CN111194095B - Method and device for access control - Google Patents


Publication number
CN111194095B
Authority
CN
China
Legal status
Active
Application number
CN201811334554.XA
Other languages
Chinese (zh)
Other versions
CN111194095A (en)
Inventor
柯小婉
Current Assignee
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks
    • H04W 76/00 Connection management > H04W 76/10 Connection setup
    • H04W 48/00 Access restriction; Network selection; Access point selection > H04W 48/16 Discovering, processing access restriction or access information
    • H04W 76/00 Connection management > H04W 76/20 Manipulation of established connections > H04W 76/27 Transitions between radio resource control [RRC] states

Abstract

The embodiment of the invention provides an access control method and equipment, wherein the method comprises the following steps: determining operation of a second NAS based on factors associated with the first NAS and/or factors associated with a first Access Stratum (AS); the first AS is related to a first network, the terminal is provided with a first NAS and/or a second NAS, the first NAS is related to the first network, and the second NAS is related to a second network. By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand.

Description

Method and device for access control
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a method and equipment for access control.
Background
Many vertical industries have communication requirements, such as railway dispatching and automation control. The fifth generation mobile communication technology (5G) can provide a Non-Public Network (NPN) for vertical industries and meet their communication demands. Non-public networks often provide service only in one area and do not offer full coverage.
There may be multiple deployments of non-public networks, such as: 1) an independent network; 2) a dependent network, which may be a) part of the carrier's communication network, or b) a slice of the carrier's communication network.
A terminal subscribed to a non-public network may also subscribe to a public network, and a terminal subscribed to a public network may likewise subscribe to a non-public network at the same time.
The terminal can access public network services (e.g., Public Land Mobile Network (PLMN) services) through the non-public network;
the terminal can access non-public network services (access to selected non-public network services via the PLMN) through the public network.
When a private network is deployed, some complex network services are not deployed, so under private network coverage a private network user can access the public network service. Conversely, under public network coverage, a private network user can likewise access private network services.
Therefore, how to access the network service of a second network through a first network is an urgent problem to be solved.
Disclosure of Invention
An object of the embodiments of the present invention is to provide an access control method and device, which solve the problem of how to access a network service of a second network through a first network.
According to a first aspect, an embodiment of the present invention provides an access control method, which is applied to a terminal, where the terminal has a first non-access stratum NAS and/or a second NAS, the first NAS is associated with a first network, and the second NAS is associated with a second network, and the method includes:
determining operation of the second NAS based on factors associated with the first NAS and/or factors associated with a first Access Stratum (AS);
wherein the first AS is associated with a first network.
According to a second aspect of the embodiments of the present invention, there is also provided an access control method, applied to a first communication network element, the method including:
establishing a first A interface connection related to a terminal and/or a second A interface connection related to the terminal for the terminal;
determining an operation with respect to the second A-interface of the terminal according to a factor associated with the first A-interface;
wherein the first A interface is an interface between network elements in the first network, the second A interface is an interface between the first network and a second network or a proxy network element, and the proxy network element is a proxy between the first network and the second network.
According to a third aspect of the embodiments of the present invention, there is further provided an access control method, applied to a proxy network element, where the method includes:
performing an operation of the second D interface according to a factor associated with the first D interface;
wherein the first D interface is an interface between the first network and a proxy network element, and the second D interface is an interface between the proxy network element and the second network; or the first D interface is an interface between the proxy network element and the second network, and the second D interface is an interface between the first network and the proxy network element;
the proxy network element is used for proxy of a first network and a second network, and the proxy network element is a network element in the first network, the second network or a third network.
According to a fourth aspect of the embodiments of the present invention, there is also provided an access control method, applied to a terminal, the method including:
acquiring authorization information accessed to a second network, wherein the authorization information accessed to the second network is authorization information of the terminal accessed to the second network through the first network;
and determining a first operation of accessing the second network through the first network according to the authorization information of accessing the second network.
According to a fifth aspect of the embodiments of the present invention, there is further provided an access control method, applied to a second communication network element, the method including:
acquiring authorization information for accessing a second network and/or access information of the second network, wherein the authorization information for accessing the second network is authorization information of a terminal for accessing the second network through the first network;
and determining whether to execute a second operation that the terminal accesses the second network through the first network according to the authorization information for accessing the second network and/or the access information of the second network.
According to a sixth aspect of the embodiments of the present invention, there is further provided an access control method, applied to a third communication network element, the method including:
obtaining first information, the first information comprising at least one of: the capability of the terminal to access the second network through the first network, the capability of the RAN of the first network to access the second network through the proxy network element, and the subscription information of the terminal for accessing the second network through the first network;
and determining authorization information for accessing the second network according to the first information, wherein the authorization information for accessing the second network is authorization information for accessing the second network by the terminal through the first network.
A seventh aspect according to an embodiment of the present invention further provides a first communication network element, including:
the establishing module is used for establishing a first A interface connection related to the terminal and/or a second A interface connection related to the terminal for the terminal;
a second determining module for determining an operation with respect to the second A interface of the terminal according to a factor associated with the first A interface;
wherein the first A interface is an interface between network elements in the first network, the second A interface is an interface between the first network and a second network or a proxy network element, and the proxy network element is a proxy between the first network and the second network.
There is further provided, in accordance with an eighth aspect of the present embodiment, a proxy network element, including:
the execution module is used for executing the operation of the second D interface according to the factors related to the first D interface;
wherein the first D interface is an interface between a first network and a proxy network element, and the second D interface is an interface between the proxy network element and a second network; or the first D interface is an interface between the proxy network element and the second network, and the second D interface is an interface between the first network and the proxy network element;
wherein the proxy network element is used for proxy between the first network and the second network, and the proxy network element is a network element in the first network, the second network, or a third network.
There is also provided, in accordance with a ninth aspect of the embodiments of the present invention, a terminal, including:
the first obtaining module is used for obtaining authorization information for accessing a second network, wherein the authorization information for accessing the second network is authorization information for accessing the terminal to the second network through a first network;
and the third determining module is used for determining whether to execute the first operation of accessing the second network through the first network according to the authorization information of accessing the second network.
There is also provided, in accordance with a tenth aspect of the embodiments of the present invention, a second communication network element, including:
the second acquisition module is used for acquiring authorization information for accessing a second network and/or access information of the second network, wherein the authorization information for accessing the second network is authorization information of a terminal for accessing the second network through a first network;
and the fourth determining module is used for determining whether to execute a second operation that the terminal accesses the second network through the first network according to the authorization information for accessing the second network and/or the access information of the second network.
There is also provided, in accordance with an eleventh aspect of the embodiments of the present invention, a third communication network element, including:
a third obtaining module, configured to obtain first information, where the first information may include at least one of: the capability of the terminal to access a second network through a first network, the capability of the RAN of the first network to access the second network through a proxy network element, and the subscription information of the terminal for accessing the second network through the first network;
a fifth determining module, configured to determine, according to the first information, authorization information for accessing the second network, where the authorization information for accessing the second network is authorization information for the terminal to access the second network through the first network.
There is also provided, in accordance with a twelfth aspect of the embodiments of the present invention, communication apparatus including: a processor, a memory and a program stored on the memory and executable on the processor, which program, when executed by the processor, carries out the steps of the method of access control as described above.
There is also provided in accordance with the thirteenth aspect of the embodiments of the present invention a computer readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method of access control as described above.
In the embodiment of the invention, the network service of the second network is accessed through the first network, so that the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, thereby ensuring the service experience of a user and expanding the service range of the network service.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic diagram of a non-public network and a public network in the prior art;
FIG. 2 is a diagram illustrating a conventional architecture for accessing public network services through a non-public network;
fig. 3 is a flowchart of an access control method according to an embodiment of the present invention;
fig. 4 is a second flowchart of an access control method according to an embodiment of the present invention;
fig. 5 is a third flowchart of a method of access control according to an embodiment of the present invention;
fig. 6 is a fourth flowchart of a method of access control according to an embodiment of the present invention;
fig. 7 is a fifth flowchart of an access control method according to an embodiment of the present invention;
fig. 8 is a sixth flowchart of a method of access control according to an embodiment of the present invention;
fig. 9 is a schematic diagram of accessing PLMN services through an NPN according to an embodiment of the present invention;
FIG. 10 is a protocol diagram of an embodiment of the invention;
fig. 11 is a diagram illustrating registration of a first network with a second network according to an embodiment of the present invention;
FIG. 12 is a diagram illustrating an embodiment of the present invention in which access to the first network is no longer allowed;
fig. 13 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a first communication network element according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of a proxy network element according to an embodiment of the present invention;
fig. 16 is a second schematic structural diagram of a terminal according to an embodiment of the present invention;
fig. 17 is a schematic structural diagram of a second communications network element according to an embodiment of the present invention;
fig. 18 is a schematic structural diagram of a third communication network element according to an embodiment of the present invention;
fig. 19 is a schematic diagram of a communication device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "comprises," "comprising," or any other variation thereof, in the description and claims of this application, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Furthermore, the use of "and/or" in the specification and claims means at least one of the connected objects; for example, "A and/or B" covers three cases: A alone, B alone, and both A and B.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as an example, illustration or description. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "for example" is intended to present related concepts in a concrete fashion.
In the embodiment of the present invention, the terms public communication network and public network mean the same thing, and it is to be understood that the specific name is not limited.
In the embodiment of the present invention, the terms non-public communication network, non-public network and private network mean the same thing, and it is understood that the specific name is not limited. The non-public network may include a physical non-public network and a virtual non-public network. In one embodiment, the non-public network may be a Closed Access Group (CAG), and a CAG may be composed of a group of terminals.
In the embodiment of the present invention, the public network service may be referred to as one of the following: a public communication service.
In the embodiment of the present invention, the non-public network service may be referred to as one of the following: non-public communication services, private network services.
In the embodiment of the present invention, the first network may be a public network, and the second network may be a non-public network; or the first network may be a non-public network and the second network may be a public network; or the first network may be a first public network and the second network may be a second public network; or the first network may be a first non-public network and the second network may be a second non-public network.
In the embodiment of the present invention, the proxy network element may have the functions of a W interface, Y interface and/or Z interface proxy. In the embodiment of the present invention, the W interface represents the control plane interface between the RAN and the CN; for example, in a 5G System (5GS) network the W interface is referred to as the NG interface, and in an Evolved Packet System (EPS) network it is referred to as the S1-C interface. The Y interface represents the user plane interface between the RAN and the CN; for example, in a 5GS network the Y interface is referred to as the N3 interface, and in an EPS network as the S1-U interface. The Z interface represents the interface between RAN and RAN; for example, in a 5GS network the Z interface is called the Xn interface, and in an EPS network the X2 interface. In the embodiment of the present invention, the names of the W, Y and Z interfaces are not specifically limited.
For example, the proxy network element may have NG interface, Xn interface and N3 interface proxy functions, i.e. it presents NG, Xn and N3 interface functionality; or it may have NG interface and N3 interface proxy functions only, i.e. it presents NG and N3 interface functionality.
In an embodiment of the present invention, the first NAS (Non-Access Stratum), associated with the first network, may represent one of the following: the NAS of the first network to which the terminal is registered, the NAS on the terminal that communicates with the NAS of the core network of the first network, or the NAS signaling connection between the terminal and the first network. The second NAS, associated with the second network, may represent one of the following: the NAS of the second network to which the terminal is registered, the NAS on the terminal that communicates with the NAS of the core network of the first network, or the NAS signaling connection between the terminal and the second network. The first AS (Access Stratum), associated with the first network, may represent one of the following: the AS on the terminal that communicates with the radio access network of the first network, or the Radio Resource Control (RRC) connection between the terminal and the first network.
In the embodiments of the present invention, the NAS connection may be referred to as a NAS signaling connection. The first NAS connection may be referred to as a first NAS signaling connection; the second NAS connection may be referred to as a second NAS signaling connection.
In the embodiment of the present invention, the mode of a NAS connection may be referred to as the mode of a NAS signaling connection. The mode of the first NAS connection may be referred to as the mode of the first NAS signaling connection; the mode of the second NAS connection may be referred to as the mode of the second NAS signaling connection.
In the embodiment of the present invention, accessing the second network through the first network may also be referred to as accessing a network service of the second network through the first network. Allowing the terminal to access the second network through the first network may also be referred to as allowing the terminal to access a network service of the second network through the first network; disallowing the terminal to access the second network through the first network may also be referred to as disallowing the terminal to access network services of the second network through the first network.
In the embodiment of the present invention, the obtaining may be understood as obtaining from configuration, receiving after a request, obtaining by self-learning, deriving from unreceived information, or obtaining after processing from received information, and may be determined according to actual needs, which is not limited in the embodiment of the present invention. For example, when a certain capability indication sent by the device is not received, it can be deduced that the device does not support the capability.
In the embodiment of the present invention, the communication network element may include at least one of the following: RAN (Radio Access Network) Network elements, and CN (Core Network) Network elements.
In this embodiment of the present invention, the core network element (CN element) may include, but is not limited to, at least one of the following: a core network device, a core network Node, a core network Function, a core network element, a Mobility Management Entity (MME), an Access Mobility Management Function (AMF), a Session Management Function (SMF), a User Plane Function (UPF), a Serving Gateway (Serving GW, SGW), a PDN Gateway (PDN Gateway), a Policy Control Function (Policy Control Function, PCF), a Policy and Charging Rules Function (Policy and Charging Rules Function, PCRF), a GPRS service Support Node (Serving GPRS Support Node, SGSN), a Gateway GPRS Support Node (Gateway GPRS Support Node, GGSN), and a wireless Access network device.
In this embodiment of the present invention, the radio access network element (RAN network element) may include, but is not limited to, at least one of the following: Radio Access Network equipment, Radio Access Network nodes, Radio Access Network functions, Radio Access Network units, 3GPP Radio Access Networks, Non-3GPP Radio Access Networks, Centralized Units (CU), Distributed Units (DU), base stations, evolved Node Bs (eNB), 5G base stations (gNB), Radio Network Controllers (RNC), base stations (NodeB), Non-3GPP Inter-Working Functions (N3IWF), Access Control (AC) nodes, Access Point (AP) devices, or Wireless Local Area Network (WLAN) nodes.
The Base Station may be a Base Transceiver Station (BTS) in GSM or CDMA, a Base Station (NodeB) in WCDMA, an evolved Node B (eNB or e-NodeB) in LTE, and a 5G Base Station (gNB), and embodiments of the present invention are not limited thereto.
In the embodiment of the present invention, the terminal may include a relay supporting the terminal function and/or a terminal supporting the relay function. The terminal may also be referred to as a terminal Device or a User Equipment (UE), where the terminal may be a Mobile phone, a Tablet Personal Computer (Tablet Personal Computer), a Laptop Computer (Laptop Computer), a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), a Wearable Device (Wearable Device), or a vehicle-mounted Device, and it should be noted that a specific type of the terminal is not limited in the embodiment of the present invention.
Referring to fig. 1 and fig. 2, fig. 2 is a schematic diagram of an existing architecture for accessing a public network service through a non-public network, where the network service may include both a network characteristic and an application layer network service. Network characteristics may require the common completion of a Radio Access Network (RAN) and a Core Network (CN).
One existing architecture for accessing public network services via a non-public network (which may also be referred to as a private network) is: through a Non-3GPP Interworking Function (N3IWF), the terminal establishes a Protocol Data Unit (PDU) session through the second network to connect to the N3IWF, and that first PDU session then connects to the Access Mobility Management Function (AMF) and the User Plane Function (UPF) of the first network, respectively.
However, the drawback of this architecture is that the details of the public network service are transparent to the private RAN, which therefore cannot enforce Quality of Service (QoS) guarantees or service requirements. In addition, the N3IWF has no control plane towards the Non-Public Network (NPN) RAN, so it cannot know whether the NPN RAN capability and the NPN UE radio capability support a given public network service. When the public network service is an IP Multimedia Subsystem (IMS) service, the performance and reliability of the IMS service cannot be guaranteed, and IMS voice traffic is downgraded to over-the-top (OTT) voice traffic, i.e. voice delivered as an application service over the internet. When the public network service is a Location Services (LCS) service, the RAN in the private network cannot cooperate in measuring the UE location, because it cannot receive the location acquisition signaling from the public network; LCS is degraded to allow only RAN-independent measurement techniques. Therefore, because the RAN is completely transparent to the public network service, the private network user only has access to a degraded public network service.
Moreover, since the private RAN is transparent to the public network service, when the terminal moves from the private network to the public network, the private RAN cannot organize the AS context and AS configuration regarding the public network service, and cannot forward data to the public RAN. Public network services cannot be switched, and service continuity cannot be guaranteed.
Referring to fig. 3, an execution subject of the method may be a terminal, where the terminal has a first NAS and/or a second NAS, the first NAS is related to a first network, and the second NAS is related to a second network, and the specific steps are as follows:
step 301: determining operation of the second NAS based on factors associated with the first NAS and/or factors associated with the first AS; wherein the first AS is associated with the first network.
In the embodiment of the present invention, optionally, the factor associated with the first NAS may be related information and/or operation of the first NAS.
In the embodiment of the present invention, optionally, the factor associated with the first AS may be related information and/or operation of the first AS.
In the embodiment of the present invention, optionally, the second NAS may be located on the first AS, or the second NAS may be located on the first NAS.
In the embodiment of the present invention, optionally, the factor associated with the first NAS may include at least one of: a mode of the first NAS connection, an operation of the first NAS connection, a context of the first NAS.
Wherein the NAS may comprise at least one of: mobility Management (MM) and Session Management (SM). The mobility management MM is referred to in 5GS as 5G mobility management (5 GMM). Mobility management MM is referred to as Mobility Management (MM) in EPS networks. Mobility management is referred to as General Packet Radio Service (GPRS) mobility management (GMM) in GPRS networks.
In one embodiment, the connection mode of the NAS may be referred to as an MM connection mode.
Wherein, the context of the first NAS may refer to information received by the terminal from a core network element (e.g., AMF) of the first network; or the context of the first NAS may be information that the first network has preconfigured on the terminal.
In the embodiment of the present invention, optionally, the operation of the first NAS connection may include at least one of the following: NAS connection establishment, NAS connection release, NAS signaling barring, and NAS signaling barring timing.
The NAS connection may be a NAS signaling connection; for example, in a 5GS system, the NAS signaling connection is the N1 NAS signaling connection.
In this embodiment of the present invention, optionally, the context of the first NAS may include: authorization information for accessing a second network; the authorization information for accessing the second network is authorization information for the terminal to access the second network through the first network, and the authorization information may be sent to the NAS through the CN or sent to the AS through the RAN.
In the embodiment of the present invention, optionally, the factor associated with the first AS may include at least one of: a state of the first AS connection, an operation of the first AS connection, a context of the first AS.
The AS may include Radio Resource Control (RRC). Relative to the NAS, the AS may also be referred to as the lower layer; relative to the AS, the NAS may also be referred to as the upper layer.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network allowing access through the first network, such as: the network identification of a non-public network (such as an NPN (Non-Public Network) ID), or the network identification of a public network (such as a PLMN ID), etc.;
(3) network identification information of the second network that does not allow access through the first network, such as: the network identification of a non-public network (such as an NPN (Non-Public Network) ID), or the network identification of a public network (such as a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for the first data channel (e.g., a PDU session and/or QoS flow), which may include at least one of: the number of first data channels allowed to be established, the allowed Aggregate Maximum Bit Rate (AMBR) of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)); in one embodiment, the allowed 5QI or QCI may include 1 and/or 5; the first data channels are data channels established in the first network for the terminal to access the second network;
(7) grant information for the second data channel (e.g., a PDU session and/or QoS flow), which may include at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of the first Data Radio Bearer (DRB), which may include at least one of: the number of first DRBs allowed to be established, and the allowed QoS information; the first DRB is a DRB established in the first network and used for transmitting signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network that grants access to the second network and/or a network service of the second network.
The first AS connection may also be referred to as a first Radio Resource Control (RRC) connection, where the first RRC connection is an RRC connection between the terminal and the first network.
In this embodiment of the present invention, optionally, the authorization information for accessing the second network is received and obtained from a communication network element of the first network.
The context of the first AS may include at least one of: information that the terminal receives, sent or broadcast by a RAN network element of the first network, and information sent to the first AS by the first NAS.
In the embodiment of the present invention, optionally, the mode of the first NAS connection may include at least one of the following: IDLE mode (alternatively referred to as 5GMM-IDLE mode), CONNECTED mode (alternatively referred to as 5GMM-CONNECTED mode).
In the embodiment of the present invention, optionally, the state of the first AS connection (also referred to as the first RRC connection) may include at least one of the following: an idle state, a connected state, and an inactive state.
In the embodiment of the present invention, optionally, the operation of the first AS connection may include at least one of the following: establishing RRC connection, releasing RRC connection, and suspending the RRC connection to enter an inactive state.
In the embodiment of the present invention, optionally, the context of the first AS may include at least one of the following: authorization information for accessing the second network, that is, the authorization information for the terminal to access the second network through the first network. The information that the authorization information for accessing the second network may include is described above and is not repeated here. The authorization information for accessing the second network in the first AS context may be received from a RAN network element of the first network or obtained from the first NAS.
In this embodiment of the present invention, optionally, the authorization information for accessing the second network may be obtained from a communication network element (e.g., a RAN network element) of the first network.
In the embodiment of the present invention, optionally, step 301 may include at least one of the following:
(1) entering a mode of the second NAS connection into an idle mode or releasing the connection of the second NAS when a first condition is satisfied, wherein the first condition may include at least one of: (a) the connection state of the first AS enters an idle state, (b) the connection of the first AS is released, (c) the mode of the first NAS connection enters an idle mode, (d) the connection of the first NAS is released, (e) the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network through the first network;
(2) when the signaling of the first NAS is forbidden or a NAS prohibit timer is running, forbidding the second NAS to send NAS signaling;
(3) when a second condition is met, determining that the connection of the second NAS can be established and/or is to be established, or confirming that the mode of the second NAS connection enters and/or can enter connected mode; the second condition may include at least one of: (a) the first AS connection is in a connected state or is being established, (b) the first NAS connection is in connected mode or is being established, (c) the authorization information for accessing the second network allows the terminal to access the second network through the first network. Accordingly, when the second NAS connection is in connected mode or established, the first AS connection is in a connected state or established; or, when the second NAS connection is in connected mode or established, the first NAS connection is in connected mode or established;
(4) when the second NAS sends NAS signaling and/or data to a second network and the connection state of the first AS is in an idle state, the second NAS requests the first NAS to trigger the connection establishment of the first AS or the second NAS directly triggers the connection establishment of the first AS; wherein when the mode of the second NAS connection is in a connected state, the mode of the first NAS connection is in a connected mode;
(5) when the second NAS sends NAS signaling and/or data to a second network and when the mode of the first NAS connection is in an idle mode, the second NAS requests the mode of the first NAS connection to enter a connected mode; the second NAS does not influence network selection and access control of the first AS, does not provide a terminal identifier of the second network and/or does not provide slice information of the second network;
(6) when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network through the first network, at least one of the following is performed: (a) allowing the mode of the second NAS connection to enter a connection mode through the first AS and/or the first NAS, (b) allowing the second NAS to establish NAS connection through the first AS and/or the first NAS, (c) allowing the second NAS to send NAS signaling of the second network and/or data of the second network to the first AS and/or the first NAS; (d) allowing NAS signaling of the second network and/or data of the second network to trigger the first AS connection establishment;
(7) when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network through the first network, performing at least one of the following: (a) not allowing the second NAS connection to enter connected mode through the first AS and/or the first NAS, (b) not allowing the second NAS to establish a NAS connection through the first AS and/or the first NAS, (c) not allowing the second NAS to send NAS signaling of the second network and/or data of the second network to the first AS; (d) not allowing NAS signaling of the second network and/or data of the second network to trigger the connection establishment of the first AS.
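The coupling rules of step 301 as a small terminal-side model, added here as an example and not code from the patent: the second NAS may only be connected while the first AS and first NAS are connected and access is authorized, and it is forced idle or barred when the first-network side changes. The class, method and event names are hypothetical, and the authorization information is reduced to a single allow flag.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class ASState(Enum):
    """State of the first AS (RRC) connection."""
    IDLE = "idle"
    CONNECTED = "connected"
    INACTIVE = "inactive"


class NASMode(Enum):
    """Mode of a NAS (MM) connection, e.g. 5GMM-IDLE / 5GMM-CONNECTED."""
    IDLE = "idle"
    CONNECTED = "connected"


@dataclass
class Terminal:
    """Hypothetical terminal with a first NAS/AS (first network) and a second NAS."""
    first_as: ASState = ASState.IDLE
    first_nas: NASMode = NASMode.IDLE
    second_nas: NASMode = NASMode.IDLE
    first_nas_barred: bool = False          # NAS signalling of the first NAS is barred
    nas_prohibit_timer_running: bool = False
    second_network_allowed: bool = False    # authorization information, reduced to a flag
    log: List[str] = field(default_factory=list)

    def first_condition(self) -> bool:
        """Item (1): any of these forces the second NAS into idle mode."""
        return (self.first_as == ASState.IDLE
                or self.first_nas == NASMode.IDLE
                or not self.second_network_allowed)

    def second_condition(self) -> bool:
        """Item (3): the example takes the strict reading (all three elements),
        which also keeps the stated invariant that a connected second NAS
        implies a connected first AS and first NAS."""
        return (self.first_as == ASState.CONNECTED
                and self.first_nas == NASMode.CONNECTED
                and self.second_network_allowed)

    def _enforce_first_condition(self) -> None:
        if self.first_condition() and self.second_nas != NASMode.IDLE:
            self.second_nas = NASMode.IDLE
            self.log.append("second NAS -> idle (first condition met)")

    def on_first_as_event(self, event: str) -> None:
        """Apply an operation of the first AS connection: establish/release/suspend."""
        self.first_as = {"establish": ASState.CONNECTED,
                         "release": ASState.IDLE,
                         "suspend": ASState.INACTIVE}[event]
        self._enforce_first_condition()

    def on_first_nas_event(self, event: str) -> None:
        """Apply an operation of the first NAS connection: establish/release."""
        self.first_nas = {"establish": NASMode.CONNECTED,
                          "release": NASMode.IDLE}[event]
        self._enforce_first_condition()

    def set_authorization(self, allowed: bool) -> None:
        """Authorization information for accessing the second network changed."""
        self.second_network_allowed = allowed
        self._enforce_first_condition()

    def send_second_network_signaling(self) -> str:
        """The second NAS wants to send NAS signalling/data of the second network.
        Returns 'refused', 'deferred' or 'sent'."""
        if not self.second_network_allowed:
            return "refused"                     # item (7): must not use the first AS/NAS
        if self.first_nas_barred or self.nas_prohibit_timer_running:
            return "deferred"                    # item (2): second NAS is barred as well
        if self.first_as != ASState.CONNECTED:
            # item (4): ask the first NAS to trigger first AS connection establishment;
            # the first NAS then also ends up in connected mode
            self.first_as = ASState.CONNECTED
            self.first_nas = NASMode.CONNECTED
            self.log.append("first AS/NAS connection established for the second NAS")
        elif self.first_nas != NASMode.CONNECTED:
            self.first_nas = NASMode.CONNECTED   # item (5): first NAS enters connected mode
        if not self.second_condition():          # defensive check; cannot fail here
            return "refused"
        self.second_nas = NASMode.CONNECTED      # items (3)/(6): second NAS connected
        return "sent"
```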
By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand.
Referring to fig. 4, an embodiment of the present invention provides an access control method, where an execution subject of the method may be a first communication network element (e.g., a CN network element and/or a RAN network element); the first communication network element may include a first communication network element (e.g., a RAN network element) of the first network, and the specific steps are as follows:
step 401: establishing a first A interface connection related to the terminal and/or a second A interface connection related to the terminal for the terminal;
step 402: determining an operation with respect to a second A interface of the terminal according to a factor associated with the first A interface;
wherein the A interfaces may each include at least one of the following: a W interface, a Y interface, and a Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network, the W interface is called the NG interface; in an EPS network, the W interface is referred to as the S1-C interface. In the embodiment of the present invention, the Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network, the Y interface is referred to as the N3 interface; in an EPS network, the Y interface is referred to as the S1-U interface. In the embodiment of the present invention, the Z interface represents an interface between the RAN and the RAN. For example, in a 5GS network, the Z interface is called the Xn interface; in an EPS network, the Z interface is referred to as the X2 interface.
The first A interface may be an interface between network elements in the first network; the second A interface may be an interface between the first network and the second network or a proxy network element, where the proxy network element acts as a proxy between the first network and the second network.
It will be appreciated that the first A interface and the second A interface are two interfaces of the same type. For example, when the A interface is an NG interface, the first A interface is a first NG interface, which may be an NG interface between the first network RAN network element and the first network CN network element, and the second A interface is a second NG interface, which may be an NG interface between the second network RAN network element and the second network CN network element or the proxy network element. The second NG interface can also be established through a proxy network element, namely, a second NG interface is established between the RAN network element of the first network and the proxy network element, and another second NG interface is established between the proxy network element and the CN network element of the second network. In the embodiment of the present invention, the names of the first A interface and the second A interface are not specifically limited.
In the embodiment of the present invention, the factor associated with the first A interface may be related information and/or an operation of the first A interface.
In the embodiment of the present invention, optionally, the proxy network element may proxy signaling and/or data between the RAN of the first network and the CN of the second network, where the signaling may be signaling related to the terminal or signaling unrelated to the terminal.
In the embodiment of the present invention, optionally, the first A interface may include at least one of the following:
(1) the control plane interface between the first network RAN and the first network CN, for example: an NG interface, an S1-C interface, an IU-C interface, etc.;
(2) the user plane interface between the first network RAN and the first network CN, for example: an N3 interface, an S1-U interface, etc.;
(3) the interface between the first network RAN and the first network RAN, for example: an Xn interface, an X2 interface, etc.
In the embodiment of the present invention, optionally, the second A interface may include at least one of the following:
(1) the control plane interface between the first network RAN and the second network CN, for example: an NG interface, etc.;
(2) the user plane interface between the first network RAN and the second network CN, for example: an N3 interface;
(3) the interface between the first network RAN and the second network RAN, for example: an Xn interface, an X2 interface, etc.;
(4) a W interface between the first network RAN and the proxy network element, the W interface representing a control plane interface between the RAN and the CN, for example: an NG interface;
(5) a Y interface between the first network RAN and the proxy network element, the Y interface representing a user plane interface between the RAN and the CN, for example: an N3 interface;
(6) a Z interface between the first network RAN and the proxy network element, the Z interface representing an interface between the RAN and the RAN, for example: an Xn interface, an X2 interface, etc.
In the embodiment of the present invention, optionally, the factor associated with the first A interface may include at least one of: a state of the first A interface with respect to the terminal, a terminal context of the first A interface with respect to the terminal, and a connection operation of the first A interface with respect to the terminal.
The terminal context of the first A interface may be a terminal context established by, or terminal-related information transmitted by, other communication network elements of the first network.
In the embodiment of the present invention, optionally, the state of the first A interface with respect to the terminal may include at least one of the following: the first A interface connection related to the terminal is in an idle state, the first A interface connection related to the terminal is in a connected state, and the first A interface connection related to the terminal is in a connection suspended state.
In the embodiment of the present invention, optionally, the connection operation with respect to the first A interface of the terminal may include at least one of: establishing the first A interface connection of the terminal, releasing the first A interface connection of the terminal, and suspending the first A interface connection of the terminal.
In the embodiment of the present invention, optionally, the terminal context regarding the first A interface of the terminal may include: authorization information for accessing the second network, where the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network allowing access through the first network, such as: the network identification of a non-public network (such as an NPN (Non-Public Network) ID), or the network identification of a public network (such as a PLMN ID), etc.;
(3) network identification information of the second network that does not allow access through the first network, such as: the network identification of a non-public network (such as an NPN (Non-Public Network) ID), or the network identification of a public network (such as a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)); in one embodiment, the allowed 5QI or QCI may include 1 and/or 5; the first data channels are data channels established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of the second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; and the second data channel is a data channel established by the terminal through the first network and the second network.
(8) authorization information of the first Data Radio Bearer (DRB), which may include at least one of: the number of first DRBs allowed to be established, and the allowed QoS information; the first DRB is a DRB established in the first network and used to transmit signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network that grants access to the second network and/or a network service of the second network.
In the embodiment of the present invention, step 402 may optionally include at least one of the following:
(1) when the first A interface connection is released, requesting to release and/or releasing the second A interface connection related to the terminal;
(2) when the first A interface connection is established, confirming that a second A interface connection related to the terminal can be established;
(3) when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network or a network service of the second network through the first network, the second A interface operation with respect to the terminal includes at least one of: (a) requesting to establish a second A interface connection with respect to the terminal; (b) establishing a second A interface connection for the terminal; (c) establishing a terminal context for the second A interface of the terminal; (d) receiving signaling and/or data of the terminal from the second A interface with respect to the terminal and transmitting the signaling and/or data to the terminal; (e) receiving signaling and/or data of the second network sent by the terminal, and sending the signaling and/or data to the second A interface related to the terminal;
(4) when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network or a network service of the second network through the first network, the second A interface operation with respect to the terminal may include at least one of: (a) refusing the request and/or refusing to establish a second A interface connection related to the terminal; (b) requesting to release and/or releasing the second A interface connection already established with respect to the terminal; (c) refusing to establish a terminal context for the second A interface of the terminal; (d) requesting release and/or releasing of a terminal context already established with respect to the second A interface of the terminal; (e) ignoring or discarding the signaling and/or data of the terminal received from the second A interface with respect to the terminal; (f) ignoring or discarding the signaling and/or data of the second network received from the terminal.
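The network-side rules of step 402 as a per-terminal model of the first-network RAN element, added here as an example rather than code from the patent: a second A interface for a terminal exists only while that terminal's first A interface connection is up and its terminal context authorizes the access, and unauthorized traffic in either direction is discarded and logged. Class, method and message names are hypothetical and the sample messages are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class IfState(Enum):
    """State of an A interface connection with respect to one terminal."""
    IDLE = "idle"
    CONNECTED = "connected"
    SUSPENDED = "suspended"


@dataclass
class TerminalRecord:
    first_a: IfState = IfState.IDLE      # first A interface connection for this terminal
    second_a: IfState = IfState.IDLE     # second A interface connection (towards 2nd CN/proxy)
    second_a_context: bool = False       # terminal context for the second A interface
    allowed: bool = False                # authorization info from the first-A terminal context


@dataclass
class FirstNetworkRAN:
    """Hypothetical RAN element of the first network executing steps 401/402."""
    terminals: Dict[str, TerminalRecord] = field(default_factory=dict)
    to_terminal: List[str] = field(default_factory=list)   # downlink delivered to the UE
    to_second_a: List[str] = field(default_factory=list)   # uplink forwarded on the 2nd A interface
    discarded: List[str] = field(default_factory=list)     # audit trail of dropped traffic

    def establish_first_a(self, ue: str, allowed: bool) -> TerminalRecord:
        """Step 401: first A interface connection carrying the terminal context."""
        rec = self.terminals.setdefault(ue, TerminalRecord())
        rec.first_a = IfState.CONNECTED
        rec.allowed = allowed
        return rec

    def request_second_a(self, ue: str) -> str:
        """Items (2), (3)(a)-(c), (4)(a),(c): decide on a second A interface for the UE."""
        rec = self.terminals.get(ue)
        if rec is None or rec.first_a != IfState.CONNECTED:
            return "rejected: no first A interface connection"   # item (2) not satisfied
        if not rec.allowed:
            return "rejected: not authorized"                    # item (4)(a),(c)
        rec.second_a = IfState.CONNECTED                         # item (3)(a),(b)
        rec.second_a_context = True                              # item (3)(c)
        return "established"

    def release_first_a(self, ue: str) -> str:
        """Item (1): releasing the first A interface releases the second one as well."""
        rec = self.terminals[ue]
        rec.first_a = IfState.IDLE
        if rec.second_a == IfState.CONNECTED:
            rec.second_a = IfState.IDLE
            rec.second_a_context = False
            return "second A interface released"
        return "nothing to release"

    def update_authorization(self, ue: str, allowed: bool) -> str:
        """Item (4)(b),(d): withdrawn authorization tears down connection and context."""
        rec = self.terminals[ue]
        rec.allowed = allowed
        if not allowed and (rec.second_a == IfState.CONNECTED or rec.second_a_context):
            rec.second_a = IfState.IDLE
            rec.second_a_context = False
            return "second A interface and context released"
        return "no change"

    def uplink(self, ue: str, msg: str) -> bool:
        """Item (3)(e) / (4)(f): second-network signalling or data sent by the UE."""
        rec = self.terminals.get(ue)
        if rec and rec.allowed and rec.second_a == IfState.CONNECTED:
            self.to_second_a.append(msg)
            return True
        self.discarded.append(f"uplink {ue}: {msg}")
        return False

    def downlink(self, ue: str, msg: str) -> bool:
        """Item (3)(d) / (4)(e): traffic for the UE arriving on the second A interface."""
        rec = self.terminals.get(ue)
        if rec and rec.allowed and rec.first_a == IfState.CONNECTED:
            self.to_terminal.append(msg)
            return True
        self.discarded.append(f"downlink {ue}: {msg}")
        return False
```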
By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand.
Referring to fig. 5, an embodiment of the present invention provides an access control method, where an execution subject of the method may be a proxy network element, and the method includes the following specific steps:
step 501: performing an operation of the second D interface according to a factor associated with the first D interface;
the first D interface may be an interface between the first network and the proxy network element, and the second D interface may be an interface between the proxy network element and the second network; or the first D-interface may be an interface between the proxy network element and the second network, and the second D-interface may be an interface between the first network and the proxy network element.
Wherein, the D interfaces may each include at least one of the following: a W interface, a Y interface, and a Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network, the W interface is called the NG interface; in an EPS network, the W interface is referred to as the S1-C interface. In the embodiment of the present invention, the Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network, the Y interface is referred to as the N3 interface; in an EPS network, the Y interface is referred to as the S1-U interface. In the embodiment of the present invention, the Z interface represents an interface between the RAN and the RAN. For example, in a 5GS network, the Z interface is called the Xn interface; in an EPS network, the Z interface is referred to as the X2 interface.
The proxy network element may be used for proxy between the first network and the second network, and the proxy network element may be a network element in the first network, the second network, or a third network, where the third network is a network other than the first network and the second network.
It is understood that the first D interface and the second D interface are two interfaces of the same type, and names of the first D interface and the second D interface are not particularly limited in the embodiment of the present invention.
In the embodiment of the present invention, optionally, the factor associated with the first D interface may include related information and/or operation of the first D interface.
In this embodiment of the present invention, optionally, the interface between the first network and the proxy network element may include at least one of the following:
(1) a W-interface between the first network RAN and the proxy network element, the W-interface representing a control plane interface between the RAN and the CN, for example: an NG interface;
(2) a Y-interface between the first network RAN and the proxy network element, the Y-interface representing a user plane interface between the RAN and the CN, for example: an N3 interface;
(3) a Z-interface between the first network RAN and the proxy network element, the Z-interface representing an interface between the RAN and the RAN, for example: an Xn interface, an X2 interface, etc.
In this embodiment of the present invention, optionally, the interface between the proxy network element and the second network may include at least one of the following:
(1) a W interface between the proxy network element and the second network CN, the W interface representing a control plane interface between the RAN and the CN, such as an NG interface;
(2) a Y-interface between the proxy network element and the second network CN, the Y-interface representing a user plane interface between the RAN and the CN, for example: an N3 interface;
(3) a Z-interface between the proxy network element and the second network RAN, the Z-interface representing an interface between the RAN and the RAN, for example: an Xn interface, an X2 interface, etc.
In the embodiment of the present invention, optionally, the factor associated with the first D interface may include at least one of the following: a state of the first D-interface, signaling and/or data of the first D-interface, a connection operation of the first D-interface, a terminal context of the first D-interface with respect to the terminal.
In the embodiment of the present invention, optionally, the state of the first D interface may include at least one of the following: idle, connected, suspended.
In the embodiment of the present invention, optionally, the connection operation of the first D interface may include at least one of: establishing the connection of the first D interface, releasing the connection of the first D interface, and suspending the connection of the first D interface.
In this embodiment of the present invention, optionally, the terminal context regarding the first D interface of the terminal may include: authorization information for accessing a second network; the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network.
In the embodiment of the present invention, step 501 may optionally include at least one of the following:
(1) requesting to establish a second D interface irrelevant to the terminal according to a received first D interface establishment request irrelevant to the terminal;
(2) requesting to establish a second D interface related to the terminal according to the received first D interface establishment request related to the terminal;
(3) forwarding signaling and/or data received on the first D interface to the second D interface.
By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand.
Referring to fig. 6, an embodiment of the present invention provides an access control method, where an execution main body of the method may be a terminal, and the method includes the following specific steps:
step 601: acquiring authorization information for accessing a second network, where the authorization information for accessing the second network is the authorization information for the terminal to access the second network through a first network;
for example, authorization information for accessing the second network is obtained from a communication network element (e.g., a RAN network element and/or a CN network element) of the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network allowing access through the first network, such as: the network identification of a non-public network (such as an NPN (Non-Public Network) ID), or the network identification of a public network (such as a PLMN ID), etc.;
(3) network identification information of the second network that does not allow access through the first network, such as: the network identification of a non-public network (such as an NPN (Non-Public Network) ID), or the network identification of a public network (such as a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)); in one embodiment, the allowed 5QI or QCI may include 1 and/or 5; the first data channels are data channels established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of the second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; and the second data channel is a data channel established by the terminal through the first network and the second network.
(8) The authorization information of the first Data Radio Bearer (DRB) may include at least one of: the number of the first DRBs allowed to be established, and allowed QoS information; the first DRB is a DRB established at the first network and used to transmit signaling and/or data between the terminal and the second network;
and the number of the first and second groups,
(9) information of an area of the first network that grants access to the second network and/or a network service of the second network.
Step 602: determining a first operation of accessing the second network through the first network according to the authorization information for accessing the second network.
In the embodiment of the present invention, optionally, the authorization information for accessing the second network may indicate whether to allow the terminal to access the second network or the network service of the second network through the first network.
In the embodiment of the present invention, optionally, determining the first operation of accessing the second network through the first network may include at least one of the following:
(1) determining whether to allow the terminal to access the second network through the first network;
(2) determining whether NAS signaling and/or data of the second network can be sent to the first network;
(3) determining whether to send NAS signaling and/or data for the second network to the first network;
(4) determining whether to release the NAS context that the terminal has established with the second network;
(5) determining whether to release the NAS connection that has been established with the second network;
(6) determining whether to set the mode of the NAS connection of the second network to an idle mode;
(7) determining whether to detach the NAS of the second network;
(8) determining whether to ignore or discard the cached NAS signaling and/or data to be sent to the second network;
(9) determining whether to end an ongoing signaling procedure in the second network NAS.
In the embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network or a network service of the second network through the first network, determining a first operation for accessing the second network through the first network includes at least one of:
(1) determining to allow the terminal to access a second network through a first network;
(2) determining whether to perform an operation of accessing the second network through the first network;
(3) determining that NAS signaling and/or data of a second network can be sent to a first network;
(4) determining to send second network NAS signaling and/or data to a first network;
(5) determining to send request information for accessing the second network to the first network.
In this embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network or a network service of the second network through the first network, determining a first operation for accessing the second network through the first network includes at least one of:
(1) determining that the terminal is not allowed to access the second network through the first network;
(2) determining that NAS signaling and/or data of the second network cannot be sent to the first network;
(3) determining not to send NAS signaling and/or data of the second network to the first network;
(4) determining to release the NAS context of the second network that the first communication device has established;
(5) determining to release the NAS connection that has been established with the second network;
(6) determining to set the mode of the NAS connection of the second network to an idle mode;
(7) determining to detach the NAS of the second network;
(8) determining to ignore or discard the cached NAS signaling and/or data to be sent to the second network;
(9) determining to end an ongoing signaling procedure in the second network NAS.
By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand.
Referring to fig. 7, an embodiment of the present invention provides an access control method, where an execution subject of the method may be a second communication network element (e.g., a CN network element and/or a RAN network element); the second communication network element may include a second communication network element of the first network (for example, a RAN network element of the first network), and the specific steps include:
Step 701: acquiring authorization information for accessing a second network and/or access information of the second network, where the authorization information for accessing the second network is authorization information for the terminal to access the second network through a first network;
Step 702: determining, according to the authorization information for accessing the second network and/or the access information of the second network, whether to execute a second operation of the terminal accessing the second network through the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network allowed to be accessed through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(3) network identification information of the second network not allowed to be accessed through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)) allowed for the first data channels, where the allowed 5QI or QCI may include 1 and/or 5 in one embodiment, and the first data channels are the data channels established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB), including at least one of: the number of first DRBs allowed to be established, and the allowed QoS information; the first DRB is a DRB established at the first network and used to transmit signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network that grants access to the second network and/or a network service of the second network.
In the embodiment of the present invention, optionally, the access information of the second network may include at least one of the following:
(1) a paging request about the terminal sent by a proxy network element of the second network or the second network;
(2) NAS signaling of the second network and/or data of the second network sent by the terminal;
(3) request information for the terminal to access the second network;
(4) a request, sent by the terminal, to establish a data channel in the first network, where the data channel is used for accessing the second network;
(5) an identification of the second network, for example: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(6) indication information for accessing the second network;
(7) a Temporary Mobile Subscriber Identity of the terminal in the second network, such as an S-TMSI or a 5G-S-TMSI, etc.;
(8) an identification of a communication network element of the second network, for example: 5G-S-TMSI; and
(9) Network Slice Selection Assistance Information (NSSAI) of the second network.
In the embodiment of the present invention, optionally, the authorization information for accessing the second network indicates whether to allow the terminal to access the second network or the network service of the second network through the first network.
In this embodiment of the present invention, optionally, the authorization information for accessing the second network is received and acquired from other communication network elements of the first network.
In the embodiment of the present invention, optionally, determining whether to perform the second operation of accessing the second network by the terminal through the first network may include at least one of:
(1) determining whether to allow the terminal to access the second network through the first network;
(2) determining whether to send an initial terminal message to a proxy network element or the second network;
(3) determining whether to request establishment of, and/or to request, a second A interface connection with respect to the terminal;
(4) determining whether to establish a terminal context with respect to a second A interface of the terminal;
(5) determining whether to send second A interface signaling to a proxy network element, the second network, or a second A interface for the terminal;
(6) determining whether second A interface signaling is received from a proxy network element, the second network, or a second A interface for the terminal;
(7) determining whether to forward NAS signaling of the second network and/or data of the second network received from the terminal to a proxy network element, the second network, or a second A interface for the terminal;
(8) determining whether to forward to the terminal NAS signaling of the second network and/or data of the second network received from a proxy network element, the second network, or a second A interface with respect to the terminal;
(9) determining whether to release the second A interface connection already established with respect to the terminal;
(10) determining whether to release an already established terminal context with respect to a second A interface of the terminal;
(11) determining whether to ignore or discard NAS signaling and/or data of the second network sent by the terminal;
(12) determining whether to ignore or discard second A interface signaling sent by a proxy network element of the second network or by a second A interface for the terminal;
(13) determining whether to ignore or discard NAS signaling and/or data of the second network sent by the terminal, by a proxy network element of the second network, or over a second A interface related to the terminal;
(14) determining whether to return a paging rejection to a proxy network element of the second network or to the second network when receiving a paging request about the terminal sent by the proxy network element of the second network or by the second network, wherein the reason for the rejection is that the terminal is not allowed to access the second network through the first network;
wherein the second A interface is an interface between the first network and the second network or a proxy network element.
In this embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network through the first network, determining whether to perform a second operation for accessing the second network through the first network by the terminal may include at least one of the following:
(1) determining to allow the terminal to access a second network through a first network;
(2) determining to send an initial terminal message to a proxy network element or a second network;
(3) determining to request establishment of, and/or to request, a second A interface connection with respect to the terminal;
(4) determining to establish a terminal context with respect to a second A interface of the terminal;
(5) determining to send second A interface signaling to a proxy network element, the second network, or a second A interface for the terminal;
(6) determining to receive second A interface signaling from a proxy network element, the second network, or a second A interface for the terminal;
(7) determining to forward NAS signaling of the second network and/or data of the second network received from the terminal to a proxy network element, the second network, or a second A interface related to the terminal;
(8) determining whether to forward to the terminal NAS signaling of the second network and/or data of the second network received from the proxy network element, the second network, or a second A interface with respect to the terminal;
wherein the A interfaces may each include at least one of the following: a W interface, a Y interface, and a Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network, the W interface is called the NG interface; in an EPS network, the W interface is referred to as the S1-C interface. In the embodiment of the present invention, the Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network, the Y interface is referred to as the N3 interface; in an EPS network, the Y interface is referred to as the S1-U interface. In the embodiment of the present invention, the Z interface represents an interface between the RAN and the RAN. For example, in a 5GS network, the Z interface is called the Xn interface; in an EPS network, the Z interface is referred to as the X2 interface.
It will be appreciated that the first A interface and the second A interface are two interfaces of the same type. For example, when the A interface is an NG interface, the first A interface is a first NG interface, which is an NG interface between the first network RAN network element and the first network CN network element, and the second A interface is a second NG interface, which may be an NG interface between the first network and the second network or the proxy network element.
In this embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network through the first network, determining whether to perform a second operation for accessing the second network through the first network by the terminal may include at least one of the following:
(1) determining that the terminal is not allowed to access the second network through the first network;
(2) determining not to send an initial terminal message to the proxy network element or the second network;
(3) determining to reject the request to establish, and/or the request for, a second A interface connection with respect to the terminal;
(4) determining to refuse to establish a terminal context with respect to a second A interface of the terminal;
(5) determining not to send second A interface signaling to a proxy network element, the second network, or a second A interface for the terminal;
(6) determining not to forward NAS signaling of the second network and/or data of the second network received from the terminal to the proxy network element, the second network, or a second A interface with respect to the terminal;
(7) determining not to forward to the terminal NAS signaling of the second network and/or data of the second network received from the proxy network element, the second network, or a second A interface with respect to the terminal;
(8) determining to release the established second A interface connection with respect to the terminal;
(9) determining to release the terminal context that has been established with respect to the second A interface of the terminal;
(10) determining to ignore or discard NAS signaling and/or data of the second network sent by the terminal;
(11) determining to ignore or discard second A interface signaling sent by a proxy network element of the second network, by the second network, or over a second A interface for the terminal;
(12) determining to ignore or discard NAS signaling and/or data of the second network sent by the terminal, by a proxy network element of the second network, by the second network, or over a second A interface related to the terminal;
(13) determining whether to return a paging rejection to a proxy network element of the second network or to the second network when receiving a paging request about the terminal sent by the proxy network element of the second network or by the second network, wherein the reason for the rejection may be that the terminal is not allowed to access the second network through the first network;
wherein the second A interface is an interface between the first network and the second network or the proxy network element.
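As an added illustration (not part of the patent and not the applicant's code), the following Python models the authorization checks behind step 602 (terminal side) and step 702 (RAN network element of the first network) with a default-deny evaluation of items (1) to (6) and (9) of the authorization information; all field names, action strings and sample values are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class AuthorizationInfo:
    """Authorization information for accessing the second network, items (1)-(9).

    All field names are this example's own, not terms from the patent."""
    allow_via_first_network: bool = False                       # item (1)
    allowed_network_ids: set = field(default_factory=set)       # item (2): NPN IDs / PLMN IDs
    disallowed_network_ids: set = field(default_factory=set)    # item (3)
    allowed_service_types: set = field(default_factory=set)     # item (4): e.g. IMS, TSN, LCS
    disallowed_service_types: set = field(default_factory=set)  # item (5)
    max_first_data_channels: int = 0                            # item (6): PDU sessions / QoS flows
    allowed_5qi: set = field(default_factory=set)               # item (6): e.g. {1, 5}
    allowed_areas: set = field(default_factory=set)             # item (9): empty means any area


def is_authorized(auth, network_id, service_type=None, area=None):
    """Default-deny evaluation: item (1) gates everything, and an explicit
    "not allowed" entry (items 3 and 5) wins over an "allowed" entry."""
    if not auth.allow_via_first_network:
        return False
    if network_id in auth.disallowed_network_ids:
        return False
    if auth.allowed_network_ids and network_id not in auth.allowed_network_ids:
        return False
    if service_type is not None:
        if service_type in auth.disallowed_service_types:
            return False
        if auth.allowed_service_types and service_type not in auth.allowed_service_types:
            return False
    if auth.allowed_areas and area not in auth.allowed_areas:
        return False
    return True


# Step 602 (terminal side): which first operation the terminal takes.
def terminal_first_operation(auth, network_id, service_type=None, area=None):
    if is_authorized(auth, network_id, service_type, area):
        return ["allow_access_via_first_network",
                "send_second_network_nas_to_first_network"]
    # Not allowed: keep second-network NAS out of the first network and tear
    # down any second-network NAS state that was already built.
    return ["deny_access_via_first_network",
            "do_not_send_second_network_nas",
            "release_second_network_nas_context",
            "release_second_network_nas_connection",
            "discard_cached_second_network_nas",
            "end_ongoing_second_network_nas_procedure"]


# Step 702 (RAN network element of the first network): whether to perform the
# second operation for the access information it received.
def ran_second_operation(auth, access_info):
    """access_info is a dict whose 'kind' is one of 'nas_signaling',
    'paging_request' or 'data_channel_request' (constructed names)."""
    ok = is_authorized(auth, access_info.get("network_id"),
                       access_info.get("service_type"), access_info.get("area"))
    kind = access_info["kind"]
    if kind == "paging_request":            # item (14) / item (13)
        if ok:
            return {"action": "page_terminal", "cause": None}
        return {"action": "paging_reject",
                "cause": "terminal_not_allowed_to_access_second_network_via_first_network"}
    if kind == "nas_signaling":             # items (2), (7) versus items (11), (9)
        if ok:
            return {"action": "send_initial_ue_message_via_proxy",
                    "forward_nas_to_second_network": True}
        return {"action": "discard_nas", "release_second_a_interface_connection": True}
    if kind == "data_channel_request":      # item (6) limits on the first data channel
        if not ok:
            return {"action": "reject", "cause": "not_authorized"}
        if access_info.get("established", 0) >= auth.max_first_data_channels:
            return {"action": "reject", "cause": "first_data_channel_limit"}
        if access_info.get("5qi") not in auth.allowed_5qi:
            return {"action": "reject", "cause": "5qi_not_allowed"}
        return {"action": "accept", "cause": None}
    raise ValueError(f"unknown access information kind: {kind}")


# Constructed sample authorization: the terminal may reach PLMN-001 or NPN-7 for
# IMS or LCS only, never PLMN-999, only within area TA-1, with at most two
# first data channels using 5QI 1 or 5.
SAMPLE_AUTH = AuthorizationInfo(
    allow_via_first_network=True,
    allowed_network_ids={"PLMN-001", "NPN-7"},
    disallowed_network_ids={"PLMN-999"},
    allowed_service_types={"IMS", "LCS"},
    max_first_data_channels=2,
    allowed_5qi={1, 5},
    allowed_areas={"TA-1"},
)

if __name__ == "__main__":
    print(terminal_first_operation(SAMPLE_AUTH, "PLMN-001", "IMS", "TA-1"))
    print(ran_second_operation(SAMPLE_AUTH, {"kind": "paging_request",
                                             "network_id": "PLMN-001", "area": "TA-2"}))
```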
In the embodiment of the present invention, optionally, the method further includes: sending authorization information for accessing the second network to the terminal and/or the proxy network element.
In the embodiment of the present invention, optionally, the proxy network element may be a proxy between the first network and the second network.
In this embodiment of the present invention, optionally, the proxy network element may be a network element in the first network, the second network, or a third network, where the third network refers to a network other than the first network and the second network.
In the embodiment of the present invention, optionally, the authorization information for accessing the second network may include at least one of the following:
By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand.
Referring to fig. 8, an embodiment of the present invention provides an access control method, where an execution subject of the method may be a third communication network element (e.g., a CN network element and/or a RAN network element); the third communication network element may include a third communication network element of the first network (e.g., a core network element of the first network), and the specific steps are as follows:
Step 801: obtaining first information, where the first information may include at least one of: the capability of the terminal to access the second network through the first network, the capability of the RAN of the first network to access the second network through a proxy network element, and the subscription information of the terminal for accessing the second network through the first network;
the third communication network element may obtain the first information from one of: a terminal, a RAN network element of a first network, a Unified Data Manager (UDM) of the first network, and a Policy Control Function (PCF) of the first network.
Step 802: determining authorization information for accessing a second network according to the first information, where the authorization information for accessing the second network is authorization information for the terminal to access the second network through the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network allowed to be accessed through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(3) network identification information of the second network not allowed to be accessed through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)) allowed for the first data channels, where the allowed 5QI or QCI may include 1 and/or 5 in one embodiment, and the first data channels are the data channels established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB), including at least one of: the number of first DRBs allowed to be established, and the allowed QoS information; the first DRB is a DRB established at the first network and used to transmit signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network that grants access to the second network and/or a network service of the second network.
In the embodiment of the present invention, optionally, the method may further include: sending authorization information for accessing the second network to the terminal and/or a RAN network element of the first network.
In the embodiment of the present invention, optionally, the capability of the terminal to access the second network through the first network may refer to a capability of activating the second NAS on the first NAS or the first AS.
The first NAS is related to a first network, the second NAS is related to a second network, and the first AS is an AS of the first network of the terminal.
In this embodiment of the present invention, optionally, the second NAS may be located on the first AS, or the second NAS may be located on the first NAS.
In this embodiment of the present invention, optionally, the capability of the RAN of the first network to access the second network through the proxy network element refers to a capability of establishing a first A interface and a second A interface for the terminal, where the first A interface is an interface between communication network elements in the first network, and the second A interface is an interface between the first network and the second network or the proxy network element.
Wherein the A interfaces may each include at least one of the following: a W interface, a Y interface, and a Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network, the W interface is called the NG interface; in an EPS network, the W interface is referred to as the S1-C interface. In the embodiment of the present invention, the Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network, the Y interface is referred to as the N3 interface; in an EPS network, the Y interface is referred to as the S1-U interface. In the embodiment of the present invention, the Z interface represents an interface between the RAN and the RAN. For example, in a 5GS network, the Z interface is called the Xn interface; in an EPS network, the Z interface is referred to as the X2 interface.
In this embodiment of the present invention, optionally, the subscription information that the terminal accesses the second network through the first network includes at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network allowed to be accessed through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(3) network identification information of the second network not allowed to be accessed through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)) allowed for the first data channels, where the allowed 5QI or QCI may include 1 and/or 5 in one embodiment, and the first data channels are the data channels established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB): the number of first DRBs allowed to be established, and the allowed QoS information; the first DRB is a DRB established at the first network and used to transmit signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network that grants access to the second network and/or a network service of the second network.
By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand.
Referring to fig. 9 and 10, a proxy network element, such as an Interworking Function (IWK), acts as a proxy between a first network and a second network to support authorized access to the second network through the first network.
In the embodiment of the present invention, the proxy network element may be a proxy of the NG interface, the Xn interface, and the N3 interface, or a proxy of the NG interface and the N3 interface.
In an embodiment of the present invention, the proxy network element may proxy signaling and/or data between the first network RAN and a core network of the second network. The signaling may be terminal-related signaling or terminal-independent signaling.
In the embodiment of the present invention, the terminal has a first NAS and/or a second NAS, the first NAS is related to the first network, the second NAS is a NAS of a second network of the terminal, and the second NAS is located on the first AS, or the second NAS is located on the first NAS, where the first AS is an AS of the first network of the terminal.
Referring to fig. 11, a schematic diagram of registering with a second network through a first network according to an embodiment of the present invention includes the following specific steps:
Step 1101: the terminal sends an RRC connection establishment request message to a radio access network element (such as an NPN RAN) of the first network;
in the embodiment of the present invention, the terminal has a first NAS and/or a second NAS, the first NAS is related to the first network, the second NAS is related to the second network, and the second NAS is located on the first AS, or the second NAS is located on the first NAS, where the first AS is related to the first network.
Step 1102: the RAN network element of the first network sends an RRC connection establishment response message to the terminal;
Step 1103: the terminal sends an RRC connection complete message to the RAN network element of the first network;
Step 1104: the RAN network element of the first network sends an initial UE message to a first AMF of the first network;
Step 1105: the first AMF of the first network and the UDM of the first network complete the registration, subscription information retrieval, or subscription procedure;
Step 1106: the first AMF of the first network and a PCF of the second network complete a policy association establishment procedure;
Step 1107: the first AMF of the first network sends an initial context setup request message to the RAN of the first network;
optionally, the initial context setup request message may include: authorization information for accessing the second network;
Step 1108: an RRC reconfiguration procedure between the terminal and the RAN network element of the first network;
optionally, the terminal acquires the authorization information for accessing the second network through the first NAS.
Step 1109: the RAN network element of the first network sends an initial context setup response message to a first CN network element of the second network;
the RAN network element of the first network establishes a first NG connection and related context for the UE;
Step 1110: the terminal sends Uplink Information (UL Information) to the RAN network element of the first network.
For example, the uplink information is sent to the NPN RAN network element over RRC, and the uplink information may include: NAS signaling of the second network.
The RAN network element of the first network determines whether to allow access to the second network according to the authorization information for accessing the second network;
Step 1111: the RAN network element of the first network sends an initial UE message to the AMF of the second network through the proxy network element;
Step 1112: optionally, the AMF of the second network sends a UE Radio Capability Check Request message (UE RADIO CAPABILITY CHECK REQUEST) to the RAN network element of the first network through the proxy network element;
Step 1113: the RAN network element of the first network sends a UE Radio Capability Check Response message to the AMF of the second network through the proxy network element;
optionally, the UE Radio Capability Check Response message may include: an IMS Voice Support Indicator.
Step 1114: the AMF of the second network sends an initial context setup request message to the RAN network element of the first network through the proxy network element;
Step 1115: the RAN network element of the first network sends Downlink Information (DL Information) to the terminal;
Step 1116: the RAN network element of the first network sends an initial context setup response message to the AMF of the second network through the proxy network element;
the RAN network element of the first network establishes a second NG connection and related context for the UE.
It should be noted that fig. 11 shows a procedure of registering from a non-public network to a public network, and a procedure of registering from a public network to a non-public network, or a procedure of registering from a non-public network to a non-public network, or a procedure of registering from a public network to a public network is similar thereto, and will not be described herein again.
By the embodiment of the invention, the network service of the second network is accessed through the first network, and the terminal can simultaneously use the network services of the first network and the second network when accessing the first network under the condition that the first network does not deploy the corresponding network service and the second network deploys the corresponding network service, so that the service experience of a user is ensured on one hand, and the service range of the network service is expanded on the other hand. Referring to fig. 12, a schematic diagram of an embodiment of the present invention that no longer allows the first network to access is shown, which includes the following specific steps:
Step 1201: a first CN network element of the first network no longer allows the terminal to access the first network; the first CN network element of the first network sends a UE context update request message to the RAN network element of the first network, where the message comprises authorization information for accessing the second network, and the authorization information for accessing the second network indicates that the terminal is not allowed to access the first network;
Step 1202: the RAN network element of the first network judges whether the terminal is allowed to access the first network; the RAN network element of the first network sends a UE context release request to the proxy network element;
Step 1203: the proxy network element sends the UE context release request to the AMF of the second network;
Step 1204: the AMF of the second network sends a UE context release command to the proxy network element;
Step 1205: the proxy network element sends the UE context release command to the RAN network element of the first network;
Step 1206: the RAN network element of the first network sends a UE context release complete message to the proxy network element;
Step 1207: the proxy network element sends the UE context release complete message to the AMF of the second network.
The embodiment of the invention also provides a terminal, and as the principle of solving the problem of the terminal is similar to the method for access control in the embodiment of the invention, the implementation of the terminal can refer to the implementation of the method, and repeated parts are not described again.
Referring to fig. 13, an embodiment of the present invention provides a terminal 1300 having a first non-access stratum NAS and/or a second NAS, where the first NAS is associated with a first network and the second NAS is associated with a second network, where the terminal 1300 includes:
a first determining module 1301, configured to determine an operation of the second NAS according to a factor associated with the first NAS and/or a factor associated with the first AS; the first AS is the AS of the terminal in the RAN of the first network; wherein the first AS is associated with a first network.
In the embodiment of the present invention, optionally, the factor associated with the first NAS may be related information and/or operation of the first NAS.
In the embodiment of the present invention, optionally, the factor associated with the first AS may be related information and/or operation of the first AS.
In the embodiment of the present invention, optionally, the second NAS may be located on the first AS, or the second NAS may be located on the first NAS.
In the embodiment of the present invention, optionally, the factor associated with the first NAS may include at least one of: a mode of the first NAS connection, an operation of the first NAS connection, a context of the first NAS.
The NAS may comprise at least one of: Mobility Management (MM) and Session Management (SM). In 5GS, mobility management MM is referred to as 5G mobility management (5GMM). In EPS networks, it is referred to as Mobility Management (MM). In GPRS networks, it is referred to as General Packet Radio Service (GPRS) mobility management (GMM).
In one embodiment, the connection mode of the NAS may be referred to as an MM connection mode.
Wherein, the context of the first NAS may refer to information received by the terminal from a core network element (e.g., AMF) of the first network; or the context of the first NAS may be information that the first network has preconfigured on the terminal.
In the embodiment of the present invention, optionally, the operation of the first NAS connection may include at least one of the following: NAS connection establishment, NAS connection release, NAS signaling disabled (Barring), NAS signaling disabled clocking.
The NAS connection may be a NAS signaling connection; for example, in a 5GS system the NAS signaling connection is the N1 NAS signaling connection.
In this embodiment of the present invention, optionally, the context of the first NAS may include: authorization information for accessing a second network; the authorization information for accessing the second network is authorization information for the terminal to access the second network through the first network, and the authorization information may be sent to the NAS through the CN or sent to the AS through the RAN.
In the embodiment of the present invention, optionally, the factor associated with the first AS may include at least one of: a state of the first AS connection, an operation of the first AS connection, a context of the first AS.
The AS may include Radio Resource Control (RRC). Relative to the NAS, the AS may also be referred to as the lower layer; relative to the AS, the NAS may also be referred to as the upper layer.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network that is allowed to be accessed through the first network, such as: a network identifier of a non-public network (for example, an NPN (Non-Public Network) ID), or a network identifier of a public network (for example, a PLMN ID), etc.;
(3) network identification information of the second network that is not allowed to be accessed through the first network, such as: a network identifier of a non-public network (for example, an NPN ID), or a network identifier of a public network (for example, a PLMN ID), etc.;
(4) service type information of a network service of the second network that is allowed to be accessed through the first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of the second network that is not allowed to be accessed through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or a QoS flow), which may include at least one of: the number of first data channels allowed to be established, the allowed Aggregate Maximum Bit Rate (AMBR) of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)); in one embodiment, the allowed 5QI or QCI may include 1 and/or 5; the first data channel is a data channel established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), which may include at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB), which may include at least one of: the number of first DRBs allowed to be established, and the allowed QoS information; the first DRB is a DRB established in the first network and used for transmitting signaling and/or data between the terminal and the second network; and
(9) information on the area of the first network in which access to the second network and/or a network service of the second network is granted.
The first AS connection may also be referred to as a first Radio Resource Control (RRC) connection, where the first RRC connection is the RRC connection between the terminal and the first network.
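The nine items above can be read as one policy object that a terminal or RAN node consults before second-network traffic is let through the first network. The following Python, added here as an illustration and not code from the patent or from vivo, models the items as a dataclass and carries out the checks: network identity and area (items 1, 2, 3, 9), service type (items 4, 5) and the per-channel limits (items 6, 7, 8). The field names, the precedence rule (an explicit deny beats an allow) and the sample values are assumptions of this example.

```python
"""Evaluate the 'authorization information for accessing the second network'.

Added example, not code from the patent or from vivo.  Field names, the
deny-beats-allow precedence and the sample values below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DataChannelGrant:
    """Items (6)/(7)/(8): limits for one kind of data channel or DRB (assumed shape)."""
    max_channels: int                  # number allowed to be established
    max_ambr_kbps: Optional[int]       # aggregate maximum bit rate, None = no cap
    allowed_qos: frozenset             # allowed 5QI/QCI values, e.g. {1, 5}


@dataclass
class SecondNetworkAuthorization:
    allowed: bool                                   # item (1)
    allowed_network_ids: frozenset = frozenset()    # item (2): NPN IDs / PLMN IDs
    denied_network_ids: frozenset = frozenset()     # item (3)
    allowed_services: frozenset = frozenset()       # item (4): e.g. "IMS", "TSN", "LCS"
    denied_services: frozenset = frozenset()        # item (5)
    first_channel: Optional[DataChannelGrant] = None   # item (6)
    second_channel: Optional[DataChannelGrant] = None  # item (7)
    first_drb: Optional[DataChannelGrant] = None       # item (8)
    allowed_areas: frozenset = frozenset()          # item (9): area ids, empty = anywhere


def network_access_allowed(auth: SecondNetworkAuthorization, network_id: str, area: str) -> bool:
    """Items (1), (2), (3), (9): may the terminal reach `network_id` from `area`?"""
    if not auth.allowed:
        return False
    if network_id in auth.denied_network_ids:       # explicit deny wins (assumption)
        return False
    if auth.allowed_network_ids and network_id not in auth.allowed_network_ids:
        return False
    if auth.allowed_areas and area not in auth.allowed_areas:
        return False
    return True


def service_allowed(auth: SecondNetworkAuthorization, network_id: str, area: str, service: str) -> bool:
    """Items (4)/(5), evaluated on top of the network-level check."""
    if not network_access_allowed(auth, network_id, area):
        return False
    if service in auth.denied_services:
        return False
    return not auth.allowed_services or service in auth.allowed_services


def channel_admissible(grant: Optional[DataChannelGrant], existing: List[Tuple[int, int]],
                       requested_qos: int, requested_ambr_kbps: int = 0) -> Tuple[bool, str]:
    """Items (6)/(7)/(8): may one more channel/DRB with `requested_qos` be set up?

    `existing` lists (qos, ambr_kbps) for channels already established.
    """
    if grant is None:
        return False, "no grant"
    if len(existing) >= grant.max_channels:
        return False, "channel count exhausted"
    if requested_qos not in grant.allowed_qos:
        return False, "qos not allowed"
    if grant.max_ambr_kbps is not None:
        used = sum(ambr for _, ambr in existing)
        if used + requested_ambr_kbps > grant.max_ambr_kbps:
            return False, "ambr exceeded"
    return True, "ok"


# Constructed sample: the public network "PLMN-A" is reachable for IMS and LCS only
# from area "TA-1", with a single first DRB of 5QI 1 or 5 allowed.
SAMPLE_AUTH = SecondNetworkAuthorization(
    allowed=True,
    allowed_network_ids=frozenset({"PLMN-A"}),
    denied_network_ids=frozenset({"NPN-X"}),
    allowed_services=frozenset({"IMS", "LCS"}),
    denied_services=frozenset({"TSN"}),
    first_drb=DataChannelGrant(max_channels=1, max_ambr_kbps=None, allowed_qos=frozenset({1, 5})),
    allowed_areas=frozenset({"TA-1"}),
)
```

With `SAMPLE_AUTH`, an IMS request toward "PLMN-A" from "TA-1" passes, the same request from "TA-2" or toward "NPN-X" is refused, and a second first-DRB is refused once one is already up.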
In this embodiment of the present invention, optionally, the authorization information for accessing the second network is received and obtained from a communication network element of the first network.
Wherein the context of the first AS may include at least one of: and the terminal receives the information sent or broadcasted by the RAN network element of the first network and the information sent to the first AS by the first NAS.
In the embodiment of the present invention, optionally, the mode of the first NAS connection may include at least one of the following: IDLE mode (alternatively referred to as 5GMM-IDLE mode), CONNECTED mode (alternatively referred to as 5GMM-CONNECTED mode).
In the embodiment of the present invention, optionally, the state of the first AS connection (also referred to as the first RRC connection) may include at least one of the following: an idle state, a connected state, and an inactive state.
In the embodiment of the present invention, optionally, the operation of the first AS connection may include at least one of the following: establishing RRC connection, releasing RRC connection, and suspending the RRC connection to enter an inactive state.
In the embodiment of the present invention, optionally, the context of the first AS may include at least one of the following: authorization information for accessing a second network; the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network. Specifically, the information that may be included in the authorization information for accessing the second network is specifically described above, and is not described herein again. Authorization information for accessing the second network in the first AS context may be received from a RAN network element of the first network or obtained from the first NAS.
In this embodiment of the present invention, optionally, the authorization information for accessing the second network may be obtained from a communication network element (e.g., a RAN network element) of the first network.
In this embodiment of the present invention, optionally, the first determining module 1301 may further perform at least one of the following:
(1) when a first condition is satisfied, causing the mode of the second NAS connection to enter idle mode or releasing the connection of the second NAS, where the first condition may include at least one of: (a) the connection state of the first AS enters an idle state, (b) the connection of the first AS is released, (c) the mode of the first NAS connection enters idle mode, (d) the connection of the first NAS is released, (e) the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network through the first network;
(2) when signaling of the first NAS is barred or a NAS prohibit timer is running, prohibiting the second NAS from sending NAS signaling;
(3) when a second condition is met, determining that the connection of the second NAS can be established and/or is determined to be established, or confirming that the mode of the second NAS connection enters and/or can enter connected mode; where the second condition may include at least one of: (a) the connection state of the first AS is a connected state or the connection of the first AS is being established, (b) the mode of the first NAS connection is connected mode or the connection of the first NAS is being established, (c) the authorization information for accessing the second network allows the terminal to access the second network through the first network. Accordingly, when the mode of the second NAS connection is connected mode or the connection of the second NAS is established, the connection state of the first AS is a connected state or the connection of the first AS is established; or, when the mode of the second NAS connection is connected mode or the connection of the second NAS is established, the mode of the first NAS connection is connected mode or the connection of the first NAS is established;
(4) when the second NAS sends NAS signaling and/or data to the second network and the connection state of the first AS is an idle state, the second NAS requests the first NAS to trigger connection establishment of the first AS, or the second NAS directly triggers connection establishment of the first AS; where, when the mode of the second NAS connection is connected, the mode of the first NAS connection is connected mode;
(5) when the second NAS sends NAS signaling and/or data to the second network and the mode of the first NAS connection is idle mode, the second NAS requests the mode of the first NAS connection to enter connected mode; the second NAS does not influence the network selection and access control of the first AS, does not provide a terminal identifier of the second network, and/or does not provide slice information of the second network;
(6) when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network through the first network, performing at least one of the following: (a) allowing the mode of the second NAS connection to enter connected mode through the first AS and/or the first NAS, (b) allowing the second NAS to establish a NAS connection through the first AS and/or the first NAS, (c) allowing the second NAS to send NAS signaling of the second network and/or data of the second network to the first AS and/or the first NAS, (d) allowing NAS signaling of the second network and/or data of the second network to trigger connection establishment of the first AS;
(7) when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network through the first network, performing at least one of the following: (a) not allowing the mode of the second NAS connection to enter connected mode through the first AS and/or the first NAS, (b) not allowing the second NAS to establish a NAS connection through the first AS and/or the first NAS, (c) not allowing the second NAS to send NAS signaling of the second network and/or data of the second network to the first AS, (d) not allowing NAS signaling of the second network and/or data of the second network to trigger connection establishment of the first AS.
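The seven rules above make the second NAS strictly dependent on the first NAS and the first AS: it can only come up while they are up and authorized, and it goes down whenever either of them does. The following Python, added as an illustration and not code from the patent or from vivo, encodes those rules as a small state machine on the terminal side. The class layout, the event names and the returned strings are assumptions of this example, and the authorization information is reduced to a single allow/deny flag.

```python
"""Terminal-side model: the second NAS follows the first NAS and the first AS.

Added example, not code from the patent or from vivo.  Event names, the
class layout and the returned action strings are assumptions.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Terminal:
    first_as_state: str = "idle"           # idle | connected | inactive
    first_nas_mode: str = "idle"           # idle | connected (5GMM-IDLE / 5GMM-CONNECTED)
    second_nas_mode: str = "idle"          # idle | connected
    first_nas_barred: bool = False         # first-NAS signalling barred or prohibit timer running
    second_network_allowed: bool = False   # authorization information for accessing the second network
    log: List[str] = field(default_factory=list)

    # rule (1): the second NAS never outlives the first AS / first NAS / the authorization
    def _enforce_dependency(self) -> None:
        if self.second_nas_mode == "connected" and (
            self.first_as_state == "idle"
            or self.first_nas_mode == "idle"
            or not self.second_network_allowed
        ):
            self.second_nas_mode = "idle"
            self.log.append("second NAS connection released")

    def on_first_as_event(self, event: str) -> None:
        """event: 'released' (rule 1b) or a new state 'idle' | 'connected' | 'inactive'."""
        if event not in ("released", "idle", "connected", "inactive"):
            raise ValueError(event)
        self.first_as_state = "idle" if event == "released" else event
        self._enforce_dependency()

    def on_first_nas_event(self, event: str) -> None:
        """event: 'released' (rule 1d) or a new mode 'idle' | 'connected'."""
        if event not in ("released", "idle", "connected"):
            raise ValueError(event)
        self.first_nas_mode = "idle" if event == "released" else event
        self._enforce_dependency()

    def on_authorization(self, allowed: bool) -> None:
        """Authorization information for accessing the second network was received or updated."""
        self.second_network_allowed = allowed
        self._enforce_dependency()

    # rules (2) to (7): the second NAS wants to send signalling or data to the second network
    def second_nas_send(self, pdu: str) -> str:
        if not self.second_network_allowed:              # rule (7): nothing may go out
            return "rejected: not authorized via first network"
        if self.first_nas_barred:                        # rule (2): wait for the barring to end
            return "deferred: first NAS barred"
        if self.first_as_state == "idle":                # rule (4): bring up the first AS first
            # rule (5): the request carries no second-network UE identifier or slice info
            self.log.append("second NAS requests first NAS to establish first AS connection")
            self.first_as_state = "connected"
            self.first_nas_mode = "connected"
        elif self.first_nas_mode == "idle":              # rule (5): first NAS must be connected
            self.log.append("second NAS requests first NAS to enter connected mode")
            self.first_nas_mode = "connected"
        # rules (3)/(6): prerequisites hold, the second NAS connection may now be used
        self.second_nas_mode = "connected"
        self.log.append(f"second NAS sends {pdu} over first AS")
        return "sent"
```

An RRC inactive first AS (rule 1 lists only the idle state and release) leaves the second NAS connection intact in this model, whereas a release of the first AS, the first NAS, or the authorization tears it down.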
The terminal provided by the embodiment of the present invention can execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
The embodiment of the present invention further provides a first communication network element, and since the principle of solving the problem of the first communication network element is similar to the method for access control in the embodiment of the present invention, the implementation of the first communication network element may refer to the implementation of the method, and the repetition part is not described again.
Referring to fig. 14, an embodiment of the present invention further provides a first communication network element, where the first communication network element 1400 includes:
an establishing module 1401, configured to establish a first A interface connection and/or a second A interface connection for a terminal;
a second determining module 1402, configured to determine an operation of a second A interface with respect to the terminal according to a factor associated with the first A interface;
where the A interfaces may each include at least one of the following: a W interface, a Y interface and a Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network the W interface is called the NG interface, and in an EPS network the W interface is referred to as the S1-C interface. The Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network the Y interface is referred to as the N3 interface, and in an EPS network the Y interface is referred to as the S1-U interface. The Z interface represents an interface between the RAN and the RAN; for example, in a 5GS network the Z interface is called the Xn interface, and in an EPS network the Z interface is referred to as the X2 interface.
The first A interface may be an interface between network elements in the first network, and the second A interface may be an interface between the first network and the second network or a proxy network element, where the proxy network element may act as a proxy between the first network and the second network.
It will be appreciated that the first A interface and the second A interface are two interfaces of the same type. For example, when the A interface is an NG interface, the first A interface is a first NG interface, which may be an NG interface between the first network RAN network element and the first network CN network element, and the second A interface is a second NG interface, which may be an NG interface between the first network RAN network element and the second network CN network element or the proxy network element. The second NG interface can be established through the proxy network element, namely, the second NG interface is established between the RAN network element of the first network and the proxy network element, and between the proxy network element and the CN network element of the second network. In the embodiment of the present invention, the names of the first A interface and the second A interface are not specifically limited.
In the embodiment of the present invention, the factor associated with the first A interface may be related information and/or an operation of the first A interface.
In the embodiment of the present invention, optionally, the proxy network element may proxy signaling and/or data between the RAN of the first network and the CN of the second network, where the signaling may be signaling related to the terminal or signaling unrelated to the terminal.
In the embodiment of the present invention, optionally, the first A interface may include at least one of the following:
(1) the control plane interface between the first network RAN and the first network CN is, for example: NG interface, S1-C interface, IU-C interface, etc.;
(2) the user plane interface between the first network RAN and the first network CN, for example: an N3 interface, an S1-U interface, etc.;
(3) the interface between the first network RAN and the first network RAN, for example: an Xn interface, an X2 interface, etc.;
In the embodiment of the present invention, optionally, the second A interface may include at least one of the following:
(1) the control plane interface between the first network RAN and the second network CN is, for example: NG interface, etc.;
(2) the user plane interface between the first network RAN and the second network CN, for example: an N3 interface;
(3) the interface between the first network RAN and the second network RAN, for example: an Xn interface, an X2 interface, etc.;
(4) a W-interface between the first network RAN and the proxy network element, the W-interface representing a control plane interface between the RAN and the CN, for example: an NG interface;
(5) a Y-interface between the first network RAN and the proxy network element, the Y-interface representing a user plane interface between the RAN and the CN, for example: an N3 interface;
(6) a Z-interface between the first network RAN and the proxy network element, the Z-interface representing an interface between the RAN and the RAN, for example: an Xn interface, an X2 interface, etc.
In the embodiment of the present invention, optionally, the factor associated with the first A interface may include at least one of: a state of the first A interface with respect to the terminal, a terminal context of the first A interface with respect to the terminal, and a connection operation of the first A interface with respect to the terminal.
The terminal context of the first A interface may be a terminal context established by other communication network elements of the first network, or terminal-related information transmitted by them.
In the embodiment of the present invention, optionally, the state of the first A interface with respect to the terminal may include at least one of the following: the first A interface connection related to the terminal is in an idle state, the first A interface connection related to the terminal is in a connected state, and the first A interface connection related to the terminal is in a connection suspended state.
In the embodiment of the present invention, optionally, the connection operation of the first A interface with respect to the terminal may include at least one of: establishing the first A interface connection of the terminal, releasing the first A interface connection of the terminal, and suspending the first A interface connection of the terminal.
In the embodiment of the present invention, optionally, the terminal context of the first A interface with respect to the terminal may include: authorization information for accessing the second network, where the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network that is allowed to be accessed through the first network, such as: a network identifier of a non-public network (for example, an NPN (Non-Public Network) ID), or a network identifier of a public network (for example, a PLMN ID), etc.;
(3) network identification information of the second network that is not allowed to be accessed through the first network, such as: a network identifier of a non-public network (for example, an NPN ID), or a network identifier of a public network (for example, a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)); in one embodiment, the allowed 5QI or QCI may include 1 and/or 5; the first data channel is a data channel established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB), which may include at least one of: the number of first DRBs allowed to be established, and the allowed QoS information; the first DRB is a DRB established in the first network and used for transmitting signaling and/or data between the terminal and the second network; and
(9) information on the area of the first network in which access to the second network and/or a network service of the second network is granted.
In the embodiment of the present invention, the operation of the second A interface with respect to the terminal (step 402 of the method embodiment) may optionally include at least one of the following:
(1) when the first A interface connection is released, requesting to release and/or releasing the second A interface connection related to the terminal;
(2) when the first A interface connection is established, confirming that the second A interface connection related to the terminal can be established;
(3) when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network or a network service of the second network through the first network, the second A interface operation with respect to the terminal includes at least one of: (a) requesting to establish a second A interface connection with respect to the terminal; (b) establishing a second A interface connection for the terminal; (c) establishing a terminal context for the second A interface of the terminal; (d) receiving signaling and/or data of the terminal from the second A interface with respect to the terminal and transmitting the signaling and/or data to the terminal; (e) receiving signaling and/or data of the second network sent by the terminal and sending the signaling and/or data to the second A interface related to the terminal;
(4) when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network or a network service of the second network through the first network, the second A interface operation with respect to the terminal may include at least one of: (a) refusing the request and/or refusing to establish a second A interface connection related to the terminal; (b) requesting to release and/or releasing the second A interface connection already established with respect to the terminal; (c) refusing to establish a terminal context for the second A interface of the terminal; (d) requesting to release and/or releasing a terminal context already established with respect to the second A interface of the terminal; (e) ignoring or discarding the signaling and/or data of the terminal received from the second A interface with respect to the terminal; (f) ignoring or discarding the signaling and/or data of the second network received from the terminal.
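As an added illustration (not code from the patent or from vivo) of items (1) to (4) above and of the exchanges in fig. 11 (steps 1110 to 1116) and fig. 12 (steps 1201 to 1207), the following Python lets a first-network RAN, a proxy network element and a second-network AMF exchange named messages; the second NG connection for a UE only comes up while the first NG connection exists and the authorization information allows it, and is released as soon as either condition stops holding. The message names follow the steps above; the class layout, the trace format, the failure message used when a context is refused, and the sample UE identifiers are assumptions of this example.

```python
"""RAN-side model: the second NG connection follows the first NG connection
and the authorization information.  Added example, not code from the patent
or from vivo; class layout, trace format and UE ids are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class UeContext:
    authorized: bool          # authorization information for accessing the second network
    first_ng: bool = True     # first NG connection: first-network RAN <-> first-network CN
    second_ng: bool = False   # second NG connection: via the proxy to the second-network CN


class SecondNetworkAmf:
    """AMF of the second network; it only ever talks to the proxy."""
    def __init__(self) -> None:
        self.ues: Set[str] = set()

    def receive(self, ue: str, msg: str, proxy: "Proxy") -> None:
        if msg == "INITIAL UE MESSAGE":                  # step 1111 -> step 1114
            self.ues.add(ue)
            proxy.to_ran(ue, "INITIAL CONTEXT SETUP REQUEST")
        elif msg == "UE CONTEXT RELEASE REQUEST":        # step 1203 -> step 1204
            proxy.to_ran(ue, "UE CONTEXT RELEASE COMMAND")
        elif msg == "UE CONTEXT RELEASE COMPLETE":       # step 1207
            self.ues.discard(ue)


class Proxy:
    """Relays per-UE NG signalling between the first-network RAN and the second-network AMF."""
    def __init__(self, ran: "FirstNetworkRan", amf: SecondNetworkAmf, trace: List[str]) -> None:
        self.ran, self.amf, self.trace = ran, amf, trace

    def to_amf(self, ue: str, msg: str) -> None:
        self.trace.append(f"RAN->proxy->AMF2: {msg}")
        self.amf.receive(ue, msg, self)

    def to_ran(self, ue: str, msg: str) -> None:
        self.trace.append(f"AMF2->proxy->RAN: {msg}")
        self.ran.receive_from_proxy(ue, msg)


class FirstNetworkRan:
    def __init__(self, trace: List[str]) -> None:
        self.ctx: Dict[str, UeContext] = {}
        self.trace = trace
        self.proxy = None  # wired up in build()

    def on_ul_information(self, ue: str, nas_pdu: str) -> str:
        """Step 1110: UL Information carrying NAS signalling of the second network."""
        c = self.ctx[ue]
        if not c.authorized or not c.first_ng:           # item (4)(f): ignore or discard
            self.trace.append(f"RAN: discard {nas_pdu} from {ue}")
            return "discarded"
        if not c.second_ng:                               # item (3)(a): ask for the second connection
            self.proxy.to_amf(ue, "INITIAL UE MESSAGE")   # step 1111
        else:                                             # item (3)(e): forward over the existing one
            self.proxy.to_amf(ue, "UPLINK NAS TRANSPORT")
        return "forwarded"

    def receive_from_proxy(self, ue: str, msg: str) -> None:
        c = self.ctx[ue]
        if msg == "INITIAL CONTEXT SETUP REQUEST":        # step 1114
            if not c.authorized or not c.first_ng:        # item (4)(a)/(c): refuse the context
                self.proxy.to_amf(ue, "INITIAL CONTEXT SETUP FAILURE")
                return
            c.second_ng = True                            # item (3)(b)/(c)
            self.trace.append(f"RAN->{ue}: DL Information")            # step 1115
            self.proxy.to_amf(ue, "INITIAL CONTEXT SETUP RESPONSE")    # step 1116
        elif msg == "UE CONTEXT RELEASE COMMAND":         # step 1205
            c.second_ng = False
            self.proxy.to_amf(ue, "UE CONTEXT RELEASE COMPLETE")       # step 1206

    def on_ue_context_update(self, ue: str, authorized: bool) -> None:
        """Step 1201: the first-network CN updates the authorization information."""
        c = self.ctx[ue]
        c.authorized = authorized
        if not authorized and c.second_ng:                # item (4)(b), step 1202
            self.proxy.to_amf(ue, "UE CONTEXT RELEASE REQUEST")

    def on_first_ng_release(self, ue: str) -> None:
        """Item (1): releasing the first NG connection also releases the second one."""
        c = self.ctx[ue]
        c.first_ng = False
        if c.second_ng:
            self.proxy.to_amf(ue, "UE CONTEXT RELEASE REQUEST")


def build():
    """Wire up one RAN, one proxy and one second-network AMF sharing a trace list."""
    trace: List[str] = []
    ran = FirstNetworkRan(trace)
    amf2 = SecondNetworkAmf()
    ran.proxy = Proxy(ran, amf2, trace)
    return ran, amf2, trace


def demo_register_then_revoke(ue: str = "UE-1"):
    """Constructed run: the UE registers to the second network, then the first CN revokes access."""
    ran, amf2, trace = build()
    ran.ctx[ue] = UeContext(authorized=True)
    ran.on_ul_information(ue, "REGISTRATION REQUEST")
    ran.on_ue_context_update(ue, authorized=False)
    return ran.ctx[ue], amf2, trace
```

`demo_register_then_revoke()` produces a seven-entry trace: the four messages of steps 1111 and 1114 to 1116 (the optional radio capability check of steps 1112 and 1113 is omitted), followed by the three messages of steps 1202 to 1207, after which the RAN holds no second NG connection for the UE and the second-network AMF has forgotten it.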
The first communication network element provided in the embodiment of the present invention may execute the foregoing method embodiment, and the implementation principle and technical effect are similar, which is not described herein again.
The embodiment of the present invention further provides a proxy network element, and as the principle of solving the problem of the proxy network element is similar to the method for access control in the embodiment of the present invention, the implementation of the proxy network element may refer to the implementation of the method, and repeated parts are not described again.
Referring to fig. 15, an embodiment of the present invention provides a proxy network element, where the proxy network element 1500 includes:
an executing module 1501, configured to execute an operation of the second D interface according to a factor associated with the first D interface;
the first D interface may be an interface between the first network and the proxy network element, and the second D interface may be an interface between the proxy network element and the second network; or the first D interface may be an interface between the proxy network element and the second network, and the second D interface may be an interface between the first network and the proxy network element;
where the D interfaces may each include at least one of the following: a W interface, a Y interface and a Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network the W interface is called the NG interface, and in an EPS network the W interface is referred to as the S1-C interface. The Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network the Y interface is referred to as the N3 interface, and in an EPS network the Y interface is referred to as the S1-U interface. The Z interface represents an interface between the RAN and the RAN; for example, in a 5GS network the Z interface is called the Xn interface, and in an EPS network the Z interface is referred to as the X2 interface.
The proxy network element may be used for proxy between the first network and the second network, and the proxy network element may be a network element in the first network, the second network, or a third network, where the third network is a network other than the first network and the second network.
It is understood that the first D interface and the second D interface are two interfaces of the same type, and names of the first D interface and the second D interface are not particularly limited in the embodiment of the present invention.
In the embodiment of the present invention, optionally, the factor associated with the first D interface may include related information and/or operation of the first D interface.
In this embodiment of the present invention, optionally, the interface between the first network and the proxy network element may include at least one of the following:
(1) a W-interface between the first network RAN and the proxy network element, the W-interface representing a control plane interface between the RAN and the CN, for example: an NG interface;
(2) a Y-interface between the first network RAN and the proxy network element, the Y-interface representing a user plane interface between the RAN and the CN, for example: an N3 interface;
(3) a Z-interface between the first network RAN and the proxy network element, the Z-interface representing an interface between the RAN and the RAN, for example: an Xn interface, an X2 interface, etc.
In this embodiment of the present invention, optionally, the interface between the proxy network element and the second network may include at least one of the following:
(1) a W interface between the proxy network element and the second network CN, the W interface representing a control plane interface between the RAN and the CN, such as an NG interface;
(2) a Y-interface between the proxy network element and the second network CN, the Y-interface representing a user plane interface between the RAN and the CN, for example: an N3 interface;
(3) a Z-interface between the proxy network element and the second network RAN, the Z-interface representing an interface between the RAN and the RAN, for example: an Xn interface, an X2 interface, etc.
In the embodiment of the present invention, optionally, the factor associated with the first D interface may include at least one of the following: a state of the first D-interface, signaling and/or data of the first D-interface, a connection operation of the first D-interface, a terminal context of the first D-interface with respect to the terminal.
In the embodiment of the present invention, optionally, the state of the first D interface may include at least one of the following: idle, connected, suspended.
In the embodiment of the present invention, optionally, the connection operation of the first D interface may include at least one of: establishing the connection of the first D interface, releasing the connection of the first D interface, and suspending the connection of the first D interface.
In this embodiment of the present invention, optionally, the terminal context of the terminal for the first D interface may include authorization information for accessing the second network, where the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network.
In this embodiment of the present invention, optionally, the executing module 1501 may further execute at least one of the following:
(1) requesting establishment of a second D interface not related to the terminal according to a received first D interface establishment request not related to the terminal;
(2) requesting establishment of a second D interface related to the terminal according to a received first D interface establishment request related to the terminal;
(3) sending the received signaling and/or data of the first D interface to the second D interface.
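The proxy behaviour described above (a factor of the first D interface driving the same operation on the second D interface, setup requests with and without a terminal, and relaying of signaling and data), as an added illustrative Python model. This is not code from the patent or from the applicant; the interface state machine (idle, connected, suspended with the three connection operations), the use of "NG" as the W interface name, and the message shapes are assumptions made for the example.

```python
# Added illustrative model (not the patent's or the applicant's code) of a
# proxy network element that mirrors the state, connection operations and
# setup requests of a first D interface onto a second D interface of the
# same type. The interface names, the state machine and the message
# shapes are assumptions made for this example.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class IfState(Enum):
    IDLE = "idle"
    CONNECTED = "connected"
    SUSPENDED = "suspended"


class Op(Enum):
    ESTABLISH = "establish"
    RELEASE = "release"
    SUSPEND = "suspend"


# Assumed transitions of a D interface connection: (state, operation) -> state.
_TRANSITIONS = {
    (IfState.IDLE, Op.ESTABLISH): IfState.CONNECTED,
    (IfState.CONNECTED, Op.RELEASE): IfState.IDLE,
    (IfState.CONNECTED, Op.SUSPEND): IfState.SUSPENDED,
    (IfState.SUSPENDED, Op.ESTABLISH): IfState.CONNECTED,
    (IfState.SUSPENDED, Op.RELEASE): IfState.IDLE,
}


@dataclass
class DInterface:
    name: str                 # interface type, e.g. "NG" for the W interface
    peer: str                 # the side this leg connects to
    state: IfState = IfState.IDLE
    terminal_contexts: set = field(default_factory=set)
    outbox: list = field(default_factory=list)   # messages sent on this leg

    def can_apply(self, op: Op) -> bool:
        return (self.state, op) in _TRANSITIONS

    def apply(self, op: Op) -> IfState:
        if not self.can_apply(op):
            raise ValueError(f"{self.name}/{self.peer}: {op.value} invalid in {self.state.value}")
        self.state = _TRANSITIONS[(self.state, op)]
        return self.state


@dataclass
class ProxyNetworkElement:
    first_d: DInterface    # leg towards the first network (e.g. its RAN)
    second_d: DInterface   # leg of the same type towards the second network

    def on_connection_operation(self, op: Op) -> IfState:
        # The connection operation observed on the first D interface is the
        # factor; the proxy applies the same operation to the second D interface.
        self.first_d.apply(op)
        return self.second_d.apply(op)

    def on_setup_request(self, terminal_id: Optional[str] = None) -> dict:
        # terminal_id is None for a terminal-unrelated setup request; otherwise a
        # terminal-related second D interface setup is requested for that terminal.
        if self.first_d.state is not IfState.CONNECTED:
            self.on_connection_operation(Op.ESTABLISH)
        if terminal_id is not None:
            self.first_d.terminal_contexts.add(terminal_id)
            self.second_d.terminal_contexts.add(terminal_id)
        msg = {"type": "SETUP_REQUEST", "terminal": terminal_id}
        self.second_d.outbox.append(msg)
        return msg

    def on_signaling(self, terminal_id: str, payload: bytes) -> Optional[dict]:
        # Signaling/data received on the first D interface is relayed to the
        # second D interface only for a terminal with an established context.
        if terminal_id not in self.first_d.terminal_contexts:
            return None
        msg = {"type": "TRANSFER", "terminal": terminal_id, "payload": payload}
        self.second_d.outbox.append(msg)
        return msg


def demo() -> ProxyNetworkElement:
    proxy = ProxyNetworkElement(DInterface("NG", "first-network RAN"),
                                DInterface("NG", "second-network CN"))
    proxy.on_setup_request()                      # terminal-unrelated NG setup
    proxy.on_setup_request("ue-1")                # terminal-related NG setup
    proxy.on_signaling("ue-1", b"\x7e\x00\x41")   # constructed NAS payload
    proxy.on_connection_operation(Op.SUSPEND)     # suspend mirrored to second leg
    return proxy


if __name__ == "__main__":
    p = demo()
    print(p.second_d.state.value, [m["type"] for m in p.second_d.outbox])
```

The point of the model is the coupling: the second leg never changes state or carries a message except as a consequence of something observed on the first leg, and signaling for a terminal that has no context on the first leg is dropped rather than relayed.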
The proxy network element provided in the embodiment of the present invention may execute the above method embodiment, and its implementation principle and technical effect are similar, which are not described herein again.
The embodiment of the invention also provides a terminal, and as the principle of solving the problem of the terminal is similar to the method for access control in the embodiment of the invention, the implementation of the terminal can refer to the implementation of the method, and repeated parts are not described again.
Referring to fig. 16, an embodiment of the present invention further provides a terminal, where the terminal 1600 includes:
a first obtaining module 1601, configured to obtain authorization information for accessing a second network, where the authorization information for accessing the second network is authorization information for accessing the second network by a terminal through a first network;
a third determining module 1602, configured to determine, according to the authorization information for accessing the second network, a first operation for accessing the second network through the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network that is allowed to be accessed through the first network, such as a network identifier of a non-public network (for example an NPN (Non-Public Network) ID) or a network identifier of a public network (for example a PLMN ID);
(3) network identification information of the second network that is not allowed to be accessed through the first network, such as a network identifier of a non-public network (for example an NPN ID) or a network identifier of a public network (for example a PLMN ID);
(4) service type information of a network service of the second network that is allowed to be accessed through the first network, such as IMS services, Time Sensitive Networking (TSN) services and/or LCS location services;
(5) service type information of a network service of the second network that is not allowed to be accessed through the first network;
(6) authorization information for a first data channel (for example a PDU session and/or a QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)), where in one embodiment the allowed 5QI or QCI may include 1 and/or 5; the first data channel is a data channel established in the first network for the terminal to access the second network;
(7) authorization information for a second data channel (for example a PDU session and/or a QoS flow), including at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB), including at least one of: the number of first DRBs allowed to be established, and allowed QoS information; the first DRB is a DRB established in the first network and used to transmit signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network in which access to the second network and/or a network service of the second network is granted.
In the embodiment of the present invention, optionally, the authorization information for accessing the second network may indicate whether to allow the terminal to access the second network or the network service of the second network through the first network.
In the embodiment of the present invention, optionally, determining the first operation of accessing the second network through the first network may include at least one of the following:
(1) determining whether to allow the terminal to access the second network through the first network;
(2) determining whether NAS signaling and/or data of the second network can be sent to the first network;
(3) determining whether to send NAS signaling and/or data for the second network to the first network;
(4) determining whether to release the NAS context that the terminal has established with the second network;
(5) determining whether to release the established NAS connection of the second network;
(6) determining whether to set the mode of the NAS connection of the second network to an idle mode;
(7) determining whether to detach the NAS of the second network;
(8) determining whether to ignore or discard cached NAS signaling and/or data to be sent to the second network;
(9) determining whether to end an ongoing signaling procedure in the NAS of the second network.
In the embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network or a network service of the second network through the first network, determining a first operation for accessing the second network through the first network includes at least one of:
(1) determining to allow the terminal to access the second network through the first network;
(2) determining whether to perform an operation of accessing the second network through the first network;
(3) determining that NAS signaling and/or data of a second network can be sent to a first network;
(4) determining to send second network NAS signaling and/or data to a first network;
(5) determining to send request information for accessing the second network to the first network.
In this embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network or a network service of the second network through the first network, determining a first operation for accessing the second network through the first network includes at least one of:
(1) determining that the terminal is not allowed to access the second network through the first network;
(2) determining that NAS signaling and/or data of the second network cannot be sent to the first network;
(3) determining not to send NAS signaling and/or data of the second network to the first network;
(4) determining to release the NAS context that the first communication device has established with the second network;
(5) determining to release the established NAS connection of the second network;
(6) determining to set the mode of the NAS connection of the second network to an idle mode;
(7) determining to detach the NAS of the second network;
(8) determining to ignore or discard cached NAS signaling and/or data to be sent to the second network;
(9) determining to end an ongoing signaling procedure in the NAS of the second network.
The terminal provided by the embodiment of the present invention can execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
The embodiment of the present invention further provides a second communication network element, and as the principle of solving the problem of the second communication network element is similar to the method for access control in the embodiment of the present invention, the implementation of the second communication network element may refer to the implementation of the method, and the repeated parts are not described again.
Referring to fig. 17, an embodiment of the present invention further provides a second communication network element, where the second communication network element 1700 includes:
a second obtaining module 1701, configured to obtain authorization information for accessing a second network and/or access information of the second network, where the authorization information for accessing the second network is authorization information of the terminal for accessing the second network through the first network;
a fourth determining module 1702, configured to determine, according to the authorization information for accessing the second network and/or the access information of the second network, whether to perform a second operation of the terminal accessing the second network through the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network that is allowed to be accessed through the first network, such as a network identifier of a non-public network (for example an NPN (Non-Public Network) ID) or a network identifier of a public network (for example a PLMN ID);
(3) network identification information of the second network that is not allowed to be accessed through the first network, such as a network identifier of a non-public network (for example an NPN ID) or a network identifier of a public network (for example a PLMN ID);
(4) service type information of a network service of the second network that is allowed to be accessed through the first network, such as IMS services, Time Sensitive Networking (TSN) services and/or LCS location services;
(5) service type information of a network service of the second network that is not allowed to be accessed through the first network;
(6) authorization information for a first data channel (for example a PDU session and/or a QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)), where in one embodiment the allowed 5QI or QCI may include 1 and/or 5; the first data channel is a data channel established in the first network for the terminal to access the second network;
(7) authorization information for a second data channel (for example a PDU session and/or a QoS flow), including at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB), including at least one of: the number of first DRBs allowed to be established, and allowed QoS information; the first DRB is a DRB established in the first network and used to transmit signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network in which access to the second network and/or a network service of the second network is granted.
In the embodiment of the present invention, optionally, the access information of the second network may include at least one of the following:
(1) a paging request about the terminal sent by a proxy network element of the second network or by the second network;
(2) NAS signaling of the second network and/or data of the second network sent by the terminal;
(3) request information of the terminal for accessing the second network;
(4) a data channel establishment request of the first network sent by the terminal, where the data channel is used for accessing the second network;
(5) an identifier of the second network, such as a network identifier of a non-public network (for example an NPN (Non-Public Network) ID) or a network identifier of a public network (for example a PLMN ID);
(6) indication information for accessing the second network;
(7) a temporary mobile subscriber identity of the terminal in the second network, such as an S-TMSI or a 5G-S-TMSI;
(8) an identifier of a communication network element of the second network, for example a 5G-S-TMSI; and
(9) Network Slice Selection Assistance Information (NSSAI) of the second network.
In the embodiment of the present invention, optionally, the authorization information for accessing the second network indicates whether to allow the terminal to access the second network or the network service of the second network through the first network.
In this embodiment of the present invention, optionally, the authorization information for accessing the second network is received and acquired from other communication network elements of the first network.
In the embodiment of the present invention, optionally, determining whether to perform the second operation of the terminal accessing the second network through the first network may include at least one of:
(1) determining whether to allow the terminal to access the second network through the first network;
(2) determining whether to send an initial terminal message to a proxy network element or to the second network;
(3) determining whether to request establishment of and/or request a second A interface connection for the terminal;
(4) determining whether to establish a terminal context of the terminal for the second A interface;
(5) determining whether to send second A interface signaling to a proxy network element, the second network, or a second A interface for the terminal;
(6) determining whether to receive second A interface signaling from a proxy network element, the second network, or a second A interface for the terminal;
(7) determining whether to forward NAS signaling of the second network and/or data of the second network received from the terminal to a proxy network element, the second network, or a second A interface for the terminal;
(8) determining whether to forward to the terminal NAS signaling of the second network and/or data of the second network received from a proxy network element, the second network, or a second A interface for the terminal;
(9) determining whether to release the second A interface connection already established for the terminal;
(10) determining whether to release the already established terminal context of the terminal for the second A interface;
(11) determining whether to ignore or discard NAS signaling and/or data of the second network sent by the terminal;
(12) determining whether to ignore or discard second A interface signaling sent by a proxy network element of the second network or by a second A interface for the terminal;
(13) determining whether to ignore or discard NAS signaling and/or data of the second network sent by the terminal, a proxy network element of the second network, or a second A interface for the terminal;
(14) determining whether to return a paging rejection to a proxy network element of the second network or to the second network when a paging request about the terminal is received from the proxy network element of the second network or from the second network, where the reason for the rejection is that the terminal is not allowed to access the second network through the first network;
where the second A interface is an interface between the first network and the second network or a proxy network element.
In this embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network through the first network, determining whether to perform the second operation of the terminal accessing the second network through the first network may include at least one of the following:
(1) determining to allow the terminal to access the second network through the first network;
(2) determining to send an initial terminal message to a proxy network element or to the second network;
(3) determining to request establishment of and/or request a second A interface connection for the terminal;
(4) determining to establish a terminal context of the terminal for the second A interface;
(5) determining to send second A interface signaling to a proxy network element, the second network, or a second A interface for the terminal;
(6) determining to receive second A interface signaling from a proxy network element, the second network, or a second A interface for the terminal;
(7) determining to forward NAS signaling of the second network and/or data of the second network received from the terminal to a proxy network element, the second network, or a second A interface for the terminal;
(8) determining whether to forward NAS signaling of the second network and/or data of the second network received from the proxy network element, the second network, or a second A interface for the terminal;
where the A interfaces may each include at least one of the following: the W interface, the Y interface and the Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network, the W interface is called the NG interface; in an EPS network, the W interface is referred to as the S1-C interface. In the embodiment of the present invention, the Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network, the Y interface is referred to as the N3 interface, and in an EPS network, the Y interface is referred to as the S1-U interface. In the embodiment of the present invention, the Z interface represents an interface between the RAN and the RAN. For example, in a 5GS network, the Z interface is called the Xn interface; in an EPS network, the Z interface is referred to as the X2 interface.
It will be appreciated that the first A interface and the second A interface are two interfaces of the same type. For example, when the A interface is an NG interface, the first A interface is a first NG interface, namely the NG interface between the first network RAN network element and the first network CN network element, and the second A interface is a second NG interface, which may be an NG interface between the first network and the second network or the proxy network element.
In this embodiment of the present invention, optionally, when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network through the first network, determining whether to perform the second operation of the terminal accessing the second network through the first network may include at least one of the following:
(1) determining that the terminal is not allowed to access the second network through the first network;
(2) determining not to send an initial terminal message to the proxy network element or the second network;
(3) determining to reject the request to establish and/or request a second A interface connection for the terminal;
(4) determining to refuse to establish a terminal context of the terminal for the second A interface;
(5) determining not to send second A interface signaling to a proxy network element, the second network, or a second A interface for the terminal;
(6) determining not to forward NAS signaling of the second network and/or data of the second network received from the terminal to the proxy network element, the second network, or a second A interface for the terminal;
(7) determining not to forward to the terminal the NAS signaling of the second network and/or data of the second network received from the proxy network element, the second network, or a second A interface for the terminal;
(8) determining to release the established second A interface connection for the terminal;
(9) determining to release the terminal context of the terminal that has been established for the second A interface;
(10) determining to ignore or discard NAS signaling and/or data of the second network sent by the terminal;
(11) determining to ignore or discard second A interface signaling sent by a proxy network element of the second network, the second network, or a second A interface for the terminal;
(12) determining to ignore or discard NAS signaling and/or data of the second network sent by the terminal, a proxy network element of the second network, the second network, or a second A interface for the terminal;
(13) determining whether to return a paging rejection to a proxy network element of the second network or to the second network when a paging request about the terminal is received from the proxy network element of the second network or from the second network, where the reason for the rejection may be that the terminal is not allowed to access the second network through the first network;
where the second A interface is an interface between the first network and the second network or the proxy network element.
In the embodiment of the present invention, optionally, the method further includes sending authorization information for accessing the second network to the terminal and/or the proxy network element.
In the embodiment of the present invention, optionally, the proxy network element may be a proxy between the first network and the second network.
In this embodiment of the present invention, optionally, the proxy network element may be a network element in the first network, the second network, or a third network, where the third network refers to a network other than the first network and the second network.
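The terminal-side decision (the first operation in the terminal section above) and the RAN-side decision of the second communication network element (the second operation in this section) both evaluate the same authorization information for accessing the second network. The following added Python model, which is not code from the patent or from the applicant, shows one way of combining the allowed and disallowed network identifiers, the service types, the first data channel limits and the area information into a single check and deriving both decisions from it. The field names, the precedence of deny lists over allow lists, the shape of the access information events, the decision outputs and the sample values are assumptions made for this example.

```python
# Added illustrative model (not the patent's or the applicant's code) of how a
# terminal and a first-network RAN node could evaluate the authorization
# information for accessing the second network. Field names, event shapes,
# precedence rules and sample values are assumptions for this example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecondNetworkAuthorization:
    allowed: bool = False                                     # item (1)
    allowed_network_ids: set = field(default_factory=set)     # item (2): NPN / PLMN IDs
    disallowed_network_ids: set = field(default_factory=set)  # item (3)
    allowed_services: set = field(default_factory=set)        # item (4): e.g. IMS, TSN, LCS
    disallowed_services: set = field(default_factory=set)     # item (5)
    max_first_data_channels: int = 0                          # item (6): PDU sessions / QoS flows
    allowed_5qi: set = field(default_factory=set)             # item (6): 5QI / QCI values
    allowed_areas: set = field(default_factory=set)           # item (9): first-network areas

    def permits(self, network_id: str, service: Optional[str] = None,
                area: Optional[str] = None) -> bool:
        # Assumed precedence: explicit deny lists win, then the global flag,
        # then allow lists (an empty allow list means "no restriction").
        if not self.allowed or network_id in self.disallowed_network_ids:
            return False
        if service is not None and service in self.disallowed_services:
            return False
        if self.allowed_network_ids and network_id not in self.allowed_network_ids:
            return False
        if service is not None and self.allowed_services and service not in self.allowed_services:
            return False
        if area is not None and self.allowed_areas and area not in self.allowed_areas:
            return False
        return True


# Constructed sample: npn-1 reachable for IMS/TSN only, npn-9 never, at most two
# first data channels with 5QI/QCI 1 or 5, only while the terminal is in "ta-100".
SAMPLE_AUTH = SecondNetworkAuthorization(
    allowed=True, allowed_network_ids={"npn-1"}, disallowed_network_ids={"npn-9"},
    allowed_services={"IMS", "TSN"}, max_first_data_channels=2,
    allowed_5qi={1, 5}, allowed_areas={"ta-100"})


def terminal_first_operation(auth: SecondNetworkAuthorization, network_id: str,
                             service: Optional[str] = None) -> dict:
    """Terminal side: the first operation derived from the authorization information."""
    if auth.permits(network_id, service):
        return {"access_allowed": True, "send_nas_to_first_network": True,
                "send_access_request": True}
    return {"access_allowed": False, "send_nas_to_first_network": False,
            "release_nas_context": True, "release_nas_connection": True,
            "nas_mode": "idle", "detach": True,
            "discard_cached_nas": True, "end_ongoing_procedure": True}


def ran_second_operation(auth: SecondNetworkAuthorization, access_info: dict,
                         has_second_a_connection: bool = False,
                         established_channels: int = 0) -> dict:
    """First-network RAN side: the second operation for one access information event.

    access_info is an assumed event shape, e.g. {"kind": "paging", "network_id": ...},
    {"kind": "nas", "network_id": ..., "service": ..., "area": ...} or
    {"kind": "data_channel", "network_id": ..., "qci": ...}.
    """
    kind = access_info["kind"]
    network_id = access_info["network_id"]
    if not auth.permits(network_id, access_info.get("service"), access_info.get("area")):
        if kind == "paging":
            return {"action": "paging_reject",
                    "cause": "terminal not allowed to access second network via first network"}
        return {"action": "discard",
                "release_second_a_interface": has_second_a_connection,
                "release_terminal_context": has_second_a_connection}
    if kind == "paging":
        return {"action": "forward_paging_to_terminal"}
    if kind == "nas":
        # An initial terminal message is only needed when no second A interface
        # connection exists yet for this terminal.
        return {"action": "forward_to_second_a_interface",
                "send_initial_terminal_message": not has_second_a_connection}
    if kind == "data_channel":
        if established_channels >= auth.max_first_data_channels:
            return {"action": "reject_data_channel", "cause": "channel limit reached"}
        if access_info.get("qci") not in auth.allowed_5qi:
            return {"action": "reject_data_channel", "cause": "5QI/QCI not authorized"}
        return {"action": "establish_first_data_channel"}
    return {"action": "discard"}
```

Keeping the allow/deny evaluation in one place means the terminal and the RAN node cannot drift apart on what the authorization information permits; the deny-first ordering is an assumption, but it is the conservative reading of items (3) and (5), since a network or service that is explicitly disallowed should not become reachable by also appearing in an allow list.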
The second communication network element provided in the embodiment of the present invention may execute the foregoing method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
The embodiment of the present invention further provides a third communication network element, and as the principle of solving the problem of the third communication network element is similar to the method for access control in the embodiment of the present invention, the implementation of the third communication network element may refer to the implementation of the method, and the repeated parts are not described again.
Referring to fig. 18, an embodiment of the present invention further provides a third communication network element of the first network, where the third communication network element 1800 includes:
a third obtaining module 1801, configured to obtain first information, where the first information may include at least one of: the capability of the terminal to access a second network through a first network, the capability of the RAN of the first network to access the second network through a proxy network element, and subscription information of the terminal for accessing the second network through the first network;
a fifth determining module 1802, configured to determine, according to the first information, authorization information for accessing the second network, where the authorization information for accessing the second network is authorization information for accessing the second network by the terminal through the first network.
Optionally, the authorization information for accessing the second network may include at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network that is allowed to be accessed through the first network, such as a network identifier of a non-public network (for example an NPN (Non-Public Network) ID) or a network identifier of a public network (for example a PLMN ID);
(3) network identification information of the second network that is not allowed to be accessed through the first network, such as a network identifier of a non-public network (for example an NPN ID) or a network identifier of a public network (for example a PLMN ID);
(4) service type information of a network service of the second network that is allowed to be accessed through the first network, such as IMS services, Time Sensitive Networking (TSN) services and/or LCS location services;
(5) service type information of a network service of the second network that is not allowed to be accessed through the first network;
(6) authorization information for a first data channel (for example a PDU session and/or a QoS flow), including at least one of: the number of first data channels allowed to be established, the allowed AMBR of the first data channels, and the QoS information allowed for the first data channels (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)), where in one embodiment the allowed 5QI or QCI may include 1 and/or 5; the first data channel is a data channel established in the first network for the terminal to access the second network;
(7) authorization information for a second data channel (for example a PDU session and/or a QoS flow), including at least one of: the number of second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; the second data channel is a data channel established by the terminal through the first network and the second network;
(8) authorization information of a first Data Radio Bearer (DRB), including at least one of: the number of first DRBs allowed to be established, and allowed QoS information; the first DRB is a DRB established in the first network and used to transmit signaling and/or data between the terminal and the second network; and
(9) information of an area of the first network in which access to the second network and/or a network service of the second network is granted.
In the embodiment of the present invention, optionally, the method may further include sending authorization information for accessing the second network to the terminal and/or a RAN network element of the first network.
In the embodiment of the present invention, optionally, the capability of the terminal to access the second network through the first network may refer to a capability of activating the second NAS on the first NAS or the first AS.
The first NAS is related to a first network, the second NAS is related to a second network, and the first AS is an AS of the first network of the terminal.
In this embodiment of the present invention, optionally, the second NAS may be located on the first AS, or the second NAS may be located on the first NAS.
In this embodiment of the present invention, optionally, the capability of the RAN of the first network to access the second network through the proxy network element refers to the capability of establishing a first A interface and a second A interface for the terminal, where the first A interface is an interface between communication network elements in the first network, and the second A interface is an interface between the first network and the second network or the proxy network element.
The A interfaces may each include at least one of the following: the W interface, the Y interface and the Z interface.
In the embodiment of the present invention, the W interface represents a control plane interface between the RAN and the CN. For example, in a 5GS network, the W interface is called the NG interface; in an EPS network, the W interface is referred to as the S1-C interface. In the embodiment of the present invention, the Y interface represents a user plane interface between the RAN and the CN; for example, in a 5GS network, the Y interface is referred to as the N3 interface, and in an EPS network, the Y interface is referred to as the S1-U interface. In the embodiment of the present invention, the Z interface represents an interface between the RAN and the RAN. For example, in a 5GS network, the Z interface is called the Xn interface; in an EPS network, the Z interface is referred to as the X2 interface.
In this embodiment of the present invention, optionally, the subscription information that the terminal accesses the second network through the first network includes at least one of the following:
(1) whether to allow the terminal to access the second network through the first network;
(2) network identification information of the second network allowing access through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(3) network identification information of the second network that does not allow access through the first network, such as: a network identification of a non-public network (such as an NPN (Non-Public Network) ID), or a network identification of a public network (such as a PLMN ID), etc.;
(4) service type information of a network service of a second network allowing access through a first network, such as: IMS services, or Time Sensitive Networking (TSN) services, and/or LCS location services, etc.;
(5) service type information of a network service of a second network that does not allow access through the first network;
(6) grant information for a first data channel (e.g., a PDU session and/or QoS flow) including at least one of: the number of the first data channels allowed to be established, the allowed AMBR of the first data channels, the QoS information (such as a 5G QoS Identifier (5QI) or a QoS Class Identifier (QCI)) allowed by the first data channels, wherein the allowed 5QI or QCI can comprise 1 and/or 5 in one embodiment, and the first data channels are the data channels which are established in the first network for the terminal to access the second network;
(7) grant information for a second data channel (e.g., a PDU session and/or a QoS flow), including at least one of: the number of the second data channels allowed to be established, the allowed AMBR of the second data channels, and the allowed QoS information of the first data channels; and the second data channel is a data channel established by the terminal through the first network and the second network;
(8) Authorization information of a first Data Radio Bearer (DRB): the number of the first DRBs allowed to be established, and allowed QoS information; the first DRB is a DRB established at the first network and used to transmit signaling and/or data between the terminal and the second network;
and
(9) information of an area of the first network that grants access to the second network and/or a network service of the second network.
The third communication network element provided in the embodiment of the present invention may execute the foregoing method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
Referring to fig. 19, which is a structural diagram of a communication device to which the embodiment of the present invention is applied, a communication device 1900 includes: a processor 1901, a transceiver 1902, a memory 1903, and a bus interface, wherein:
in one embodiment of the invention, the communication device 1900 further comprises: a program stored on the memory 1903 and executable on the processor 1901, the program when executed by the processor 1901 performing the steps of: determining operation of the second NAS based on factors associated with the first NAS and/or factors associated with a first Access Stratum (AS); the terminal is provided with a first non-access stratum (NAS) and/or a second NAS, the first NAS is related to a first network, the second NAS is related to a second network, and a first AS is related to the first network.
In another embodiment of the present invention, the network device 1900 further includes: a program stored on the memory 1903 and executable on the processor 1901, the program when executed by the processor 1901 performing the steps of: establishing a first A interface connection related to a terminal and/or a second A interface connection related to the terminal for the terminal; determining an operation with respect to the second A-interface of the terminal according to a factor associated with the first A-interface; wherein the first A interface is an interface between network elements in the first network, the second A interface is an interface between the first network and a second network or a proxy network element, and the proxy network element is a proxy between the first network and the second network.
In yet another embodiment of the present invention, the network device 1900 further includes: a program stored on the memory 1903 and executable on the processor 1901, the program when executed by the processor 1901 performing the steps of: performing an operation of the second D interface according to a factor associated with the first D interface; wherein the first D interface is an interface between the first network and a proxy network element, and the second D interface is an interface between the proxy network element and the second network; or the first D interface is an interface between the proxy network element and the second network, and the second D interface is an interface between the first network and the proxy network element; the proxy network element is used for proxy of a first network and a second network, and the proxy network element is a network element in the first network, the second network or a third network.
In yet another embodiment of the present invention, the network device 1900 further includes: a program stored on the memory 1903 and executable on the processor 1901, the program when executed by the processor 1901 performing the steps of: acquiring authorization information accessed to a second network, wherein the authorization information accessed to the second network is authorization information of the terminal accessed to the second network through the first network; and determining a first operation of accessing the second network through the first network according to the authorization information of accessing the second network.
In yet another embodiment of the present invention, the network device 1900 further includes: a program stored on the memory 1903 and executable on the processor 1901, the program when executed by the processor 1901 performing the steps of: acquiring authorization information for accessing a second network and/or access information of the second network, wherein the authorization information for accessing the second network is authorization information of a terminal for accessing the second network through the first network; and determining whether to execute a second operation that the terminal accesses the second network through the first network according to the authorization information for accessing the second network and/or the access information of the second network.
In yet another embodiment of the present invention, the network device 1900 further includes: a program stored on the memory 1903 and executable on the processor 1901, the program when executed by the processor 1901 performing the steps of: obtaining first information, the first information comprising at least one of: the capability of the terminal to access the second network through the first network, the capability of the RAN of the first network to access the second network through the proxy network element, and the subscription information of the terminal for accessing the second network through the first network; and determining authorization information for accessing the second network according to the first information, wherein the authorization information for accessing the second network is authorization information for accessing the second network by the terminal through the first network.
In FIG. 19, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 1901, and various circuits, represented by memory 1903, being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1902 may be a plurality of elements including a transmitter and a receiver providing a means for communicating with various other apparatus over a transmission medium.
The processor 1901 is responsible for managing the bus architecture and general processing, and the memory 1903 may store data used by the processor 1901 in performing operations.
The communication device provided by the embodiment of the present invention may execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable hard disk, a compact disk, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a core network interface device. Of course, the processor and the storage medium may also reside as discrete components in a core network interface device.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The foregoing describes the objects, technical solutions and advantages of the present invention in further detail. It should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention and are not intended to limit the scope of the present invention; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (27)

1. A method for access control, applied to a terminal, wherein the terminal has a first non-access stratum (NAS) and/or a second NAS, the first NAS being related to a first network, and the second NAS being related to a second network, the method comprising:
determining operation of the second NAS based on factors associated with the first NAS and/or factors associated with a first Access Stratum (AS);
wherein the first AS is associated with a first network;
the factors associated with the first NAS include: a context of the first NAS; the factors associated with the first AS include: a context of the first AS;
the context of the first NAS includes: authorization information to access the second network, and/or the context of the first AS includes: authorization information to access the second network;
the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
2. The method of claim 1, wherein the second NAS is located on the first AS or the second NAS is located on the first NAS.
3. The method according to claim 1 or 2,
the factors associated with the first NAS further include at least one of: a mode of the first NAS connection, operation of the first NAS connection;
and/or,
the factors associated with the first AS further include at least one of: a state of the first AS connection, an operation of the first AS connection.
4. The method of claim 3,
the mode of the first NAS connection comprises at least one of: idle mode, connected mode;
and/or,
the operation of the first NAS connection comprises at least one of: NAS connection establishment, NAS connection release, NAS signaling being prohibited, and a NAS signaling prohibit timer running;
and/or,
the status of the first AS connection includes at least one of: an idle state, a connected state, an inactive state;
and/or,
the operation of the first AS connection includes at least one of: establishing a Radio Resource Control (RRC) connection, releasing the RRC connection, and suspending the RRC connection to enter an inactive state.
5. The method of claim 4, wherein the authorization information to access the second network comprises at least one of:
whether to allow the terminal to access the second network through the first network;
network identification information of the second network allowed to be accessed through the first network;
network identification information of the second network that is not allowed to be accessed through the first network;
service type information of a network service of a second network allowed to access through the first network;
service type information of a network service of a second network that does not allow access through the first network;
information of an area of the first network authorizing access to the second network and/or a network service of the second network;
and/or,
the authorization information for accessing the second network is received and obtained from a communication network element of the first network.
6. The method of claim 1, 2, 4 or 5, wherein the determining the operation of the second NAS based on factors associated with the first NAS and/or factors associated with the first AS comprises at least one of:
entering a mode of the second NAS connection into an idle mode or releasing the second NAS connection when a first condition is satisfied, wherein the first condition includes at least one of: the connection state of the first AS enters an idle state, the connection of the first AS is released, the mode of the first NAS connection enters an idle mode, the connection of the first NAS is released, and authorization information for accessing a second network indicates that the terminal is not allowed to access the second network through the first network;
when the signaling of the first NAS is forbidden or a NAS prohibit timer is running, forbidding the second NAS to send NAS signaling;
when a second condition is met, determining that the connection of the second NAS can be established and/or determining to establish it, or confirming that the mode of the connection of the second NAS enters and/or can enter a connected mode; wherein the second condition comprises at least one of: the connection state of the first AS is in a connected state or the connection of the first AS is established, the mode of the first NAS connection is in a connected mode or the connection of the first NAS is established, and the authorization information for accessing the second network allows the terminal to access the second network through the first network;
when the second NAS sends NAS signaling and/or data to a second network and when the connection state of the first AS is in an idle state, the second NAS requests the first NAS to trigger the connection establishment of the first AS or the second NAS directly triggers the connection establishment of the first AS;
when the second NAS sends NAS signaling and/or data to a second network and when the mode of the first NAS connection is in an idle mode, the second NAS requesting the mode of the first NAS connection to enter a connected mode;
when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network through the first network, performing at least one of the following: allowing the mode of the second NAS connection to enter a connected mode through the first AS and/or the first NAS, allowing the second NAS to perform NAS connection establishment through the first AS and/or the first NAS, and allowing the second NAS to send NAS signaling of the second network and/or data of the second network to the first AS and/or the first NAS; allowing NAS signaling of the second network and/or data of the second network to trigger the first AS connection establishment;
when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network through the first network, performing at least one of the following: disallowing the mode of the second NAS connection to enter a connected mode through the first AS and/or the first NAS, disallowing the second NAS to perform NAS connection establishment through the first AS and/or the first NAS, disallowing the second NAS to send NAS signaling of the second network and/or data of the second network to the first AS; not allowing NAS signaling of the second network and/or data of the second network to trigger connection establishment of the first AS.
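As an added illustration that is not part of the patent or its claims, the following Python models the terminal-side rules of claims 5 and 6: an authorization record carrying the allow/deny fields of claim 5, and a second NAS whose operation is decided from the first NAS mode, the first AS state and the prohibit timer as claim 6 lays out. The network identifiers, service names and action labels are constructed for the example, and treating the absence of any positive grant as "not allowed" is an assumption the claims do not state.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class NasMode(Enum):
    IDLE = "idle"
    CONNECTED = "connected"


class AsState(Enum):
    IDLE = "idle"
    CONNECTED = "connected"
    INACTIVE = "inactive"


@dataclass
class AccessAuthorization:
    """Authorization information for accessing the second network (claim 5 items).

    An empty field places no constraint of its kind. Assumption: without a
    positive grant (``allowed`` or an allow-list entry) access is denied.
    """
    allowed: Optional[bool] = None                              # (1) blanket allow/deny
    allowed_networks: Set[str] = field(default_factory=set)     # (2) NPN IDs / PLMN IDs
    disallowed_networks: Set[str] = field(default_factory=set)  # (3)
    allowed_services: Set[str] = field(default_factory=set)     # (4) e.g. IMS, TSN, LCS
    disallowed_services: Set[str] = field(default_factory=set)  # (5)

    def permits(self, network_id: str, service: Optional[str] = None) -> bool:
        """Deny entries win over allow entries; a non-empty allow-list is exhaustive."""
        if self.allowed is False or network_id in self.disallowed_networks:
            return False
        if self.allowed_networks and network_id not in self.allowed_networks:
            return False
        if not self.allowed and network_id not in self.allowed_networks:
            return False  # default-deny (assumption, see class docstring)
        if service is not None:
            if service in self.disallowed_services:
                return False
            if self.allowed_services and service not in self.allowed_services:
                return False
        return True


@dataclass
class FirstNasContext:
    """Factors of the first NAS the second NAS is decided upon (claims 3 to 5)."""
    mode: NasMode
    signaling_prohibited: bool = False          # signaling forbidden / prohibit timer running
    auth: Optional[AccessAuthorization] = None  # received from a first-network CN element


@dataclass
class FirstAsContext:
    state: AsState


class SecondNas:
    """Second NAS of the terminal, operated from the first NAS/AS factors (claim 6)."""

    def __init__(self, second_network_id: str) -> None:
        self.network_id = second_network_id
        self.mode = NasMode.IDLE

    def decide(self, nas: FirstNasContext, first_as: FirstAsContext,
               wants_to_send: bool = False,
               service: Optional[str] = None) -> List[str]:
        """Return the operations the second NAS performs for the current factors."""
        actions: List[str] = []
        authorized = nas.auth is not None and nas.auth.permits(self.network_id, service)
        if not authorized:
            # Not allowed through the first network: no connected mode, no NAS setup,
            # nothing sent to the first AS/NAS, no first AS trigger (last item of claim 6).
            self.mode = NasMode.IDLE
            return ["not_authorized", "second_nas_idle"]
        if nas.signaling_prohibited:
            actions.append("nas_signaling_forbidden")  # second NAS may not send NAS signaling
        # First condition: first AS idle/released or first NAS idle/released.
        if first_as.state == AsState.IDLE or nas.mode == NasMode.IDLE:
            self.mode = NasMode.IDLE
            actions.append("second_nas_idle")
            if wants_to_send and not nas.signaling_prohibited:
                # Pending second-network traffic: have the first AS/NAS connect first.
                if first_as.state == AsState.IDLE:
                    actions.append("request_first_as_establishment")
                if nas.mode == NasMode.IDLE:
                    actions.append("request_first_nas_connected")
            return actions
        # Second condition: first AS connected, first NAS connected, access authorized.
        if first_as.state == AsState.CONNECTED and nas.mode == NasMode.CONNECTED:
            self.mode = NasMode.CONNECTED
            actions.append("second_nas_may_connect")
            if wants_to_send and not nas.signaling_prohibited:
                actions.append("send_via_first_as")
        # Remaining case (first AS inactive, first NAS connected): the claims attach
        # no operation to it, so the second NAS keeps its mode (assumption).
        return actions
```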
7. A method for access control, applied to a first communication network element, the method comprising:
establishing a first A interface connection related to a terminal and/or a second A interface connection related to the terminal for the terminal;
determining an operation with respect to the second A-interface of the terminal according to a factor associated with the first A-interface;
the first A interface is an interface between network elements in a first network, the second A interface is an interface between the first network and a second network or a proxy network element, and the proxy network element is a proxy between the first network and the second network;
wherein the factor associated with the first A-interface comprises a terminal context for the first A-interface of the terminal; the terminal context regarding the first A interface of the terminal includes: authorization information for accessing the second network, the authorization information for accessing the second network being the authorization information for the terminal to access the second network through the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
8. The method according to claim 7, wherein the proxy network element has the functions of NG interface, Xn interface and/or N3 interface proxy;
and/or,
the proxy network element proxies signaling and/or data between the RAN of the first network and the core network CN of the second network, wherein the signaling is signaling related to the terminal or signaling unrelated to the terminal.
9. The method of claim 7,
the first A interface includes at least one of:
a control plane interface between the first network RAN and the first network CN;
a user plane interface between the first network RAN and the first network CN;
an interface between the first network RAN and the first network RAN;
and/or,
the second A interface includes at least one of:
a control plane interface between the first network RAN and the second network CN;
a user plane interface between the first network RAN and the second network CN;
an interface between the first network RAN and the second network RAN;
a W interface between the first network RAN and the proxy network element, the W interface representing a control plane interface between the RAN and the CN;
a Y interface between the first network RAN and the proxy network element, the Y interface representing a user plane interface between the RAN and the CN;
a Z-interface between the first network RAN and the proxy network element, the Z-interface representing an interface between the RAN and the RAN.
10. The method of claim 7, wherein the factor associated with the first A-interface further comprises at least one of:
a state regarding the first A interface of the terminal, a connection operation regarding the first A interface of the terminal.
11. The method of claim 10,
the state regarding the first A-interface of the terminal includes at least one of: the first A interface connection of the terminal is in an idle state, the first A interface connection of the terminal is in a connected state, and the first A interface connection of the terminal is in a connection suspension state;
and/or,
the connection operation with respect to the first a interface of the terminal includes at least one of: connection establishment with respect to the first A interface of the terminal, connection release with respect to the first A interface of the terminal, connection suspension with respect to the first A interface of the terminal.
12. The method according to any of claims 7 to 11, wherein determining the operation of the second A-interface with respect to the terminal based on factors associated with the first A-interface comprises at least one of:
when the first A interface connection is released, requesting to release and/or release the second A interface connection related to the terminal;
confirming that the second A interface connection with respect to the terminal can be established when the first A interface connection is established;
when the authorization information for accessing the second network indicates that the terminal is allowed to access the second network or a network service of the second network through the first network, the operation regarding the second A interface of the terminal includes at least one of: requesting to establish the second A interface connection with respect to the terminal; establishing the second A interface connection with respect to the terminal; establishing a terminal context for the second A interface of the terminal; receiving signaling and/or data of the terminal from the second A interface related to the terminal and transmitting the signaling and/or data to the terminal; receiving signaling and/or data of the second network sent by the terminal, and sending the signaling and/or data to the second A interface related to the terminal;
when the authorization information for accessing the second network indicates that the terminal is not allowed to access the second network or a network service of the second network through the first network, the operation regarding the second A interface of the terminal includes at least one of: rejecting the request and/or rejecting the establishment of the second A interface connection with respect to the terminal; requesting release and/or releasing the second A interface connection already established with respect to the terminal; refusing to establish a terminal context for the second A interface of the terminal; requesting release and/or releasing of a terminal context that has been established with respect to the second A interface of the terminal; ignoring or discarding the signalling and/or data received from the second A interface in respect of the terminal; ignoring or discarding signalling and/or data of the second network received from the terminal.
13. An access control method applied to a proxy network element, the method comprising:
performing an operation of the second D interface according to a factor associated with the first D interface;
wherein the first D interface is an interface between a first network and a proxy network element, and the second D interface is an interface between the proxy network element and a second network; or the first D interface is an interface between the proxy network element and the second network, and the second D interface is an interface between the first network and the proxy network element;
the proxy network element is used for proxy of a first network and a second network, and the proxy network element is a network element in the first network, the second network or a third network;
the factors associated with the first D-interface include a terminal context for the first D-interface of a terminal, the terminal context for the first D-interface of a terminal including: authorization information to access the second network; the authorization information for accessing the second network is the authorization information for accessing the second network by the terminal through the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
14. The method of claim 13, wherein the interface between the first network and the proxy network element comprises at least one of:
a W interface between the first network RAN and the proxy network element, the W interface representing a control plane interface between the RAN and the CN;
a Y interface between the first network RAN and the proxy network element, the Y interface representing a user plane interface between the RAN and the CN;
a Z-interface between the first network RAN and the proxy network element, the Z-interface representing an interface between the RAN and the RAN;
and/or,
the interface between the proxy network element and the second network comprises at least one of:
a W interface between the proxy network element and the second network CN, the W interface representing a control plane interface between the RAN and the CN;
a Y interface between the proxy network element and the second network CN, the Y interface representing a user plane interface between the RAN and the CN;
a Z-interface between the proxy network element and the second network RAN, the Z-interface representing an interface between the RAN and the RAN.
15. The method of claim 13,
the factors associated with the first D-interface further include at least one of: a state of the first D-interface, signaling and/or data of the first D-interface, and a connection operation of the first D-interface.
16. The method of claim 15, wherein the state of the first D-interface comprises at least one of: idle state, connected state, suspended;
and/or,
the connection operation of the first D interface includes at least one of: connection establishment of the first D interface, connection release of the first D interface, and connection suspension of the first D interface.
17. The method of any of claims 13 to 11, wherein performing the operation of the second D-interface based on the factor associated with the first D-interface comprises at least one of:
requesting to establish a second D interface irrelevant to the terminal according to a received first D interface establishment request irrelevant to the terminal;
requesting to establish a second D interface related to a terminal according to a received first D interface establishment request related to the terminal;
and sending the signaling and/or data to the second D interface according to the received signaling and/or data of the first D interface.
18. A method for access control, applied to a third communication network element, the method comprising:
obtaining first information, the first information comprising at least one of: the capability of the terminal to access a second network through a first network, the capability of the RAN of the first network to access the second network through a proxy network element, and the subscription information of the terminal for accessing the second network through the first network;
determining authorization information for accessing the second network according to the first information, wherein the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network; the method further comprises the following steps:
sending the authorization information for accessing the second network to a terminal and/or a RAN network element of the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
19. The method of claim 18, wherein the authorization information to access the second network comprises at least one of:
whether to allow the terminal to access the second network through the first network;
network identification information of the second network allowed to be accessed through the first network;
network identification information of the second network that is not allowed to be accessed through the first network;
service type information of a network service of a second network allowed to access through the first network;
service type information of a network service of a second network that does not allow access through the first network;
information of an area of the first network authorizing access to the second network and/or a network service of the second network.
20. The method of claim 18,
the capability of the terminal to access the second network through the first network refers to the capability of activating the second NAS on the first NAS or the first AS;
and/or,
the capability of the RAN of the first network to access the second network through the proxy network element refers to the capability of establishing, for the terminal, a first interface A and a second interface A related to the terminal, wherein the first interface A is an interface between communication network elements in the first network, and the second interface A is an interface between the first network and the second network or the proxy network element;
and/or,
the subscription information of the terminal for accessing the second network through the first network comprises at least one of the following items:
whether to allow the terminal to access the second network through the first network;
network identification information of the second network allowed to be accessed through the first network;
network identification information of the second network that is not allowed to be accessed through the first network;
service type information of a network service of a second network allowed to access through the first network;
service type information of a network service of a second network that does not allow access through the first network;
information of an area of the first network authorizing access to the second network and/or a network service of the second network;
the first NAS is a NAS of the first network of the terminal, the second NAS is a NAS of the second network of the terminal, and the first AS is an AS of a RAN of the first network of the terminal.
21. The method of claim 20, wherein the second NAS is located on the first AS or wherein the second NAS is located on the first NAS.
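The authorization decision of claims 18 to 21 carried out in code, as an added example that is not part of the patent: a third-network-element function derives the authorization information from the first information, and a check the RAN or proxy can run before setting up the second A- or D-interface for the terminal. The data model, the deny-overrides-allow rule and the sample network, service and area names are assumptions.

```python
from dataclasses import dataclass

# Added example, not the patent's own text: a toy model of claims 18 to 21 in which a
# third network element derives "authorization information for accessing the second
# network" from the "first information", and the RAN or proxy later enforces it before
# establishing the second A- or D-interface. Field names, the deny-overrides-allow
# rule and the sample values used in tests are assumptions, not from the patent.

@dataclass(frozen=True)
class SubscriptionInfo:
    allowed: bool                              # may the terminal use the second network at all
    allowed_nets: frozenset = frozenset()      # second-network identifiers allowed via the first network
    denied_nets: frozenset = frozenset()       # second-network identifiers explicitly not allowed
    allowed_services: frozenset = frozenset()  # service types allowed via the first network
    denied_services: frozenset = frozenset()   # service types explicitly not allowed
    areas: frozenset = frozenset()             # first-network areas where access is authorized (empty = any)

@dataclass(frozen=True)
class FirstInformation:
    terminal_capable: bool   # terminal can activate a second NAS on its first NAS or first AS
    ran_capable: bool        # first-network RAN can reach the second network through the proxy
    subscription: SubscriptionInfo

@dataclass(frozen=True)
class AuthorizationInfo:
    allowed: bool
    allowed_nets: frozenset
    denied_nets: frozenset
    allowed_services: frozenset
    denied_services: frozenset
    areas: frozenset

def determine_authorization(info: FirstInformation) -> AuthorizationInfo:
    """Third network element: terminal capability, RAN capability and subscription must all agree."""
    sub = info.subscription
    if not (info.terminal_capable and info.ran_capable and sub.allowed):
        empty = frozenset()
        return AuthorizationInfo(False, empty, empty, empty, empty, empty)
    return AuthorizationInfo(True, sub.allowed_nets - sub.denied_nets, sub.denied_nets,
                             sub.allowed_services - sub.denied_services, sub.denied_services, sub.areas)

def is_access_authorized(auth: AuthorizationInfo, net: str, service: str, area: str) -> bool:
    """RAN or proxy check before establishing the second A- or D-interface for the terminal."""
    if not auth.allowed or net in auth.denied_nets or service in auth.denied_services:
        return False
    if auth.areas and area not in auth.areas:
        return False
    return net in auth.allowed_nets and service in auth.allowed_services
```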
22. A terminal having a first non-access stratum, NAS, associated with a first network and/or a second NAS, associated with a second network, the terminal comprising:
a first determining module, configured to determine an operation of the second NAS according to a factor associated with the first NAS and/or a factor associated with a first access stratum, AS;
wherein the first AS is associated with a first network, the factors associated with the first NAS including: a context of the first NAS; the factors associated with the first AS include: a context of the first AS;
the context of the first NAS comprises at least one of: the authorization information for accessing the second network, and/or the context of the first AS includes: authorization information to access the second network;
the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
23. A first communications network element, comprising:
an establishing module, configured to establish, for the terminal, a first A interface connection related to the terminal and/or a second A interface connection related to the terminal;
a second determining module, configured to determine an operation with respect to the second A interface of the terminal according to a factor associated with the first A interface;
the first interface A is an interface between network elements in a first network, the second interface A is an interface between the first network and a second network or a proxy network element, and the proxy network element is a proxy between the first network and the second network;
wherein the factor associated with the first A-interface comprises a terminal context for the first A-interface of the terminal; the terminal context for the first A-interface of the terminal includes: authorization information for accessing the second network, the authorization information for accessing the second network being the authorization information for the terminal to access the second network through the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
24. A proxy network element, comprising:
an execution module, configured to perform an operation of the second D interface according to a factor associated with the first D interface;
wherein the first D interface is an interface between a first network and a proxy network element, and the second D interface is an interface between the proxy network element and a second network; or the first D interface is an interface between the proxy network element and the second network, and the second D interface is an interface between the first network and the proxy network element;
wherein the proxy network element is a proxy between the first network and the second network, the proxy network element is a network element in the first network, the second network, or a third network, the factor associated with the first D-interface includes a terminal context for the first D-interface of a terminal, and the terminal context for the first D-interface of the terminal includes: authorization information for accessing the second network; the authorization information for accessing the second network is the authorization information for the terminal to access the second network through the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
25. A third communications network element, comprising:
a third obtaining module, configured to obtain first information, where the first information comprises at least one of: a capability of the terminal to access a second network through a first network, a capability of a RAN of the first network to access the second network through a proxy network element, and subscription information of the terminal for accessing the second network through the first network;
a fifth determining module, configured to determine, according to the first information, authorization information for accessing the second network, where the authorization information for accessing the second network is authorization information for the terminal to access the second network through the first network;
the third communication network element further comprises a sending module, configured to send authorization information for accessing the second network to a terminal and/or a RAN network element of the first network;
the first network is a public network, and the second network is a non-public network; or the first network is a non-public network and the second network is a public network; or the first network is a first public network and the second network is a second public network; or the first network is a first non-public network and the second network is a second non-public network.
26. A communication device, comprising: a processor, a memory, and a program stored on the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method of access control according to any one of claims 1 to 21.
27. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when executed by a processor, carries out the steps of the method of access control according to any one of claims 1 to 21.
CN201811334554.XA 2018-11-09 2018-11-09 Method and device for access control Active CN111194095B (en)
Publications (2)

Publication Number Publication Date
CN111194095A CN111194095A (en) 2020-05-22
CN111194095B true CN111194095B (en) 2022-03-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant