WO2009152676A1 - AAA server, P-GW, PCRF, method and system for obtaining the UE's ID - Google Patents

Info

Publication number
WO2009152676A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
authentication
identifier
authorization
real
Application number
PCT/CN2008/073647
Inventor
霍玉臻
宗在峰
刘俊羿
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2009152676A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W74/00 Wireless channel access, e.g. scheduled or random access
    • H04W74/002 Transmission of channel access control information
    • H04W74/006 Transmission of channel access control information in the downlink, i.e. towards the terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/26 Network addressing or numbering for mobility support

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for obtaining a UE's ID is disclosed, in which an AAA server performs authentication and authorization with a UE and sends an access accept message, which contains the UE's real ID, to an FA of a non-3GPP access network; during the authentication process between the AAA server and the P-GW, if the AAA server determines that the UE's ID is a pseudo ID, the AAA server sends the UE's real ID to the P-GW. The invention also provides an AAA server, a P-GW, a PCRF and a system for obtaining the UE's ID. The advantage of the invention is that it ensures a non-3GPP UE can directly access the EPC network.

Description

AAA server, P-GW, PCRF, and method and system for obtaining a user equipment identifier
Technical Field

The present invention relates to the field of communications, and in particular to an authentication, authorization and accounting server, a packet data network gateway, a policy and charging control function entity, and a method and system for obtaining a user equipment identifier.

Background

To maintain the competitiveness of third-generation mobile communication systems in the mobile communications field, improve network performance, and reduce network construction and operating costs, the standardization working groups of the 3rd Generation Partnership Project (3GPP) are currently studying the Evolved Packet Core (EPC), the evolution of the core network system. The EPC system supports access from non-3GPP radio access networks and can provide user equipment (UE) with higher transmission rates and shorter transmission delays.

Network interworking between non-3GPP access systems (for example, Worldwide Interoperability for Microwave Access, WiMAX) and 3GPP systems helps the two networks complement each other and extends network coverage, so that a mobile UE can obtain consistent service access in different radio access network environments by using the different characteristics of each network.

FIG. 1 is a structural block diagram, according to the related art, of a non-3GPP radio access network accessing the Home Public Land Mobile Network (Home PLMN, HPLMN) through a Visited Public Land Mobile Network (VPLMN). The network architecture contains the following network elements:

Packet Data Network Gateway (P-GW), located in the 3GPP network, responsible for the UE's access to the Packet Data Network (PDN).

Home Subscriber Server (HSS), located in the 3GPP network, which permanently stores the subscription data and security data of the UE.
Evolved Packet Data Gateway (ePDG), located in the 3GPP network, responsible for the access of untrusted non-3GPP access networks to 3GPP.

Policy and Charging Rules Function (PCRF), located in the 3GPP network, responsible for policy control and charging for UE services. In roaming scenarios it is divided into the home policy control and charging function (hPCRF) and the visited policy control and charging function (vPCRF).

Mobile Access Gateway (MAG) and Foreign Agent (FA), located in the non-3GPP access system, which together with the P-GW implement the Proxy Mobile IPv6 protocol and the Mobile IPv4 protocol.

In addition, to support access from non-3GPP access systems, the EPC system also includes the 3GPP Authentication, Authorization and Accounting Server (3GPP AAA Server) and the AAA Proxy.

For a trusted non-3GPP access network (Trusted Non 3GPP Access Network), a trust relationship exists between the 3GPP network and the non-3GPP access network, and the non-3GPP access network can access the P-GW directly through the S2a or S2c interface. When the UE does not support the Mobile IP protocol or the Mobile IPv4 protocol, the UE first accesses the non-3GPP access system and then accesses the P-GW through the S2a interface; when the UE supports the dual-stack Mobile IP protocol, the UE accesses the P-GW directly through the S2c interface.

At present, for a UE that accesses the EPC system through a non-3GPP access network, the access authentication protocol used is the Extensible Authentication Protocol (EAP). For security reasons, the EAP protocol requires the UE to use its real Network Access Identifier (NAI) during access authentication, encapsulated and encrypted inside the EAP messages. As a result, only the AAA server and the UE know the UE's real NAI; to all other network elements the UE's real NAI is invisible, and the messages carry a pseudo-random NAI. In the interworking system shown in FIG. 1, however, both the P-GW and the PCRF need to know a unique identifier of the UE (a real identifier of the UE, such as the International Mobile Subscriber Identity (IMSI) or an IMSI-based NAI) in order to identify the UE and complete subsequent services.

Currently, the P-GW and the PCRF can obtain the UE identifier in the following three ways (mode 1 to mode 3).

Mode 1: FIG. 2 shows the flow of a method for obtaining the UE identifier in Mobile IPv4 mode according to the related art, where the S2a interface supports the Mobile IPv4 protocol. As shown in FIG. 2: step 201: access authentication and authorization; step 202: Mobile IP agent advertisement; step 203: Mobile IP registration request; step 204: gateway session establishment procedure; step 205: Mobile IP registration request; step 206: Mobile IP authentication and authorization; step 207: P-GW address update; step 208: P-GW session establishment procedure; step 209: Mobile IP registration response; step 210: gateway session policy provisioning procedure; step 211: Mobile IP registration response. In step 203, the UE initiates a Mobile IP registration request to the non-3GPP access network, the non-3GPP access network forwards the request to the FA/P-GW, and the FA/P-GW can obtain from the Mobile IP registration request the identifier used to identify the UE.

Mode 2: FIG. 3 shows the flow of a method for obtaining the UE identifier in Mobile IPv6 mode according to the related art, where the S2a interface supports the Mobile IPv4 protocol. As shown in FIG. 3: step 301: access authentication and authorization; step 301a: access accept information; step 302: layer 3 access trigger; step 303: gateway session establishment procedure; step 304: Mobile IP binding update request; step 305: Mobile IP authentication and authorization; step 306: P-GW address update; step 307: P-GW session establishment procedure; step 308: Mobile IP binding update response; step 309: gateway session policy provisioning procedure; step 310: layer 3 access ends. In step 301a, the AAA server sends the UE's unique identifier (such as the IMSI) to the MAG during access authentication and authorization; the MAG sends the UE identifier to the P-GW in the proxy binding update message and to the PCRF in the gateway session establishment notification message.

Mode 3: FIG. 4 shows the flow of a method for obtaining the UE identifier in dual-stack Mobile IPv6 mode according to the related art, where the S2c interface supports the dual-stack Mobile IP protocol. As shown in FIG. 4: step 401: access authentication and authorization; step 402: layer 3 access and acquisition of the local IP address; step 403: gateway session establishment procedure; step 404: security association establishment; step 405: authentication and authorization; step 406: Mobile IP binding update request; step 407: Internet Protocol Connectivity Access Network (IP-CAN) session establishment procedure; step 408: Mobile IP binding update response. In step 404, when the UE and the P-GW establish a secure channel, the UE sends its own unique identifier to the P-GW to identify the UE.

A new requirement has now been placed on the UE: it must pass its real identifier to the network over the air interface. For example, for an S2a interface supporting the Mobile IPv4 protocol, the NAI in the Mobile IP registration request message initiated by the UE must be an IMSI-based NAI.
However, when a legacy non-3GPP UE (such as a WiMAX UE) sends a Mobile IP registration request, the UE identifier carried in that request is a pseudo identifier rather than the real identifier; that is, the Mobile IP registration request in step 203 carries the UE's pseudo identifier. For an S2c interface supporting the dual-stack Mobile IP protocol, the UE is required to send the UE identifier to the P-GW while establishing the security association with the P-GW, but this carries some risk, for example of a man-in-the-middle attack, and even if the identifier could be sent securely, legacy non-3GPP systems still do not wish to send the real identifier directly. Legacy non-3GPP UEs must therefore meet this requirement before they can access the EPC, and otherwise cannot be used normally, which limits the application scope of non-3GPP and EPC interworking.

Moreover, because the non-3GPP network and the P-GW cannot distinguish whether the UE identifier sent by the UE is the UE's real identifier, simply assuming that the identifier sent by the UE is the real UE identifier may cause the UE to be misidentified and the service to fail. Since the original system does not need the real UE identifier to identify the UE, a non-3GPP MAG may, depending on local policy, not send the UE's real identifier to the P-GW.

On the other hand, in the 3GPP network the UE's real identifier is used by 3GPP network elements (for example the P-GW and the PCRF) to identify the UE. In the related art, the real identifier is obtained by requiring the non-3GPP UE to send it over the air interface to the network-side elements, and network elements that cannot recognize the UE's real identifier (for example the P-GW and the PCRF) are required to assume that what they receive is the real identifier. This restricts non-3GPP UEs from directly accessing the EPC network.
It also creates a hidden risk for network elements trying to identify the UE correctly.

Summary of the Invention

The present invention is proposed in view of the problem in the related art that the non-3GPP network cannot distinguish whether the UE identifier sent by the UE is the UE's real identifier. To this end, the main object of the invention is to provide an improved scheme for obtaining a user equipment identifier, so as to solve at least one of the above problems in the related art.

To achieve the above object, according to one aspect of the present invention, a method for obtaining a user equipment identifier is provided, the method being based on the Mobile IPv4 protocol.

The method for obtaining a user equipment identifier according to the invention includes: the authentication, authorization and accounting (AAA) server performs access authentication and authorization with the user equipment, sends an access accept message to the foreign agent of the non-3GPP access network, and carries the real identifier of the user equipment in the access accept message; in the authentication process between the AAA server and the packet data network gateway, when the AAA server verifies that the user equipment identifier is a pseudo user equipment identifier, it sends the real identifier of the user equipment to the packet data network gateway.

According to another aspect of the present invention, a method for obtaining a user equipment identifier is also provided, the method being based on the Mobile IPv4 protocol.
The method for obtaining a user equipment identifier according to the invention includes: the AAA server performs access authentication and authorization with the user equipment and sends an access accept message to the foreign agent of the non-3GPP access network, where the access accept message carries the real identifier of the user equipment.

According to another aspect of the present invention, a method for obtaining a user equipment identifier is also provided, the method being based on the Mobile IPv6 protocol.

The method for obtaining a user equipment identifier according to the invention includes: in the authentication process between the AAA server and the packet data network gateway, when the AAA server verifies that the user equipment identifier is a pseudo user equipment identifier, it sends the real identifier of the user equipment to the packet data network gateway.

According to another aspect of the present invention, a method for obtaining a user equipment identifier is also provided, the method being based on the dual-stack Mobile IP protocol.

The method for obtaining a user equipment identifier according to the invention includes: the AAA server performs access authentication and authorization with the user equipment, sends an access accept message to the non-3GPP access network, and carries the real identifier of the user equipment in the access accept message; in the authentication process between the AAA server and the packet data network gateway, when the AAA server verifies that the user equipment identifier is a pseudo user equipment identifier, it sends the real identifier of the user equipment to the packet data network gateway.
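The identity resolution these method aspects describe, sketched for the Mobile IPv4 case as an added example that is not part of the patent text: the AAA server maps the identifier forwarded by the P-GW back to the real identifier, while a P-GW that simply trusts the UE-supplied identifier fails its PCRF lookup. All class and method names, the identifier strings, the policy value and the rejection of unknown identifiers are assumptions of this example.

```python
"""Added illustration of identity resolution in the Mobile IPv4 flow.
Class names, method names, NAI strings and the policy string are constructed
for this example; none of them come from the patent or from a 3GPP spec."""
from dataclasses import dataclass
from typing import Optional

REAL_ID = "imsi-001010000000001@operator.example"   # constructed real (IMSI-based) NAI
PSEUDO_ID = "pseudo-7f3a91@operator.example"         # constructed pseudo NAI
POLICY = "constructed-policy-A"                      # constructed policy value


@dataclass
class AccessAccept:
    """AAA access accept message; real_id is set only when the AAA server sends it."""
    real_id: Optional[str] = None


class AAAServer:
    def __init__(self, resend_real_id=False):
        self._pseudo_to_real = {}              # pseudo identifier -> real identifier
        self._real_ids = set()
        self.resend_real_id = resend_real_id   # policy for the "already real" case

    def access_authenticate(self, real_id, pseudo_id):
        """Access authentication with the UE: the AAA server learns both
        identifiers and returns the real one in the access accept message."""
        self._real_ids.add(real_id)
        self._pseudo_to_real[pseudo_id] = real_id
        return AccessAccept(real_id)

    def verify_for_pgw(self, presented_id):
        """Authentication with the P-GW: is the UE-supplied identifier pseudo?"""
        if presented_id in self._pseudo_to_real:     # pseudo: send the real one
            return AccessAccept(self._pseudo_to_real[presented_id])
        if presented_id in self._real_ids:           # real: sending it is a policy choice
            return AccessAccept(presented_id if self.resend_real_id else None)
        # Assumption of this example: identifiers the AAA server never saw are rejected.
        raise PermissionError("identifier not known to the AAA server")


class PCRF:
    def __init__(self, policies):
        self._policies = policies          # keyed by real identifier
        self._gateway_sessions = set()

    def gateway_session_establish(self, real_id):
        self._gateway_sessions.add(real_id)

    def ip_can_session_establish(self, ue_id):
        if ue_id not in self._gateway_sessions or ue_id not in self._policies:
            raise LookupError("no session or policy for %r" % ue_id)
        return self._policies[ue_id]


class ForeignAgent:
    def __init__(self, pcrf):
        self.pcrf = pcrf

    def on_access_accept(self, accept):
        # The FA takes the real identifier from the access accept message
        # and uses it when establishing the gateway session with the PCRF.
        self.pcrf.gateway_session_establish(accept.real_id)


class PGW:
    def __init__(self, aaa, pcrf, trust_ue_identifier=False):
        self.aaa, self.pcrf = aaa, pcrf
        self.trust_ue_identifier = trust_ue_identifier   # True = related-art behaviour

    def on_registration_request(self, presented_id):
        if self.trust_ue_identifier:
            ue_id = presented_id                         # assumes the identifier is real
        else:
            accept = self.aaa.verify_for_pgw(presented_id)
            ue_id = accept.real_id or presented_id       # AAA confirmed it or replaced it
        return ue_id, self.pcrf.ip_can_session_establish(ue_id)


def run_flow(presented_id, trust_ue_identifier=False):
    """Run access authentication, then the registration request seen by the P-GW."""
    aaa = AAAServer()
    pcrf = PCRF({REAL_ID: POLICY})
    ForeignAgent(pcrf).on_access_accept(aaa.access_authenticate(REAL_ID, PSEUDO_ID))
    return PGW(aaa, pcrf, trust_ue_identifier).on_registration_request(presented_id)


if __name__ == "__main__":
    print(run_flow(PSEUDO_ID))    # pseudo identifier resolved by the AAA server
    print(run_flow(REAL_ID))      # real identifier confirmed by the AAA server
    try:
        run_flow(PSEUDO_ID, trust_ue_identifier=True)
    except LookupError as exc:
        print("P-GW trusting the UE-supplied identifier:", exc)
```
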
According to another aspect of the present invention, an authentication, authorization and accounting (AAA) server is provided.

The AAA server according to the invention is configured to perform access authentication and authorization with the user equipment, obtain the real identifier of the user equipment, send an access accept message to the non-3GPP access network, and carry the real identifier of the user equipment in the access accept message.

According to another aspect of the present invention, a packet data network gateway is provided.

The packet data network gateway according to the invention is configured, in the authentication process with the AAA server, to send a request message to the AAA server and to carry in the request message the user equipment identifier that the packet data network gateway received from the user equipment, so that the AAA server verifies whether that user equipment identifier is the real identifier of the user equipment; and, when the AAA server's verification fails, to receive the real identifier of the user equipment sent by the AAA server.

According to another aspect of the present invention, a policy and charging control function entity is provided.
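The policy and charging control function entity according to the invention is configured to receive a session establishment message sent by the non-3GPP access network, where the session establishment message carries the real identifier of the user equipment and the real identifier was obtained by the non-3GPP access network from the AAA server; and to obtain the real identifier of the user equipment from the received session establishment message.

According to another aspect of the present invention, a system for obtaining a user equipment identifier is provided.

The system for obtaining a user equipment identifier according to the invention includes an AAA server, a non-3GPP access network, a packet data network gateway, and a policy and charging control function entity. The AAA server is configured to perform access authentication and authorization with the user equipment, obtain the real identifier of the user equipment, send an access accept message to the non-3GPP access network, and carry the real identifier of the user equipment in the access accept message. The non-3GPP access network is configured to receive the access accept message sent by the AAA server and obtain the real identifier of the user equipment. The packet data network gateway is configured, in the authentication process with the AAA server, to send a request message to the AAA server and to carry in the request message the user equipment identifier that the packet data network gateway received from the user equipment, so that the AAA server verifies whether that user equipment identifier is the real identifier of the user equipment; and, when the AAA server's verification fails, to receive the real identifier of the user equipment sent by the AAA server. The policy and charging control function entity is configured to receive a session establishment message sent by the non-3GPP access network, where the session establishment message carries the real identifier of the user equipment and the real identifier was obtained by the non-3GPP access network from the AAA server; and to obtain the real identifier of the user equipment from the received session establishment message.

With at least one of the above technical solutions of the present invention, at different stages of the terminal's network entry procedure, the non-3GPP access network and the relevant network elements of the 3GPP system each perform interactive authentication with the AAA server and obtain the UE's real identifier from the AAA server. This solves the problem in the related art that the non-3GPP network cannot distinguish whether the UE identifier sent by the terminal is the UE's real identifier, and thereby ensures that non-3GPP terminals can directly access the EPC network.

Other features and advantages of the present invention will be set forth in the description that follows, and in part will become apparent from the description or be understood by practicing the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written description, the claims and the drawings.

Brief Description of the Drawings

The drawings provide a further understanding of the invention and form part of the specification. Together with the embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:

FIG. 1 is a network architecture diagram of interworking between a non-3GPP access network and the 3GPP EPC network according to the related art;

FIG. 2 is a flowchart of a method for obtaining a user equipment identifier in Mobile IPv4 mode according to the related art;

FIG. 3 is a flowchart of a method for obtaining a user equipment identifier in Mobile IPv6 mode according to the related art;

FIG. 4 is a flowchart of a method for obtaining a user equipment identifier in dual-stack Mobile IPv6 mode according to the related art;

FIG. 5 is a flowchart of a method for obtaining a user equipment identifier according to method embodiment 1 of the invention;

FIG. 6 is a detailed processing flowchart of the method for obtaining a user equipment identifier according to method embodiment 1 of the invention;

FIG. 7 is a detailed processing flowchart of the method for obtaining a user equipment identifier according to method embodiment 3 of the invention;

FIG. 8 is a flowchart of a method for obtaining a user equipment identifier according to method embodiment 4 of the invention;

FIG. 9 is a detailed processing flowchart of the method for obtaining a user equipment identifier according to method embodiment 4 of the invention;

FIG. 10 is a structural block diagram of a system for obtaining a user equipment identifier according to the system embodiment of the invention.

Detailed Description

Functional overview

Considering the problem in the related art that the non-3GPP network cannot distinguish whether the UE identifier sent by the UE is the UE's real identifier, the embodiments of the invention provide an improved scheme for obtaining a user equipment identifier. In the embodiments, at different stages of the UE's network entry procedure, the non-3GPP access network and the relevant network elements of the 3GPP system each perform interactive authentication with the AAA server and can obtain the UE's real identifier from the AAA server.

The embodiments of the invention are described in detail below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and do not limit it. Where no conflict arises, the embodiments and the features in the embodiments may be combined with one another.

It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system, such as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in a different order.

Method Embodiment 1

According to an embodiment of the invention, a method for obtaining a user equipment identifier is provided, the method being based on the Mobile IPv4 protocol.

FIG. 5 is a flowchart of the method for obtaining a user equipment identifier according to the embodiment. As shown in FIG. 5, the method includes the following steps (step S502 to step S504):

Step S502: The AAA server performs access authentication and authorization with the UE, sends an access accept message to the foreign agent of the non-3GPP access network, and carries the UE's real identifier in the access accept message.

The foreign agent receives the access accept message, obtains the UE's real identifier, sends session establishment information to the PCRF, and carries the UE's real identifier in the session establishment information. The PCRF receives the session establishment information and obtains the UE's real identifier.

Step S504: In the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identifier is a pseudo UE identifier, it sends the UE's real identifier to the P-GW. The P-GW then sends a session establishment request to the PCRF and carries the UE's real identifier in the request. The PCRF receives the session establishment request and, according to the UE's real identifier, sends the UE's policy information to the P-GW.

The authentication process between the AAA server and the P-GW specifically includes: the AAA server receives an access request from the P-GW, where the access request carries the UE identifier that the P-GW received from the UE.

With the technical solution provided by this embodiment, at different stages of the UE's network entry procedure, the non-3GPP access network and the relevant network elements of the 3GPP system each perform interactive authentication with the AAA server and obtain the UE's real identifier from the AAA server, which ensures that non-3GPP UEs can directly access the EPC network.

FIG. 6 is a detailed processing flowchart of the method for obtaining the UE identifier in Mobile IPv4 mode according to the method embodiment. As shown in FIG. 6, the method includes the following steps (step S601 to step S611):

Step S601: A non-3GPP UE performs initial network entry, and access authentication and authorization of the UE is carried out.

Step S601a: After the access authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the authenticator of the non-3GPP access network, and the message carries the real identifier of the user equipment. Because the FA is located in the authenticator during access authentication and authorization, the FA obtains the UE's real identifier at the same time.

Step S602: The FA located in the non-3GPP access network sends a Mobile IP agent advertisement to the UE.

Step S603: After receiving the agent advertisement, the UE sends a Mobile IP registration request (that is, the access request mentioned above) to the non-3GPP access network. The Mobile IP registration request carries a UE identifier, which may be a pseudo UE identifier or the UE's real identifier; for example, a legacy non-3GPP UE may use a pseudo UE identifier.

Step S604: The non-3GPP access network and the PCRF interact to complete the gateway session establishment procedure. In this procedure, the non-3GPP access network sends the real UE identifier obtained in step S601a to the PCRF to identify the UE.

Step S605: The FA located in the non-3GPP network forwards the Mobile IP registration request initiated by the UE to the P-GW, thereby forwarding the UE identifier that came from the UE to the P-GW.

Step S606: After receiving the Mobile IP registration request, the P-GW interacts with the AAA server to perform Mobile IP authentication and authorization. Because the P-GW cannot tell whether the UE identifier from the UE is the UE's real identifier, during Mobile IP authentication and authorization the P-GW sends a request message to the AAA server, and the request message carries the user equipment identifier that came from the UE.

Step S606a: The AAA server receives the request message, obtains the UE identifier that came from the UE, and determines whether that UE identifier is the UE's real identifier; that is, the AAA server determines whether the UE identifier obtained by the P-GW is the UE's real identifier.

Step S606b: If the UE identifier obtained by the P-GW is a pseudo UE identifier, then after the Mobile IP authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message to the P-GW, and the message carries the UE's real identifier. If the UE identifier obtained by the P-GW is the UE's real identifier, the AAA server may, according to policy, either send or not send the UE's real identifier to the P-GW.

Step S607: The P-GW interacts with the AAA server to update the P-GW address.

Step S608: The P-GW uses the real UE identifier obtained in step S606b to interact with the PCRF, completes the IP-CAN (IP Connectivity Access Network) session establishment procedure, and obtains the UE's policy.

Step S609: The P-GW sends a Mobile IP registration response message to the FA, completing the Mobile IP registration procedure.

Step S610: The non-3GPP access network interacts with the PCRF to complete the gateway session policy provisioning procedure.

Step S611: The FA forwards the Mobile IP registration response message to the UE, completing Mobile IP registration.

Following the above steps, both the FA and the P-GW can, through the authentication and authorization procedure with the AAA server, obtain the correct real identifier of the UE from the AAA server to identify the UE, which ensures that non-3GPP UEs can directly access the EPC network.

Method Embodiment 2

According to an embodiment of the invention, a method for obtaining a user equipment identifier is provided, the method being based on the Mobile IPv4 protocol.

The method for obtaining the UE identifier according to the embodiment includes: the AAA server performs access authentication and authorization with the UE and sends an access accept message to the foreign agent of the non-3GPP access network, where the access accept message carries the UE's real identifier.

The foreign agent receives the access accept message, obtains the UE's real identifier, sends session establishment information to the PCRF, and carries the UE's real identifier in the session establishment information. The PCRF receives the session establishment information and obtains the UE's real identifier.

The AAA server then performs authentication with the P-GW, and when the AAA server verifies that the UE identifier is a pseudo UE identifier, it sends the UE's real identifier to the P-GW. The P-GW then sends a session establishment request to the PCRF and carries the UE's real identifier in the request. The PCRF receives the session establishment request and, according to the UE's real identifier, sends the UE's policy information to the P-GW.

The authentication process between the AAA server and the P-GW specifically includes: the AAA server receives an access request from the P-GW, where the access request carries the UE identifier that the P-GW received from the UE.

With the technical solution provided by this embodiment, at different stages of the UE's network entry procedure, the non-3GPP access network and the relevant network elements of the 3GPP system each perform interactive authentication with the AAA server and obtain the UE's real identifier from the AAA server, which ensures that non-3GPP UEs can directly access the EPC network.

Method Embodiment 3

According to an embodiment of the invention, a method for obtaining a user equipment identifier is provided. The method is based on the Mobile IPv6 protocol and includes the following step: in the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identifier is a pseudo UE identifier, it sends the UE's real identifier to the P-GW. The P-GW then sends a session establishment request to the PCRF and carries the UE's real identifier in the request. The PCRF receives the session establishment request and, according to the UE's real identifier, sends the UE's policy information to the P-GW.

FIG. 7 is a detailed processing flowchart of the method for obtaining the identifier in Mobile IPv6 mode according to method embodiment 3 of the invention. As shown in FIG. 7, the method includes the following steps (step S701 to step S710):

Step S701: A non-3GPP UE performs initial network entry, and access authentication and authorization of the UE is carried out.

Step S701a: After the access authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the MAG of the non-3GPP access network, and the message carries the UE's real identifier.

Step S702: The UE initiates the layer 3 access trigger procedure. A UE that does not support Mobile IP can trigger layer 3 access through the Dynamic Host Configuration Protocol (DHCP) procedure.

Step S703: The non-3GPP access network and the PCRF interact to complete the gateway session establishment procedure. In this procedure, the non-3GPP access network sends the real UE identifier obtained in step S701a to the PCRF to identify the UE.

Step S704: The MAG located in the non-3GPP network sends a proxy binding update request to the P-GW. Depending on local policy, the MAG may not carry the UE's real identifier in the proxy binding update request.

Step S705: After receiving the Mobile IP registration request, the P-GW interacts with the AAA server to perform Mobile IP authentication and authorization. Because the P-GW cannot tell whether the UE identifier from the UE is the UE's real identifier, during Mobile IP authentication and authorization the P-GW sends a request message to the AAA server, and the request message carries the UE identifier that came from the UE.

Step S705a: The AAA server receives the request message, obtains the UE identifier that came from the UE, and determines whether the UE identifier obtained by the P-GW is the UE's real identifier.

Step S705b: If the UE identifier obtained by the P-GW is a pseudo UE identifier, then after the Mobile IP authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message to the P-GW, and the message carries the UE's real identifier. If the UE identifier obtained by the P-GW is the UE's real identifier, the AAA server may, according to policy, either send or not send the UE's real identifier to the P-GW.

Step S706: The P-GW interacts with the AAA server to update the P-GW address.

Step S707: The P-GW uses the real UE identifier obtained in step S705b to interact with the PCRF, completes the IP-CAN session establishment procedure, and obtains the UE's policy.

Step S708: The P-GW sends a proxy binding update response message to the MAG, completing the proxy Mobile IP registration procedure.

Step S709: The non-3GPP access network interacts with the PCRF to complete the gateway session policy provisioning procedure.

Step S710: Layer 3 access is completed through interaction with the non-3GPP access network.

Following the above steps, a non-3GPP UE accesses the EPC network through the non-3GPP access network over the S2a interface, where the protocol on the S2a interface is Proxy Mobile IPv6. Through the authentication and authorization procedure between the P-GW and the AAA server, a P-GW that did not obtain the UE's real identifier from the MAG obtains the UE's real identifier and uses it to identify the UE.

Method Embodiment 4

According to an embodiment of the invention, a method for obtaining a user equipment identifier is provided, the method being based on the dual-stack Mobile IP protocol. FIG. 8 is a flowchart of the method for obtaining a user equipment identifier according to method embodiment 4 of the invention. As shown in FIG. 8, the method includes the following steps (step S802 to step S804):

Step S802: The AAA server performs access authentication and authorization with the UE, sends an access accept message to the non-3GPP access network, and carries the UE's real identifier in the access accept message.

Further, the non-3GPP access network receives the access accept message, obtains the UE's real identifier, sends session establishment information to the PCRF, and carries the UE's real identifier in the session establishment information. The PCRF receives the session establishment information and obtains the UE's real identifier.

Step S804: In the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identifier is a pseudo UE identifier, it sends the UE's real identifier to the P-GW.

The authentication process between the AAA server and the P-GW specifically includes: the AAA server receives a security association establishment request from the P-GW, where the request carries the UE identifier that the P-GW received from the UE.

Further, the method also includes: the P-GW sends a session establishment request to the PCRF and carries the UE's real identifier in the request; the PCRF receives the session establishment request and, according to the UE's real identifier, sends the UE's policy information to the P-GW.

With the technical solution provided by this embodiment, at different stages of the UE's network entry procedure, the non-3GPP access network and the relevant network elements of the 3GPP system each perform interactive authentication with the AAA server and obtain the UE's real identifier from the AAA server, which ensures that non-3GPP UEs can directly access the EPC network.

FIG. 9 is a detailed processing flowchart of the method for obtaining a user equipment identifier in dual-stack Mobile IP mode according to the method embodiment. As shown in FIG. 9, the method includes the following steps (step S901 to step S908):

Step S901: A non-3GPP UE performs initial network entry, and access authentication and authorization of the UE is carried out.

Step S901a: After the access authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the non-3GPP access network, and the message carries the UE's real identifier.

Step S902: The UE initiates the layer 3 access procedure in the non-3GPP access network and obtains a local IP address.

Step S903: The non-3GPP access network and the PCRF interact to complete the gateway session establishment procedure. In this procedure, the non-3GPP access network sends the real UE identifier obtained in step S901a to the PCRF to identify the UE.

Step S904: The UE establishes a security association with the P-GW. During security association establishment, the UE sends a security association establishment request to the P-GW, and the request carries a user equipment identifier, which may be a pseudo UE identifier or the UE's real identifier; for example, a legacy UE sends a pseudo UE identifier.

Step S905: During security association establishment, the P-GW interacts with the AAA server to perform authentication and authorization. Because the P-GW cannot tell whether the UE identifier from the UE is the UE's real identifier, during Mobile IP authentication and authorization the P-GW sends a request message to the AAA server, and the request message carries the UE identifier that came from the UE.

Step S905a: The AAA server receives the request message, obtains the UE identifier that came from the UE, and determines whether the UE identifier obtained by the P-GW is the UE's real identifier.

Step S905b: If the UE identifier obtained by the P-GW is a pseudo UE identifier, then after the Mobile IP authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message to the P-GW, and the message carries the UE's real identifier. If the UE identifier obtained by the P-GW is the UE's real identifier, the AAA server may, according to policy, either send or not send the UE's real identifier to the P-GW.

Step S906: The UE initiates the Mobile IP binding procedure and sends a Mobile IP binding update request to the P-GW.

Step S907: The P-GW uses the UE's real identifier obtained in step 705b to interact with the PCRF, completes the IP-CAN session establishment procedure, and obtains the UE's policy.

Step S908: The P-GW sends a Mobile IP binding update response message to the UE, completing the Mobile IP binding procedure.

Following the above steps, a non-3GPP UE accesses the EPC network through the non-3GPP access network over the S2c interface, where the protocol on the S2c interface is dual-stack Mobile IPv6. Both the non-3GPP access network and the P-GW can, through the authentication and authorization procedure with the AAA server, obtain the correct real UE identifier from the AAA server and use it to identify the UE.

Apparatus Embodiment 1

According to an embodiment of the invention, an authentication, authorization and accounting server (AAA server) is also provided. The AAA server is configured to perform access authentication and authorization with the UE, obtain the UE's real identifier, send an access accept message to the non-3GPP access network, and carry the UE's real identifier in the access accept message. The AAA server is also configured to verify the UE identifier sent by the P-GW and, when it verifies that the UE identifier is not the UE's real identifier, to send the UE's real identifier to the P-GW.

Apparatus Embodiment 2

According to an embodiment of the invention, a packet data network gateway (P-GW) is also provided. The P-GW is configured, in the authentication process with the AAA server, to send a request message to the AAA server and to carry in the request message the UE identifier that the P-GW received from the UE, so that the AAA server verifies whether the UE identifier is the UE's real identifier; and, when the AAA server's verification fails, to receive the UE's real identifier sent by the AAA server.

Apparatus Embodiment 3

According to an embodiment of the invention, a policy and charging control function entity (PCRF) is also provided. The PCRF is configured to receive a session establishment message sent by the non-3GPP access network, where the session establishment message carries the UE's real identifier and the real identifier was obtained by the non-3GPP access network from the AAA server; and to obtain the UE's real identifier from the received session establishment message.

System Embodiment

According to an embodiment of the invention, a system for obtaining a user equipment identifier is provided.

FIG. 10 is a structural block diagram of the system for obtaining a user equipment identifier according to the embodiment. As shown in FIG. 10, the system includes an authentication, authorization and accounting server (AAA server) 10, a non-3GPP access network 20, a packet data network gateway (P-GW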
) 30和策略和计费控制功能实体( PCRF ) 40。 该系统实施例中所使用的 AAA月艮务器 10、 P-GW 30、 PCRF 40中的至 少一个可以釆用上述装置实施例中提供的对应的装置来实现。 下面具体描述 上述各个组成部分。 AAA服务器 10用于与 UE进行接入认证和 4曼权,获得 UE的真实标识, 向非 3GPP接入网 20发送接入接受消息, 并在接入接受消息中携带 UE的真 实标识; 另外, AAA服务器 10还用于对 P-GW 30发送的 UE标识进行验证, 并且在 3 证 UE标识不是 UE的真实标识的情况下, 将 UE的真实标识发送 到 P-GW 30; 非 3GPP接入网 20,连接至 AAA月艮务器 10和 PCRF 40,用于接收 AAA 月艮务器 10发送的接入接受消息, 并获取 UE的真实标识。 The related network elements of the 3GPP access network and the 3GPP system are mutually authenticated with the authentication and authorization accounting server, and the real identification of the UE is obtained from the authentication and authorization accounting server, and the non-3GPP network existing in the related technology cannot be distinguished from the UE transmitted by the terminal. The problem of whether the identity is a true identity of the UE can ensure that the non-3GPP terminal directly accesses the EPC network. Other features and advantages of the invention will be set forth in the description which follows, and The objectives and other advantages of the invention will be realized and attained by the <RTI BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings are included to provide a further understanding of the invention The embodiments of the invention are used to explain the invention, and are not intended to limit the invention. In the drawings: FIG. 1 is a network architecture diagram of a non-3GPP access network and a 3GPP EPC network according to the related art; FIG. 2 is a flowchart of a method for acquiring a user equipment identifier in a mobile IPv4 mode according to the related art; FIG. 4 is a flowchart of a method for acquiring user equipment identifiers in a dual-stack mobile IPv6 mode according to the related art; FIG. 5 is a flowchart of a method for acquiring user equipment identifiers according to the related art; FIG. 
6 is a flowchart of a detailed process of acquiring a user equipment identifier according to Embodiment 1 of the method of the present invention; FIG. 7 is a user equipment identifier according to Embodiment 3 of the method according to the present invention; FIG. 8 is a flowchart of a method for acquiring user equipment identifier according to Embodiment 4 of the method of the present invention; FIG. 9 is a detailed processing method for acquiring user equipment identifier according to Embodiment 4 of the method of the present invention; FIG. 10 is a structural block diagram of an acquisition system for user equipment identification according to an embodiment of the system of the present invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The present invention provides an improved acquisition scheme of user equipment identity, in view of the fact that the non-3GPP network existing in the related art cannot distinguish whether the UE identity sent by the UE is the real identity of the UE. In the embodiment of the present invention, the relevant network elements of the non-3GPP access network and the 3GPP system are mutually authenticated with the authentication and authorization accounting server, and the UE can be obtained from the authentication and authorization accounting server. Real identity. The embodiments of the present invention are described in detail below with reference to the accompanying drawings, which are intended to illustrate and illustrate the invention. The features of the embodiments of the present invention and the embodiments may be combined with each other if they do not conflict. It should be noted that the steps shown in the flowchart of the accompanying drawings may be executed in a computer system such as a set of computer executable instructions, and, although the logical order is shown in the flowchart, in some cases, The steps shown or described may be performed in an order different than that herein. 
Method Embodiment 1

According to an embodiment of the present invention, a method for acquiring a user equipment identity is provided; the method is based on mobile IPv4.

FIG. 5 is a flowchart of a method for acquiring a user equipment identity according to an embodiment of the present invention. As shown in FIG. 5, the method includes the following steps (step S502 to step S504):

Step S502: the AAA server performs access authentication and authorization with the UE, sends an access accept message to the foreign agent (FA) of the non-3GPP access network, and carries the real identity of the UE in the access accept message. The foreign agent receives the access accept message, obtains the real identity of the UE, sends session establishment information to the PCRF, and carries the real identity of the UE in that information. The PCRF receives the session establishment information and obtains the real identity of the UE.

Step S504: during the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identity is a pseudo UE identity, it sends the real identity of the UE to the P-GW. The P-GW then sends a session establishment request to the PCRF and carries the real identity of the UE in the request. The PCRF receives the session establishment request and, according to the real identity of the UE, sends the policy information of the UE to the P-GW.

The authentication process between the AAA server and the P-GW specifically includes: the AAA server receives an access request from the P-GW, where the access request carries the UE identity that the P-GW received from the UE.
With the technical solution provided by this embodiment of the present invention, at different stages of the UE network access procedure, the relevant network elements of the non-3GPP access network and the 3GPP system each interact with the AAA server for authentication and obtain the real identity of the UE from the AAA server, which ensures that a non-3GPP UE can directly access the EPC network.

FIG. 6 is a detailed processing flowchart of a method for acquiring a UE identity in mobile IPv4 mode according to a method embodiment of the present invention. As shown in FIG. 6, the method includes the following steps (step S601 to step S611):

Step S601: the non-3GPP UE initially accesses the network, and access authentication and authorization of the UE are performed.

Step S601a: after the access authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the authenticator of the non-3GPP access network. The message carries the real identity of the user equipment. Because the FA is located in the authenticator during access authentication and authorization, the FA obtains the real identity of the UE at the same time.

Step S602: the FA located in the non-3GPP access network sends a mobile IP agent advertisement to the UE.

Step S603: after receiving the agent advertisement, the UE sends a mobile IP registration request (that is, the access request mentioned above) to the non-3GPP access network. The mobile IP registration request carries a UE identity, which may be a pseudo UE identity or the real identity of the UE; for example, a traditional non-3GPP UE may use a pseudo UE identity.

Step S604: the non-3GPP access network and the PCRF interact to complete the gateway session establishment procedure, during which the non-3GPP access network sends the real UE identity obtained in step S601a to the PCRF to identify the UE.

Step S605: the FA located in the non-3GPP network forwards the mobile IP registration request initiated by the UE to the P-GW, and with it the UE identity that came from the UE.

Step S606: after receiving the mobile IP registration request, the P-GW interacts with the AAA server for mobile IP authentication and authorization. Because the P-GW cannot tell whether the UE identity that came from the UE is the real identity of the UE, during this procedure the P-GW sends a request message to the AAA server, and the request message carries the user equipment identity that came from the UE.

Step S606a: the AAA server receives the request message, obtains the UE identity that came from the UE, and determines whether it is the real identity of the UE; that is, the AAA server determines whether the UE identity acquired by the P-GW is the real identity of the UE.

Step S606b: if the UE identity acquired by the P-GW is a pseudo UE identity, then after the mobile IP authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message to the P-GW, and the message carries the real identity of the UE. If the UE identity acquired by the P-GW is the real identity of the UE, the AAA server may, depending on policy, either send or not send the real identity of the UE to the P-GW.

Step S607: the P-GW interacts with the AAA server to update the P-GW address.

Step S608: the P-GW uses the real UE identity obtained in step S606b to interact with the PCRF, completes the IP-CAN (IP connectivity access network) session establishment procedure, and obtains the policy of the UE.

Step S609: the P-GW sends a mobile IP registration response message to the FA, completing the mobile IP registration procedure.

Step S610: the non-3GPP access network and the PCRF interact to complete the gateway session policy provision procedure.

Step S611: the FA forwards the mobile IP registration response message to the UE, completing the mobile IP registration.

Following these steps, both the FA and the P-GW can, through the authentication and authorization procedure with the AAA server, obtain the correct real identity of the UE from the AAA server to identify the UE, which ensures that a non-3GPP UE can directly access the EPC network.

Method Embodiment 2

According to an embodiment of the present invention, a method for acquiring a user equipment identity is provided; the method is based on the mobile IPv4 protocol.

The method for acquiring the UE identity according to this embodiment includes: the AAA server performs access authentication and authorization with the UE and sends an access accept message to the foreign agent of the non-3GPP access network, where the access accept message carries the real identity of the UE.

The foreign agent, for its part, receives the access accept message, obtains the real identity of the UE, sends session establishment information to the PCRF, and carries the real identity of the UE in that information. The PCRF receives the session establishment information and obtains the real identity of the UE.

Next, the AAA server and the P-GW perform authentication, and when the AAA server verifies that the UE identity is a pseudo UE identity, it sends the real identity of the UE to the P-GW.
Then, the P-GW sends a session establishment request to the PCRF and carries the real identity of the UE in the request. The PCRF receives the session establishment request and, according to the real identity of the UE, sends the policy information of the UE to the P-GW.

The authentication process between the AAA server and the P-GW specifically includes: the AAA server receives an access request from the P-GW, where the access request carries the UE identity that the P-GW received from the UE.

With the technical solution provided by this embodiment of the present invention, at different stages of the UE network access procedure, the relevant network elements of the non-3GPP access network and the 3GPP system each interact with the AAA server for authentication and obtain the real identity of the UE from the AAA server, which ensures that a non-3GPP UE can directly access the EPC network.

Method Embodiment 3

According to an embodiment of the present invention, a method for acquiring a user equipment identity is provided. The method is based on the mobile IPv6 protocol and includes the following steps: during the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identity is a pseudo UE identity, it sends the real identity of the UE to the P-GW. Then the P-GW sends a session establishment request to the PCRF and carries the real identity of the UE in the request. The PCRF receives the session establishment request and, according to the real identity of the UE, sends the policy information of the UE to the P-GW.

FIG. 7 is a detailed processing flowchart of the method for acquiring an identity in mobile IPv6 mode according to Method Embodiment 3 of the present invention. As shown in FIG. 7, the method includes the following steps (step S701 to step S710):

Step S701: the non-3GPP UE initially accesses the network, and access authentication and authorization of the UE are performed.

Step S701a: after the access authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the MAG of the non-3GPP access network, and the message carries the real identity of the UE.

Step S702: the UE initiates the layer 3 access trigger procedure. A UE that does not support mobile IP can trigger layer 3 access through the Dynamic Host Configuration Protocol (DHCP) procedure.

Step S703: the non-3GPP access network and the PCRF interact to complete the gateway session establishment procedure, during which the non-3GPP access network sends the real UE identity obtained in step S701a to the PCRF to identify the UE.

Step S704: the MAG located in the non-3GPP network sends a proxy binding update request to the P-GW. Depending on local policy, the MAG may omit the real UE identity of the UE from the proxy binding update request.

Step S705: after receiving the mobile IP registration request, the P-GW interacts with the AAA server for mobile IP authentication and authorization. Because the P-GW cannot tell whether the UE identity that came from the UE is the real identity of the UE, during this procedure the P-GW sends a request message to the AAA server, and the request message carries the UE identity that came from the UE.
Step S705a: the AAA server receives the request message, obtains the UE identity that came from the UE, and determines whether it, that is, the UE identity acquired by the P-GW, is the real identity of the UE.

Step S705b: if the UE identity acquired by the P-GW is a pseudo UE identity, then after the mobile IP authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message to the P-GW, and the message carries the real identity of the UE. If the UE identity acquired by the P-GW is the real identity of the UE, the AAA server may, depending on policy, either send or not send the real identity of the UE to the P-GW.

Step S706: the P-GW interacts with the AAA server to update the P-GW address.

Step S707: the P-GW uses the real UE identity obtained in step S705b to interact with the PCRF, completes the IP-CAN session establishment procedure, and obtains the policy of the UE.

Step S708: the P-GW sends a proxy binding update response message to the MAG, completing the proxy mobile IP registration procedure.

Step S709: the non-3GPP access network and the PCRF interact to complete the gateway session policy provision procedure.

Step S710: layer 3 access is completed through interaction with the non-3GPP access network.

Following these steps, the non-3GPP UE accesses the EPC network through the non-3GPP access network over the S2a interface, on which the protocol is proxy mobile IP6. Through the authentication and authorization procedure between the P-GW and the AAA server, a P-GW that has not obtained the real identity of the UE from the MAG obtains it and uses it to identify the UE.

Method Embodiment 4

According to an embodiment of the present invention, a method for acquiring a user equipment identity is provided; the method is based on the dual-stack mobile IP protocol. FIG. 8 is a flowchart of the method for acquiring a user equipment identity according to Method Embodiment 4 of the present invention. As shown in FIG. 8, the method includes the following steps (step S802 to step S804):

Step S802: the AAA server performs access authentication and authorization with the UE, sends an access accept message to the non-3GPP access network, and carries the real identity of the UE in the access accept message.

Further, the non-3GPP access network receives the access accept message, obtains the real identity of the UE, sends session establishment information to the PCRF, and carries the real identity of the UE in that information. The PCRF receives the session establishment information and obtains the real identity of the UE.

Step S804: during the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identity is a pseudo UE identity, it sends the real identity of the UE to the P-GW.

The authentication process between the AAA server and the P-GW specifically includes: the AAA server receives a security association establishment request from the P-GW, where the request carries the UE identity that the P-GW received from the UE.

Further, the method also includes: the P-GW sends a session establishment request to the PCRF and carries the real identity of the UE in the request; the PCRF receives the session establishment request and, according to the real identity of the UE, sends the policy information of the UE to the P-GW.

With the technical solution provided by this embodiment of the present invention, at different stages of the UE network access procedure, the relevant network elements of the non-3GPP access network and the 3GPP system each interact with the AAA server for authentication and obtain the real identity of the UE from the AAA server, which ensures that a non-3GPP UE can directly access the EPC network.

FIG. 9 is a detailed processing flowchart of a method for acquiring a user equipment identity in dual-stack mobile IP mode according to a method embodiment of the present invention. As shown in FIG. 9, the method includes the following steps (step S901 to step S908):

Step S901: the non-3GPP UE initially accesses the network, and access authentication and authorization of the UE are performed.

Step S901a: after the access authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the non-3GPP access network, and the message carries the real identity of the UE.

Step S902: the UE initiates the layer 3 access procedure in the non-3GPP access network and obtains a local IP address.

Step S903: the non-3GPP access network and the PCRF interact to complete the gateway session establishment procedure, during which the non-3GPP access network sends the real UE identity obtained in step S901a to the PCRF to identify the UE.

Step S904: the UE establishes a security association with the P-GW. During security association establishment, the UE sends a security association establishment request to the P-GW. The request carries a user equipment identity, which may be a pseudo UE identity or the real identity of the UE; for example, a traditional UE sends a pseudo UE identity.

Step S905: during security association establishment, the P-GW interacts with the AAA server for authentication and authorization. Because the P-GW cannot tell whether the UE identity that came from the UE is the real identity of the UE, during this mobile IP authentication and authorization procedure the P-GW sends a request message to the AAA server, and the request message carries the UE identity that came from the UE.
Step S905a: the AAA server receives the request message, obtains the UE identity that came from the UE, and determines whether it, that is, the UE identity acquired by the P-GW, is the real identity of the UE.

Step S905b: if the UE identity acquired by the P-GW is a pseudo UE identity, then after the mobile IP authentication and authorization procedure completes, the AAA server sends an AAA protocol access accept message to the P-GW, and the message carries the real identity of the UE. If the UE identity acquired by the P-GW is the real identity of the UE, the AAA server may, depending on policy, either send or not send the real identity of the UE to the P-GW.

Step S906: the UE initiates the mobile IP binding procedure and sends a mobile IP binding update request to the P-GW.

Step S907: the P-GW uses the real identity of the UE obtained in step 705b to interact with the PCRF, completes the IP-CAN session establishment procedure, and obtains the policy of the UE.

Step S908: the P-GW sends a mobile IP binding update response message to the UE, completing the mobile IP binding procedure.

Following these steps, the non-3GPP UE accesses the EPC network through the non-3GPP access network over the S2c interface, on which the protocol is dual-stack mobile IPv6. Both the non-3GPP access network and the P-GW can, through the authentication and authorization procedure with the AAA server, obtain the correct real UE identity from the AAA server and use it to identify the UE.

Device Embodiment 1

According to an embodiment of the present invention, an authentication, authorization and accounting server (AAA server) is further provided. The AAA server is configured to perform access authentication and authorization with the UE, obtain the real identity of the UE, send an access accept message to the non-3GPP access network, and carry the real identity of the UE in the access accept message. The AAA server is further configured to verify the UE identity sent by the P-GW and, when it verifies that the UE identity is not the real identity of the UE, to send the real identity of the UE to the P-GW.

Device Embodiment 2

According to an embodiment of the present invention, a packet data network gateway (P-GW) is further provided. The P-GW is configured to send a request message to the AAA server during the authentication process with the AAA server and to carry in the request message the UE identity that the P-GW received from the UE, so that the AAA server can verify whether the UE identity is the real identity of the UE. The P-GW is also configured to receive the real identity of the UE sent by the AAA server when the AAA server's verification fails.

Device Embodiment 3

According to an embodiment of the present invention, a policy and charging control function entity (PCRF) is further provided. The PCRF is configured to receive a session establishment message sent by the non-3GPP access network, where the session establishment message carries the real identity of the UE and that real identity was obtained by the non-3GPP access network from the AAA server, and to obtain the real identity of the UE from the received session establishment message.

System Embodiment

According to an embodiment of the present invention, a system for acquiring a user equipment identity is provided.

FIG. 10 is a structural block diagram of the system for acquiring a user equipment identity according to an embodiment of the present invention. As shown in FIG. 10, the system includes an authentication, authorization and accounting server (AAA server) 10, a non-3GPP access network 20, a packet data network gateway (P-GW) 30, and a policy and charging control function entity (PCRF) 40.
At least one of the AAA server 10, the P-GW 30 and the PCRF 40 used in this system embodiment may be implemented with the corresponding device provided in the device embodiments above. The components are described in detail below.

The AAA server 10 is configured to perform access authentication and authorization with the UE, obtain the real identity of the UE, send an access accept message to the non-3GPP access network 20, and carry the real identity of the UE in the access accept message. The AAA server 10 is further configured to verify the UE identity sent by the P-GW 30 and, when it verifies that the UE identity is not the real identity of the UE, to send the real identity of the UE to the P-GW 30.

The non-3GPP access network 20 is connected to the AAA server 10 and the PCRF 40, and is configured to receive the access accept message sent by the AAA server 10 and obtain the real identity of the UE.
The P-GW 30 is connected to the AAA server 10 and the PCRF 40. During the authentication process with the AAA server 10, it sends a request message to the AAA server 10 and carries in the request message the UE identity that the P-GW 30 received from the UE, so that the AAA server 10 can verify whether the UE identity is the real identity of the UE. It also receives the real identity of the UE sent by the AAA server 10 when the verification by the AAA server 10 fails. In addition, the P-GW 30 is configured to send a session establishment request to the PCRF 40 and to carry the real identity of the UE in the session establishment request.
The PCRF 40 is connected to the non-3GPP access network 20 and the P-GW 30. It is configured to receive a session establishment message sent by the non-3GPP access network 20, where the session establishment message carries the real identity of the UE and that real identity was obtained by the non-3GPP access network from the AAA server 10, and to obtain the real identity of the UE from the received session establishment message. In addition, the PCRF 40 is configured to receive the session establishment request sent to it by the P-GW 30 and, according to the real identity of the UE carried in that request, to send the policy information of the UE to the P-GW 30.

With the system for acquiring the UE identity provided by this embodiment of the present invention, at different stages of the UE network access procedure, the relevant network elements of the non-3GPP access network and the 3GPP system each interact with the AAA server for authentication and obtain the real identity of the UE from the AAA server, which ensures that a non-3GPP UE can directly access the EPC network.
As described above, with the method and/or system for acquiring a user equipment identity provided by the present invention, the FA located in the non-3GPP access network and the P-GW located in the 3GPP network interact with the AAA server in the authentication and authorization procedures at different stages of the network access procedure, and the AAA server delivers the real identity of the UE to the relevant network elements. This not only guarantees that the network elements on the network side can accurately obtain the real UE identity, but also removes the requirement that the UE must send its real UE identity, so that a traditional non-3GPP UE can directly access the 3GPP EPC network.

The above are only preferred embodiments of the present invention and are not intended to limit it. For those skilled in the art, the present invention may be modified and varied in many ways. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.
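The identity handling in steps S601a, S604, S606a/S606b and S608 can be traced end to end in a small Python model. This is an added example, not part of the patent: the class names, message fields, sample identities and policy string are all assumptions made for illustration, as is the convention that an accept without a real identity means the presented identity was already the real one. It also shows the failure the description attributes to the related art, where a P-GW that keys its PCRF request on the UE-supplied pseudo identity cannot match the gateway session opened under the real identity.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample values (assumptions, not taken from the patent).
REAL_ID = "imsi-001010123456789"
PSEUDO_ID = "pseudo-7f3a91@example.invalid"
POLICY = "default-qos-profile"


@dataclass
class AAAServer:
    subscribers: Set[str]                 # real UE identities
    pseudonyms: Dict[str, str]            # pseudo UE identity -> real identity
    disclose_when_real: bool = False      # policy choice left open in S606b

    def access_auth(self, authenticated_id: str) -> dict:
        """S601/S601a: the accept sent to the access network carries the real ID."""
        if authenticated_id not in self.subscribers:
            return {"result": "reject"}
        return {"result": "accept", "real_ue_id": authenticated_id}

    def mobile_ip_auth(self, presented_id: str) -> dict:
        """S606a/S606b: classify the identity relayed by the P-GW."""
        if presented_id in self.pseudonyms:           # pseudo: always disclose
            return {"result": "accept",
                    "real_ue_id": self.pseudonyms[presented_id]}
        if presented_id in self.subscribers:          # already real: by policy
            reply = {"result": "accept"}
            if self.disclose_when_real:
                reply["real_ue_id"] = presented_id
            return reply
        return {"result": "reject"}


@dataclass
class PCRF:
    policies: Dict[str, str]                          # real identity -> policy
    gateway_sessions: Dict[str, str] = field(default_factory=dict)

    def gateway_session(self, ue_id: str, access_network: str) -> None:
        """S604: the access network opens a gateway session under the real ID."""
        self.gateway_sessions[ue_id] = access_network

    def ip_can_session(self, ue_id: str) -> Optional[str]:
        """S608: policy is returned only if the ID matches a gateway session."""
        if ue_id not in self.gateway_sessions:
            return None
        return self.policies.get(ue_id)


@dataclass
class PGW:
    aaa: AAAServer
    pcrf: PCRF
    use_aaa_identity: bool = True

    def handle_registration(self, presented_id: str) -> Optional[str]:
        """S606 to S608 as seen from the P-GW."""
        reply = self.aaa.mobile_ip_auth(presented_id)
        if reply["result"] != "accept":
            return None
        ue_id = presented_id
        if self.use_aaa_identity:
            # No real_ue_id in the accept means (in this model) that the AAA
            # server judged the presented identity to be the real one.
            ue_id = reply.get("real_ue_id", presented_id)
        return self.pcrf.ip_can_session(ue_id)


def run_attach(presented_id: str, use_aaa_identity: bool = True) -> Optional[str]:
    """Run one attach and return the policy the P-GW obtains, or None."""
    aaa = AAAServer(subscribers={REAL_ID}, pseudonyms={PSEUDO_ID: REAL_ID})
    pcrf = PCRF(policies={REAL_ID: POLICY})
    accept = aaa.access_auth(REAL_ID)                               # S601a
    pcrf.gateway_session(accept["real_ue_id"], "non-3gpp-access")   # S604
    pgw = PGW(aaa, pcrf, use_aaa_identity)
    return pgw.handle_registration(presented_id)


if __name__ == "__main__":
    print("pseudo ID, AAA-resolved :", run_attach(PSEUDO_ID))
    print("pseudo ID, unresolved   :", run_attach(PSEUDO_ID, False))
    print("real ID                 :", run_attach(REAL_ID))
    print("unknown ID              :", run_attach("nobody@example.invalid"))
```
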

Claims

1. A method for acquiring a user equipment identity, based on the mobile IPv4 protocol, characterized by comprising:
an authentication, authorization and accounting server performing access authentication and authorization with a user equipment, the authentication, authorization and accounting server sending an access accept message to a foreign agent of a non-3GPP access network and carrying the real identity of the user equipment in the access accept message;
during an authentication process between the authentication, authorization and accounting server and a packet data network gateway, when the authentication, authorization and accounting server verifies that the user equipment identity is a pseudo user equipment identity, sending the real identity of the user equipment to the packet data network gateway.
2. The method according to claim 1, characterized in that the method further comprises:
the foreign agent receiving the access accept message, obtaining the real identity of the user equipment, sending session establishment information to a policy and charging control function entity, and carrying the real identity of the user equipment in the session establishment information;
the policy and charging control function entity receiving the session establishment information and obtaining the real identity of the user equipment.
3. 根据权利要求 1或 2所述的方法, 其特征在于, 所述认证授权计费服务 器与分组数据网网关的认证过程具体包括: The method according to claim 1 or 2, wherein the authentication process of the authentication and authorization charging server and the packet data network gateway specifically includes:
所述认证授权计费服务器接收来自所述分组数据网网关的接入请 求, 其中, 所述接入请求中携带有所述分组数据网网关接收到的所述用 户设备发送的用户设备标识。  The authentication and authorization charging server receives an access request from the packet data network gateway, where the access request carries the user equipment identifier sent by the user equipment received by the packet data network gateway.
4. 根据权利要求 1或 2所述的方法, 其特征在于, 所述方法还包括: The method according to claim 1 or 2, wherein the method further comprises:
所述分组数据网网关向所述策略和计费控制功能实体发送会话建 立请求, 并在所述会话建立请求携带所述用户设备的真实标识;  Transmitting, by the packet data network gateway, a session establishment request to the policy and charging control function entity, and carrying the real identity of the user equipment in the session establishment request;
所述策略和计费控制功能实体接收所述会话建立请求,根据所述用 户设备的真实标识, 将所述用户设备的策略信息发送给所述分组数据网 网关。  The policy and charging control function entity receives the session establishment request, and sends policy information of the user equipment to the packet data network gateway according to the real identifier of the user equipment.
5. A method for obtaining a user equipment identifier, based on the Mobile IPv4 protocol, characterized by comprising: an authentication, authorization and accounting (AAA) server performing access authentication and authorization with a user equipment, and the AAA server sending an access accept message to a foreign agent of a non-3GPP access network, wherein the access accept message carries the real identifier of the user equipment.
6. The method according to claim 5, characterized in that the method further comprises:
during the authentication process between the AAA server and a packet data network gateway, where the AAA server verifies that the user equipment identifier is a pseudo user equipment identifier, sending the real identifier of the user equipment to the packet data network gateway.
7. A method for obtaining a user equipment identifier, based on the Mobile IPv6 protocol, characterized by comprising: during the authentication process between the authentication, authorization and accounting (AAA) server and a packet data network gateway, where the AAA server verifies that the user equipment identifier is a pseudo user equipment identifier, sending the real identifier of the user equipment to the packet data network gateway.
8. The method according to claim 7, characterized in that the method further comprises:
the packet data network gateway sending a session establishment request to the policy and charging control function entity, and carrying the real identifier of the user equipment in the session establishment request;
the policy and charging control function entity receiving the session establishment request and, according to the real identifier of the user equipment, sending the policy information of the user equipment to the packet data network gateway.
9. A method for obtaining a user equipment identifier, based on the dual-stack Mobile IP protocol, characterized by comprising:
an authentication, authorization and accounting (AAA) server performing access authentication and authorization with a user equipment, the AAA server sending an access accept message to a non-3GPP access network, and carrying the real identifier of the user equipment in the access accept message;
during the authentication process between the AAA server and a packet data network gateway, where the AAA server verifies that the user equipment identifier is a pseudo user equipment identifier, sending the real identifier of the user equipment to the packet data network gateway.
10. The method according to claim 9, characterized in that the method further comprises:
the non-3GPP access network receiving the access accept message, obtaining the real identifier of the user equipment, sending session establishment information to a policy and charging control function entity, and carrying the real identifier of the user equipment in the session establishment information;
the policy and charging control function entity receiving the session establishment information and obtaining the real identifier of the user equipment.
11. The method according to claim 9 or 10, characterized in that the authentication process between the AAA server and the packet data network gateway specifically comprises:
the AAA server receiving a security association establishment request from the packet data network gateway, wherein the security association establishment request carries the user equipment identifier that the packet data network gateway received from the user equipment.
12. The method according to claim 9 or 10, characterized in that the method further comprises:
the packet data network gateway sending a session establishment request to the policy and charging control function entity, and carrying the real identifier of the user equipment in the session establishment request;
the policy and charging control function entity receiving the session establishment request and, according to the real identifier of the user equipment, sending the policy information of the user equipment to the packet data network gateway.
13. An authentication, authorization and accounting (AAA) server, characterized in that the AAA server is configured to perform access authentication and authorization with a user equipment, obtain the real identifier of the user equipment, send an access accept message to a non-3GPP access network, and carry the real identifier of the user equipment in the access accept message.
14. The AAA server according to claim 13, characterized in that the AAA server is further configured to verify the user equipment identifier sent by a packet data network gateway and, where the verification shows that the user equipment identifier is not the real identifier of the user equipment, to send the real identifier of the user equipment to the packet data network gateway.
15. A packet data network gateway, characterized in that the packet data network gateway is configured to, during the authentication process with an authentication, authorization and accounting (AAA) server, send a request message to the AAA server and carry in the request message the user equipment identifier that the packet data network gateway received from the user equipment, so that the AAA server verifies whether the user equipment identifier is the real identifier of the user equipment; and is configured to, where the verification by the AAA server fails, receive the real identifier of the user equipment sent by the AAA server.
16. A policy and charging control function entity, characterized in that the policy and charging control function entity is configured to receive a session establishment message sent by a non-3GPP access network, the session establishment message carrying the real identifier of the user equipment, wherein the real identifier of the user equipment is obtained by the non-3GPP access network from an authentication, authorization and accounting (AAA) server; and to obtain the real identifier of the user equipment according to the received session establishment message.
17. A system for obtaining a user equipment identifier, characterized by comprising an authentication, authorization and accounting (AAA) server, a non-3GPP access network, a packet data network gateway, and a policy and charging control function entity, wherein:
the AAA server is configured to perform access authentication and authorization with a user equipment, obtain the real identifier of the user equipment, send an access accept message to the non-3GPP access network, and carry the real identifier of the user equipment in the access accept message;
the non-3GPP access network is configured to receive the access accept message sent by the AAA server and obtain the real identifier of the user equipment;
the packet data network gateway is configured to, during the authentication process with the AAA server, send a request message to the AAA server and carry in the request message the user equipment identifier that the packet data network gateway received from the user equipment, so that the AAA server verifies whether the user equipment identifier is the real identifier of the user equipment; and is configured to, where the verification by the AAA server fails, receive the real identifier of the user equipment sent by the AAA server;
the policy and charging control function entity is configured to receive a session establishment message sent by the non-3GPP access network, the session establishment message carrying the real identifier of the user equipment, wherein the real identifier of the user equipment is obtained by the non-3GPP access network from the AAA server; and to obtain the real identifier of the user equipment according to the received session establishment message.
PCT/CN2008/073647 2008-06-17 2008-12-22 Aaa server, p-gw, pcrf, method and system for obtaining the ue's id WO2009152676A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810128801.0 2008-06-17
CN2008101288010A CN101459904B (en) 2008-06-17 2008-06-17 AAA server, P-GW, PCRF, obtaining method and system for customer equipment identification

Publications (1)

Publication Number Publication Date
WO2009152676A1 true WO2009152676A1 (en) 2009-12-23

Family

ID=40770471

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073647 WO2009152676A1 (en) 2008-06-17 2008-12-22 Aaa server, p-gw, pcrf, method and system for obtaining the ue's id

Country Status (2)

Country Link
CN (1) CN101459904B (en)
WO (1) WO2009152676A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103781048A (en) * 2012-10-19 2014-05-07 电信科学技术研究院 Addressing method and device for policy and charging control function

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945449B (en) * 2009-07-10 2015-06-03 中兴通讯股份有限公司 Method and device for switching terminal to home base station
CN101998444B (en) * 2009-08-14 2014-02-05 中国电信股份有限公司 Proxy mobile IPv4 processing method and system
CN102413452B (en) * 2010-09-20 2016-08-03 中兴通讯股份有限公司 A kind of method and system obtaining ID
CN105553923A (en) * 2014-11-04 2016-05-04 中兴通讯股份有限公司 Method for obtaining user identifier and network side equipment
CA2985663C (en) * 2015-05-12 2020-04-14 Telefonaktiebolaget Lm Ericsson (Publ) Method and nodes for handling access to epc services via a non-3gpp network
CN108848112B (en) * 2015-09-22 2019-07-12 华为技术有限公司 Cut-in method, equipment and the system of user equipment (UE)
EP3151599A1 (en) * 2015-09-30 2017-04-05 Apple Inc. Authentication failure handling for cellular network access through wlan
CN109768947A (en) * 2017-11-09 2019-05-17 中国移动通信有限公司研究院 A kind of method for authenticating user identity, device and medium
US11736484B2 (en) * 2017-12-28 2023-08-22 Paxgrid Cdn Inc. System for authenticating and authorizing access to and accounting for wireless access vehicular environment consumption by client devices
CN115396866A (en) * 2019-06-04 2022-11-25 华为技术有限公司 Method, device and system for sending terminal strategy

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007071275A1 (en) * 2005-12-22 2007-06-28 Telefonaktiebolaget L.M. Ericsson Subscriber authentication in mobile communication networks using unlicensed access networks
CN101159679A (en) * 2004-01-14 2008-04-09 华为技术有限公司 Method to obtaining user identification sign of packet data interface in wireless LAN

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2236471T3 (en) * 2002-06-04 2005-07-16 Alcatel A METHOD, A NETWORK ACCESS SERVER, AN AUTHENTICATION-AUTHORIZATION-ACCOUNTING SERVER AND A COMPUTER PROGRAM PRODUCT TO SUPPORT USER AUTHENTICATION-AUTHORIZATION-ACCOUNTING MESSAGES VIA A NETWORK ACCESS SERVER.
CN100370767C (en) * 2003-09-30 2008-02-20 华为技术有限公司 Management method for wireless LAN service usage by mobile subscriber
CN100355251C (en) * 2003-11-10 2007-12-12 华为技术有限公司 Method for sending a ata of user mark after renewing
CN100411335C (en) * 2004-01-14 2008-08-13 华为技术有限公司 Method for obtaiing user identification by packet data gate for wireless LAN
CN101159625B (en) * 2007-11-07 2011-04-20 中兴通讯股份有限公司 System and method of implementing monitor for police for WiMAX

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3GPP 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Architecture Enhancements for non-3GPP accesses", 3GPP TS 23.402 V1.5.1,, November 2007 (2007-11-01) *
"ZTE. Informing UE permanent ID to FA/PDN GW", CHANGE REQUEST S2-084587, 27 June 2008 (2008-06-27), pages - 084587 *

Also Published As

Publication number Publication date
CN101459904A (en) 2009-06-17
CN101459904B (en) 2010-12-29

Similar Documents

Publication Publication Date Title
WO2009152676A1 (en) Aaa server, p-gw, pcrf, method and system for obtaining the ue&#39;s id
US8769626B2 (en) Web authentication support for proxy mobile IP
EP3160176B1 (en) Using a service of a mobile packet core network without having a sim card
US7545768B2 (en) Utilizing generic authentication architecture for mobile internet protocol key distribution
KR101814969B1 (en) Systems and methods for accessing a network
JP4723158B2 (en) Authentication methods in packet data networks
RU2491733C2 (en) Method for user terminal authentication and authentication server and user terminal therefor
US10432632B2 (en) Method for establishing network connection, gateway, and terminal
KR102390380B1 (en) Support of emergency services over wlan access to 3gpp evolved packet core for unauthenticated users
US9226153B2 (en) Integrated IP tunnel and authentication protocol based on expanded proxy mobile IP
EP1770940A1 (en) Method and apparatus for establishing a communication between a mobile device and a network
US20060294363A1 (en) System and method for tunnel management over a 3G-WLAN interworking system
US20070022476A1 (en) System and method for optimizing tunnel authentication procedure over a 3G-WLAN interworking system
WO2012145134A1 (en) Method of and system for utilizing a first network authentication result for a second network
WO2013189217A1 (en) Method for updating identity information about packet gateway, aaa server and packet gateway
WO2016155012A1 (en) Access method in wireless communication network, related device and system
US20140307651A1 (en) Internet Protocol Address Registration
WO2011127774A1 (en) Method and apparatus for controlling mode for user terminal to access internet
WO2009135371A1 (en) Network connection mode determining method
WO2014005267A1 (en) Method, apparatus, and system for accessing mobile network
WO2014048197A1 (en) Method, system and device for user equipment to select visited public land mobile network
WO2008099254A2 (en) Authorizing n0n-3gpp ip access during tunnel establishment
TWI428031B (en) Authentication method and apparatus for user equipment and lipa network eneities
WO2013107243A1 (en) Session establishing method and device
KR100668660B1 (en) User authentication method for roaming service between portable internet and 3g network, and router of performing the same

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08874680

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08874680

Country of ref document: EP

Kind code of ref document: A1