CN113556746A - Access control method and communication equipment - Google Patents

Access control method and communication equipment

Info

Publication number: CN113556746A
Authority: CN (China)
Prior art keywords: npn, certificate, information, network, access
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202110078153.8A
Other languages: Chinese (zh)
Inventor: 柯小婉
Current Assignee: Vivo Mobile Communication Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Vivo Mobile Communication Co Ltd
Application filed by Vivo Mobile Communication Co Ltd
Priority to PCT/CN2021/086626 (WO2021208857A1)
Publication of CN113556746A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery

Abstract

The embodiment of the invention provides an access control method and communication equipment, wherein the access control method comprises the following steps: sending first information. The first information includes at least one of: information of a first NPN, index information of a second network, first indication information, second indication information, third indication information, fourth indication information, indication information for requesting certificate downloading, indication information for requesting a first access mode, type information of the first access mode, and type information of the certificate downloading mode. The information of the first NPN is used for at least one of the following: requesting access to the first NPN, requesting access to the first NPN through a second certificate, and requesting access to an NPN type network. The first indication information is used for requesting the authority to access the first NPN; the second indication information is used for requesting a certificate of the first NPN; the third indication information is used for requesting the authority to access the first NPN through the second certificate; the fourth indication information is used for requesting the authority to access the NPN type network through the second certificate.

Description

Access control method and communication equipment
Technical Field
The embodiment of the invention relates to the technical field of wireless communication, in particular to an access control method and communication equipment.
Background
At present, enterprises can deploy Non-Public Networks (NPN) with communication network technology; an NPN serves the internal services of an enterprise or is dedicated to its employees. Non-public networks are distinguished from the public network services that operators provide to public users. An NPN is deployed over a small area and its service may be dedicated, so the number of NPNs a terminal may need to access can be large. Generally, a terminal accessing a network needs to hold a certificate that the network can authenticate, and configuring certificates for every NPN a terminal may access can be a tedious job. In addition, unlike an operator, an NPN may not be able to pre-configure a Universal Subscriber Identity Module (USIM) for the terminal and store the credentials for accessing the network in the USIM. Therefore, how to effectively implement certificate configuration and network access control for a terminal is a technical problem that urgently needs to be solved.
Disclosure of Invention
The embodiment of the invention provides an access control method and communication equipment, which are used for solving the problem of how to effectively realize certificate configuration and network access control of a terminal.
In order to solve the technical problem, the invention is realized as follows:
In a first aspect, an embodiment of the present invention provides an access control method, applied to a first communication device, including:
sending first information;
wherein the first information comprises at least one of: information of a first non-public network (NPN), index information of a second network, first indication information, second indication information, third indication information, fourth indication information, indication information for requesting certificate downloading, indication information for requesting a first access mode, type information of the first access mode, and type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority to access the first NPN, requesting a certificate of the first NPN, requesting access to the first NPN through a second certificate, and requesting access to an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or used for requesting the authority of accessing the network at present, or used for requesting the authority of accessing the NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or requesting a certificate of a current access network, or requesting a certificate of an access NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing the NPN type network through the second certificate or requesting the authority of accessing the NPN type network through the certificate of the current access network;
the second certificate comprises a certificate already possessed by the first communication device;
the first access mode includes: an access mode for accessing the first network in order to download a certificate for accessing the second network; the first network and the second network are the same network or different networks;
the type information of the first access mode indicates at least one of: a first access mode of a control plane type and a first access mode of a user plane type;
the type information of the certificate downloading mode indicates at least one of the following items: control plane type certificate downloading mode and user plane type certificate downloading mode.
In a second aspect, an embodiment of the present invention provides an access control method, applied to a second communications device, including:
acquiring first information;
executing a first operation according to the first information;
wherein the performing the first operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether the terminal is allowed to acquire the authority of accessing the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
confirming that the terminal is configured with the certificate information of the second NPN, or confirming that the terminal is added with the authority of accessing the third NPN through the second certificate, or confirming that the terminal is added with the authority of accessing the NPN type network through the second certificate;
determining a first server;
determining a second server;
determining second information;
initiating a certificate configuration request or a configuration updating request of the terminal to the first server and/or the second server;
sending second information to the first server and/or the second server;
wherein the first server is one of: a configuration server for configuring the certificate of the second NPN for the terminal, a configuration server for the certificate of the NPN that the terminal requests to access, or the server that the terminal needs to access in order to download the NPN certificate; the second server is a configuration server for configuring the second certificate for the terminal; the second information includes all or part of the first information.
