIG. 5) also shows the variant in which a multi-tenant virtual network may extend over a plurality of industrial network nodes. For example, the virtual network 30 is located on both the first industrial network node 11 and on the second industrial network node 12. FIG. 5 also illustrates that an onboarding network does not necessarily have to be localized on an industrial network node. In FIG. 5, the onboarding network 30, 31 and the authentication module 40, 41 are located on the access point 50 or the additional access point 51 for both the multi-tenant virtual network 20 and the additional multi-tenant virtual network 21.

    [0053] In summary, it may be concluded that the concept of the onboarding of devices in a multi-tenant virtual network of an industrial network may be applied extremely flexibly to the specific configuration of the relevant industrial network.

    [0054] It is to be understood that the elements and features recited in the appended claims may be combined in different ways to produce new claims that likewise fall within the scope of the present disclosure. Thus, whereas the dependent claims appended below depend on only a single independent or dependent claim, it is to be understood that these dependent claims may, alternatively, be made to depend in the alternative from any preceding or following claim, whether independent or dependent, and that such new combinations are to be understood as forming a part of the present specification.

    [0055] While the present disclosure has been described above by reference to various embodiments, it may be understood that many changes and modifications may be made to the described embodiments. It is therefore intended that the foregoing description be regarded as illustrative rather than limiting, and that it be understood that all equivalents and/or combinations of embodiments are intended to be included in this description.

    LIST OF REFERENCE SIGNS

    [0056] 10 industrial network

    [0057] 11 first industrial network node

    [0058] 111 interface (of the first industrial network node)

    [0059] 12 second industrial network node

    [0060] 20 multi-tenant virtual network

    [0061] 201 application

    [0062] 21 additional multi-tenant virtual network

    [0063] 211 application

    [0064] 30 onboarding network

    [0065] 31 additional onboarding network

    [0066] 40 authentication module

    [0067] 41 additional authentication module

    [0068] 42 database

    [0069] 43 administration unit

    [0070] 50 access network

    [0071] 51 additional access network

    [0072] 60 access point

    [0073] 61 additional access point

    [0074] 90 device