Disclosure of Invention
The embodiment of the invention provides a user authentication method, core network side equipment and a computer readable storage medium, which aim to solve the problem of low security of authentication and authorization by adopting a third-party authentication server in the prior art.
In order to solve the technical problem, the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a user authentication method, which is applied to a core network side device, and the method includes:
if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, acquiring the position of the UE and the identifier of the UE, wherein the PDU session request information comprises the position of the UE and the identifier of the UE;
and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the obtaining the location of the UE and the identifier of the UE if receiving a protocol data unit PDU session request message sent by a user equipment UE includes:
if the access and mobility management function (AMF) of the core network side equipment receives PDU session request information sent by the UE, the session management function (SMF) of the core network side equipment acquires the position of the UE and the identifier of the UE from the AMF;
if the position of the UE is determined to be in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area, wherein the method comprises the following steps:
if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
Optionally, if the SMF determines that the location of the UE is within the area range of a preset area and the user identifier set includes the identifier of the UE, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the position of the UE is in the area range of a preset area, the SMF sends the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the UDM sends the identifier of the UE to a unified data repository (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM;
the UDM sends the matching result to the SMF;
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
Optionally, before the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM, the method further includes:
a network exposure function (NEF) of the core network side equipment receives the user identification set sent by the edge computing platform;
and the UDR receives the user identification set sent by the NEF and stores the user identification set, wherein the position of the UDR is in the preset area.
Optionally, after the UDR receives the user identifier set sent by the NEF and stores the user identifier set, the method further includes:
the NEF receives a request sent by the edge computing platform for changing the user identification set;
and the UDR receives a request for changing the user identification set sent by the NEF and changes the user identification set.
Optionally, if the SMF determines that the user identifier set includes the identifier of the UE based on the matching result, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and the SMF receives a target UPF sent by the PCF and determines an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, the method further includes:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
In a second aspect, an embodiment of the present invention provides a core network side device, where the core network side device includes:
an obtaining module, configured to obtain a location of a User Equipment (UE) and an identifier of the UE if Protocol Data Unit (PDU) session request information sent by the UE is received, where the PDU session request information includes the location of the UE and the identifier of the UE;
and the processing module is used for allowing the UE to access to the edge computing platform corresponding to the preset area if the position of the UE is determined to be in the area range of the preset area and the user identification set comprises the identification of the UE.
Optionally, the obtaining module is configured to perform, by the SMF:
if an access and mobility management function (AMF) of the core network side equipment receives PDU session request information sent by the UE, acquiring the position of the UE and the identifier of the UE from the AMF;
the processing module is further configured to perform, by the SMF:
and if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processing module is further configured to execute, by the SMF:
if the SMF determines that the position of the UE is in the area range of a preset area, sending the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the processing module is further configured to perform, by the UDM:
sending the identifier of the UE to a unified data repository (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the processing module is further configured to perform, by the UDR:
matching the identity of the UE with the user identity set, and sending a matching result to the UDM;
the processing module is further configured to perform, by the UDM:
sending the matching result to the SMF;
the processing module is further configured to perform, by the SMF:
and if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the core network side device further includes:
a transceiver module configured to perform, by the NEF:
receiving the user identification set sent by the edge computing platform;
the transceiver module is further configured to perform, by the UDR:
and receiving the user identification set sent by the NEF, and storing the user identification set, wherein the position of the UDR is in the preset area.
Optionally, the core network side device further includes:
a change module configured to perform, by the NEF:
receiving a request sent by the edge computing platform for changing the user identification set;
the change module is further configured to perform, by the UDR:
and receiving a request for changing the user identification set sent by the NEF, and changing the user identification set.
Optionally, the processing module is further configured to execute, by the SMF:
if the SMF determines that the user identification set comprises the identification of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and receiving a target UPF sent by the PCF, and determining an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, the core network side device further includes:
an access module configured to perform, by the SMF:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
In a third aspect, an embodiment of the present invention provides a core network side device, including: a processor, a memory and a program stored on the memory and executable on the processor, which program, when executed by the processor, carries out the steps of the user authentication method according to the first aspect.
In a fourth aspect, the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the user authentication method according to the first aspect.
In the embodiment of the invention, if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, the position of the UE and the identification of the UE are obtained, wherein the PDU session request information comprises the position of the UE and the identification of the UE; and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network side equipment authenticates and authorizes the UE which is allowed to access the edge computing platform, and the user information does not need to be sent to the third party authentication server, so that the security of authentication and authorization can be improved.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart of a user authentication method provided in an embodiment of the present invention, where the method is applied to a core network side device, as shown in fig. 1, and includes the following steps:
Step 101, if protocol data unit (PDU) session request information sent by a user equipment (UE) is received, obtaining a location of the UE and an identifier of the UE, where the PDU session request information includes the location of the UE and the identifier of the UE.
The core network side device may be a 5G (5th-Generation) core network side device. The location of the UE may be obtained by obtaining DNN (Data Network Name) information of the UE, or by obtaining other information that can characterize the location of the UE. The identifier of the UE may be a SUPI (Subscription Permanent Identifier) of the UE, an S-NSSAI (Single Network Slice Selection Assistance Information) of the UE, or a GUID (Globally Unique Identifier) of the UE; any information that can identify the UE may be used as the identifier of the UE. The UE may send the PDU (Protocol Data Unit) session request information to an AMF (Access and Mobility Management Function) of the core network side device.
Step 102, if it is determined that the location of the UE is within the area range of a preset area and the user identifier set includes the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
The user identifier set may be pre-stored in the core network side device; specifically, the UDR (Unified Data Repository) of the core network side device may store the user identifier set. The user identifier set may include identifiers of UEs allowed to access the edge computing platform (MEC) corresponding to the preset area, for example the SUPI, S-NSSAI, GUID, or the like of each such UE.
In practical applications, taking the "smart campus" application scenario of edge computing as an example, the campus operator has a high requirement for authentication and authorization of UEs accessing the edge computing platform. In the prior art, a third-party server is deployed on the MEC side, and user information is sent to the third-party server for authentication and authorization. However, because the user information is sent to the third-party server, the privacy of the user and the security of the user's information cannot be protected. In the embodiment of the invention, the campus operator can provide the user identification set of the staff with MEC access authority, and the core network side equipment completes authentication and authorization, so that the risk of user information leakage can be avoided.
In the embodiment of the invention, if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, the position of the UE and the identification of the UE are obtained, wherein the PDU session request information comprises the position of the UE and the identification of the UE; and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network side equipment authenticates and authorizes the UE which is allowed to access the edge computing platform, provides the white list authentication service, and does not need to send the user information to a third party authentication server, so that the security of authentication and authorization can be improved.
Optionally, the obtaining the location of the UE and the identifier of the UE if receiving a protocol data unit PDU session request message sent by a user equipment UE includes:
if the access and mobility management function (AMF) of the core network side equipment receives PDU session request information sent by the UE, the session management function (SMF) of the core network side equipment acquires the position of the UE and the identifier of the UE from the AMF;
if the position of the UE is determined to be in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area, wherein the method comprises the following steps:
if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
As shown in fig. 2, UE 201 may send PDU session request information to AMF 202; for example, UE 201 sends a PDU Session Establishment Request message to AMF 202. After receiving the PDU session request information sent by UE 201, AMF 202 may perform SMF (Session Management Function) selection, and AMF 202 may request a connection with SMF 203 through an Nsmf_PDUSession_CreateSMContext Request message. SMF 203 may respond to AMF 202 with an Nsmf_PDUSession_CreateSMContext Response message; SMF 203 may create an SM context and respond to AMF 202 by providing an SM context identifier. After AMF 202 establishes a connection with SMF 203, AMF 202 may send the location of the UE and the identifier of the UE to SMF 203.
In practical application, the position of the UE initiating the session can first be used to screen whether the UE is located in the preset area, and the SMF then compares the identification of the UE with the user identification set. If the user identification set comprises the identification of the UE, the UE can be allowed to access the edge computing platform corresponding to the preset area. If the user identification set does not comprise the identification of the UE, the UE is not allowed to access the edge computing platform corresponding to the preset area. Because authentication is completed by the core network side equipment, user information and user privacy are protected; the stability of the authentication system depends on the stability of the core network, so the authentication system is safe and reliable; and authentication by the core network side equipment is fast, so the user's experience of accessing the network is not affected.
In this embodiment, if the access and mobility management function (AMF) of the core network side device receives PDU session request information sent by the UE, the session management function (SMF) of the core network side device obtains the location of the UE and the identifier of the UE from the AMF; if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network provides authentication and authorization service for the MEC by utilizing the existing network elements of the core network side equipment, and the cost of performing authentication and authorization can be reduced.
Optionally, if the SMF determines that the location of the UE is within the area range of a preset area and the user identifier set includes the identifier of the UE, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the position of the UE is in the area range of a preset area, the SMF sends the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the UDM sends the identifier of the UE to a unified data repository (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM;
the UDM sends the matching result to the SMF;
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
As shown in fig. 2, the SMF 203 may initiate a request to the UDM 204 (Unified Data Management) through an Nudm_SDM_Get request message, requesting to acquire user data and carrying the identifier of the UE in the request message. UDM 204 may send a query request to UDR 205 through an Nudr_DM_Query message, where the query request carries the identifier of the UE. After the UDR 205 matches the identifier of the UE with the user identifier set, it may send the matching result to the UDM 204 through an Nudr_DM_Subscribe message. The UDM 204 may send the matching result to the SMF 203 through an Nudm_SDM_Subscribe message.
The SMF may determine that the location of the UE is within the area range of the preset area by determining that the DNN information of the UE is the DNN information corresponding to the edge computing platform. If the SMF determines that the DNN information of the UE is not the DNN information corresponding to the edge computing platform, the UE may be accessed to the core network side device.
In this embodiment, if the SMF determines that the location of the UE is within the area range of the preset area, the SMF sends the identifier of the UE to the unified data management (UDM) of the core network side device; the UDM sends the identifier of the UE to a unified data repository (UDR) of the core network side equipment, wherein the UDR stores the user identifier set; the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM; the UDM sends the matching result to the SMF; if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF allows the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network provides authentication and authorization service for the MEC by utilizing the existing network elements of the core network side equipment, and the cost of performing authentication and authorization can be reduced.
Optionally, before the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM, the method further includes:
a network exposure function (NEF) of the core network side equipment receives the user identification set sent by the edge computing platform;
and the UDR receives the user identification set sent by the NEF and stores the user identification set, wherein the position of the UDR is in the preset area.
As shown in fig. 3, before NEF 210 (Network Exposure Function) receives the user identifier set sent by the edge computing platform, MEC 209 may send an access request to NEF 210, where the access request indicates that a data set needs to be established on UDR 205. When NEF 210 receives the access request from MEC 209, it may select the UDR 205 in the preset area and communicate with UDR 205 through the Nudr interface. NEF 210 may send an access request to the UDR 205 in the preset area using a Nudr_Udrelection_Get message, UDR 205 responds to NEF 210 using a Nudr_Udrelection_Get response message, and NEF 210 responds to the access request of MEC 209 and allows MEC 209 to access NEF 210.
In addition, MEC 209 may send the user identifier set to NEF 210 via an Nnef_ParameterProvision_Update message. NEF 210 may create a data set on UDR 205 via an Nudr_DM_Create message, the data set including the user identifier set, and may establish a data set ID that is associated with the MEC 209. The UDR 205 may respond to NEF 210 via an Nudr_DM_Notify message, informing NEF 210 that the data set was created successfully.
In this embodiment, the network exposure function (NEF) of the core network side device receives the user identifier set sent by the edge computing platform; and the UDR receives the user identification set sent by the NEF and stores the user identification set, wherein the position of the UDR is in the preset area. Therefore, a user information pool of the users allowed to access the edge computing platform corresponding to the preset area is established on the UDR through the NEF, deployment is convenient and rapid, user information can be uploaded to the UDR through the MEC, a third-party server is not needed, and security is high.
Optionally, after the UDR receives the user identifier set sent by the NEF and stores the user identifier set, the method further includes:
the NEF receives a request sent by the edge computing platform for changing the user identification set;
and the UDR receives a request for changing the user identification set sent by the NEF and changes the user identification set.
As shown in fig. 3, MEC 209 may send a message to NEF 210 to change the user identifier set; for example, MEC 209 may send a request to NEF 210 to change the user identifier set, and NEF 210 may delete the user identifier set stored in UDR 205 through Nudr_DM_Delete, or may change or add to the user identifier set stored in UDR 205 through Nudr_DM_Subscribe. NEF 210 may send an Nnef_EventExposure_Notify message to notify MEC 209 when the user identifier set stored by UDR 205 changes.
In this embodiment, the NEF receives a request sent by the edge computing platform to change the user identifier set; and the UDR receives a request for changing the user identification set sent by the NEF and changes the user identification set. Therefore, the user identification set can be updated in real time through the MEC, operation is convenient, and user experience is good.
Optionally, if the SMF determines that the user identifier set includes the identifier of the UE based on the matching result, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and the SMF receives a target UPF sent by the PCF and determines an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
As shown in fig. 2, SMF 203 may send a policy request to PCF 206 (Policy Control Function) through an Npcf_SMPolicyControl_Create message, where PCF 206 stores a local policy related to MEC access. PCF 206, upon receiving the policy request sent by SMF 203, may send an Npcf_SMPolicyControl_Create Response message to SMF 203, make authorization and policy decisions, and send the target UPF 207 (User Plane Function) to SMF 203.
In addition, after the target UPF 207 is determined, a session channel between the UE and the target UPF 207 may be established, and the SMF 203 may send information related to the establishment of the session channel, for example, a network address of the N3 channel corresponding to the PDU session, acceptance of the session request, and the like, to the AMF 202 through a Namf_Communication_N1N2MessageTransfer message. The AMF 202 may send the information related to the establishment of the session channel to the (R)AN 208 via an N2 PDU Session Request (NAS msg) message. The (R)AN 208 may send an AN-specific resource setup (PDU Session Establishment Accept) message to UE 201, informing UE 201 that the (R)AN N3 channel has been allocated for the PDU session.
In this embodiment, if the SMF determines that the user identifier set includes the identifier of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side device, where the policy request is used to request to determine a target user plane function (UPF); and the SMF receives a target UPF sent by the PCF and determines an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area. Therefore, the PCF is used for determining the target UPF and further determining the edge computing platform corresponding to the preset area, and the response speed of authentication and authorization can be improved.
Optionally, the method further includes:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
In this embodiment, if it is determined that the location of the UE is not within the area range of the preset area or the user identifier set does not include the identifier of the UE, the UE is accessed to the core network side device. In this way, if the UE is not allowed to access the edge computing platform corresponding to the preset area, the UE can access the network through the core network side device.
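The complete decision path described above (DNN screen, UDR match on the user identifier set, PCF-selected UPF, fallback to the core network), as an added Python sketch that is not part of the original patent text. The class and function names, the DNN, SUPI, MEC and UPF values, the fail-closed handling of an unprovisioned data set, and the rule that only the MEC associated with a data set ID may change it are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set


class Route(Enum):
    EDGE = "edge"  # session anchored on the target UPF in the preset area (MEC)
    CORE = "core"  # fallback: UE accesses the network via the core network side


@dataclass
class Udr:
    """Stand-in for the UDR: one user identifier set per data set ID."""
    owner: Dict[str, str] = field(default_factory=dict)     # data set ID -> MEC that created it
    ids: Dict[str, Set[str]] = field(default_factory=dict)  # data set ID -> allowed UE identifiers

    def create(self, dataset_id: str, mec_id: str, ue_ids) -> None:
        if dataset_id in self.owner:
            raise ValueError("data set already exists")
        self.owner[dataset_id] = mec_id
        self.ids[dataset_id] = set(ue_ids)

    def change(self, dataset_id: str, mec_id: str, add=(), remove=()) -> None:
        # Assumption: only the MEC associated with the data set ID may change it.
        if self.owner.get(dataset_id) != mec_id:
            raise PermissionError("requester is not associated with this data set")
        self.ids[dataset_id] |= set(add)
        self.ids[dataset_id] -= set(remove)

    def match(self, dataset_id: str, ue_id: str) -> bool:
        return ue_id in self.ids[dataset_id]  # KeyError if never provisioned


@dataclass(frozen=True)
class PresetArea:
    edge_dnn: str               # DNN that characterises "UE is in the preset area"
    dataset_id: str             # user identifier set for this area's MEC
    local_upfs: FrozenSet[str]  # UPFs located in the preset area


@dataclass(frozen=True)
class Decision:
    route: Route
    upf: Optional[str]
    reason: str


def smf_authorize(ue_id: str, dnn: str, area: PresetArea, udr: Udr,
                  pcf_policy: Dict[str, str]) -> Decision:
    """SMF decision; ue_id and dnn are the values the SMF obtained from the AMF."""
    # 1. Location screen: the DNN must be the one that maps to the edge platform.
    if dnn != area.edge_dnn:
        return Decision(Route.CORE, None, "dnn-not-edge")
    # 2. SMF -> UDM -> UDR match. A missing data set is treated as "no match"
    #    so that an unprovisioned area never grants edge access (fail closed).
    try:
        matched = udr.match(area.dataset_id, ue_id)
    except KeyError:
        matched = False
    if not matched:
        return Decision(Route.CORE, None, "id-not-in-set")
    # 3. PCF returns the target UPF; it must be located in the preset area.
    upf = pcf_policy.get(dnn)
    if upf not in area.local_upfs:
        return Decision(Route.CORE, None, "no-upf-in-area")
    return Decision(Route.EDGE, upf, "allowed")


def build_demo():
    """Constructed sample data: one MEC, one allowed SUPI, one local UPF."""
    udr = Udr()
    udr.create("ds-campus", "mec-209", {"imsi-001010000000001"})
    area = PresetArea("campus-mec", "ds-campus", frozenset({"upf-207"}))
    pcf_policy = {"campus-mec": "upf-207"}
    return udr, area, pcf_policy


if __name__ == "__main__":
    udr, area, policy = build_demo()
    for ue, dnn in [("imsi-001010000000001", "campus-mec"),
                    ("imsi-001010000000001", "internet"),
                    ("imsi-001010000000099", "campus-mec")]:
        print(ue, dnn, smf_authorize(ue, dnn, area, udr, policy))
```

Every path that does not end in an explicit match plus an in-area UPF returns the core-network route, which mirrors the optional fallback step of the method.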
Referring to fig. 4, fig. 4 is a schematic structural diagram of a core network side device according to an embodiment of the present invention, and as shown in fig. 4, the core network side device 300 includes:
an obtaining module 301, configured to obtain a location of a user equipment UE and an identifier of the UE if protocol data unit PDU session request information sent by the UE is received, where the PDU session request information includes the location of the UE and the identifier of the UE;
a processing module 302, configured to allow the UE to access an edge computing platform corresponding to a preset area if it is determined that the location of the UE is within an area range of the preset area and a user identifier set includes an identifier of the UE.
Optionally, the obtaining module 301 is configured to perform, by the SMF:
if an access and mobility management function (AMF) of the core network side equipment receives PDU session request information sent by the UE, acquiring the position of the UE and the identifier of the UE from the AMF;
the processing module 302 is further configured to perform, by the SMF:
and if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processing module 302 is further configured to perform, by the SMF:
if the SMF determines that the position of the UE is in the area range of a preset area, sending the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the processing module 302 is further configured to perform, by the UDM:
sending the identifier of the UE to a unified data repository (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the processing module 302 is further configured to perform, by the UDR:
matching the identity of the UE with the user identity set, and sending a matching result to the UDM;
the processing module 302 is further configured to perform, by the UDM:
sending the matching result to the SMF;
the processing module 302 is further configured to perform, by the SMF:
and if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, as shown in fig. 5, the core network side device 300 further includes:
a transceiver module 303, the transceiver module 303 configured to perform, by the NEF:
receiving the user identification set sent by the edge computing platform;
the transceiver module 303 is further configured to perform, by the UDR:
and receiving the user identification set sent by the NEF, and storing the user identification set, wherein the position of the UDR is in the preset area.
Optionally, as shown in fig. 6, the core network side device 300 further includes:
a change module 304, the change module 304 configured to perform, by the NEF:
receiving a request sent by the edge computing platform for changing the user identification set;
the change module 304 is further configured to perform, by the UDR:
and receiving a request for changing the user identification set sent by the NEF, and changing the user identification set.
Optionally, the processing module 302 is further configured to perform, by the SMF:
if the SMF determines that the user identification set comprises the identification of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and receiving a target UPF sent by the PCF, and determining an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, as shown in fig. 7, the core network side device 300 further includes:
an access module 305, the access module 305 configured to perform, by the SMF:
and if the position of the UE is determined not to be in the area range of the preset area, or the user identification set does not comprise the identification of the UE, connecting the UE to the core network side equipment.
The core network side device can implement each process implemented by the core network side device in the method embodiment shown in fig. 1, and is not described here again to avoid repetition.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a core network device according to an embodiment of the present invention, and as shown in fig. 8, the core network device 400 includes: a memory 402, a processor 401, and a program stored on the memory 402 and executable on the processor 401, wherein:
the processor 401 reads the program in the memory 402 for executing:
if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, acquiring the position of the UE and the identifier of the UE, wherein the PDU session request information comprises the position of the UE and the identifier of the UE;
and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processor 401 is configured to perform, by the SMF:
if a mobility management function (AMF) of the core network side equipment receives PDU session request information sent by UE, acquiring the position of the UE and an identifier of the UE from the AMF;
the processor 401 is further configured to perform, by the SMF:
and if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processor 401 is further configured to perform, by the SMF:
if the SMF determines that the position of the UE is in the area range of a preset area, sending the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the processor 401 is further configured to perform, by the UDM:
sending the identifier of the UE to a unified data repository (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the processor 401 is further configured to perform, by the UDR:
matching the identity of the UE with the user identity set, and sending a matching result to the UDM;
the processor 401 is further configured to perform, by the UDM:
sending the matching result to the SMF;
the processor 401 is further configured to perform, by the SMF:
and if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processor 401 is further configured to perform, by the NEF:
receiving the user identification set sent by the edge computing platform;
the processor 401 is further configured to perform, by the UDR:
and receiving the user identification set sent by the NEF, and storing the user identification set, wherein the position of the UDR is in the preset area.
Optionally, the processor 401 is configured to perform, by the NEF:
receiving a request sent by the edge computing platform for changing the user identification set;
the processor 401 is further configured to perform, by the UDR:
and receiving a request for changing the user identification set sent by the NEF, and changing the user identification set.
Optionally, the processor 401 is further configured to perform, by the SMF:
if the SMF determines that the user identification set comprises the identification of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and receiving a target UPF sent by the PCF, and determining an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, the processor 401 is further configured to perform, by the SMF:
and if the position of the UE is determined not to be in the area range of the preset area, or the user identification set does not comprise the identification of the UE, connecting the UE to the core network side equipment.
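The SMF decision flow described above (location check, UDM/UDR match, PCF policy request, fallback to the core network) can be modelled as follows. This is an added example, not part of the original document; the class and method names, the representation of the preset area as a set of cell IDs, the sample identifiers, and the fallback to the core network when the PCF returns no UPF are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class UDR:
    """Holds the user identifier set that the edge platform provisions via the NEF."""
    allowed: set = field(default_factory=set)
    queries: int = 0
    def store(self, ids):                      # NEF -> UDR: initial set
        self.allowed = set(ids)
    def change(self, add=(), remove=()):       # NEF -> UDR: change request
        self.allowed = (self.allowed | set(add)) - set(remove)
    def match(self, ue_id):                    # UDM -> UDR: matching result
        self.queries += 1
        return ue_id in self.allowed

@dataclass
class PCF:
    upf_area: dict                             # UPF name -> area where it is located
    def target_upf(self, area):
        # Only a UPF located in the preset area may be selected.
        return next((u for u, a in sorted(self.upf_area.items()) if a == area), None)

@dataclass
class SMF:
    area_name: str
    area_cells: frozenset                      # assumption: preset area = set of cell IDs
    udr: UDR
    pcf: PCF
    def handle_pdu_session(self, ue_id, ue_cell):
        # Step 1: the identifier is forwarded to UDM/UDR only if the UE is in the area.
        if ue_cell not in self.area_cells:
            return ("core", None)
        # Step 2: the UDM relays the identifier to the UDR and the result back.
        if not self.udr.match(ue_id):
            return ("core", None)
        # Step 3: policy request to the PCF; no UPF in the area means no edge access
        # (assumption: the document does not describe this case).
        upf = self.pcf.target_upf(self.area_name)
        return ("edge", upf) if upf else ("core", None)

def demo():
    udr = UDR()
    udr.store({"ue-001", "ue-002"})                           # constructed identifiers
    pcf = PCF({"upf-central": "core-dc", "upf-campus": "campus"})
    smf = SMF("campus", frozenset({"cell-17", "cell-18"}), udr, pcf)
    results = [smf.handle_pdu_session("ue-001", "cell-17"),   # in area, in set
               smf.handle_pdu_session("ue-001", "cell-99"),   # in set, outside area
               smf.handle_pdu_session("ue-003", "cell-18")]   # in area, not in set
    udr.change(remove={"ue-001"})                             # platform revokes ue-001
    results.append(smf.handle_pdu_session("ue-001", "cell-17"))
    return results, udr.queries
```

The query counter shows that the UDR is never consulted for a UE outside the preset area, and that a change to the set takes effect on the next PDU session request.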
In FIG. 8, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 401, and various circuits, represented by memory 402, being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface.
The processor 401 is responsible for managing the bus architecture and general processing, and the memory 402 may store data used by the processor 401 in performing operations.
It should be noted that any implementation manner in the method embodiment of the present invention may be implemented by the user authentication method in this embodiment, and the same beneficial effects are achieved, and details are not described here.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements each process of the user authentication method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.