In a third aspect, an embodiment of the present invention provides an access control method, which is applied to a third communication device, and includes:
acquiring first information or second information;
executing a second operation according to the first information or the second information;
wherein the performing the second operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
configuring certificate information of a second NPN for the terminal, or adding the authority of accessing a third NPN through the second certificate for the terminal, or adding the authority of accessing an NPN type network through the second certificate for the terminal;
sending certificate information of a second NPN or sending update information of a second certificate;
wherein the second certificate comprises a certificate that the terminal already has;
the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
The third NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
the second NPN is the same as or different from the third NPN.
In a fourth aspect, an embodiment of the present invention provides an access control method, which is applied to a fourth communication device, and includes:
acquiring third information; wherein the third information includes at least one of certificate information of the second NPN and update information of the second certificate; the second certificate comprises a certificate already possessed by the first communication device; the second NPN is one or more NPNs;
according to the third information, executing the operation of accessing a second NPN or a fourth network;
wherein the fourth network is one of: other networks different from the second NPN, other networks different from the second network;
the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
the credential information of the current access network comprises at least one of: information of the networks that may be accessed with the credentials of the current access network, indication information that the requested NPN may be accessed with the credentials of the current access network, and indication information that NPN type networks may be accessed with the credentials of the current access network;
the update information of the second certificate includes at least one of: information of the networks that may be accessed through the second certificate, permission to access the NPN type network through the second certificate, an indication that the requested NPN may be accessed through the second certificate, and an indication that the NPN type network may be accessed through the second certificate.
In a fifth aspect, an embodiment of the present invention provides a communication device, where the communication device is a first communication device, and the communication device includes:
the sending module is used for sending first information;
wherein the first information comprises at least one of: information of a first non-public network (NPN), index information of a second network, first indication information, second indication information, third indication information, fourth indication information, indication information for requesting certificate downloading, indication information for requesting a first access mode, type information of the first access mode, and type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority to access the first NPN, requesting a certificate of the first NPN, requesting access to the first NPN through a second certificate, and requesting access to an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or used for requesting the authority of accessing the network at present, or used for requesting the authority of accessing the NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or requesting a certificate of a current access network, or requesting a certificate of an access NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing the NPN type network through the second certificate or requesting the authority of accessing the NPN type network through the certificate of the current access network;
the second certificate comprises a certificate already possessed by the first communication device;
the first access mode includes: an access mode for accessing the first network in order to download a certificate for accessing the second network; the first network and the second network are the same network or different networks;
the type information of the first access mode indicates at least one of: a first access mode of a control plane type and a first access mode of a user plane type;
the type information of the certificate downloading mode indicates at least one of the following items: control plane type certificate downloading mode and user plane type certificate downloading mode.
In a sixth aspect, an embodiment of the present invention provides a communication device, where the communication device is a second communication device, and the communication device includes:
the first acquisition module is used for acquiring first information;
the first execution module is used for executing a first operation according to the first information;
wherein the performing the first operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether the terminal is allowed to acquire the authority of accessing the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
confirming that the terminal is configured with the certificate information of the second NPN, or confirming that the terminal is added with the authority of accessing the third NPN through the second certificate, or confirming that the terminal is added with the authority of accessing the NPN type network through the second certificate;
determining a first server;
determining a second server;
determining second information;
initiating a certificate configuration request or a configuration updating request of the terminal to the first server and/or the second server;
sending second information to the first server and/or the second server;
wherein the first server is one of: a configuration server for configuring the certificate of the second NPN for the terminal, a configuration server for the certificate of the NPN that the terminal requests to access, or the server that the terminal needs to access in order to download the NPN certificate; the second server is a configuration server for configuring the second certificate for the terminal; the second information includes all or part of the first information.
In a seventh aspect, an embodiment of the present invention provides a communication device, where the communication device is a third communication device, and the communication device includes:
the second acquisition module is used for acquiring the first information or the second information;
the second execution module is used for executing second operation according to the first information or the second information;
wherein the performing the second operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
configuring certificate information of a second NPN for the terminal, or adding the authority of accessing a third NPN through the second certificate for the terminal, or adding the authority of accessing an NPN type network through the second certificate for the terminal;
sending certificate information of a second NPN or sending update information of a second certificate;
wherein the second certificate comprises a certificate that the terminal already has;
the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
the third NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
the second NPN is the same as or different from the third NPN.
