CN113079505A - User authentication method, core network side device and computer readable storage medium - Google Patents


Info

Publication number
CN113079505A
Authority
CN
China
Prior art keywords
user
identifier
core network
preset area
smf
Legal status
Granted
Application number
CN201911324272.6A
Other languages
Chinese (zh)
Other versions
CN113079505B (en)
Inventor
高有军
李申
任容玮
杨二兵
禄雨丛
Current Assignee
China Mobile Information System Integration Co ltd
China Mobile Communications Group Co Ltd
China Mobile Xiongan ICT Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Xiongan ICT Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W48/00 Access restriction; Network selection; Access point selection > H04W48/02 Access restriction performed under specific conditions > H04W48/04 Access restriction performed under specific conditions based on user or terminal location or mobility data, e.g. moving direction, speed
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W76/00 Connection management > H04W76/10 Connection setup > H04W76/11 Allocation or use of connection identifiers
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W76/00 Connection management > H04W76/10 Connection setup > H04W76/15 Setup of multiple wireless link connections > H04W76/16 Involving different core network technologies, e.g. a packet-switched [PS] bearer in combination with a circuit-switched [CS] bearer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a user authentication method, a core network side device and a computer readable storage medium in the field of communications technology. The method comprises the following steps: if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, acquiring the location of the UE and the identifier of the UE, where the PDU session request information carries both the location of the UE and the identifier of the UE; and if the location of the UE is determined to lie within the area range of a preset area and the user identifier set includes the identifier of the UE, allowing the UE to access the edge computing platform corresponding to the preset area. Embodiments of the invention can improve the security of authentication and authorization.

Description

User authentication method, core network side device and computer readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a user authentication method, a core network side device, and a computer-readable storage medium.
Background
An edge computing platform is an open platform that integrates network, computing, storage and application core capabilities and provides services close to the end user, so that network services respond faster.
Currently, authentication and authorization of devices accessing an edge computing platform are usually performed by a third-party authentication server. Deploying a third-party authentication server for authentication and authorization requires sending user information to that server, so the user's privacy cannot be protected, and the security of authentication and authorization by a third-party authentication server is therefore low.
Disclosure of Invention
The embodiment of the invention provides a user authentication method, core network side equipment and a computer readable storage medium, which aim to solve the problem of low security of authentication and authorization by adopting a third-party authentication server in the prior art.
In order to solve the technical problem, the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a user authentication method, which is applied to a core network side device, and the method includes:
if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, acquiring the position of the UE and the identifier of the UE, wherein the PDU session request information comprises the position of the UE and the identifier of the UE;
and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the obtaining the location of the UE and the identifier of the UE if receiving a protocol data unit PDU session request message sent by a user equipment UE includes:
if the mobility management function AMF of the core network side equipment receives PDU session request information sent by UE, the session management function SMF of the core network side equipment acquires the position of the UE and the identifier of the UE from the AMF;
if the position of the UE is determined to be in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area, wherein the method comprises the following steps:
if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
Optionally, if the SMF determines that the location of the UE is within the area range of a preset area and the user identifier set includes the identifier of the UE, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the position of the UE is in the area range of a preset area, the SMF sends the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the UDM sends the identifier of the UE to a unified data storage (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM;
the UDM sends the matching result to the SMF;
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
Optionally, before the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM, the method further includes:
a network open function (NEF) of the core network side equipment receives the user identification set sent by the edge computing platform;
and the UDR receives the user identification set sent by the NEF and stores the user identification set, wherein the position of the UDR is in the preset area.
Optionally, after the UDR receives the user identifier set sent by the NEF and stores the user identifier set, the method further includes:
the NEF receives a request sent by the edge computing platform for changing the user identification set;
and the UDR receives a request for changing the user identification set sent by the NEF and changes the user identification set.
Optionally, if the SMF determines that the user identifier set includes the identifier of the UE based on the matching result, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF sends a policy request to a control policy function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and the SMF receives a target UPF sent by the PCF and determines an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, the method further includes:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
In a second aspect, an embodiment of the present invention provides a core network side device, where the core network side device includes:
an obtaining module, configured to obtain a location of a User Equipment (UE) and an identifier of the UE if Protocol Data Unit (PDU) session request information sent by the UE is received, where the PDU session request information includes the location of the UE and the identifier of the UE;
and the processing module is used for allowing the UE to access to the edge computing platform corresponding to the preset area if the position of the UE is determined to be in the area range of the preset area and the user identification set comprises the identification of the UE.
Optionally, the obtaining module is configured to perform, by the SMF:
if a mobility management function (AMF) of the core network side equipment receives PDU session request information sent by UE, acquiring the position of the UE and an identifier of the UE from the AMF;
the processing module is further configured to perform, by the SMF:
and if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processing module is further configured to execute, by the SMF:
if the SMF determines that the position of the UE is in the area range of a preset area, sending the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the processing module is further configured to perform, by the UDM:
sending the identifier of the UE to a unified data storage (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the processing module is further configured to perform, by the UDR:
matching the identity of the UE with the user identity set, and sending a matching result to the UDM;
the processing module is further configured to perform, by the UDM:
sending the matching result to the SMF;
the processing module is further configured to perform, by the SMF:
and if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the core network side device further includes:
a transceiver module to perform, by the NEF:
receiving the user identification set sent by the edge computing platform;
the transceiver module is further configured to perform, by the UDR:
and receiving the user identification set sent by the NEF, and storing the user identification set, wherein the position of the UDR is in the preset area.
Optionally, the core network side device further includes:
a change module to perform, by the NEF:
receiving a request sent by the edge computing platform for changing the user identification set;
the change module is further to perform, by the UDR:
and receiving a request for changing the user identification set sent by the NEF, and changing the user identification set.
Optionally, the processing module is further configured to execute, by the SMF:
if the SMF determines that the user identification set comprises the identification of the UE based on the matching result, the SMF sends a policy request to a control policy function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and receiving a target UPF sent by the PCF, and determining an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, the core network side device further includes:
an access module to perform, by the SMF:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
In a third aspect, an embodiment of the present invention provides a core network side device, including: a processor, a memory and a program stored on the memory and executable on the processor, which program, when executed by the processor, carries out the steps of the user authentication method according to the first aspect.
In a fourth aspect, the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the user authentication method according to the first aspect.
In the embodiment of the invention, if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, the position of the UE and the identification of the UE are obtained, wherein the PDU session request information comprises the position of the UE and the identification of the UE; and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network side equipment authenticates and authorizes the UE which is allowed to access the edge computing platform, and the user information does not need to be sent to the third party authentication server, so that the security of authentication and authorization can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a flowchart of a user authentication method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of information interaction between network elements of a core network side device according to an embodiment of the present invention;
fig. 3 is a second schematic diagram of information interaction between network elements of a core network side device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a core network side device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of another core network-side device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another core network side device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of another core network-side device according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of another core network device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart of a user authentication method provided in an embodiment of the present invention, where the method is applied to a core network side device, as shown in fig. 1, and includes the following steps:
step 101, if receiving protocol data unit, PDU, session request information sent by a user equipment, UE, obtaining a location of the UE and an identifier of the UE, where the PDU session request information includes the location of the UE and the identifier of the UE.
The core network side device may be a 5G (5th Generation) core network side device. Obtaining the location of the UE may mean obtaining the DNN (Data Network Name) information of the UE, or other information that can characterise the location of the UE. The UE identifier may be the SUPI (Subscription Permanent Identifier) of the UE, the S-NSSAI (Single Network Slice Selection Assistance Information) of the UE, or a GUID (Globally Unique Identifier) of the UE; any information that can identify the UE may serve as the UE identifier. The UE may send the PDU (Protocol Data Unit) session request information to the AMF (Access and Mobility Management Function) of the core network side device.
Step 102, if it is determined that the location of the UE is within the area range of a preset area and the user identifier set includes the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
The user identifier set may be pre-stored in the core network side device; specifically, the UDR (Unified Data Repository) of the core network side device may store it. The user identifier set may include the identifiers of UEs allowed to access the edge computing platform (MEC) corresponding to the preset area, for example the SUPI, S-NSSAI or GUID of those UEs.
In practical applications, taking the edge computing scenario "smart campus" as an example, the campus side has strict requirements for the authentication and authorization of UEs accessing the edge computing platform. In the prior art, a third-party server is deployed on the MEC side and user information is sent to that server for authentication and authorization. Because the user information is sent to the third-party server, the privacy of the user and the security of the user's information cannot be protected. In the embodiment of the invention, the campus side can provide the user identifier set of the staff who have MEC access authority, and the core network side device completes authentication and authorization, so the risk of user information leakage can be avoided.
In the embodiment of the invention, if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, the position of the UE and the identification of the UE are obtained, wherein the PDU session request information comprises the position of the UE and the identification of the UE; and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network side equipment authenticates and authorizes the UE which is allowed to access the edge computing platform, provides the white list authentication service, and does not need to send the user information to a third party authentication server, so that the security of authentication and authorization can be improved.
Optionally, the obtaining the location of the UE and the identifier of the UE if receiving a protocol data unit PDU session request message sent by a user equipment UE includes:
if the mobility management function AMF of the core network side equipment receives PDU session request information sent by UE, the session management function SMF of the core network side equipment acquires the position of the UE and the identifier of the UE from the AMF;
if the position of the UE is determined to be in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area, wherein the method comprises the following steps:
if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
As shown in fig. 2, UE201 may send PDU session request information to AMF202, for example a PDU Session Establishment Request message. After receiving it, AMF202 may perform SMF (Session Management Function) selection and establish a connection with SMF203 through an Nsmf_PDUSession_CreateSMContext Request message. SMF203 may respond to AMF202 with an Nsmf_PDUSession_CreateSMContext Response message: it creates an SM context and returns an SM context identifier to AMF202. After the connection between AMF202 and SMF203 is established, AMF202 may send the location of the UE and the identifier of the UE to SMF203.
In practical application, whether the UE is located in the preset area can first be screened using the location of the UE that initiates the session; the SMF then compares the identifier of the UE with the user identifier set, and if the set includes the identifier of the UE, the UE can be allowed to access the edge computing platform corresponding to the preset area. If the user identifier set does not include the identifier of the UE, the UE is not allowed to access the edge computing platform corresponding to the preset area. Authentication is completed by the core network side device, which protects user information and user privacy; the stability of the authentication system depends only on the stability of the core network, so the system is safe and reliable; and because authentication is completed by the core network side device it is fast and does not affect the user's experience of accessing the network.
In this embodiment, if the mobility management function AMF of the core network side device receives PDU session request information sent by the UE, the session management function SMF of the core network side device obtains the location of the UE and the identifier of the UE from the AMF; if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network provides authentication and authorization service for the MEC by utilizing the original network element of the core network side equipment, and the cost for performing authentication and authorization can be reduced.
Optionally, if the SMF determines that the location of the UE is within the area range of a preset area and the user identifier set includes the identifier of the UE, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the position of the UE is in the area range of a preset area, the SMF sends the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the UDM sends the identifier of the UE to a unified data storage (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM;
the UDM sends the matching result to the SMF;
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
As shown in fig. 2, SMF203 may send an Nudm_SDM_Get request message to UDM204 (Unified Data Management) to request user data, carrying the identifier of the UE in the request. UDM204 may query UDR205 with an Nudr_DM_Query message that carries the identifier of the UE. After UDR205 has matched the UE identifier against the user identifier set, it may return the matching result to UDM204 through an Nudr_DM_Subscribe message, and UDM204 may pass the matching result to SMF203 through an Nudm_SDM_Subscribe message.
The SMF determines that the location of the UE is within the area range of the preset area when the DNN information of the UE is the DNN information corresponding to the edge computing platform; if the SMF determines that the DNN information of the UE is not the DNN information corresponding to the edge computing platform, it may instead access the UE to the core network side device.
In this embodiment, if the SMF determines that the location of the UE is within the area range of the preset area, the SMF sends the identifier of the UE to the unified data management UDM of the core network side device; the UDM sends the identifier of the UE to a unified data storage (UDR) of the core network side equipment, wherein the UDR stores the user identifier set; the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM; the UDM sends the matching result to the SMF; if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF allows the UE to access an edge computing platform corresponding to the preset area. Therefore, the core network provides authentication and authorization service for the MEC by utilizing the original network element of the core network side equipment, and the cost for performing authentication and authorization can be reduced.
Optionally, before the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM, the method further includes:
a network open function (NEF) of the core network side equipment receives the user identification set sent by the edge computing platform;
and the UDR receives the user identification set sent by the NEF and stores the user identification set, wherein the position of the UDR is in the preset area.
As shown in fig. 3, before NEF210 (Network Exposure Function) receives the user identifier set sent by the edge computing platform, MEC209 may send an access request to NEF210 indicating that a data set needs to be established on UDR205. On receiving the access request from MEC209, NEF210 may select UDR205 in the preset area and communicate with it through the Nudr interface: NEF210 sends an access request to UDR205 using a Nudr_Udrelection_Get message, UDR205 answers with a Nudr_Udrelection_Get response message, and NEF210 then responds to the access request of MEC209 and allows MEC209 to access NEF210.
In addition, MEC209 may send the user identifier set to NEF210 via an Nnef_ParameterProvision_Update message. NEF210 may create a data set on UDR205 via a Nudr_DM_Create message; the data set contains the user identifier set and may be given a data set ID that is associated with MEC209. UDR205 may respond to NEF210 via a Nudr_DM_Notify message informing NEF210 that the data set was created successfully.
In this embodiment, the network open function NEF of the core network side device receives the user identifier set sent by the edge computing platform; and the UDR receives the user identification set sent by the NEF and stores the user identification set, wherein the position of the UDR is in the preset area. Therefore, a user information pool allowing users to access the edge computing platform corresponding to the preset area is established on the UDR through the NEF, deployment is convenient and rapid, user information can be uploaded to the UDR through the MEC, a third-party server is not needed, and safety is high.
Optionally, after the UDR receives the user identifier set sent by the NEF and stores the user identifier set, the method further includes:
the NEF receives a request sent by the edge computing platform for changing the user identification set;
and the UDR receives a request for changing the user identification set sent by the NEF and changes the user identification set.
As shown in fig. 3, MEC209 may send a request to NEF210 to change the user identifier set. NEF210 may delete the user identifier set stored in UDR205 through Nudr_DM_Delete, or change or add to the user identifier set stored in UDR205 through Nudr_DM_Subscribe. NEF210 may send an Nnef_EventExposure_Notify message to notify MEC209 whenever the user identifier set stored by UDR205 changes.
In this embodiment, the NEF receives a request sent by the edge computing platform to change the user identifier set; and the UDR receives a request for changing the user identification set sent by the NEF and changes the user identification set. Therefore, the user identification set can be updated in real time through the MEC, operation is convenient, and user experience is good.
Optionally, if the SMF determines that the user identifier set includes the identifier of the UE based on the matching result, the SMF allows the UE to access the edge computing platform corresponding to the preset area, including:
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF sends a policy request to a control policy function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and the SMF receives a target UPF sent by the PCF and determines an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
As shown in fig. 2, SMF203 may send a policy request to PCF206 (Policy Control Function) through an Npcf_SMPolicyControl_Create message, where PCF206 stores a local policy related to MEC access. Upon receiving the policy request sent by SMF203, PCF206 makes the authorization and policy decision, sends an Npcf_SMPolicyControl_Create Response message to SMF203, and thereby sends the target UPF207 (User Plane Function) to SMF203.
In addition, after the target UPF207 is determined, a session channel between the UE and the target UPF207 may be established, and SMF203 may send the information related to the session channel establishment, for example the network address of the N3 channel corresponding to the PDU session and the session accept, to AMF202 through a Namf_Communication_N1N2MessageTransfer message. AMF202 may send the information related to the establishment of the session channel to the (R)AN208 via an N2 PDU Session Request (NAS msg) message. The (R)AN208 may send an AN-specific resource setup (PDU Session Establishment Accept) message to UE201, informing UE201 that the (R)AN N3 channel has been allocated for the PDU session.
In this embodiment, if the SMF determines that the user identifier set includes the identifier of the UE based on the matching result, the SMF sends a policy request to the policy control function PCF of the core network side device, where the policy request is used to request to determine a target user plane function UPF; and the SMF receives the target UPF sent by the PCF and determines the edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area. Therefore, the PCF is used to determine the target UPF and thus the edge computing platform corresponding to the preset area, and the response speed of authentication and authorization can be improved.
Optionally, the method further includes:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
In this embodiment, if it is determined that the location of the UE is not within the area range of the preset area or the user identifier set does not include the identifier of the UE, the UE is accessed to the core network side device. In this way, if the UE is not allowed to access the edge computing platform corresponding to the preset area, the UE can access the network through the core network side device.
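The decision flow described in the embodiments above (location check by the SMF, identifier match via UDM/UDR, target UPF from the PCF, fall-back to the core network otherwise), together with the NEF-mediated provisioning and change of the user identifier set, as an added Python simulation that is not part of the patent; the cell-id location model, the class names and the sample identifiers are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PduSessionRequest:
    """Constructed stand-in for the PDU session request information the SMF
    obtains from the AMF: the UE identifier and the UE location (here a cell id)."""
    ue_id: str
    location: str


@dataclass(frozen=True)
class PresetArea:
    """Area range of a preset area, modelled as the cells it covers, plus the
    edge computing platform and the target UPF located inside it (assumed names)."""
    name: str
    cells: frozenset
    mec_platform: str
    target_upf: str

    def contains(self, location: str) -> bool:
        return location in self.cells


class UdrStore:
    """Stands in for the UDR holding the user identifier set of one preset area.
    Provisioning and change requests reach it from the MEC through the NEF (the
    text names Nudr_DM_Delete and Nudr_DM_Subscribe); each change is logged so
    the NEF can notify the MEC (Nnef_EventExposure_Notify)."""

    def __init__(self, area: str) -> None:
        self.area = area
        self.user_ids: set = set()
        self.notifications: list = []
        self.reachable = True   # flipped in tests to simulate an unreachable UDR

    def provision(self, ids) -> None:
        self.user_ids = set(ids)
        self.notifications.append(("provisioned", len(self.user_ids)))

    def change(self, op: str, ue_id: str) -> None:
        if op == "add":
            self.user_ids.add(ue_id)
        elif op == "delete":
            self.user_ids.discard(ue_id)
        else:
            raise ValueError(f"unknown change operation {op!r}")
        self.notifications.append((op, ue_id))

    def match(self, ue_id: str) -> bool:
        # Exact-match the identifier against the stored set; the matching
        # result travels UDR -> UDM -> SMF in the text.
        if not self.reachable:
            raise ConnectionError("UDR unreachable")
        return ue_id in self.user_ids


@dataclass(frozen=True)
class Decision:
    access: str                 # "MEC" (edge platform) or "CORE" (core network)
    platform: Optional[str] = None
    upf: Optional[str] = None
    reason: str = ""


def smf_decide(req: PduSessionRequest, area: PresetArea, udr: UdrStore) -> Decision:
    """SMF logic from the text: location check first, then identifier match via
    UDM/UDR, then the PCF-selected target UPF inside the area; every other
    outcome, including a missing matching result, falls back to core access."""
    if not area.contains(req.location):
        return Decision("CORE", reason="UE location outside preset area")
    try:
        matched = udr.match(req.ue_id)
    except ConnectionError as exc:   # fail closed: no result means no MEC access
        return Decision("CORE", reason=f"matching result unavailable: {exc}")
    if not matched:
        return Decision("CORE", reason="UE identifier not in user identifier set")
    # PCF (Npcf_SMPolicyControl_Create) returns the target UPF; the SMF maps it
    # to the edge computing platform in the same preset area.
    return Decision("MEC", platform=area.mec_platform, upf=area.target_upf,
                    reason="location and identifier checks passed")
```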
Referring to fig. 4, fig. 4 is a schematic structural diagram of a core network device according to an embodiment of the present invention, and as shown in fig. 4, the core network device 300 includes:
an obtaining module 301, configured to obtain a location of a user equipment UE and an identifier of the UE if protocol data unit PDU session request information sent by the UE is received, where the PDU session request information includes the location of the UE and the identifier of the UE;
a processing module 302, configured to allow the UE to access an edge computing platform corresponding to a preset area if it is determined that the location of the UE is within an area range of the preset area and a user identifier set includes an identifier of the UE.
Optionally, the obtaining module 301 is configured to perform, by the SMF:
if a mobility management function (AMF) of the core network side equipment receives PDU session request information sent by UE, acquiring the position of the UE and an identifier of the UE from the AMF;
the processing module 302 is further configured to perform, by the SMF:
and if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processing module 302 is further configured to perform, by the SMF:
if the SMF determines that the position of the UE is in the area range of a preset area, sending the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the processing module 302 is further configured to perform, by the UDM:
sending the identifier of the UE to a unified data storage (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the processing module 302 is further configured to perform, by the UDR:
matching the identity of the UE with the user identity set, and sending a matching result to the UDM;
the processing module 302 is further configured to perform, by the UDM:
sending the matching result to the SMF;
the processing module 302 is further configured to perform, by the SMF:
and if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, as shown in fig. 5, the core network side device 300 further includes:
a transceiver module 303, the transceiver module 303 configured to perform, by the NEF:
receiving the user identification set sent by the edge computing platform;
the transceiver module 303 is further configured to perform, by the UDR:
and receiving the user identification set sent by the NEF, and storing the user identification set, wherein the position of the UDR is in the preset area.
Optionally, as shown in fig. 6, the core network side device 300 further includes:
a change module 304, the change module 304 to perform, by the NEF:
receiving a request sent by the edge computing platform for changing the user identification set;
the change module 304 is further configured to perform, by the UDR:
and receiving a request for changing the user identification set sent by the NEF, and changing the user identification set.
Optionally, the processing module 302 is further configured to perform, by the SMF:
if the SMF determines that the user identification set comprises the identification of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and receiving a target UPF sent by the PCF, and determining an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, as shown in fig. 7, the core network side device 300 further includes:
an access module 305, the access module 305 configured to perform, by the SMF:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
The core network side device can implement each process implemented by the core network side device in the method embodiment shown in fig. 1, and is not described here again to avoid repetition.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a core network device according to an embodiment of the present invention, and as shown in fig. 8, the core network device 400 includes: a memory 402, a processor 401, and a program stored on the memory 402 and executable on the processor 401, wherein:
the processor 401 reads the program in the memory 402 for executing:
if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, acquiring the position of the UE and the identifier of the UE, wherein the PDU session request information comprises the position of the UE and the identifier of the UE;
and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processor 401 is configured to perform, by the SMF:
if a mobility management function (AMF) of the core network side equipment receives PDU session request information sent by UE, acquiring the position of the UE and an identifier of the UE from the AMF;
the processor 401 is further configured to perform, by the SMF:
and if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processor 401 is further configured to perform, by the SMF:
if the SMF determines that the position of the UE is in the area range of a preset area, sending the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the processor 401 is further configured to perform, by the UDM:
sending the identifier of the UE to a unified data storage (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the processor 401 is further configured to perform, by the UDR:
matching the identity of the UE with the user identity set, and sending a matching result to the UDM;
the processor 401 is further configured to perform, by the UDM:
sending the matching result to the SMF;
the processor 401 is further configured to perform, by the SMF:
and if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, allowing the UE to access an edge computing platform corresponding to the preset area.
Optionally, the processor 401 is further configured to perform, by the NEF:
receiving the user identification set sent by the edge computing platform;
the processor 401 is further configured to perform, by the UDR:
and receiving the user identification set sent by the NEF, and storing the user identification set, wherein the position of the UDR is in the preset area.
Optionally, the processor 401 is configured to perform, by the NEF:
receiving a request sent by the edge computing platform for changing the user identification set;
the processor 401 is further configured to perform, by the UDR:
and receiving a request for changing the user identification set sent by the NEF, and changing the user identification set.
Optionally, the processor 401 is further configured to perform, by the SMF:
if the SMF determines that the user identification set comprises the identification of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and receiving a target UPF sent by the PCF, and determining an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
Optionally, the processor 401 is further configured to perform, by the SMF:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
In FIG. 8, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 401, and various circuits, represented by memory 402, being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface.
The processor 401 is responsible for managing the bus architecture and general processing, and the memory 402 may store data used by the processor 401 in performing operations.
It should be noted that any implementation manner in the method embodiment of the present invention may be implemented by the user authentication method in this embodiment, and the same beneficial effects are achieved, and details are not described here.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements each process of the user authentication method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A user authentication method is applied to core network side equipment, and is characterized in that the method comprises the following steps:
if Protocol Data Unit (PDU) session request information sent by User Equipment (UE) is received, acquiring the position of the UE and the identifier of the UE, wherein the PDU session request information comprises the position of the UE and the identifier of the UE;
and if the position of the UE is determined to be in the area range of a preset area and the user identification set comprises the identification of the UE, allowing the UE to access an edge computing platform corresponding to the preset area.
2. The method of claim 1, wherein the obtaining the location of the UE and the identity of the UE if receiving a PDU session request message sent by a UE comprises:
if the mobility management function AMF of the core network side equipment receives PDU session request information sent by UE, the session management function SMF of the core network side equipment acquires the position of the UE and the identifier of the UE from the AMF;
if the position of the UE is determined to be in the area range of a preset area and the user identifier set comprises the identifier of the UE, allowing the UE to access an edge computing platform corresponding to the preset area, wherein the method comprises the following steps:
if the SMF determines that the position of the UE is in the area range of a preset area and the user identifier set comprises the identifier of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
3. The method of claim 2, wherein if the SMF determines that the UE is located within an area range of a preset area and a user identity set includes an identity of the UE, the SMF allows the UE to access an edge computing platform corresponding to the preset area, including:
if the SMF determines that the position of the UE is in the area range of a preset area, the SMF sends the identifier of the UE to a Unified Data Management (UDM) of the core network side equipment;
the UDM sends the identifier of the UE to a unified data storage (UDR) of the core network side equipment, wherein the UDR stores the user identifier set;
the UDR matches the identity of the UE with the user identity set and sends a matching result to the UDM;
the UDM sends the matching result to the SMF;
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF allows the UE to access an edge computing platform corresponding to the preset area.
4. The method of claim 3, wherein before the UDR matches the identity of the UE with the set of user identities and sends the matching result to the UDM, the method further comprises:
a network exposure function (NEF) of the core network side equipment receives the user identification set sent by the edge computing platform;
and the UDR receives the user identification set sent by the NEF and stores the user identification set, wherein the position of the UDR is in the preset area.
5. The method of claim 4, wherein after the UDR receives the set of user identities sent by the NEF and stores the set of user identities, the method further comprises:
the NEF receives a request sent by the edge computing platform for changing the user identification set;
and the UDR receives a request for changing the user identification set sent by the NEF and changes the user identification set.
6. The method of claim 3, wherein if the SMF determines that the UE identifier set includes the UE identifier based on the matching result, the SMF allowing the UE to access the edge computing platform corresponding to the preset area comprises:
if the SMF determines that the user identifier set comprises the identifier of the UE based on the matching result, the SMF sends a policy request to a policy control function (PCF) of the core network side equipment, wherein the policy request is used for requesting to determine a target User Plane Function (UPF);
and the SMF receives a target UPF sent by the PCF and determines an edge computing platform corresponding to the target UPF, wherein the position of the target UPF is in the preset area.
7. The method of claim 1, further comprising:
and if the position of the UE is determined not to be in the area range of the preset area or the user identification set does not comprise the identification of the UE, accessing the UE to the core network side equipment.
8. A core network side device, wherein the core network side device includes:
an obtaining module, configured to obtain a location of a User Equipment (UE) and an identifier of the UE if Protocol Data Unit (PDU) session request information sent by the UE is received, where the PDU session request information includes the location of the UE and the identifier of the UE;
and the processing module is used for allowing the UE to access to the edge computing platform corresponding to the preset area if the position of the UE is determined to be in the area range of the preset area and the user identification set comprises the identification of the UE.
9. A core network side device, comprising: a processor, a memory and a program stored on the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the user authentication method as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium, comprising: a processor, a memory and a program stored on the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the user authentication method as claimed in any one of claims 1 to 7.
CN201911324272.6A 2019-12-18 2019-12-18 User authentication method, core network side device and computer readable storage medium Active CN113079505B (en)
Publications (2)

Publication Number Publication Date
CN113079505A true CN113079505A (en) 2021-07-06
CN113079505B CN113079505B (en) 2023-03-21

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190007992A1 (en) * 2017-07-03 2019-01-03 Electronics And Telecommunications Research Institute Network triggered service request method and user equipment (ue) triggered service request method
CN110035562A (en) * 2018-01-12 2019-07-19 华为技术有限公司 Session management method, device and system
CN110199513A (en) * 2017-07-20 2019-09-03 华为国际有限公司 Session processing method and device
CN110234112A (en) * 2018-03-05 2019-09-13 华为技术有限公司 Message processing method, system and user plane function device
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20231206
Address after: No. 88 Aowei Road South, Rongcheng County, Baoding City, Hebei Province, 071799
Patentee after: China Mobile xiongan information and Communication Technology Co.,Ltd.; CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.; China Mobile Information System Integration Co.,Ltd.
Address before: 071700 No.88, South Aowei Road, Rongcheng County, Baoding City, Hebei Province
Patentee before: China Mobile xiongan information and Communication Technology Co.,Ltd.; CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.