WO2018196587A1 - User authentication method and apparatus in converged network - Google Patents


Info

Publication number
WO2018196587A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
network element
terminal device
type
parameter
Application number
PCT/CN2018/082289
Other languages
French (fr)
Chinese (zh)
Inventor
李汉成
于游洋
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2018196587A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/062 Pre-authentication

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a user authentication method and apparatus in a converged network.
  • the mobile terminal device accesses the network through the Third Generation Partnership Project (3GPP) network and completes access authentication to the mobile core network using the Extensible Authentication Protocol (EAP) carried over the non-access stratum (NAS).
  • 3GPP Third Generation Partnership Project
  • NAS non-access stratum
  • EAP Extensible Authentication Protocol
  • the Customer Premises Equipment (CPE), also known as customer front-end equipment, is based on Point-to-Point Protocol over Ethernet (PPPoE) or Internet Protocol over Ethernet (IPoE).
  • PPPoE Point-to-Point Protocol over Ethernet
  • IPoE Internet Protocol over Ethernet
  • the prior art cannot implement a fixed network terminal accessing the mobile core network. Therefore, for scenarios where both fixed and mobile networks need to be supported, two core networks need to be deployed to manage the mobile terminal and the fixed network terminal respectively, which brings about the problem of high network cost.
  • As shown in the schematic diagram of the next-generation communication system architecture in FIG., the architecture supports not only the standard set of 3GPP-defined wireless technologies (e.g., Long Term Evolution (LTE), fifth-generation mobile communication (5G), etc.) accessing the core network side (Core network), but also non-3GPP access technologies accessing the core network side through a non-3GPP Interworking Function (N3IWF) or a next generation packet data gateway (ngPDG), to implement a converged network.
  • N3IWF non-3GPP Interworking Function
  • ngPDG next generation packet data gateway
  • the application provides a user authentication method and device in a converged network to solve the user authentication problem in the converged network.
  • An aspect of the present application provides a user authentication method in a converged network. The method includes: an access network element receives an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device; the access network element sends an authentication parameter request to the control network element, where the authentication parameter request includes the access protocol type by which the terminal device accesses the access network element; the access network element receives at least one authentication parameter from the control network element and sends the at least one authentication parameter to the terminal device, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type; the access network element determines, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element, obtains the user authentication information of the terminal device, and sends the user authentication information and the determined authentication parameter to the control network element for authentication; the access network element receives an authentication result from the control network element and sends the authentication result to the terminal device.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the terminal device may also provide the authentication type it supports, but which authentication type is used is negotiated between the terminal device and the access network element, and the control network element may preferentially use an authentication type supported by the terminal device.
  • the at least one authentication type includes the Password Authentication Protocol (PAP), and the parameter corresponding to this authentication type is null.
  • PAP is a simple authentication type that enables fast authentication.
  • the at least one authentication type includes the Challenge Handshake Authentication Protocol (CHAP), and the parameters corresponding to this authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • CHAP is a highly secure authentication type that enables secure and reliable authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • Another aspect of the present application provides a user authentication method in a converged network. The method includes: the terminal device sends an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device; the terminal device receives at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type; the terminal device determines, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element, and sends user authentication information to the access network element; the terminal device receives an authentication result from the access network element.
  • user authentication when any terminal device accesses the converged network is implemented, so that any terminal device can access the converged network securely and reliably.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the terminal device may also provide the requested authentication type, but which authentication type is used for authentication is negotiated between the terminal device and the access network element, and the control network element may preferentially adopt an authentication type supported by the terminal device.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • a further aspect of the present application provides a user authentication method in a converged network. The method includes: a control network element receives an authentication parameter request from an access network element, where the authentication parameter request includes the access protocol type by which a terminal device accesses the access network element; the control network element generates at least one authentication parameter according to the authentication parameter request and sends the at least one authentication parameter to the access network element, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type supported according to the authentication parameter request, and/or a parameter corresponding to that authentication type; the control network element receives, from the access network element, the user authentication information together with the one authentication parameter, among the at least one authentication parameter, that is supported by both the terminal device and the control network element, and authenticates the user authentication information using the determined authentication parameter to obtain an authentication result; the control network element sends the authentication result to the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the terminal device may also provide the requested authentication type, but which authentication type is used for authentication is negotiated between the terminal device and the access network element, and the control network element may preferentially adopt an authentication type supported by the terminal device.
  • the at least one authentication type includes the Password Authentication Protocol (PAP), and the parameter corresponding to this authentication type is null.
  • PAP is a simple authentication type that enables fast authentication.
  • the at least one authentication type includes the Challenge Handshake Authentication Protocol (CHAP), and the parameters corresponding to this authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • CHAP is a highly secure authentication type that enables secure and reliable authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • an access network element is provided, and the access network element has a function of implementing access network element behavior in the foregoing method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the access network element can be referred to the method embodiments of the foregoing access network elements and their beneficial effects. Therefore, the implementation of the device can refer to the implementation of the method, and details are not repeated here.
  • a terminal device having a function of implementing the behavior of the terminal device in the above method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the device can be referred to the method embodiments of the foregoing terminal devices and their beneficial effects. Therefore, the implementation of the device can refer to the implementation of the method, and details are not repeated here.
  • a control network element is provided, and the control network element has a function of implementing the behavior of controlling a network element in the foregoing method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the device can be referred to the method embodiments of the foregoing control network elements and their beneficial effects. Therefore, the implementation of the device can refer to the implementation of the method, and details are not repeated here.
  • a user authentication method in a converged network includes: an access network element receives an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation to determine the authentication type with which the terminal device performs user authentication; the access network element determines that the authentication type of the terminal device for user authentication is plaintext authentication; the access network element receives user authentication information from the terminal device, and sends the user authentication information and the authentication type to the control network element for authentication; the access network element receives the authentication result from the control network element and sends the authentication result to the terminal device.
  • the access network element determining that the authentication type of the terminal device is plaintext authentication includes: the access network element is configured such that the authentication type of the terminal device is plaintext authentication; the access network element sends an authentication type negotiation request to the terminal device, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and the access network element receives a first negotiation feedback message from the terminal device, where the first negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plaintext authentication.
  • the access network element determining that the authentication type of the terminal device is plaintext authentication includes: the access network element determines, according to the authentication negotiation request, that the authentication type of the terminal device is plaintext authentication, where the authentication negotiation request is further used to indicate that the authentication type supported by the terminal device is plaintext authentication; and the access network element sends a second negotiation feedback message to the terminal device, where the second negotiation feedback message is used to indicate that the access network element agrees that the authentication type is plaintext authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • a still further aspect of the present application provides a user authentication method in a converged network. The method includes: the terminal device sends an authentication negotiation request to the access network element, where the authentication negotiation request is used to request negotiation to determine the authentication type with which the terminal device performs user authentication; the terminal device determines that the authentication type for user authentication is plaintext authentication; the terminal device sends user authentication information to the access network element; and the terminal device receives an authentication result from the access network element.
  • user authentication when any terminal device accesses the converged network is implemented, so that any terminal device can access the converged network securely and reliably; and because the terminal device and the access network element directly determine that the authentication type is plaintext authentication, there is no need to request authentication parameters from the control network element, which simplifies the authentication process.
  • the terminal device determining that the authentication type for user authentication is plaintext authentication includes: the terminal device receives a negotiation request from the access network element, where the negotiation request is used to negotiate the authentication type; and the terminal device sends a first negotiation feedback message to the access network element, where the first negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plaintext authentication.
  • the terminal device determining that the authentication type for user authentication is plaintext authentication includes: the terminal device receives a second negotiation feedback message from the access network element, where the second negotiation feedback message is used to indicate that the access network element agrees that the authentication type is plaintext authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • an access network element has a function of implementing access network element behavior in the foregoing method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the access network element can be referred to the method embodiments of the foregoing access network elements and their beneficial effects. Therefore, the implementation of the device can refer to the implementation of the method, and details are not repeated here.
  • a terminal device having a function of implementing a behavior of a terminal device in the above method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the device can be referred to the method embodiments of the foregoing terminal devices and their beneficial effects. Therefore, the implementation of the device can refer to the implementation of the method, and details are not repeated here.
  • Yet another aspect of the present application provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the above aspects.
  • Yet another aspect of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
  • FIG. 1 is a schematic diagram of an exemplary communication system architecture
  • FIG. 2 is a schematic diagram of interaction of a user authentication method in a converged network according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of interaction of another user authentication method in a converged network according to an embodiment of the present disclosure
  • FIG. 4 is a schematic diagram of a module for accessing a network element according to an embodiment of the present disclosure
  • FIG. 5 is a schematic diagram of a module of a terminal device according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic diagram of a module for controlling a network element according to an embodiment of the present disclosure
  • FIG. 7 is a schematic diagram of another module for accessing a network element according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic diagram of another terminal device according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic diagram of a hardware architecture of an access network element/terminal device/control network element according to an embodiment of the present invention.
  • the communication system involved in the embodiments of the present invention mainly includes: an access network element, a user plane function network element, and a control plane network element.
  • the control plane network element may also be referred to as a control network element.
  • the access network element is mainly responsible for access management of the terminal equipment (User Equipment, UE); the user plane function network element is mainly responsible for packet data forwarding, QoS control, accounting information statistics, etc.; the control plane function network element is mainly responsible for user authentication, sending packet forwarding policies and QoS control policies to users, and so on.
  • the communication system may be a 5G communication system (for example, a New Radio (NR) system), a communication system in which a plurality of communication technologies are integrated (for example, a communication system in which LTE technology and NR technology are integrated), or a subsequent evolved communication system.
  • the terminal device in the example may be a fixed network terminal device; or may be a mobile terminal device, for example, a handheld device having a wireless communication function, an in-vehicle device, a wearable device, a computing device, or other processing device connected to the wireless modem.
  • Terminal devices in different networks may be called by different names, such as: user equipment, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device; a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), or terminal equipment in a 5G network or a future
  • the embodiments of the present invention mainly relate to communication between a terminal device, an access network element, and a control network element, and perform user authentication.
  • the terminal device requests negotiation to determine its authentication parameter by sending an authentication negotiation request, where the authentication negotiation request includes the access protocol type of the terminal device; the access network element sends an authentication parameter request to the control network element; the control network element generates at least one authentication parameter corresponding to the access protocol type of the terminal device and sends it to the access network element; the access network element negotiates with the terminal device to determine one authentication parameter supported by both the terminal device and the control network element; and the access network element sends the determined authentication parameter and the user authentication information received from the terminal device to the control network element for user authentication and obtains the authentication result. Therefore, the user authentication method and device in the converged network provided by the embodiments of the present invention enable user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 1 is a schematic diagram of an exemplary 5G communication system architecture.
  • AN access network element (Access Network)
  • RAN radio access network element (Radio Access Network)
  • UPF user plane function network element (User Plane Function)
  • CP control plane network element (Control Plane)
  • the AN, the UPF, and the CP respectively correspond to the access network element, the user plane function network element, and the control plane function network element described above.
  • UPF is mainly responsible for packet data packet forwarding, QoS control, accounting information statistics, etc.
  • the CP is mainly responsible for sending data packet forwarding policies and QoS control policies to the user plane.
  • the CP specifically includes an Access and Mobility Management Function (AMF), a Session Management Function (SMF), an Authentication Service Function (AUSF), and a Unified Data Management (UDM) network element.
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • AUSF Authentication Service Function
  • UDM Unified Data Management
  • PCF Policy Control Function
  • AF Application Function
  • AMF is used for access management in a converged network
  • UDM is used to manage user subscription information.
  • the access protocol types by which the UE accesses the converged network include PPPoE, 802.1X, and so on.
  • the PPPoE discovery process may be performed between the UE and the AN.
  • the discovery process may include the following steps (not shown):
  • Step 1 The UE discovers the access network and sends a PPPoE Active Discovery Initiation (PADI) to the AN to initiate the PPPoE discovery process.
  • PADI PPPoE Active Discovery Initiation
  • the discovery of the access network is a logical process used to illustrate the point in time at which the PADI is initiated. Generally, when the UE is powered on and establishes a physical link, it is considered to be connected to the network; or it may be manual, such as clicking a PPPoE connection.
  • Step 2 AN selects AMF.
  • AMF is a component of the CP responsible for access and mobility management, as shown in FIG. 1. This embodiment describes the CP as a whole, and only in this step, which specifically concerns the AMF component of the CP, is the interaction of the AN with the AMF component described.
  • the AN may select the AMF based on a prior configuration or an access protocol type of the UE or the like.
  • Step 3 The AN generates a Registration NAS message according to the received PADI from the UE, and sends the message to the CP.
  • the Registration NAS message can also be said to be generated by the UE and then sent to the AN, which is not limited herein.
  • the Registration NAS message carries the Network Access Identity (NAI), and the NAI contains user information from the PADI, such as at least one of: a device identifier, a circuit ID, a virtual local area network identifier (VLAN ID), a user physical address (user MAC), and a host name.
  • NAI Network Access Identity
  • Step 4 The AN and the core network side complete the authentication and registration process according to the existing definition, and then the AN and the UE side complete the PPPoE discovery process. Specifically, the method further includes: Step 41) completing the authentication process between the AN and the core network, where the AN responds to the NAS messages on behalf of the UE; Step 42) the core network side answers with a registration completion message; Step 43) the AN allocates a session identifier (Session ID) and completes the PPPoE discovery process with the UE.
  • Session ID session identifier
  • a PPPoE session process may be performed, where the PPPoE session process includes user authentication, IP address allocation, and formal session.
  • Embodiments of the present invention generally relate to a user authentication process therein.
  • FIG. 2 is a schematic diagram of interaction of a user authentication method in a converged network according to an embodiment of the present invention, where the method is applicable to the foregoing communication system. Specifically, the method can include the following steps:
  • the terminal device sends an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device.
  • the access protocol type of the UE accessing the converged network includes the PPPoE, the 802.1X, and the Dynamic Host Configuration Protocol (DHCP).
  • the AN can be configured with the access protocol type of the UE, or the AN can determine the access protocol type of the UE according to the user packet of the UE received in the PPPoE discovery process, which is not limited herein.
  • Each access protocol type can correspond to one or more authentication parameters, and the UE and the CP must use the same authentication parameter for authentication so that the user authentication process can complete successfully. Therefore, in user authentication based on these protocols, the authentication parameters are negotiated between the UE and the AN.
  • Taking the PPPoE access protocol as an example, the UE sends a Link Control Protocol (LCP) negotiation request to the AN as the authentication negotiation request; the LCP negotiation request is used to negotiate and determine the UE's authentication parameter, and it includes the access protocol type by which the UE accesses the AN.
  • the authentication parameter includes an authentication type and a parameter corresponding to the authentication type.
  • the AN receives an LCP negotiation request from the UE.
  • LCP Link Control Protocol
  • the LCP negotiation request may also include an authentication type supported by the UE, or an authentication type that the UE expects to perform.
  • the access network element sends an authentication parameter request to the control network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element.
  • the AN constructs an authentication parameter request, and the authentication parameter request includes an access protocol type in which the terminal device accesses the AN.
  • the AN then sends an authentication parameter request to the CP.
  • the CP receives an authentication parameter request from the AN.
  • the AN may choose whether or not to carry the authentication type supported by the UE in the authentication parameter request. If the AN does not carry the authentication type supported by the UE, the authentication parameters the AN receives from the CP are all the authentication parameters supported by the CP corresponding to the access protocol type, and these generally include the authentication type supported by the UE.
  • the control network element generates at least one authentication parameter according to the authentication parameter request, where each authentication parameter includes an authentication type determined to be supported according to the authentication parameter request, and/or a parameter corresponding to that authentication type.
  • the CP selects one or more authentication types corresponding to the access protocol type included in the authentication parameter request. Then, since the CP has previously completed the authentication and registration process with the UE, the CP has already obtained the user subscription information of the UE (stored beforehand in the UDM) according to the UE's user information; therefore, the CP generates the parameters corresponding to each authentication type according to the user subscription information of the UE and the selected authentication type.
  • the CP itself stores the authentication parameters. Specifically, the authentication parameters are generated by the AUSF module in the CP.
  • Authentication types include the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP).
  • For PAP, the corresponding parameter is null, that is, its parameter is {PAP: NULL}, or no parameter corresponding to PAP is included in the authentication parameter.
  • For CHAP, the corresponding parameters include: an algorithm, a challenge identifier, and/or a challenge identifier length; for example, its parameters are {CHAP: {algorithm: 5 (MD5); Challenge ID Length: 16; Challenge ID: ****}}.
  • the CP preferentially responds with only the authentication type supported by the UE and provides the corresponding parameter information. For example, if the authentication type requested by the UE is PAP, and the CP supports both the PAP and CHAP authentication types, the authentication type the CP answers with is PAP.
  • the control network element sends the at least one authentication parameter to the access network element.
  • the access network element sends the at least one authentication parameter to the terminal device.
  • the CP sends the generated one or more authentication parameters to the AN, and the AN receives at least one authentication parameter from the CP.
  • the AN sends the received one or more authentication parameters to the UE, and the UE receives at least one authentication parameter from the AN.
  • the access network element determines, in the at least one type of authentication parameter, one of the authentication parameters supported by the terminal device and the control network element.
  • the terminal device determines, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element.
  • the negotiation process may be implemented in multiple ways: the AN may send a negotiation request to the UE, the UE feeds back the authentication type supported by the UE, and then the AN responds; or the UE sends a negotiation request to the AN, where the negotiation request carries the authentication type supported by the UE, and the AN responds.
  • the AN negotiates with the UE to determine one of the authentication parameters supported by the UE and the CP.
  • the AN may respond whether the CP supports the authentication type, or the AN may allow the UE to feed back again the authentication type supported by the UE among the one or more authentication types sent; this is not limited.
  • the terminal device sends user authentication information to the access network element.
  • After the UE negotiates with the AN to determine the authentication type, the UE sends the user authentication information corresponding to the authentication type to the AN.
  • the user authentication information is, for example, a username and a password.
  • the AN receives user authentication information from the UE.
  • the access network element sends the user authentication information and the determined one of the authentication parameters to the control network element for authentication.
  • the AN sends the authentication parameter determined through negotiation with the UE (specifically, the negotiated authentication type) together with the user authentication information sent by the UE to the CP for authentication.
  • the CP receives user authentication information from the AN and one of the determined authentication parameters.
  • the control network element authenticates the user authentication information by using the determined one of the authentication parameters, and obtains an authentication result.
  • the CP obtains the comparison information according to the authentication parameters. For example, for the CHAP authentication type, the authentication parameter determined by negotiation and the user subscription information are used for calculation to obtain the comparison information; for the PAP authentication type, the user subscription information is directly used as the comparison information. The comparison information and the user authentication information are then compared to complete the authentication process.
  • the comparison process is, for example, as follows. The user subscription information is (user name: A, password: B); the authentication parameters are, for example, {algorithm: 5 (MD5); Challenge ID Length: 16; Challenge ID: C}.
  • the CP receives the user authentication information as (user name: A, password: D).
  • for CHAP authentication, the password B in the user subscription information and the challenge identifier C in the authentication parameter are used for MD5 calculation to obtain the digit string E, and the comparison is then performed: the user name is compared with A, and if the password D and the digit string E are equal, the user is legal; otherwise the user is illegal.
  • for PAP authentication, the user name is compared with A, and the password D and the password B in the subscription information are compared directly; if they are equal, the user is legal; otherwise the user is illegal.
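The CP-side parameter generation, the AN/UE negotiation and the PAP/CHAP comparison process described above, as an added Python model that is not part of the patent: the subscription store, the access protocol names, the CP's preference order and the exact bytes fed to MD5 are assumptions (the patent only names the fields and says password B and challenge C are hashed).

```python
import hashlib
import hmac
import os

# Constructed subscription store standing in for the UDM: username -> password.
# Mirrors the patent's example subscription (user name: A, password: B).
SUBSCRIPTIONS = {"A": "B"}

# Authentication types the CP supports per access protocol type. The mapping
# and the protocol names are assumptions; the patent only names PAP and CHAP.
CP_SUPPORTED = {"PPPoE": ["CHAP", "PAP"], "IPoE": ["PAP"]}

# Algorithm code used in the patent's CHAP parameter example: 5 means MD5.
CHAP_ALG_MD5 = 5


def generate_auth_params(access_protocol, ue_supported=None, challenge=None):
    """CP side: build one parameter set per authentication type.

    If the AN carried the UE's supported types in the request, only those are
    answered (the preferential response described in the text). `challenge`
    may be fixed for testing; a real CP draws a fresh random challenge.
    """
    types = CP_SUPPORTED.get(access_protocol, [])
    if ue_supported is not None:
        types = [t for t in types if t in ue_supported]
    params = []
    for t in types:
        if t == "PAP":
            params.append({"PAP": None})  # {PAP: NULL} in the text
        elif t == "CHAP":
            chal = challenge if challenge is not None else os.urandom(16)
            params.append({"CHAP": {"algorithm": CHAP_ALG_MD5,
                                    "challenge_id_length": len(chal),
                                    "challenge_id": chal}})
    return params


def negotiate(auth_params, ue_supported):
    """AN/UE side: pick the first parameter set whose type the UE supports.

    The order of `auth_params` is taken as the CP's preference (assumption).
    Returns None when there is no authentication type common to UE and CP.
    """
    for p in auth_params:
        if next(iter(p)) in ue_supported:
            return p
    return None


def chap_response(secret, challenge):
    """Digit string E: MD5 over the password and the challenge identifier.

    The byte layout hashed is an assumption; RFC 1994 CHAP hashes
    identifier | secret | challenge. The patent only says both inputs are used.
    """
    return hashlib.md5(secret.encode() + challenge).hexdigest()


def authenticate(auth_param, username, credential):
    """CP side: derive the comparison information and compare it.

    For PAP the subscription password itself is the comparison information;
    for CHAP it is the MD5 value computed from the subscription password and
    the negotiated challenge. Returns True for a legal user, False otherwise.
    """
    subscribed = SUBSCRIPTIONS.get(username)
    if subscribed is None:
        return False  # unknown user name: nothing to compare against
    auth_type, p = next(iter(auth_param.items()))
    if auth_type == "PAP":
        expected = subscribed
    elif auth_type == "CHAP":
        if p.get("algorithm") != CHAP_ALG_MD5:
            return False  # only the algorithm the text names is modelled
        if len(p["challenge_id"]) != p.get("challenge_id_length"):
            return False  # malformed parameter set
        expected = chap_response(subscribed, p["challenge_id"])
    else:
        return False
    # Constant-time comparison so the check itself leaks nothing about B or E.
    return hmac.compare_digest(expected.encode(), credential.encode())


if __name__ == "__main__":
    # Walk the patent's example: CHAP with challenge C, then the PAP case.
    params = generate_auth_params("PPPoE", challenge=b"C" * 16)
    chosen = negotiate(params, ["CHAP"])
    print("CHAP:", authenticate(chosen, "A", chap_response("B", b"C" * 16)),
          authenticate(chosen, "A", "D"))  # True False
    print("PAP:", authenticate({"PAP": None}, "A", "B"))  # True
```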
  • the control network element sends the authentication result to the access network element.
  • the authentication result includes: the authentication succeeds and the user is a legitimate user, or the authentication fails and the user is an illegal user.
  • the CP sends the authentication result to the AN, and the AN receives the authentication result from the CP.
  • the access network element sends the authentication result to the terminal device.
  • the AN notifies the UE of the authentication result of the CP, and the UE receives the authentication result from the AN.
  • the UE can be a mobile terminal device or a fixed network terminal device. Any terminal device can access the converged network for user authentication in this manner, so that any terminal device can access the converged network securely and reliably.
  • the user authentication method in the converged network implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 3 is a schematic diagram of interaction of another user authentication method in a converged network according to an embodiment of the present invention, where the method is applicable to the foregoing communication system. Specifically, the method can include the following steps:
  • the terminal device sends an authentication negotiation request to the access network element.
  • the UE sends an authentication negotiation request to the AN to perform user authentication.
  • the authentication negotiation request is used to request negotiation to determine the type of authentication in which the UE performs user authentication.
  • the authentication negotiation request may be used to indicate that the authentication type supported by the UE is plaintext authentication. In another implementation manner, the authentication negotiation request does not include the indication.
  • the AN receives an authentication negotiation request from the UE.
  • the access network element and the terminal device determine that the authentication type of the terminal device for user authentication is plaintext authentication.
  • when the authentication type of plaintext authentication (that is, PAP authentication) is adopted, the AN does not need to obtain the authentication parameter from the CP, and the AN and the UE directly determine that the authentication type for performing user authentication is plaintext authentication.
  • the access network element determines that the authentication type of the terminal device is plaintext authentication, and the method includes: configuring, by the access network element, that the authentication type of the terminal device is plaintext authentication; sending, by the access network element, an authentication type negotiation request to the terminal device, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and receiving, by the access network element, a first negotiation feedback message from the terminal device, where the first negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plaintext authentication.
  • the terminal device determines that the authentication type of the user authentication is plaintext authentication, and the method includes: the terminal device receives a negotiation request from the access network element, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and the terminal device sends a first negotiation feedback message to the access network element, where the first negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plaintext authentication.
  • the AN configures the authentication type of the UE to be plaintext authentication, and then negotiates with the UE.
  • the access network element determines that the authentication type of the terminal device is plaintext authentication, and the method includes: determining, by the access network element according to the authentication negotiation request, that the authentication type of the terminal device is plaintext authentication, where the authentication negotiation request is further used to indicate that the authentication type supported by the terminal device is plaintext authentication; and sending, by the access network element, a second negotiation feedback message to the terminal device, where the second negotiation feedback message is used to indicate that the access network element agrees that the authentication type is plaintext authentication.
  • the terminal device determines that the authentication type of the user authentication is plaintext authentication, and the method includes: the terminal device receives a second negotiation feedback message from the access network element, where the second negotiation feedback message is used to indicate that the access network element agrees that the authentication type is plaintext authentication.
  • the UE indicates in the authentication negotiation request that the supported authentication type is plain text authentication, and then the AN feeds back whether it agrees to adopt the authentication type of the plain text authentication, thereby completing the negotiation process.
  • the terminal device sends user authentication information to the access network element.
  • After the UE negotiates with the AN to determine that the authentication type is plaintext authentication, the UE sends the user authentication information corresponding to the authentication type to the AN.
  • the AN receives user authentication information from the UE.
  • the user authentication information is, for example, a username and a password.
  • the access network element sends the user authentication information and the authentication type to the control network element for authentication.
  • the AN notifies the CP of the user authentication information and of the authentication type being plaintext authentication, so that the CP authenticates the user authentication information.
  • the CP receives user authentication information and authentication type from the AN.
  • the user subscription information is (user name: A, password: B).
  • the CP receives the user authentication information as: (user name: A, password: D)
  • the user name is compared with A, and the password D and the password B in the subscription information are compared directly; if they are equal, the user is legal, otherwise the user is illegal.
  • the control network element authenticates the user authentication information according to the authentication type, and obtains an authentication result.
  • the control network element sends the authentication result to the access network element.
  • the AN receives the authentication result from the CP.
  • the access network element sends the authentication result to the terminal device.
  • the UE receives the authentication result from the AN.
  • the terminal device and the access network element directly determine that the authentication type is plaintext authentication, and the authentication parameter is not required to be requested from the control network element, which simplifies the authentication process.
  • it may also be directly configured that the UE does not need to be authenticated, that is, authentication is not required. In that case, when the AN receives the LCP negotiation request, the AN sends an indication that the UE does not need to be authenticated to the UE, and the UE can then access the network for subsequent operations.
  • the user authentication method in the converged network implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element directly determine that the authentication type is plaintext authentication, and do not need to request an authentication parameter from the control network element, which simplifies the authentication process.
  • FIG. 4 is a schematic diagram of the modules of an access network element according to an embodiment of the present invention.
  • the access network element may be an access network element described in the foregoing communication system.
  • the access network element 1000 includes: a receiving unit 11, a sending unit 12, and a determining unit 13; wherein:
  • the receiving unit 11 is configured to receive an authentication negotiation request from the terminal device, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device;
  • the sending unit 12 is configured to send an authentication parameter request to the control network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the receiving unit 11 is further configured to receive at least one authentication parameter from the control network element, where the at least one authentication parameter corresponds to the access protocol type, and each type of authentication parameter includes an authentication type, and / or a parameter corresponding to the type of authentication;
  • the sending unit 12 is further configured to send the at least one authentication parameter to the terminal device;
  • the determining unit 13 is configured to determine, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the receiving unit 11 is further configured to acquire user authentication information of the terminal device
  • the sending unit 12 is further configured to send the user authentication information and the determined one of the authentication parameters to the control network element for authentication;
  • the receiving unit 11 is further configured to receive an authentication result from the control network element.
  • the sending unit 12 is further configured to send the authentication result to the terminal device.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • An access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 5 is a schematic diagram of a module of a terminal device according to an embodiment of the present invention.
  • the terminal device may be a terminal device described in the foregoing communication system.
  • the terminal device 2000 includes: a sending unit 21, a receiving unit 22, and a determining unit 23; wherein:
  • the sending unit 21 is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device.
  • the receiving unit 22 is configured to receive at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type, each authentication parameter includes an authentication type, and/or a parameter corresponding to the authentication type;
  • the determining unit 23 is configured to determine, in the at least one type of authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the sending unit 21 is further configured to send user authentication information to the access network element.
  • the receiving unit 22 is further configured to receive an authentication result from the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • a terminal device implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 6 is a schematic diagram of the modules of a control network element according to an embodiment of the present invention.
  • the control network element may be a control network element described in the foregoing communication system.
  • the control network element 3000 includes: a receiving unit 31, a generating unit 32, a sending unit 33, and an authenticating unit 34; wherein:
  • the receiving unit 31 is configured to receive an authentication parameter request from the access network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the generating unit 32 is configured to generate, according to the authentication parameter request, at least one type of authentication parameter, where the at least one type of authentication parameter corresponds to the access protocol type, and each type of authentication parameter includes: an authentication type confirmed as supported according to the authentication parameter request, and/or a parameter corresponding to the authentication type;
  • the sending unit 33 is configured to send the at least one authentication parameter to the access network element
  • the receiving unit 31 is further configured to receive, from the access network element, user authentication information and the one authentication parameter, determined by the access network element in the at least one authentication parameter, that is supported by the terminal device and the control network element;
  • the authentication unit 34 is configured to authenticate the user authentication information by using the determined one of the authentication parameters to obtain an authentication result.
  • the sending unit 33 is further configured to send the authentication result to the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • a control network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 7 is a schematic diagram of another module of an access network element according to an embodiment of the present invention.
  • the access network element may be an access network element in the foregoing communication system.
  • the access network element 4000 may include: a receiving unit 41, a determining unit 42 and a sending unit 43; wherein:
  • the receiving unit 41 is configured to receive an authentication negotiation request from the terminal device, where the authentication negotiation request is used to request the negotiation to determine the authentication type of the terminal device for performing user authentication.
  • the determining unit 42 is configured to determine that the authentication type of the terminal device is plain text authentication
  • the receiving unit 41 is further configured to receive user authentication information from the terminal device;
  • the sending unit 43 is configured to send the user authentication information and the authentication type to the control network element for authentication;
  • the receiving unit 41 is further configured to receive an authentication result from the control network element.
  • the sending unit 43 is further configured to send the authentication result to the terminal device.
  • An access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element directly determine that the authentication type is plaintext authentication, and do not need to request authentication parameters from the control network element, which simplifies the authentication process.
  • FIG. 8 is a schematic diagram of another terminal device according to an embodiment of the present disclosure, where the terminal device may be a terminal device in the foregoing communication system.
  • the terminal device 5000 may include: a sending unit 51, a determining unit 52, and a receiving unit 53; wherein:
  • the sending unit 51 is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to request the negotiation to determine the authentication type of the terminal device for performing user authentication.
  • the determining unit 52 is configured to determine that the authentication type of the user authentication is plaintext authentication;
  • the sending unit 51 is further configured to send user authentication information to the access network element.
  • the receiving unit 53 is configured to receive an authentication result from the access network element.
  • a terminal device implements user authentication when any terminal device accesses a converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element directly determine that the authentication type is plaintext authentication, and do not need to request authentication parameters from the control network element, which simplifies the authentication process.
  • the embodiment of the present invention further provides an access network element, where the access network element can be an access network element in the foregoing communication system, and the access network element can adopt the hardware architecture shown in FIG.
  • the access network element can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus.
  • the related functions implemented by the receiving unit 11 in FIG. 4 may be implemented by a receiver, the related functions implemented by the sending unit 12 may be implemented by a transmitter, and the related functions implemented by the determining unit 13 may be implemented by one or more processors.
  • the memory includes, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an Erasable Programmable Read Only Memory (EPROM), or a portable Compact Disc Read-Only Memory (CD-ROM), which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example, including one or more central processing units (CPUs).
  • the CPU may be a single-core CPU or a multi-core CPU.
  • the memory is used to store program code and data of the network device.
  • the receiver is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device;
  • the transmitter is configured to send an authentication parameter request to the control network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the receiver is further configured to receive at least one authentication parameter from the control network element, where the at least one authentication parameter corresponds to the access protocol type, each authentication parameter includes an authentication type, and/or a parameter corresponding to the authentication type;
  • the transmitter is further configured to send the at least one authentication parameter to the terminal device;
  • the processor is configured to determine, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the receiver is further configured to acquire user authentication information of the terminal device
  • the transmitter is further configured to send the user authentication information and the determined one of the authentication parameters to the control network element for authentication;
  • the receiver is further configured to receive an authentication result from the control network element
  • the transmitter is further configured to send the authentication result to the terminal device.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • Figure 9 only shows a simplified design of the access network element.
  • the access network element may further include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all access network elements that can implement the embodiments of the present invention are within the scope of the invention.
  • An access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • the embodiment of the present invention further provides a terminal device, which may be a terminal device in the foregoing communication system, and the terminal device may adopt the hardware architecture shown in FIG.
  • the terminal device may include a receiver, a transmitter, a memory, and a processor, the receiver, the transmitter, the memory, and the processor being connected to each other by a bus.
  • the related functions implemented by the sending unit 21 in FIG. 5 may be implemented by a transmitter, the related functions implemented by the receiving unit 22 may be implemented by a receiver, and the related functions implemented by the determining unit 23 may be implemented by one or more processors.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data of the terminal device.
  • the transmitter is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device;
  • the receiver is configured to receive at least one authentication parameter from the access network element, the at least one authentication parameter corresponding to the access protocol type, each authentication parameter including an authentication type, and/or a parameter corresponding to the authentication type;
  • the processor is configured to determine, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the transmitter is further configured to send user authentication information to the access network element
  • the receiver is further configured to receive an authentication result from the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • Figure 9 only shows a simplified design of the terminal device.
  • the terminal device may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all terminal devices that can implement the present invention are protected by the present invention.
  • a terminal device implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • the embodiment of the present invention further provides a hardware architecture diagram of the control network element, where the control network element may be a control network element in the foregoing communication system, and the control network element may adopt the hardware architecture shown in FIG.
  • the control network element can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus.
  • the related functions implemented by the receiving unit 31 in FIG. 6 may be implemented by a receiver, the related functions implemented by the transmitting unit 33 may be implemented by a transmitter, and the related functions implemented by the generating unit 32 and the authenticating unit 34 may be implemented by one or more processors.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data for controlling the network element.
  • the receiver is configured to receive an authentication parameter request from an access network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the processor is configured to generate, according to the authentication parameter request, at least one authentication parameter, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type confirmed as supported according to the authentication parameter request, and/or a parameter corresponding to the authentication type;
  • the transmitter is configured to send the at least one authentication parameter to the access network element
  • the receiver is further configured to receive, from the access network element, user authentication information together with the one of the at least one authentication parameter that the access network element determined to be supported by both the terminal device and the control network element;
  • the processor is further configured to perform authentication on the user authentication information by using the determined one of the authentication parameters to obtain an authentication result;
  • the transmitter is further configured to send the authentication result to the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • the control network element may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all control network elements that can implement the present invention are within the scope of protection of the present invention.
  • a control network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • the embodiment of the present invention further provides another access network element, where the access network element may be an access network element in the foregoing communication system, and the access network element may adopt the hardware architecture shown in FIG.
  • the access network element can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus.
  • the related functions implemented by the receiving unit 41 in FIG. 7 may be implemented by a receiver, the related functions implemented by the transmitting unit 43 may be implemented by a transmitter, and the related functions implemented by the determining unit 42 may be implemented by one or more processors.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data of the access network element.
  • the receiver is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation to determine an authentication type of the terminal device to perform user authentication.
  • the processor is configured to determine that the authentication type of the terminal device is plain text authentication
  • the receiver is further configured to receive user authentication information from the terminal device
  • the transmitter is configured to send the user authentication information and the authentication type to a control network element for authentication
  • the receiver is further configured to receive an authentication result from the control network element
  • the transmitter is further configured to send the authentication result to the terminal device.
  • Figure 9 only shows a simplified design of the access network element.
  • the access network element may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all access network elements that can implement the present invention are within the scope of protection of the present invention.
  • an access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element directly determine that the authentication type is plain text authentication, without needing to request authentication parameters from the control network element, which simplifies the authentication process.
  • the embodiment of the present invention further provides a schematic diagram of a hardware architecture of another terminal device, where the terminal device may be a terminal device in the foregoing communication system, and the terminal device may adopt the hardware architecture shown in FIG.
  • the terminal device can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus 118.
  • the related functions implemented by the receiving unit 53 in FIG. 8 may be implemented by a receiver, the related functions implemented by the transmitting unit 51 may be implemented by a transmitter, and the related functions implemented by the determining unit 52 may be implemented by one or more processors.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data of the terminal device.
  • the transmitter is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to request the negotiation to determine the authentication type of the terminal device for performing user authentication.
  • the processor is configured to determine that the authentication type of the user authentication is plain text authentication
  • the transmitter is further configured to send user authentication information to the access network element
  • the receiver is configured to receive an authentication result from the access network element.
  • Figure 9 only shows a simplified design of the terminal device.
  • the terminal device may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all terminal devices that can implement the present invention are protected by the present invention.
  • a terminal device implements user authentication when any terminal device accesses a converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element directly determine that the authentication type is plain text authentication, without needing to request authentication parameters from the control network element, which simplifies the authentication process.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • all or part of the above embodiments may be implemented by software, hardware, firmware, or any combination thereof.
  • when implemented by software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present invention are generated in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer instructions can be stored in or transmitted by a computer readable storage medium.
  • the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (for example, infrared, radio, or microwave).
  • the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a Solid State Disk (SSD)) or the like.
  • the program can be stored in a computer readable storage medium, and when the program is executed, the flow of the method embodiments described above may be included.
  • the foregoing storage medium includes various media that can store program codes, such as a ROM or a random access memory RAM, a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed are a user authentication method and apparatus in a converged network. The method comprises: an access network element receives an authentication negotiation request from a terminal device, the authentication negotiation request being used for determining authentication parameters of the terminal device by negotiation, sends an authentication parameter request to a control network element, receives at least one authentication parameter from the control network element, determines, among the at least one authentication parameter, one of authentication parameters that both the terminal device and the control network element support, obtains user authentication information of the terminal device, sends the user authentication information and the authentication parameters determined by negotiation to the control network element for authentication, and receives an authentication result from the control element and sends same to the terminal device. Also disclosed is a corresponding apparatus. The present application implements user authentication during access of any terminal device to a converged network, so that any terminal device can securely and reliably access the converged network.

Description

User authentication method and apparatus in a converged network
This application claims priority to Chinese Patent Application No. 201710277650.4, filed with the Chinese Patent Office on April 25, 2017 and entitled "User authentication method and apparatus in converged network", which is incorporated herein by reference in its entirety.
Technical field
The present invention relates to the field of communications technologies, and in particular to a user authentication method and apparatus in a converged network.
Background
Currently, when a mobile terminal device accesses a Third Generation Partnership Project (3GPP) network, the Extensible Authentication Protocol (EAP) is carried over the non-access stratum (NAS) to the mobile core network to complete access authentication.
A fixed-network terminal device (Customer Premises Equipment, CPE) completes access authentication with the fixed-network core network using Point-to-Point Protocol over Ethernet (PPPoE) or Internet Protocol over Ethernet (IPoE).
Because fixed-network terminals and mobile terminals support different protocol stacks, the prior art cannot allow a fixed-network terminal to access the mobile core network. Therefore, in scenarios where both fixed and mobile networks must be supported, two core networks have to be deployed to manage the mobile terminals and the fixed-network terminals separately, which raises network deployment cost.
To meet the challenges of wireless broadband technology and keep 3GPP networks in the lead, the 3GPP standards group has defined a next-generation communication network architecture, shown in the schematic diagram of FIG. 1. This architecture supports not only access to the core network by radio technologies defined by 3GPP (such as Long Term Evolution (LTE) and fifth-generation mobile communication (5G)), but also access to the core network by non-3GPP access technologies through a non-3GPP Interworking Function (N3IWF) or a next generation packet data gateway (ngPDG), which yields a converged network. User authentication is a required step when accessing a network, and there is as yet no solution for performing user authentication in a converged network.
Summary of the invention
This application provides a user authentication method and apparatus in a converged network, to solve the user authentication problem in a converged network.
In one aspect, this application provides a user authentication method in a converged network. The method includes: an access network element receives an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device; the access network element sends an authentication parameter request to a control network element, where the authentication parameter request includes the access protocol type with which the terminal device accesses the access network element; the access network element receives at least one authentication parameter from the control network element and sends the at least one authentication parameter to the terminal device, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type; the access network element determines, from the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element, obtains user authentication information of the terminal device, and sends the user authentication information and the determined authentication parameter to the control network element for authentication; and the access network element receives an authentication result from the control network element and sends the authentication result to the terminal device. In this implementation, user authentication is performed when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
In an implementation, the authentication negotiation request and the authentication parameter request further include an authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device. In this implementation the terminal device may also indicate the authentication types it supports, but which authentication type is finally used has to be negotiated between the terminal device and the access network element; the control network element may preferably select an authentication type supported by the terminal device.
In another implementation, the at least one authentication type includes the simple Password Authentication Protocol (PAP), and the parameter corresponding to this authentication type is empty. PAP is a simple authentication type that allows fast authentication.
In yet another implementation, the at least one authentication type includes the Challenge Handshake Authentication Protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier, and/or a challenge identifier length. CHAP is a more secure authentication type that allows secure and reliable authentication.
In yet another implementation, the terminal device includes a mobile terminal device or a fixed-network terminal device.
In another aspect, this application provides a user authentication method in a converged network. The method includes: a terminal device sends an authentication negotiation request to an access network element, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device; the terminal device receives at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type; the terminal device determines, from the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element, and sends user authentication information to the access network element; and the terminal device receives an authentication result from the access network element. In this implementation, user authentication is performed when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
In an implementation, the authentication negotiation request and the authentication parameter request further include an authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device. In this implementation the terminal device may also indicate the requested authentication type, but which authentication type is finally used has to be negotiated between the terminal device and the access network element; the control network element may preferably select an authentication type supported by the terminal device.
In yet another implementation, the terminal device includes a mobile terminal device or a fixed-network terminal device.
In yet another aspect, this application provides a user authentication method in a converged network. The method includes: a control network element receives an authentication parameter request from an access network element, where the authentication parameter request includes the access protocol type with which a terminal device accesses the access network element; the control network element generates at least one authentication parameter according to the authentication parameter request and sends the at least one authentication parameter to the access network element, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type confirmed as supported according to the authentication parameter request, and/or a parameter corresponding to the authentication type; the control network element receives, from the access network element, user authentication information together with the one of the at least one authentication parameter that is supported by both the terminal device and the control network element, and authenticates the user authentication information using that determined authentication parameter to obtain an authentication result; and the control network element sends the authentication result to the access network element. In this implementation, user authentication is performed when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
In an implementation, the authentication negotiation request and the authentication parameter request further include an authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device. In this implementation the terminal device may also indicate the requested authentication type, but which authentication type is finally used has to be negotiated between the terminal device and the access network element; the control network element may preferably select an authentication type supported by the terminal device.
In another implementation, the at least one authentication type includes the simple Password Authentication Protocol (PAP), and the parameter corresponding to this authentication type is empty. PAP is a simple authentication type that allows fast authentication.
In yet another implementation, the at least one authentication type includes the Challenge Handshake Authentication Protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier, and/or a challenge identifier length. CHAP is a more secure authentication type that allows secure and reliable authentication.
In yet another implementation, the terminal device includes a mobile terminal device or a fixed-network terminal device.
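The three aspects above describe the same negotiation from the access network element, the terminal device and the control network element. The following runnable model, added here as an example (it is not code from the patent or from Huawei), puts the three roles together: the control network element generates a list of authentication parameters for the access protocol type, listing types the terminal announced first; the terminal picks the first one it supports; the control network element verifies PAP by password comparison and CHAP by a challenge response. The subscriber store, the mapping from access protocol type to offered types, the message shapes, and the use of MD5 over identifier, secret and challenge (RFC 1994) for the CHAP response are all assumptions. It also adds two checks the text leaves implicit: a CHAP challenge is single-use at the control network element, and a terminal with no type in common is rejected before any credential is sent.

```python
"""Toy three-party authentication negotiation (added example; element names follow the patent)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed subscriber store held by the control network element (assumption).
SUBSCRIBERS = {"cpe-001@example.net": b"correct horse battery staple"}
CHAP_PACKET_ID = 1  # RFC 1994 hashes a one-octet packet identifier in front of the secret


@dataclass(frozen=True)
class AuthParameter:
    """One authentication parameter: an authentication type plus its parameters."""
    auth_type: str                  # "PAP" or "CHAP"
    params: Optional[dict] = None   # None for PAP; algorithm/challenge identifier/length for CHAP


def chap_response(secret: bytes, challenge: bytes) -> str:
    """CHAP response: MD5(identifier || secret || challenge), hex encoded."""
    return hashlib.md5(bytes([CHAP_PACKET_ID]) + secret + challenge).hexdigest()


class ControlNetworkElement:
    # Assumed mapping from access protocol type to the authentication types offered for it.
    SUPPORTED = {"PPPoE": ["CHAP", "PAP"], "IPoE": ["PAP"]}

    def __init__(self):
        self._issued = set()  # challenges handed out and not yet consumed

    def generate_auth_parameters(self, access_protocol, terminal_types=None):
        """Generate the authentication parameters for the access protocol type;
        types the terminal announced as supported are listed first (preferred)."""
        types = list(self.SUPPORTED.get(access_protocol, []))
        if terminal_types:
            types.sort(key=lambda t: t not in terminal_types)  # stable: announced types first
        offered = []
        for t in types:
            if t == "PAP":
                offered.append(AuthParameter("PAP"))           # parameter is empty for PAP
            elif t == "CHAP":
                challenge = os.urandom(16)
                self._issued.add(challenge)
                offered.append(AuthParameter("CHAP", {"algorithm": "MD5",
                                                      "challenge_identifier": challenge,
                                                      "challenge_identifier_length": len(challenge)}))
        return offered

    def authenticate(self, chosen: AuthParameter, info: dict) -> str:
        """Verify the user authentication information with the negotiated parameter."""
        secret = SUBSCRIBERS.get(info.get("username"))
        if secret is None:
            return "FAIL"
        if chosen.auth_type == "PAP":
            ok = hmac.compare_digest(secret, info.get("password", b""))
        elif chosen.auth_type == "CHAP":
            challenge = chosen.params["challenge_identifier"]
            if challenge not in self._issued:   # never issued or already used: reject replay
                return "FAIL"
            self._issued.discard(challenge)     # each challenge is accepted once
            ok = hmac.compare_digest(chap_response(secret, challenge), info.get("response", ""))
        else:
            ok = False
        return "SUCCESS" if ok else "FAIL"


class TerminalDevice:
    def __init__(self, username, password: bytes, supported_types):
        self.username, self.password, self.supported_types = username, password, list(supported_types)
        self.result = None

    def negotiation_request(self):
        return {"supported_types": self.supported_types}   # announced types (optional per patent)

    def choose(self, offered):
        """Pick the first offered parameter whose type this terminal supports."""
        return next((p for p in offered if p.auth_type in self.supported_types), None)

    def user_authentication_info(self, chosen):
        if chosen.auth_type == "PAP":
            return {"username": self.username, "password": self.password}
        return {"username": self.username,
                "response": chap_response(self.password, chosen.params["challenge_identifier"])}


class AccessNetworkElement:
    def __init__(self, control: ControlNetworkElement, access_protocol: str):
        self.control, self.access_protocol = control, access_protocol

    def run_authentication(self, terminal: TerminalDevice):
        """Relay negotiation and authentication; returns (chosen type, result)."""
        request = terminal.negotiation_request()                        # 1. negotiation request
        offered = self.control.generate_auth_parameters(                # 2. parameter request
            self.access_protocol, request["supported_types"])
        chosen = terminal.choose(offered)                               # 3. common parameter
        if chosen is None:
            terminal.result = "FAIL"
            return None, "FAIL"
        info = terminal.user_authentication_info(chosen)                # 4. user auth info
        terminal.result = self.control.authenticate(chosen, info)       # 5. control NE verifies
        return chosen.auth_type, terminal.result                        # 6. result to terminal


def negotiate_and_authenticate(access_protocol, supported_types, username, password):
    """One full run with a fresh control network element; returns (chosen type, result)."""
    control = ControlNetworkElement()
    terminal = TerminalDevice(username, password, supported_types)
    return AccessNetworkElement(control, access_protocol).run_authentication(terminal)


if __name__ == "__main__":
    print(negotiate_and_authenticate("PPPoE", ["CHAP"], "cpe-001@example.net",
                                     b"correct horse battery staple"))
```

A PPPoE terminal that supports only CHAP ends up with CHAP; one that supports only PAP gets PAP listed first and uses it; the same CHAP-only terminal on IPoE, where only PAP is offered, is rejected without sending a credential. Replaying a captured CHAP response against the same control network element fails because the challenge was consumed on first use.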
In a further aspect, this application provides an access network element that has the function of implementing the behaviour of the access network element in the foregoing method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
Based on the same inventive concept, the principle by which this apparatus solves the problem and its beneficial effects can be found in the method implementations of the possible access network elements above and their beneficial effects; the implementation of the apparatus therefore follows the implementation of the method, and repeated details are not described again.
In a further aspect, this application provides a terminal device that has the function of implementing the behaviour of the terminal device in the foregoing method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
Based on the same inventive concept, the principle by which this apparatus solves the problem and its beneficial effects can be found in the method implementations of the possible terminal devices above and their beneficial effects; the implementation of the apparatus therefore follows the implementation of the method, and repeated details are not described again.
In a further aspect, this application provides a control network element that has the function of implementing the behaviour of the control network element in the foregoing method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
Based on the same inventive concept, the principle by which this apparatus solves the problem and its beneficial effects can be found in the method implementations of the possible control network elements above and their beneficial effects; the implementation of the apparatus therefore follows the implementation of the method, and repeated details are not described again.
In still another aspect, this application provides a user authentication method in a converged network. The method includes: an access network element receives an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation to determine the authentication type with which the terminal device performs user authentication; the access network element determines that the authentication type with which the terminal device performs user authentication is plain text authentication; the access network element receives user authentication information from the terminal device and sends the user authentication information and the authentication type to the control network element for authentication; and the access network element receives an authentication result from the control network element and sends the authentication result to the terminal device. In this implementation, user authentication is performed when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element directly determine that the authentication type is plain text authentication, without requesting authentication parameters from the control network element, which simplifies the authentication process.
In an implementation, the access network element determining that the authentication type of the terminal device is plain text authentication includes: the access network element is configured with plain text authentication as the authentication type of the terminal device; the access network element sends an authentication type negotiation request to the terminal device, where the negotiation request is used to negotiate plain text authentication as the authentication type; and the access network element receives a first negotiation feedback message from the terminal device, where the first negotiation feedback message indicates that the terminal device agrees that the authentication type is plain text authentication.
In another implementation, the access network element determining that the authentication type of the terminal device is plain text authentication includes: the access network element determines, according to the authentication negotiation request, that the authentication type of the terminal device is plain text authentication, where the authentication negotiation request further indicates that the authentication type supported by the terminal device is plain text authentication; and the access network element sends a second negotiation feedback message to the terminal device, where the second negotiation feedback message indicates that the access network element agrees that the authentication type is plain text authentication.
In yet another implementation, the terminal device includes a mobile terminal device or a fixed-network terminal device.
In yet another aspect, this application provides a user authentication method in a converged network. The method includes: a terminal device sends an authentication negotiation request to an access network element, where the authentication negotiation request is used to request negotiation of the authentication type the terminal device uses for user authentication; the terminal device determines that the authentication type for user authentication is plaintext authentication; the terminal device sends user authentication information to the access network element; and the terminal device receives an authentication result from the access network element. This implementation achieves user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; furthermore, because the terminal device and the access network element directly determine that the authentication type is plaintext authentication, there is no need to request authentication parameters from the control network element, which simplifies the authentication process.
In one implementation, the terminal device determining that the authentication type for user authentication is plaintext authentication includes: the terminal device receives a negotiation request from the access network element, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and the terminal device sends a first negotiation feedback message to the access network element, where the first negotiation feedback message indicates that the terminal device agrees that the authentication type is plaintext authentication.
In another implementation, the terminal device determining that the authentication type for user authentication is plaintext authentication includes: the terminal device receives a second negotiation feedback message from the access network element, where the second negotiation feedback message indicates that the access network element agrees that the authentication type is plaintext authentication.
In yet another implementation, the terminal device includes a mobile terminal device or a fixed-network terminal device.
In yet another aspect, this application provides an access network element that has the function of implementing the behaviour of the access network element in the methods above. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function described above.
Based on the same inventive concept, since the principle by which the apparatus solves the problem and its beneficial effects can be found in the foregoing method implementations for the access network element and the effects they bring, the implementation of the apparatus may refer to the implementation of the method; repeated details are not described again.
In yet another aspect, this application provides a terminal device that has the function of implementing the behaviour of the terminal device in the methods above. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function described above.
Based on the same inventive concept, since the principle by which the apparatus solves the problem and its beneficial effects can be found in the foregoing method implementations for the terminal device and the effects they bring, the implementation of the apparatus may refer to the implementation of the method; repeated details are not described again.
Yet another aspect of this application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods described in the aspects above.
Yet another aspect of this application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods described in the aspects above.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the background art more clearly, the drawings needed for the embodiments or the background art are described below.
FIG. 1 is a schematic diagram of an exemplary communication system architecture;
FIG. 2 is a schematic diagram of the interaction of a user authentication method in a converged network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the interaction of another user authentication method in a converged network according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the modules of an access network element according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the modules of a terminal device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the modules of a control network element according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the modules of another access network element according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the modules of another terminal device according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the hardware architecture of an access network element, terminal device or control network element according to an embodiment of the present invention.
DETAILED DESCRIPTION
The embodiments of the present invention are described below with reference to the accompanying drawings of the embodiments.
The communication system involved in the embodiments of the present invention mainly includes an access network element, a user plane function network element and a control plane network element, where the control plane network element may also be called a control network element. The access network element is mainly responsible for access management of terminal devices (User Equipment, UE); the user plane function network element is mainly responsible for forwarding packet data, QoS control, charging statistics and the like; and the control plane function network element is mainly responsible for user authentication and for delivering packet forwarding policies, QoS control policies and the like to the user plane. The communication system may be a 5G communication system (for example, a New Radio (NR) system), a communication system converging multiple communication technologies (for example, a system converging LTE and NR technology), or a later evolved communication system. The terminal device in the embodiments of the present invention may be a fixed-network terminal device, or a mobile terminal device such as a handheld device with a wireless communication function, an in-vehicle device, a wearable device, a computing device or another processing device connected to a wireless modem. In different networks the terminal device may have different names, for example: user equipment, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user apparatus, cellular phone, cordless phone, Session Initiation Protocol (SIP) phone, Wireless Local Loop (WLL) station, Personal Digital Assistant (PDA), or a terminal device in a 5G network or a future evolved network.
The embodiments of the present invention mainly concern the communication among a terminal device, an access network element and a control network element for authenticating a user. In the embodiments, the terminal device sends an authentication negotiation request to request negotiation of its authentication parameter, where the authentication negotiation request includes the access protocol type of the terminal device; the access network element sends an authentication parameter request to the control network element; the control network element generates at least one authentication parameter corresponding to the access protocol type of the terminal device and sends the authentication parameter(s) to the access network element; the access network element negotiates with the terminal device to determine one authentication parameter supported by both the terminal device and the control network element; and the access network element sends the determined authentication parameter, together with the user authentication information received from the terminal device, to the control network element for user authentication, obtaining an authentication result. Therefore, the user authentication method and apparatus in a converged network provided by the embodiments of the present invention achieve user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
FIG. 1 is a schematic diagram of an exemplary 5G communication system architecture. The architecture mainly includes an access network element (Access Network, AN) or radio access network element (Radio Access Network, RAN), a user plane function network element (User Plane Function, UPF) and a control plane function network element (Control Plane, CP). The AN, UPF and CP correspond respectively to the access network element, user plane function network element and control plane function network element described above. The UPF is mainly responsible for forwarding packet data, QoS control, charging statistics and the like; the CP is mainly responsible for delivering packet forwarding policies, QoS control policies and the like to the user plane. The CP specifically includes an Access and Mobility Management Function (AMF), a Session Management Function (SMF), an Authentication Server Function (AUSF), Unified Data Management (UDM), a Policy Control Function (PCF) and an Application Function (AF). The AMF performs access management in the converged network, and the UDM manages user subscription information.
The access protocol types by which a UE accesses the converged network include PPPoE, 802.1X and the like. Taking PPPoE as the UE's access protocol type as an example, the UE and the AN may optionally first complete the PPPoE discovery process, which may include the following steps (not shown):
Step 1: The UE discovers the access network and sends a PPPoE Active Discovery Initiation (PADI) message to the AN to start the PPPoE discovery procedure. "Discovering the access network" is a logical process used to describe the point in time at which the PADI is sent: typically the UE is considered to have accessed the network once it powers on and establishes a physical link, but it may also be a manual action, such as clicking a PPPoE connection.
Step 2: The AN selects an AMF. The AMF is a component of the CP responsible for access and mobility management, as shown in FIG. 1. This embodiment describes the CP as a whole and describes the interaction between the AN and the AMF component separately only in this step, where the AMF component of the CP is specifically involved. The AN may select the AMF based on prior configuration, the UE's access protocol type, or the like.
Step 3: The AN generates a Registration NAS message according to the PADI received from the UE and sends it to the CP. The Registration NAS message may of course also be generated by the UE and then sent to the AN; this is not limited here. The Registration NAS message carries a Network Access Identifier (NAI), and the NAI contains user information taken from the PADI, for example at least one of: a device identifier, a circuit ID, a VLAN ID, the user's MAC address (user MAC) and a host name.
Step 4: The AN and the core network side complete the authentication and registration process as currently defined, after which the AN and the UE complete the PPPoE discovery process. Specifically, this includes: step 41) the AN and the core network complete the authentication process, with the AN answering NAS messages on behalf of the UE; step 42) the core network side replies with a registration complete message; step 43) the AN allocates a session ID and completes the PPPoE discovery process with the UE.
After the PPPoE discovery process is completed, the PPPoE session process can proceed; it includes user authentication, IP address allocation and the formal session. The embodiments of the present invention mainly concern the user authentication process within it.
FIG. 2 is a schematic diagram of the interaction of a user authentication method in a converged network according to an embodiment of the present invention; the method may be applied in the communication system described above. Specifically, the method may include the following steps:
S101. The terminal device sends an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate the authentication parameter of the terminal device.
In this embodiment, the access protocol types by which a UE accesses the converged network include PPPoE, 802.1X, the Dynamic Host Configuration Protocol (DHCP) and the like. The AN may be configured with the UE's access protocol type, or the AN may determine the UE's access protocol type from the user packets received from the UE during the PPPoE discovery process described above; this is not limited here. Each access protocol type may correspond to one or more authentication parameters, and the UE and the CP must use the same authentication parameter for the user authentication process to complete successfully. Therefore, to authenticate a user who accesses the network over one of these protocols, the UE and the AN first need to negotiate the authentication parameter. For example, with the PPPoE access protocol, the UE sends a Link Control Protocol (LCP) negotiation request to the AN as the authentication negotiation request; the LCP negotiation request is used to negotiate the UE's authentication parameter and includes the access protocol type by which the UE accesses the AN. The authentication parameter includes an authentication type and the parameters corresponding to that authentication type. The AN receives the LCP negotiation request from the UE.
Optionally, the LCP negotiation request may further include the authentication types supported by the UE, or the authentication type with which the UE expects to authenticate.
S102. The access network element sends an authentication parameter request to the control network element, where the authentication parameter request includes the access protocol type by which the terminal device accesses the access network element.
The AN constructs an authentication parameter request that includes the access protocol type by which the terminal device accesses the AN, and sends it to the CP. The CP receives the authentication parameter request from the AN.
Optionally, if the LCP negotiation request also includes the authentication types supported by the UE, the AN may choose whether or not to carry those UE-supported authentication types in the authentication parameter request. If the AN does not carry them, and the authentication parameters the AN receives from the CP are all the CP-supported authentication parameters corresponding to that access protocol type, then the authentication parameters received from the CP will generally include the authentication types supported by the UE.
S103. The control network element generates at least one authentication parameter according to the authentication parameter request, where each authentication parameter includes an authentication type confirmed as supported according to the authentication parameter request and/or the parameters corresponding to that authentication type.
The CP selects, according to the access protocol type included in the authentication parameter request, one or more authentication types corresponding to that access protocol type. Because the CP has already completed the authentication and registration process with the UE, it has obtained the UE's user subscription information from the UE's user information (the subscription information was stored in the UDM beforehand); the CP therefore generates the parameters corresponding to each authentication type according to the UE's subscription information and the selected authentication types. The CP stores these authentication parameters itself. Specifically, the authentication parameters are generated by the AUSF module in the CP.
Authentication types include the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP) and the like. For PAP the corresponding parameters are empty, i.e. the parameter is {PAP:NULL}, or no PAP parameters are included in the authentication parameter at all. For CHAP the corresponding parameters include the algorithm, the challenge identifier and/or the challenge identifier length, for example: {CHAP:{algorithm:5(MD5);Challenge ID Length:16;Challenge ID:****}}. Note that the notation in the example only illustrates the content of the parameters and does not limit how they are represented.
Optionally, if the authentication parameter request received by the CP contains both the access protocol type and a supported authentication type, and the CP supports that authentication type, the CP preferentially replies with only that authentication type and provides the corresponding parameters. For example, if the UE requests PAP and the CP supports both PAP and CHAP, the CP may reply that the supported authentication type is PAP.
S104. The control network element sends the at least one authentication parameter to the access network element.
S105. The access network element sends the at least one authentication parameter to the terminal device.
The CP sends the one or more generated authentication parameters to the AN, and the AN receives the at least one authentication parameter from the CP. The AN forwards the received authentication parameter(s) to the UE, and the UE receives the at least one authentication parameter from the AN.
S106. The access network element determines, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element.
Likewise, the terminal device determines, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element. The negotiation in this step may be implemented in several ways: the AN may send a negotiation request to the UE, the UE feeds back the authentication types it supports and the AN then replies; or the UE may send a negotiation request carrying the authentication types it supports to the AN, and the AN replies. In the end the AN and the UE negotiate one authentication parameter that both the UE and the CP support.
Optionally, where the UE carried its requested authentication type in the LCP negotiation request as described above, the AN may reply that the CP does or does not support that authentication type, or the AN may ask the UE to feed back again which of the one or more authentication types sent to it the UE supports.
S107. The terminal device sends user authentication information to the access network element.
After the UE and the AN have negotiated the authentication type, the UE sends the user authentication information corresponding to that authentication type to the AN. The user authentication information is, for example, a user name and a password. The AN receives the user authentication information from the UE.
S108. The access network element sends the user authentication information and the determined authentication parameter to the control network element for authentication.
The AN sends the authentication parameter negotiated with the UE (specifically, the negotiated authentication type) together with the user authentication information sent by the UE to the CP for authentication. The CP receives the user authentication information and the determined authentication parameter from the AN.
S109. The control network element authenticates the user authentication information using the determined authentication parameter and obtains an authentication result.
The CP obtains the comparison information according to the authentication parameter. For example, for the CHAP authentication type, the negotiated authentication parameter and the user subscription information are used in a calculation to obtain the comparison information; for the PAP authentication type, the user subscription information is used directly as the comparison information. The comparison information is then compared with the user authentication information to complete the authentication process.
For example, for CHAP authentication the comparison process is as follows: the user subscription information is (user name: A, password: B) and the authentication parameter is, for example, {algorithm:5(MD5);Challenge ID Length:16;Challenge ID:C}. When the CP receives user authentication information (user name: A, password: D), it computes an MD5 digest over the password B from the subscription information and the challenge identifier C from the authentication parameter, obtaining a digit string E, and then compares. The user names are both A; if the password D and the digit string E are equal, the user is legitimate, otherwise illegitimate.
For PAP authentication, after confirming that the user names are both A, the password D is compared directly with the subscribed password B; if they are equal, the user is legitimate, otherwise illegitimate.
Of course, other existing authentication processes may also be used; this is not limited here.
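The parameter generation in S103, the negotiation in S106 and the CP-side comparison in S109 described above, as an added Python example that is not part of the patent or of any vendor implementation. The subscription record, the protocol-to-type mapping and the `chap_response` helper are constructed for illustration; the CHAP digest follows the page's description (password and challenge ID only), whereas RFC 1994 CHAP also covers the identifier octet.

```python
import hashlib
import hmac
import secrets

# Constructed user subscription record as held by the CP/UDM in the page's example
# (user name: A, password: B). Values are placeholders, not real credentials.
SUBSCRIPTIONS = {"A": "B"}

# Authentication types the CP supports per access protocol type. Assumption: the
# page only names PAP and CHAP for PPPoE; other protocols are left unmapped.
SUPPORTED_TYPES = {"PPPoE": ["CHAP", "PAP"]}


def generate_auth_params(access_protocol, requested_types=None, challenge_len=16):
    """Step S103: build the authentication parameter list for an access protocol.

    Each entry is {type: params}. PAP has no parameters ({PAP: NULL}); CHAP
    carries the algorithm (5 = MD5), the challenge ID length and a fresh random
    challenge ID. If the request carries a UE-supported type the CP also
    supports, the CP answers with only that type (the page's PAP example).
    """
    candidates = SUPPORTED_TYPES.get(access_protocol, [])
    if requested_types:
        preferred = [t for t in requested_types if t in candidates]
        if preferred:
            candidates = preferred
    params = []
    for auth_type in candidates:
        if auth_type == "PAP":
            params.append({"PAP": None})
        elif auth_type == "CHAP":
            params.append({"CHAP": {
                "algorithm": 5,
                "challenge_id_length": challenge_len,
                "challenge_id": secrets.token_bytes(challenge_len),
            }})
    return params


def negotiate(auth_params, ue_supported):
    """Step S106: pick the first CP-offered parameter whose type the UE supports.

    Returns None when the UE and the CP share no authentication type, so the
    caller can fail the session instead of falling back to something weaker.
    """
    for param in auth_params:
        (auth_type, _), = param.items()
        if auth_type in ue_supported:
            return param
    return None


def chap_response(password, challenge_id):
    # Page's description: MD5 over the subscribed password and the challenge ID.
    # Assumption: the identifier octet of RFC 1994 CHAP is omitted to match the page.
    return hashlib.md5(password.encode() + challenge_id).hexdigest()


def authenticate(auth_param, user_auth_info):
    """Step S109: the CP checks (user name, password) against the subscription.

    For PAP the subscribed password is the comparison information; for CHAP the
    comparison information E is recomputed from the subscribed password and the
    negotiated challenge ID. Unknown users and unknown types are rejected.
    """
    (auth_type, params), = auth_param.items()
    username, password = user_auth_info
    subscribed = SUBSCRIPTIONS.get(username)
    if subscribed is None:
        return False
    if auth_type == "PAP":
        expected = subscribed
    elif auth_type == "CHAP":
        expected = chap_response(subscribed, params["challenge_id"])
    else:
        return False
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    return hmac.compare_digest(expected.encode(), password.encode())
```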
S110. The control network element sends the authentication result to the access network element.
The authentication result is either authentication passed, in which case the user is a legitimate user, or authentication failed, in which case the user is an illegitimate user. The CP sends this authentication result to the AN, and the AN receives the authentication result from the CP.
S111. The access network element sends the authentication result to the terminal device.
The AN notifies the UE of the CP's authentication result, and the UE receives the authentication result from the AN. The UE may be a mobile terminal device or a fixed-network terminal device; any terminal device can access the converged network and perform user authentication in this way, so that any terminal device can access the converged network securely and reliably.
The user authentication method in a converged network provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
FIG. 3 is an interaction diagram of another user authentication method in a converged network according to an embodiment of the present invention; the method is applicable to the communication system described above. Specifically, the method may include the following steps:
S201. The terminal device sends an authentication negotiation request to the access network element.
The UE sends an authentication negotiation request to the AN in order to perform user authentication. The authentication negotiation request is used to request negotiation of the authentication type with which the UE performs user authentication. Optionally, in one implementation the authentication negotiation request may additionally indicate that the authentication type supported by the UE is plaintext authentication; in another implementation the authentication negotiation request does not contain such an indication. The AN receives the authentication negotiation request from the UE.
S202. The access network element and the terminal device determine that the authentication type with which the terminal device performs user authentication is plaintext authentication.
This embodiment uses the plaintext authentication type (that is, PAP authentication), so the AN does not need to obtain authentication parameters from the CP; the AN and the UE directly negotiate and determine that the authentication type for user authentication is plaintext authentication.
Specifically, in one implementation, on the AN side the access network element determining that the authentication type of the terminal device is plaintext authentication includes: the access network element configures the authentication type of the terminal device as plaintext authentication; the access network element sends an authentication-type negotiation request to the terminal device, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and the access network element receives a first negotiation feedback message from the terminal device, where the first negotiation feedback message indicates that the terminal device agrees that the authentication type is plaintext authentication. On the UE side, the terminal device determining that the authentication type for user authentication is plaintext authentication includes: the terminal device receives the negotiation request from the access network element, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and the terminal device sends a first negotiation feedback message to the access network element, where the first negotiation feedback message indicates that the terminal device agrees that the authentication type is plaintext authentication.
In this implementation, the AN configures the authentication type of the UE as plaintext authentication and then negotiates with the UE.
In another implementation, on the AN side the access network element determining that the authentication type of the terminal device is plaintext authentication includes: the access network element determines, according to the authentication negotiation request, that the authentication type of the terminal device is plaintext authentication, where the authentication negotiation request additionally indicates that the authentication type supported by the terminal device is plaintext authentication; and the access network element sends a second negotiation feedback message to the terminal device, where the second negotiation feedback message indicates that the access network element agrees that the authentication type is plaintext authentication. On the UE side, the terminal device determining that the authentication type for user authentication is plaintext authentication includes: the terminal device receives the second negotiation feedback message from the access network element, where the second negotiation feedback message indicates that the access network element agrees that the authentication type is plaintext authentication.
In this implementation, the UE indicates in the authentication negotiation request that the authentication type it supports is plaintext authentication, and the AN then feeds back whether it agrees to use the plaintext authentication type, which completes the negotiation.
S203. The terminal device sends user authentication information to the access network element.
After the UE and the AN have negotiated and determined that the authentication type is plaintext authentication, the UE sends the user authentication information corresponding to that authentication type to the AN, and the AN receives the user authentication information from the UE. The user authentication information is, for example, a user name and a password.
S204. The access network element sends the user authentication information and the authentication type to the control network element for authentication.
The AN notifies the CP of the user authentication information and of the authentication type, namely plaintext authentication, and the CP authenticates the user authentication information. The CP receives the user authentication information and the authentication type from the AN. For example, the user subscription information is (user name: A, password: B); when the CP receives the user authentication information (user name: A, password: D), it confirms that the user names are both A and then directly compares the password D with the password B from the subscription information; if they are equal, the user is legitimate, otherwise illegitimate.
S205. The control network element authenticates the user authentication information according to the authentication type and obtains an authentication result.
S206. The control network element sends the authentication result to the access network element.
The AN receives the authentication result from the CP.
S207. The access network element sends the authentication result to the terminal device.
The UE receives the authentication result from the AN.
In this embodiment, the terminal device and the access network element directly determine that the authentication type is plaintext authentication, so there is no need to request authentication parameters from the control network element, which simplifies the authentication process.
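The S201 to S207 exchange of FIG. 3, driven end to end as an added example (illustrative code, not code from the patent or from Huawei). It covers both negotiation variants from S202 (the AN pre-configured for plaintext and sending the negotiation request, or the UE indicating plaintext support and the AN answering with the second feedback message) as well as the optional "no authentication required" configuration. The function and message names, the tuple-based transcript and the sample subscription (user A, password B) are assumptions; the message kinds are only labels for the steps the page names.

```python
import hmac

# Constructed subscription data held by the CP; sample values, not from the patent.
CP_SUBSCRIPTIONS = {"A": "B"}


def cp_authenticate(auth_type, username, password, subscriptions=CP_SUBSCRIPTIONS):
    """S205: the CP authenticates by the type the AN reported. In this embodiment
    only plaintext (PAP) reaches the CP, so anything else is rejected."""
    if auth_type != "PAP":
        return "FAIL"
    subscribed = subscriptions.get(username)
    if subscribed is None:
        return "FAIL"
    same = hmac.compare_digest(subscribed.encode(), password.encode())
    return "PASS" if same else "FAIL"


def run_plaintext_flow(username, password, an_configured_pap=False,
                       ue_indicates_pap=False, auth_required=True):
    """Drive the S201-S207 exchange. Returns (outcome, transcript) where outcome is
    the CP's "PASS"/"FAIL", "NO_AUTH" when the AN is configured to skip
    authentication, or "NEGOTIATION_FAILED" when neither side proposes plaintext."""
    transcript = []

    def send(src, dst, kind, **body):
        transcript.append((src, dst, kind, body))

    # S201: UE -> AN authentication negotiation request (optionally indicating PAP support).
    req = {"supported_auth_type": "PAP"} if ue_indicates_pap else {}
    send("UE", "AN", "auth_negotiation_request", **req)

    # Optional: the AN is configured so that this UE needs no authentication.
    if not auth_required:
        send("AN", "UE", "no_auth_required")
        return "NO_AUTH", transcript

    # S202: AN and UE settle on plaintext authentication; the CP is never asked
    # for authentication parameters in this embodiment.
    if an_configured_pap:
        # First variant: AN configured, sends the negotiation request, UE agrees.
        send("AN", "UE", "negotiation_request", auth_type="PAP")
        send("UE", "AN", "first_negotiation_feedback", agree=True)
    elif req.get("supported_auth_type") == "PAP":
        # Second variant: UE indicated plaintext, AN agrees with the second feedback.
        send("AN", "UE", "second_negotiation_feedback", agree=True)
    else:
        return "NEGOTIATION_FAILED", transcript
    auth_type = "PAP"

    # S203: UE -> AN user authentication information (user name and password).
    send("UE", "AN", "user_auth_info", username=username, password=password)
    # S204: AN -> CP, forwarding the information together with the negotiated type.
    send("AN", "CP", "authenticate", auth_type=auth_type,
         username=username, password=password)
    # S205/S206: CP authenticates and returns the result to the AN.
    result = cp_authenticate(auth_type, username, password)
    send("CP", "AN", "auth_result", result=result)
    # S207: AN -> UE.
    send("AN", "UE", "auth_result", result=result)
    return result, transcript
```

Inspecting the transcript for either variant shows that the only message addressed to the CP is the S204 `authenticate` message: no authentication parameter request precedes it, which is the simplification the embodiment claims over the FIG. 2 flow. It also makes visible that with PAP the password travels unchanged from the UE through the AN to the CP, so the constant-time comparison at the CP is the only check performed on it.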
Optionally, the AN may also be configured directly so that the UE requires no authentication; in that case, when the AN receives the LCP negotiation request, the AN sends the UE an indication that it requires no authentication, and the UE can then access the network and proceed with subsequent operations.
The user authentication method in a converged network provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; moreover, the terminal device and the access network element directly determine that the authentication type is plaintext authentication, with no need to request authentication parameters from the control network element, which simplifies the authentication process.
The method of the embodiments of the present invention has been described in detail above; the apparatus of the embodiments of the present invention is provided below.
FIG. 4 is a block diagram of an access network element according to an embodiment of the present invention; the access network element may be the access network element described in the communication system above. Specifically, the access network element 1000 includes a receiving unit 11, a sending unit 12 and a determining unit 13, where:
the receiving unit 11 is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate and determine the authentication parameters of the terminal device;
the sending unit 12 is configured to send an authentication parameter request to a control network element, where the authentication parameter request includes the access protocol type with which the terminal device accesses the access network element;
the receiving unit 11 is further configured to receive at least one authentication parameter from the control network element, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type;
the sending unit 12 is further configured to send the at least one authentication parameter to the terminal device;
the determining unit 13 is configured to determine, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element;
the receiving unit 11 is further configured to obtain the user authentication information of the terminal device;
the sending unit 12 is further configured to send the user authentication information and the determined authentication parameter to the control network element for authentication;
the receiving unit 11 is further configured to receive an authentication result from the control network element; and
the sending unit 12 is further configured to send the authentication result to the terminal device.
In one implementation, the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
In another implementation, the at least one authentication type includes the simple password authentication protocol (PAP), and the parameter corresponding to this authentication type is empty.
In yet another implementation, the at least one authentication type includes the challenge handshake protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier and/or a challenge identifier length.
The access network element provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
FIG. 5 is a block diagram of a terminal device according to an embodiment of the present invention; the terminal device may be the terminal device described in the communication system above. Specifically, the terminal device 2000 includes a sending unit 21, a receiving unit 22 and a determining unit 23, where:
the sending unit 21 is configured to send an authentication negotiation request to an access network element, where the authentication negotiation request is used to negotiate and determine the authentication parameters of the terminal device;
the receiving unit 22 is configured to receive at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type;
the determining unit 23 is configured to determine, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element;
the sending unit 21 is further configured to send user authentication information to the access network element; and
the receiving unit 22 is further configured to receive an authentication result from the access network element.
In one implementation, the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
The terminal device provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
FIG. 6 is a block diagram of a control network element according to an embodiment of the present invention; the control network element may be the control network element described in the communication system above. Specifically, the control network element 3000 includes a receiving unit 31, a generating unit 32, a sending unit 33 and an authenticating unit 34, where:
the receiving unit 31 is configured to receive an authentication parameter request from an access network element, where the authentication parameter request includes the access protocol type with which a terminal device accesses the access network element;
the generating unit 32 is configured to generate at least one authentication parameter according to the authentication parameter request, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type whose support is confirmed according to the authentication parameter request, and/or a parameter corresponding to the authentication type;
the sending unit 33 is configured to send the at least one authentication parameter to the access network element;
the receiving unit 31 is further configured to receive, from the access network element, the user authentication information and the one authentication parameter, among the at least one authentication parameter, that is supported by both the terminal device and the control network element;
the authenticating unit 34 is configured to authenticate the user authentication information using the determined authentication parameter and obtain an authentication result; and
the sending unit 33 is further configured to send the authentication result to the access network element.
In one implementation, the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
In another implementation, the at least one authentication type includes the simple password authentication protocol (PAP), and the parameter corresponding to this authentication type is empty.
In yet another implementation, the at least one authentication type includes the challenge handshake protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier and/or a challenge identifier length.
The control network element provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
FIG. 7 is a block diagram of another access network element according to an embodiment of the present invention; the access network element may be the access network element in the communication system above. Specifically, the access network element 4000 may include a receiving unit 41, a determining unit 42 and a sending unit 43, where:
the receiving unit 41 is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation of the authentication type with which the terminal device performs user authentication;
the determining unit 42 is configured to determine that the authentication type of the terminal device is plaintext authentication;
the receiving unit 41 is further configured to receive user authentication information from the terminal device;
the sending unit 43 is configured to send the user authentication information and the authentication type to a control network element for authentication;
the receiving unit 41 is further configured to receive an authentication result from the control network element; and
the sending unit 43 is further configured to send the authentication result to the terminal device.
The access network element provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; moreover, the terminal device and the access network element directly determine that the authentication type is plaintext authentication, with no need to request authentication parameters from the control network element, which simplifies the authentication process.
FIG. 8 is a block diagram of another terminal device according to an embodiment of the present invention; the terminal device may be the terminal device in the communication system above. Specifically, the terminal device 5000 may include a sending unit 51, a determining unit 52 and a receiving unit 53, where:
the sending unit 51 is configured to send an authentication negotiation request to an access network element, where the authentication negotiation request is used to request negotiation of the authentication type with which the terminal device performs user authentication;
the determining unit 52 is configured to determine that the authentication type for user authentication is plaintext authentication;
the sending unit 51 is further configured to send user authentication information to the access network element; and
the receiving unit 53 is configured to receive an authentication result from the access network element.
The terminal device provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; moreover, the terminal device and the access network element directly determine that the authentication type is plaintext authentication, with no need to request authentication parameters from the control network element, which simplifies the authentication process.
An embodiment of the present invention further provides an access network element, which may be the access network element in the communication system above and may use the hardware architecture shown in FIG. 9. The access network element may include a receiver, a transmitter, a memory and a processor, which are interconnected by a bus. The functions of the receiving unit 11 in FIG. 4 may be implemented by the receiver, the functions of the sending unit 12 by the transmitter, and the functions of the determining unit 13 by one or more processors.
The memory includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or compact disc read-only memory (CD-ROM), and is used for the related instructions and data.
The receiver is used to receive data and/or signals, and the transmitter is used to send data and/or signals. The transmitter and the receiver may be separate devices or a single integrated device.
The processor may include one or more processors, for example one or more central processing units (CPUs); where the processor is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
The memory is used to store the program code and data of the network device.
Specifically, the receiver is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate and determine the authentication parameters of the terminal device;
the transmitter is configured to send an authentication parameter request to a control network element, where the authentication parameter request includes the access protocol type with which the terminal device accesses the access network element;
the receiver is further configured to receive at least one authentication parameter from the control network element, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type;
the transmitter is further configured to send the at least one authentication parameter to the terminal device;
the processor is configured to determine, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element;
the receiver is further configured to obtain the user authentication information of the terminal device;
the transmitter is further configured to send the user authentication information and the determined authentication parameter to the control network element for authentication;
the receiver is further configured to receive an authentication result from the control network element; and
the transmitter is further configured to send the authentication result to the terminal device.
In one implementation, the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
In another implementation, the at least one authentication type includes the simple password authentication protocol (PAP), and the parameter corresponding to this authentication type is empty.
In yet another implementation, the at least one authentication type includes the challenge handshake protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier and/or a challenge identifier length.
For details, refer to the description in the method embodiments; they are not repeated here.
It can be understood that FIG. 9 shows only a simplified design of the access network element. In practical applications the access network element may further include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories and so on, and all access network elements capable of implementing the embodiments of the present invention fall within the scope of protection of the present invention.
The access network element provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
An embodiment of the present invention further provides a terminal device, which may be the terminal device in the communication system above and may use the hardware architecture shown in FIG. 9. The terminal device may include a receiver, a transmitter, a memory and a processor, which are interconnected by a bus. The functions of the sending unit 21 in FIG. 5 may be implemented by the transmitter, the functions of the receiving unit 22 by the receiver, and the functions of the determining unit 23 by one or more processors.
The memory includes, but is not limited to, RAM, ROM, EPROM or CD-ROM, and is used for the related instructions and data.
The receiver is used to receive data and/or signals, and the transmitter is used to send data and/or signals. The transmitter and the receiver may be separate devices or a single integrated device.
The processor may include one or more processors, for example one or more CPUs; where the processor is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
The memory is used to store the program code and data of the terminal device.
Specifically, the transmitter is configured to send an authentication negotiation request to an access network element, where the authentication negotiation request is used to negotiate and determine the authentication parameters of the terminal device;
the receiver is configured to receive at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type;
the processor is configured to determine, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element;
the transmitter is further configured to send user authentication information to the access network element; and
the receiver is further configured to receive an authentication result from the access network element.
In one implementation, the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
For details, refer to the description in the method embodiments; they are not repeated here.
It can be understood that FIG. 9 shows only a simplified design of the terminal device. In practical applications the terminal device may further include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories and so on, and all terminal devices capable of implementing the present invention fall within the scope of protection of the present invention.
The terminal device provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
An embodiment of the present invention further provides a hardware architecture diagram of a control network element, which may be the control network element in the foregoing communication system and may adopt the hardware architecture shown in FIG. 9. The control network element may include a receiver, a transmitter, a memory and a processor, interconnected by a bus. The functions implemented by the receiving unit 31 in FIG. 6 may be implemented by the receiver, the functions implemented by the sending unit 33 may be implemented by the transmitter, and the functions implemented by the generating unit 32 and the authentication unit 34 may be implemented by one or more processors.
The memory includes, but is not limited to, RAM, ROM, EPROM or CD-ROM, and is used for the relevant instructions and data.
The receiver is used to receive data and/or signals, and the transmitter is used to send data and/or signals. The transmitter and the receiver may be separate devices or a single integrated device.
The processor may include one or more processors, for example one or more CPUs; where the processor is a CPU, that CPU may be a single-core CPU or a multi-core CPU.
The memory is used to store the program code and data of the control network element.
Specifically, the receiver is configured to receive an authentication parameter request from an access network element, where the authentication parameter request includes the access protocol type by which the terminal device accesses the access network element;
the processor is configured to generate at least one authentication parameter according to the authentication parameter request, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type confirmed as supported according to the authentication parameter request and/or a parameter corresponding to that authentication type;
the transmitter is configured to send the at least one authentication parameter to the access network element;
the receiver is further configured to receive, from the access network element, user authentication information together with the one authentication parameter, among the at least one authentication parameter, that the access network element determined to be supported by both the terminal device and the control network element;
the processor is further configured to authenticate the user authentication information using the determined authentication parameter and obtain an authentication result;
the transmitter is further configured to send the authentication result to the access network element.
In one implementation, the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
In another implementation, the at least one authentication type includes the Password Authentication Protocol (PAP), and the parameter corresponding to this authentication type is empty.
In yet another implementation, the at least one authentication type includes the Challenge Handshake Authentication Protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier and/or a challenge identifier length.
For details, refer to the description in the method embodiment, which is not repeated here.
It will be understood that FIG. 9 shows only a simplified design of the control network element. In practical applications, the control network element may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories and so on, and all control network elements capable of implementing the present invention fall within the scope of protection of the present invention.
The control network element provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
An embodiment of the present invention further provides another access network element, which may be the access network element in the foregoing communication system and may adopt the hardware architecture shown in FIG. 9. The access network element may include a receiver, a transmitter, a memory and a processor, interconnected by a bus. The functions implemented by the receiving unit 41 in FIG. 7 may be implemented by the receiver, the functions implemented by the sending unit 43 may be implemented by the transmitter, and the functions implemented by the determining unit 42 may be implemented by one or more processors.
The memory includes, but is not limited to, RAM, ROM, EPROM or CD-ROM, and is used for the relevant instructions and data.
The receiver is used to receive data and/or signals, and the transmitter is used to send data and/or signals. The transmitter and the receiver may be separate devices or a single integrated device.
The processor may include one or more processors, for example one or more CPUs; where the processor is a CPU, that CPU may be a single-core CPU or a multi-core CPU.
The memory is used to store the program code and data of the access network element.
Specifically, the receiver is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation of the authentication type to be used for user authentication of the terminal device;
the processor is configured to determine that the authentication type of the terminal device is plaintext authentication;
the receiver is further configured to receive user authentication information from the terminal device;
the transmitter is configured to send the user authentication information and the authentication type to a control network element for authentication;
the transmitter is further configured to receive an authentication result from the control network element;
the transmitter is further configured to send the authentication result to the terminal device.
For details, refer to the description in the method embodiment, which is not repeated here.
It will be understood that FIG. 9 shows only a simplified design of the access network element. In practical applications, the access network element may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories and so on, and all access network elements capable of implementing the present invention fall within the scope of protection of the present invention.
The access network element provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; moreover, the terminal device and the access network element directly determine the authentication type to be plaintext authentication, without requesting authentication parameters from the control network element, which simplifies the authentication procedure.
An embodiment of the present invention further provides a schematic hardware architecture diagram of another terminal device, which may be the terminal device in the foregoing communication system and may adopt the hardware architecture shown in FIG. 9. The terminal device may include a receiver, a transmitter, a memory and a processor, interconnected by a bus 118. The functions implemented by the receiving unit 53 in FIG. 8 may be implemented by the receiver, the functions implemented by the sending unit 51 may be implemented by the transmitter, and the functions implemented by the determining unit 52 may be implemented by one or more processors.
The memory includes, but is not limited to, RAM, ROM, EPROM or CD-ROM, and is used for the relevant instructions and data.
The receiver is used to receive data and/or signals, and the transmitter is used to send data and/or signals. The transmitter and the receiver may be separate devices or a single integrated device.
The processor may include one or more processors, for example one or more CPUs; where the processor is a CPU, that CPU may be a single-core CPU or a multi-core CPU.
The memory is used to store the program code and data of the terminal device.
Specifically, the transmitter is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to request negotiation of the authentication type to be used for user authentication of the terminal device;
the processor is configured to determine that the authentication type for user authentication is plaintext authentication;
the transmitter is further configured to send user authentication information to the access network element;
the receiver is configured to receive an authentication result from the access network element.
For details, refer to the description in the method embodiment, which is not repeated here.
It will be understood that FIG. 9 shows only a simplified design of the terminal device. In practical applications, the terminal device may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories and so on, and all terminal devices capable of implementing the present invention fall within the scope of protection of the present invention.
The terminal device provided by this embodiment of the present invention implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; moreover, the terminal device and the access network element directly determine the authentication type to be plaintext authentication, without requesting authentication parameters from the control network element, which simplifies the authentication procedure.
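The two flows described above for the terminal device, access network element and control network element (the negotiated flow with PAP or CHAP authentication parameters, and the simplified plaintext flow that skips the parameter request) as an added in-memory simulation; this is example code written for this page, not code from the patent or from Huawei. The access protocol label "PPP", the subscriber table, the terminal's preference order and the RFC 1994 identifier octet carried alongside the CHAP parameters are assumptions.

```python
import hashlib
import hmac
import os

PAP, CHAP = "PAP", "CHAP"


def chap_md5_response(ident, secret, challenge):
    """RFC 1994 CHAP/MD5: hash over the identifier octet, the secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ControlNetworkElement:
    """Holds the subscriber table (constructed) and decides which authentication
    parameters each access protocol type may use."""

    def __init__(self, subscribers, supported_by_protocol):
        self._subscribers = subscribers          # user -> secret
        self._supported = supported_by_protocol  # access protocol type -> [auth types]
        self._challenges = set()                 # outstanding CHAP challenges
        self._ident = 0                          # RFC 1994 identifier octet (assumption)

    def generate_auth_params(self, request):
        """Authentication parameter list for the request's access protocol type,
        narrowed to the types the terminal announced (if it announced any)."""
        types = self._supported.get(request["access_protocol_type"], [])
        if request.get("terminal_auth_types") is not None:
            types = [t for t in types if t in request["terminal_auth_types"]]
        params = []
        for t in types:
            if t == PAP:
                params.append({"auth_type": PAP, "params": None})  # PAP carries no parameter
            elif t == CHAP:
                chal = os.urandom(16)                               # fresh per negotiation
                self._challenges.add(chal)
                self._ident = (self._ident + 1) % 256
                params.append({"auth_type": CHAP, "params": {
                    "algorithm": "MD5", "ident": self._ident,
                    "challenge_id": chal, "challenge_id_len": len(chal)}})
        return params

    def authenticate(self, auth_info, auth_param):
        """Verify the user authentication information with the agreed parameter."""
        secret = self._subscribers.get(auth_info.get("user"))
        if secret is None:
            return False
        if auth_param["auth_type"] == PAP:       # plaintext password comparison
            return hmac.compare_digest(auth_info["password"].encode(), secret.encode())
        if auth_param["auth_type"] == CHAP:
            p = auth_param["params"]
            chal = p["challenge_id"]
            if p["algorithm"] != "MD5" or len(chal) != p["challenge_id_len"]:
                return False
            if chal not in self._challenges:     # unknown or already-answered challenge
                return False
            self._challenges.discard(chal)       # one response per challenge
            expected = chap_md5_response(p["ident"], secret, chal)
            return hmac.compare_digest(auth_info["response"], expected)
        return False


class TerminalDevice:
    def __init__(self, user, secret, preference):
        self.user, self._secret = user, secret
        self.preference = preference  # supported auth types, most preferred first

    def choose_auth_param(self, params):
        """First parameter, in the terminal's order, that the control NE also offered."""
        for t in self.preference:
            for p in params:
                if p["auth_type"] == t:
                    return p
        return None  # no mutually supported parameter

    def auth_info(self, param):
        if param["auth_type"] == PAP:
            return {"user": self.user, "password": self._secret}
        p = param["params"]
        return {"user": self.user,
                "response": chap_md5_response(p["ident"], self._secret, p["challenge_id"])}


class AccessNetworkElement:
    def __init__(self, control):
        self._control = control

    def negotiated_auth(self, terminal, access_protocol_type):
        """Full flow: parameter request to the control NE, selection, authentication."""
        req = {"access_protocol_type": access_protocol_type,
               "terminal_auth_types": terminal.preference}
        chosen = terminal.choose_auth_param(self._control.generate_auth_params(req))
        if chosen is None:
            return {"result": False, "auth_type": None}
        ok = self._control.authenticate(terminal.auth_info(chosen), chosen)
        return {"result": ok, "auth_type": chosen["auth_type"]}

    def plaintext_auth(self, terminal):
        """Simplified flow: authentication type fixed to plaintext, no parameter request."""
        param = {"auth_type": PAP, "params": None}
        return {"result": self._control.authenticate(terminal.auth_info(param), param),
                "auth_type": PAP}
```

The control network element discards each CHAP challenge once it has been answered, so a captured response cannot be presented a second time; the PAP branch shows why the simplified plaintext flow trades that protection for fewer messages.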
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted via a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
A person of ordinary skill in the art will understand that all or part of the processes of the methods in the above embodiments may be completed by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. The foregoing storage medium includes various media capable of storing program code, such as a ROM, a random access memory (RAM), a magnetic disk or an optical disk.

Claims (30)

  1. A user authentication method in a converged network, characterized in that the method comprises:
    an access network element receiving an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device;
    the access network element sending an authentication parameter request to a control network element, where the authentication parameter request includes the access protocol type by which the terminal device accesses the access network element;
    the access network element receiving at least one authentication parameter from the control network element and sending the at least one authentication parameter to the terminal device, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type;
    the access network element determining, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element, obtaining user authentication information of the terminal device, and sending the user authentication information and the determined authentication parameter to the control network element for authentication;
    the access network element receiving an authentication result from the control network element and sending the authentication result to the terminal device.
  2. The method according to claim 1, characterized in that the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
  3. The method according to claim 1 or 2, characterized in that the at least one authentication type includes the Password Authentication Protocol (PAP), and the parameter corresponding to this authentication type is empty.
  4. The method according to claim 1 or 2, characterized in that the at least one authentication type includes the Challenge Handshake Authentication Protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier and/or a challenge identifier length.
  5. A user authentication method in a converged network, characterized in that the method comprises:
    a terminal device sending an authentication negotiation request to an access network element, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device;
    the terminal device receiving at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type and/or a parameter corresponding to the authentication type;
    the terminal device determining, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element, and sending user authentication information to the access network element;
    the terminal device receiving an authentication result from the access network element.
  6. The method according to claim 5, characterized in that the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
  7. A user authentication method in a converged network, characterized in that the method comprises:
    a control network element receiving an authentication parameter request from an access network element, where the authentication parameter request includes the access protocol type by which a terminal device accesses the access network element;
    the control network element generating at least one authentication parameter according to the authentication parameter request and sending the at least one authentication parameter to the access network element, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter includes an authentication type confirmed as supported according to the authentication parameter request and/or a parameter corresponding to that authentication type;
    the control network element receiving, from the access network element, user authentication information together with the one authentication parameter, among the at least one authentication parameter, that the access network element determined to be supported by both the terminal device and the control network element, and authenticating the user authentication information using the determined authentication parameter to obtain an authentication result;
    the control network element sending the authentication result to the access network element.
  8. The method according to claim 7, characterized in that the authentication negotiation request and the authentication parameter request further include the authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
  9. The method according to claim 7 or 8, characterized in that the at least one authentication type includes the Password Authentication Protocol (PAP), and the parameter corresponding to this authentication type is empty.
  10. The method according to claim 7 or 8, characterized in that the at least one authentication type includes the Challenge Handshake Authentication Protocol (CHAP), and the parameters corresponding to this authentication type include an algorithm, a challenge identifier and/or a challenge identifier length.
  11. A user authentication method in a converged network, characterized in that the method comprises:
    an access network element receiving an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation of the authentication type to be used for user authentication of the terminal device;
    the access network element determining that the authentication type of the terminal device is plaintext authentication;
    the access network element receiving user authentication information from the terminal device, and sending the user authentication information and the authentication type to a control network element for authentication;
    the access network element receiving an authentication result from the control network element and sending the authentication result to the terminal device.
  12. A user authentication method in a converged network, characterized in that the method comprises:
    a terminal device sending an authentication negotiation request to an access network element, where the authentication negotiation request is used to request negotiation of the authentication type to be used for user authentication of the terminal device;
    the terminal device determining that the authentication type for user authentication is plaintext authentication;
    the terminal device sending user authentication information to the access network element;
    the terminal device receiving an authentication result from the access network element.
  13. An access network element, characterized by comprising:
    a receiving unit, configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device;
    a sending unit, configured to send an authentication parameter request to a control network element, where the authentication parameter request comprises: the access protocol type by which the terminal device accesses the access network element;
    the receiving unit being further configured to receive at least one authentication parameter from the control network element, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter comprises an authentication type and/or a parameter corresponding to the authentication type;
    the sending unit being further configured to send the at least one authentication parameter to the terminal device;
    a determining unit, configured to determine, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element;
    the receiving unit being further configured to acquire user authentication information of the terminal device;
    the sending unit being further configured to send the user authentication information and the determined authentication parameter to the control network element for authentication;
    the receiving unit being further configured to receive an authentication result from the control network element;
    the sending unit being further configured to send the authentication result to the terminal device.
  14. The access network element according to claim 13, characterized in that the authentication negotiation request and the authentication parameter request further comprise: an authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
  15. The access network element according to claim 13 or 14, characterized in that the at least one authentication type comprises the simple password authentication protocol (PAP), and the parameter corresponding to the authentication type is empty.
  16. The access network element according to claim 13 or 14, characterized in that the at least one authentication type comprises the challenge handshake protocol (CHAP), and the parameters corresponding to the authentication type comprise: an algorithm, a challenge identifier, and/or a challenge identifier length.
  17. A terminal device, characterized by comprising:
    a sending unit, configured to send an authentication negotiation request to an access network element, where the authentication negotiation request is used to negotiate and determine an authentication parameter of the terminal device;
    a receiving unit, configured to receive at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter comprises an authentication type and/or a parameter corresponding to the authentication type;
    a determining unit, configured to determine, among the at least one authentication parameter, one authentication parameter supported by both the terminal device and the control network element;
    the sending unit being further configured to send user authentication information to the access network element;
    the receiving unit being further configured to receive an authentication result from the access network element.
  18. The terminal device according to claim 17, characterized in that the authentication negotiation request and the authentication parameter request further comprise: an authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
  19. A control network element, characterized by comprising:
    a receiving unit, configured to receive an authentication parameter request from an access network element, where the authentication parameter request comprises: the access protocol type by which a terminal device accesses the access network element;
    a generating unit, configured to generate at least one authentication parameter according to the authentication parameter request, where the at least one authentication parameter corresponds to the access protocol type, and each authentication parameter comprises an authentication type confirmed as supported according to the authentication parameter request and/or a parameter corresponding to the authentication type;
    a sending unit, configured to send the at least one authentication parameter to the access network element;
    the receiving unit being further configured to receive, from the access network element, user authentication information together with the one authentication parameter, among the at least one authentication parameter, that is supported by both the terminal device and the control network element;
    an authentication unit, configured to authenticate the user authentication information using the determined authentication parameter to obtain an authentication result;
    the sending unit being further configured to send the authentication result to the access network element.
  20. The control network element according to claim 19, characterized in that the authentication negotiation request and the authentication parameter request further comprise: an authentication type supported by the terminal device, in which case the parameter corresponding to the authentication type is the parameter corresponding to the authentication type supported by the terminal device.
  21. The control network element according to claim 19 or 20, characterized in that the at least one authentication type comprises the simple password authentication protocol (PAP), and the parameter corresponding to the authentication type is empty.
  22. The control network element according to claim 19 or 20, characterized in that the at least one authentication type comprises the challenge handshake protocol (CHAP), and the parameters corresponding to the authentication type comprise: an algorithm, a challenge identifier, and/or a challenge identifier length.
  23. An access network element, characterized by comprising:
    a receiving unit, configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation to determine the authentication type used by the terminal device for user authentication;
    a determining unit, configured to determine that the authentication type of the terminal device is plaintext authentication;
    the receiving unit being further configured to receive user authentication information from the terminal device;
    a sending unit, configured to send the user authentication information and the authentication type to a control network element for authentication;
    the receiving unit being further configured to receive an authentication result from the control network element;
    the sending unit being further configured to send the authentication result to the terminal device.
  24. A terminal device, characterized by comprising:
    a sending unit, configured to send an authentication negotiation request to an access network element, where the authentication negotiation request is used to request negotiation to determine the authentication type used by the terminal device for user authentication;
    a determining unit, configured to determine that the authentication type for user authentication is plaintext authentication;
    the sending unit being further configured to send user authentication information to the access network element;
    a receiving unit, configured to receive an authentication result from the access network element.
  25. An access network element, characterized by comprising a processor, the processor being configured to be coupled to a memory, read the instructions in the memory, and execute, in accordance with the instructions, the method according to any one of claims 1-4 or 11.
  26. A terminal device, characterized by comprising a processor, the processor being configured to be coupled to a memory, read the instructions in the memory, and execute, in accordance with the instructions, the method according to any one of claims 5-6 or 12.
  27. A control network element, characterized by comprising a processor, the processor being configured to be coupled to a memory, read the instructions in the memory, and execute, in accordance with the instructions, the method according to any one of claims 7-10.
  28. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 1-4 or 11.
  29. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 5-6 or 12.
  30. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 7-10.
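As an added illustration that is not part of the patent, the following Python models the negotiation of claims 13-22 (the plaintext case of claims 23-24 corresponds to the PAP branch) between the terminal device, the access network element and the control network element. The offered-type table, the subscriber record, the preference for CHAP over PAP, and the reading of the CHAP parameters in the RFC 1994 sense (identifier, challenge, challenge length) are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed sample data (not from the patent): authentication types the control network
# element offers per access protocol type, and a hypothetical subscriber record.
OFFERS = {"PPPoE": ["CHAP", "PAP"], "IPoE": ["PAP"]}
SUBSCRIBERS = {"alice@example.net": b"s3cret-example"}
PREFERENCE = ["CHAP", "PAP"]  # assumed policy: challenge-response before plaintext

def control_ne_generate_params(access_protocol_type, terminal_types):
    """Claims 19/20: one (type, parameters) pair per offered type the terminal also declared.
    PAP carries no parameters; CHAP carries algorithm, challenge and its length (RFC 1994 reading)."""
    params = []
    for auth_type in OFFERS.get(access_protocol_type, []):
        if auth_type == "CHAP" and "CHAP" in terminal_types:
            params.append(("CHAP", {"algorithm": "MD5", "identifier": 1,
                                    "challenge": secrets.token_bytes(16), "challenge_len": 16}))
        elif auth_type == "PAP" and "PAP" in terminal_types:
            params.append(("PAP", {}))
    return params

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def access_ne_select(params, terminal_types):
    """Claim 13 determining unit: one parameter both sides support, most preferred type first."""
    for wanted in PREFERENCE:
        for auth_type, p in params:
            if auth_type == wanted and auth_type in terminal_types:
                return auth_type, p
    return None

def terminal_auth_info(username, secret, chosen):
    """Claim 17: user authentication information for the selected type (PAP sends the secret in clear)."""
    auth_type, p = chosen
    if auth_type == "CHAP":
        return {"user": username, "response": chap_response(p["identifier"], secret, p["challenge"])}
    return {"user": username, "password": secret}

def control_ne_authenticate(auth_info, chosen, offered):
    """Claim 19 authentication unit; a parameter the control NE never offered is refused (no downgrade)."""
    secret = SUBSCRIBERS.get(auth_info["user"])
    if chosen not in offered or secret is None:
        return False
    auth_type, p = chosen
    if auth_type == "CHAP":
        expected = chap_response(p["identifier"], secret, p["challenge"])
        return secrets.compare_digest(auth_info["response"], expected)
    return secrets.compare_digest(auth_info["password"], secret)

def run_negotiation(access_protocol_type, terminal_types, username, secret):
    """Claims 13-22 end to end: returns (selected authentication type, authentication result)."""
    offered = control_ne_generate_params(access_protocol_type, terminal_types)  # control NE
    chosen = access_ne_select(offered, terminal_types)                           # access NE
    if chosen is None:
        return None, False
    info = terminal_auth_info(username, secret, chosen)                          # terminal
    return chosen[0], control_ne_authenticate(info, chosen, offered)             # control NE
```

Run with an access protocol type that only offers PAP to see the terminal fall back to plaintext authentication, and with a type the terminal does not declare to see the negotiation fail before any credential is sent.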
PCT/CN2018/082289 2017-04-25 2018-04-09 User authentication method and apparatus in converged network WO2018196587A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710277650.4A CN108738019B (en) 2017-04-25 2017-04-25 User authentication method and device in converged network
CN201710277650.4 2017-04-25

Publications (1)

Publication Number Publication Date
WO2018196587A1 true WO2018196587A1 (en) 2018-11-01

Family

ID=63917992

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/082289 WO2018196587A1 (en) 2017-04-25 2018-04-09 User authentication method and apparatus in converged network

Country Status (2)

Country Link
CN (1) CN108738019B (en)
WO (1) WO2018196587A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988778A (en) * 2019-05-21 2020-11-24 广东美的制冷设备有限公司 Multi-protocol authentication method for device, WIFI module, and computer-readable storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4016950A4 (en) * 2019-08-18 2022-08-10 Huawei Technologies Co., Ltd. Communication method, device, and system
CN110572804B (en) * 2019-08-27 2022-04-22 暨南大学 Bluetooth communication authentication request, receiving and communication method, mobile terminal and equipment terminal
CN111147471B (en) * 2019-12-20 2023-02-28 视联动力信息技术股份有限公司 Terminal network access authentication method, device, system and storage medium
CN114245376A (en) * 2020-09-07 2022-03-25 中国移动通信有限公司研究院 Data transmission method, user equipment, related network equipment and storage medium
CN114051244A (en) * 2021-11-10 2022-02-15 杭州萤石软件有限公司 Authentication method and system between terminal side equipment and network side equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536508A (en) * 2003-04-09 2004-10-13 华为技术有限公司 Method for displaying door web page based on Ethernet protocol when the user is logged
WO2006123974A1 (en) * 2005-05-16 2006-11-23 Telefonaktiebolaget Lm Ericsson (Publ) Means and method for ciphering and transmitting data in integrated networks
CN101730102A (en) * 2009-05-15 2010-06-09 中兴通讯股份有限公司 System and method for implementing authentication on user of home base station

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8341700B2 (en) * 2003-10-13 2012-12-25 Nokia Corporation Authentication in heterogeneous IP networks
CN100407687C (en) * 2003-11-21 2008-07-30 华为技术有限公司 Asynchronous transmission mode exchange net user's Ethernet access method
CN101753533A (en) * 2008-12-04 2010-06-23 华为终端有限公司 Method, device and system for negotiating authentication methods
CN103139768B (en) * 2011-11-28 2017-03-01 上海贝尔股份有限公司 Authentication method in fusing wireless network and authentication device
CN103297968B (en) * 2012-03-02 2017-12-29 华为技术有限公司 A kind of method, equipment and the system of wireless terminal certification
CN105306406A (en) * 2014-05-26 2016-02-03 中国移动通信集团公司 Negotiation method of authentication and key negotiation algorithm, network side equipment and user equipment

Also Published As

Publication number Publication date
CN108738019A (en) 2018-11-02
CN108738019B (en) 2021-02-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 18791645; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 18791645; Country of ref document: EP; Kind code of ref document: A1