In an eighth aspect, an embodiment of the present invention provides a communication device, where the communication device is a fourth communication device, and the communication device includes:
the third acquisition module is used for acquiring third information; wherein the third information includes at least one of certificate information of the second NPN and update information of the second certificate; the second certificate comprises a certificate already possessed by the first communication device; the second NPN is one or more NPNs;
the third execution module is configured to execute an operation of accessing a second NPN or a fourth network according to the third information;
wherein the fourth network is one of: other networks different from the second NPN, other networks different from the second network;
the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
the credential information of the current access network comprises at least one of: information of the networks that may be accessed with the credentials of the current access network, indication information that the requested NPN may be accessed with the credentials of the current access network, and indication information that NPN type networks may be accessed with the credentials of the current access network;
the update information of the second certificate includes at least one of: information of the networks that may be accessed through the second certificate, permission to access the NPN type network through the second certificate, an indication that the requested NPN may be accessed through the second certificate, and an indication that the NPN type network may be accessed through the second certificate.
In a ninth aspect, an embodiment of the present invention provides a communication device, which includes a processor, a memory, and a computer program stored on the memory and executable on the processor, where the computer program, when executed by the processor, implements the steps of the access control method provided in the first aspect, or implements the steps of the access control method provided in the second aspect, or implements the steps of the access control method provided in the third aspect, or implements the steps of the access control method provided in the fourth aspect.
In a tenth aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the steps of the access control method provided in the first aspect, or implements the steps of the access control method provided in the second aspect, or implements the steps of the access control method provided in the third aspect, or implements the steps of the access control method provided in the fourth aspect.
In the embodiment of the invention, when access permission for an NPN is requested, the network can decide either to distribute the corresponding NPN certificate or to add the access permission for the requested NPN to the existing certificate of the terminal; when access permission for a plurality of NPNs is requested, the network can distribute only one NPN certificate through which the plurality of NPNs can be accessed, or the network can add the access permission for the requested NPNs to the existing certificate of the terminal. Therefore, certificate configuration and network access control of the terminal can be effectively realized.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a flowchart illustrating an access control method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an access control method according to another embodiment of the present invention;
fig. 3 is a flowchart illustrating an access control method according to another embodiment of the present invention;
fig. 4 is a flowchart illustrating an access control method according to another embodiment of the present invention;
fig. 5 is a flowchart illustrating an access control method according to an embodiment of the present invention;
fig. 6 is a block diagram of a communication device provided by the present invention;
fig. 7 is a block diagram of another communication device provided by the present invention;
fig. 8 is a block diagram of another communication device provided by the present invention;
fig. 9 is a block diagram of another communication device provided by the present invention;
fig. 10 is a block diagram of another communication device provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "comprises," "comprising," or any other variation thereof, in the description and claims of this application, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Furthermore, the use of "and/or" in the specification and claims means at least one of the connected objects; for example, "A and/or B" covers three cases: A alone, B alone, and both A and B.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as an example, illustration or description. Any embodiment or design described as "exemplary" or "for example" in an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "for example" is intended to present related concepts in a concrete fashion.
In this embodiment of the present invention, optionally, the obtaining may be understood as obtaining from configuration, receiving after a request, obtaining by self-learning, deriving from unreceived information, or obtaining after processing received information, which may be determined according to actual needs, and is not limited in this embodiment of the present invention.
Optionally, the sending may include broadcasting, broadcasting in a system message, and returning after responding to the request.
In one embodiment of the present invention, NPN is the abbreviation of non-public network. The non-public network may also be referred to as a non-public communication network. The non-public network may include at least one of the following deployment modes: a physical non-public network, a virtual non-public network, and a non-public network implemented on a public network. In one embodiment, the non-public network is a public-network-integrated NPN (PNI NPN), realized by supporting a Closed Access Group (CAG) in the operator's PLMN; a CAG may consist of a group of terminals. In another embodiment, the non-public network is a stand-alone NPN (SNPN). The network identifier of an SNPN may consist of a PLMN ID and a NID.
In one embodiment of the present invention, the term non-public network service is used as a short form. The non-public network service may also be referred to as one of the following: a network service of a non-public network, a non-public communication service, a non-public network communication service, or other nomenclature. It should be noted that the naming method in the embodiment of the present invention is not particularly limited. In one embodiment, the non-public network is a closed access group, and in this case the non-public network service is the network service of the closed access group.
In one embodiment of the invention, the non-public network may comprise or be referred to as a private network. The private network may be referred to as one of the following: a private communication network, a Local Area Network (LAN), a Private Virtual Network (PVN), an isolated communication network, or other nomenclature. It should be noted that the naming method in the embodiment of the present invention is not particularly limited.
In one embodiment of the invention, the non-public network service may comprise or be referred to as a private network service. The private network service may be referred to as one of the following: a network service of a private network, a private communication service, a Local Area Network (LAN) service, a Private Virtual Network (PVN) service, an isolated communication network service, or other nomenclature. It should be noted that the naming method in the embodiment of the present invention is not particularly limited.
In one embodiment of the invention, the term public network is used as a short form. The public network may also be referred to as a public communication network or by other nomenclature. It should be noted that the naming method in the embodiment of the present invention is not particularly limited.
In one embodiment of the present invention, the term public network service is used as a short form. The public network service may also be referred to as one of the following: a network service of a public network, a public communication service, a public network communication service, or other nomenclature. It should be noted that the naming method in the embodiment of the present invention is not particularly limited.
To effectively support a terminal accessing multiple NPNs, one certificate for accessing an NPN may grant access to several NPNs. One way is direct access, for example accessing NPN1 with the credentials of NPN1; another way is indirect access, for example accessing NPN1 with the credentials of NPN2 or of a PLMN.
To effectively implement network access control for a terminal, the following problems also need to be solved:
Problem 1: when a UE wants to access NPN1 but has not yet been provisioned with NPN1 credentials, the UE may request access to NPN1 from the network. When the UE already holds the credentials of NPN2 or of a PLMN, the UE may request additional access to other networks such as NPN1, and the network decides whether to configure the UE with NPN1 credentials or to add NPN1 to the networks that the credentials the UE already holds may access. This, however, requires authorization to be provisioned by the network and/or the UE's subscription to be updated. At present the network does not know which NPN access rights the UE actually wants to acquire, nor which networks the UE wants added to those its existing credentials can already access.
Problem 2: when a UE wants to access NPN1 and NPN2 but has not yet been configured with NPN1 and NPN2 certificates, the UE requests, while in NPN1, authorization to access the network or a certificate of the current network, and the network is not aware that the UE also has access authorization requests for other NPNs (e.g., NPN2) beyond the request for NPN1. In addition, the certificate configuration servers of different NPNs may differ. In the control plane method, a network element such as the AMF receives the UE's request and then obtains the certificate configuration for the UE's access network from a certificate configuration server, directly or indirectly. If the NPN whose certificate or access right the UE wants differs from the currently accessed NPN, the network does not know how to select the NPN certificate configuration server for the UE.
One solution is for the UE to provide, when requesting a subscription to an NPN, a list of the NPN networks it wants to access. In the control plane approach, the network (such as the AMF) requests NPN credentials from the configuration server on behalf of the UE; when the configuration servers of different NPNs differ, the configuration server can be selected according to the list of NPN networks the UE requested access to. The certificate the network configures for the UE includes the list of NPNs the certificate can access. In the user plane approach, the terminal may request the NPN certificate directly from the configuration server.
In an alternative embodiment of the invention, the NPN includes, but is not limited to, one of the following: SNPN (stand-alone NPN), PNI NPN (public network integrated NPN). In an alternative embodiment of the invention, the network type of the second network may include, but is not limited to, one of the following: PLMN, SNPN, NPN (e.g., SNPN or PNI NPN), etc.
In an alternative embodiment of the present invention, the certificate may be referred to as a subscription certificate. The certificate of the network may be referred to as a subscription certificate of the network. The terminal configured with the certificate also has a subscription certificate in the network.
In an alternative embodiment of the present invention, the certificate of the network (e.g. the certificate of the first NPN, the certificate of the second network, the certificate of the NPN) is a certificate of the network configured for the terminal. The certificate of the network enables authentication of the terminal through the network.
In an optional embodiment of the invention, the certificate of the network may comprise at least one of: subscription information of the terminal in the network, a long-term key (or keys), also called the root key, and a subscription identifier (e.g. SUPI). The subscription identifier uniquely identifies the subscription. The certificate of the network can be used for mutual authentication between the terminal and the network. After the terminal obtains the subscription identifier, it uses the subscription identifier as, or derives from it, its identifier in the network when accessing the network. The subscription identifier comprises an identifier of the network and a terminal identifier. The network comprises at least one of: NPN, PLMN. The certificate of the first NPN and the certificate of the second network in this text conform to this definition of the certificate of a network. In an embodiment of the present invention, the network includes, but is not limited to, one of: a first NPN, a second network, and an NPN, giving respectively a first NPN certificate, a second network certificate and an NPN certificate.
In an alternative embodiment of the present invention, the certificate of a third party is a certificate configured for the terminal that is of a different type from the certificate of a network. The third party can be a terminal manufacturer or an application, so the certificate may be one configured for the terminal by the terminal manufacturer or a certificate of an application (APP). The third party's credentials may include, but are not limited to, at least one of: the subscription information of the terminal at the third party, a long-term key (or keys) or a password, and the subscription identifier of the terminal at the third party (e.g., IMSI, PEI, or a username and/or key).
In an alternative embodiment of the invention, requesting access to the network (first NPN) comprises requesting a certificate enabling the terminal to authenticate through said network, said certificate being either a certificate of the terminal at the network or a certificate outside the network (e.g. a certificate of the service provider, a certificate of a network other than the network, or a certificate of a third party).
In an optional embodiment of the invention, the information about the networks that the certificate of the first NPN is allowed to access comprises authentication of the terminal by the network and/or authentication of the network by the terminal. Such a network is one that allows access through the certificate of the first NPN, and includes the first NPN itself.
In an optional embodiment of the invention, the information about the networks that the certificate of the second NPN is allowed to access comprises authentication of the terminal by the network and/or authentication of the network by the terminal. Such a network is one that allows access through the certificate of the second NPN, and includes the second NPN itself.
In an optional embodiment of the invention, the information about the networks that the NPN certificate is allowed to access includes authentication of the NPN certificate by the network and/or authentication of the network by the terminal. Such a network is one that allows access through the NPN certificate, and includes the NPN itself.
In an optional embodiment of the invention, the information about the networks that allow access through the certificate of the second network comprises authentication of the second certificate by the network and/or authentication of the terminal by the network. Such a network is one that allows access through the certificate of the second network, and includes the second network itself.
In an optional embodiment of the present invention, the information of the NPN includes identification information of the NPN.
In an optional embodiment of the invention, the information of the network comprises identification information of the network.
In an optional embodiment of the invention, the communication device may comprise at least one of: a communication network element and a terminal.
In an embodiment of the present invention, the communication network element may include at least one of the following: a core network element and a radio access network element.
In the embodiment of the present invention, the core network element (CN element) may include, but is not limited to, at least one of the following: core network equipment, core network nodes, core network functions, core network elements, Mobility Management Entity (MME), Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Serving Gateway (SGW), PDN Gateway (PGW), Policy Control Function (PCF), Policy and Charging Rules Function (PCRF), Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS) and Application Function (AF).
In this embodiment of the present invention, the RAN network element may include, but is not limited to, at least one of the following: radio access network equipment, radio access network nodes, radio access network functions, radio access network units, 3GPP radio access networks, non-3GPP radio access networks, Centralized Units (CU), Distributed Units (DU), base stations, evolved Node Bs (eNB), 5G base stations (gNB), Radio Network Controllers (RNC), base stations (NodeB), Non-3GPP Interworking Functions (N3IWF), Access Control (AC) nodes, Access Point (AP) devices or Wireless Local Area Network (WLAN) nodes.
In the embodiment of the present invention, the terminal may include a relay supporting terminal functions and/or a terminal supporting relay functions. The terminal may also be referred to as a terminal device or User Equipment (UE); the terminal may be a mobile phone, a tablet personal computer, a laptop computer, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), a wearable device, or a vehicle-mounted device. It should be noted that the specific type of terminal is not limited in the embodiments of the present invention.
In an optional embodiment of the present invention, the first access mode is an access mode in which a first network is accessed in order to download a certificate for accessing a second network. A first access mode of the control plane type is one in which the first network is accessed in order to download a certificate for accessing the second network and the certificate is downloaded by a control plane type certificate download method. A first access mode of the user plane type is one in which the first network is accessed in order to download a certificate for accessing the second network and the certificate is downloaded by a user plane type certificate download method. The first network and the second network may be the same network or different networks.
In an optional embodiment of the invention, requesting the right to access the first NPN includes requesting a certificate of the first NPN, the certificate of the first NPN being used to access the first NPN.
In an optional embodiment of the present invention, the type information of the first access mode includes type information of the first access mode supported and/or requested by the terminal.
In an optional embodiment of the present invention, the type information of the certificate downloading manner includes type information of a certificate downloading manner supported and/or requested by the terminal.
In an optional embodiment of the present invention, the address information of the first server includes at least one of: the IP address of the first server, the MAC address of the first server, and the port number of the first server.
In an optional embodiment of the present invention, the certificate for accessing the NPN includes a certificate of the NPN.
The following describes an access control method according to an embodiment of the present invention in detail.
Referring to fig. 1, an embodiment of the present invention provides an access control method applied to a first communication device; the first communication device includes but is not limited to: a terminal; the method comprises the following steps:
Step 11: send first information.
Wherein the first information may include at least one of: the index information of the first NPN, the index information of the second network, the first indication information, the second indication information, the third indication information and the fourth indication information.
The information of the first NPN may include identifiers of one or more NPNs.
The information of the first NPN can be used for at least one of the following: requesting the right to access the first NPN, requesting a certificate of the first NPN, requesting access to the first NPN through a second certificate, and requesting access to an NPN-type network.
The first indication information is used to request the right to access the first NPN, the right to access the current network, or the right to access an NPN-type network.
The second indication information is used to request a certificate of the first NPN, a certificate of the current access network, or a certificate for accessing an NPN-type network.
The third indication information is used to request the right to access the first NPN through the second certificate, or the right to access the first NPN through the certificate of the current access network.
The fourth indication information is used to request the right to access an NPN-type network through the second certificate, or the right to access an NPN-type network through the certificate of the current access network.
The second certificate may be a certificate already possessed by the first communication device.
The first access mode is an access mode in which a first network is accessed in order to download a certificate for accessing a second network; the first network and the second network may be the same network or different networks.
The type information of the first access mode indicates at least one of: a first access mode of the control plane type and a first access mode of the user plane type.
The type information of the certificate download mode indicates at least one of: a control plane type certificate download mode and a user plane type certificate download mode. The certificate the first communication device already has may be one of: a certificate of the second network, a certificate of a third party, or a certificate of a service provider that the first communication device already has. The certificate of a third party is a certificate of a different type from the certificate of a network, such as a certificate of a terminal manufacturer or a certificate of an application (APP). The service provider includes, but is not limited to, one of: a second network (e.g., a PLMN, or an NPN such as an SNPN or PNI NPN), or a third party.
Optionally, the index information of the second network may include: identification information of the second network. The identification information of the second network may comprise a terminal identification of the terminal in the second network and be transmitted to the network.
In one embodiment, the first NPN requested may be one of: all NPNs, one NPN, a plurality of NPNs.
In one embodiment, the second network may be a different network than the first NPN. The second network may include, but is not limited to: NPN other than the first NPN, PLMN, PNI NPN.
In one embodiment, the first information is sent to the target. The target end comprises: core network elements (e.g., AMF). The core network element may be one of: a core network element of a first NPN, a core network element of a second network, or a core network element of a third network.
In one embodiment, requesting access to the first NPN comprises requesting a certificate that enables the first communication device to authenticate through the first NPN, which may be the certificate of the first NPN or a certificate of a third party other than the first NPN, such as a certificate of the second network. When there are a plurality of NPN's in the first NPN, the certificate may be a certificate of a part of the first NPN. For example, the first NPN includes NPN1 and NPN 2. The first communication device may be provided with a certificate of NPN1, said certificate of NPN1 enabling authentication of the first communication device by means of NPN1 and NPN 2.
Optionally, the current access network is a network that receives the first information. In one embodiment, the current access network may be one of: a first NPN, a second network, or a third network. When the first NPN includes a plurality of NPN, the current access network may be one of the first NPN.
The first information includes combinations of items including, but not limited to, the following embodiments:
1) in one embodiment, the first information includes only: information of the first NPN.
2) In another embodiment, the first information includes: first indication information. It is understood that, in the case where the first indication information is used to request the current access right to the network or to request the access right to the NPN-type network, the first NPN information may not be included.
3) In another embodiment, the first information includes: second indication information. It is to be understood that, in the case where the second indication information is used to request a certificate of the current access network or a certificate for accessing an NPN-type network, the information of the first NPN may not be included.
4) In another embodiment, the first information includes: fourth indication information. It is to be understood that, in the case where the fourth indication information is used to request the right to access an NPN-type network through the certificate of the current access network, the information of the first NPN may not be included.
5) In another embodiment, the first information includes: information of the first NPN and first indication information. It is understood that, in the case that the first indication information is used for requesting the right to access the first NPN, the information of the first NPN needs to be provided.
6) In another embodiment, the first information includes: information of the first NPN and second indication information. It is understood that the second indication information is used for requesting the certificate of the first NPN, and the information of the first NPN needs to be provided.
7) In another embodiment, the first information includes: information of the first NPN and third indication information. It is understood that the third indication information is used for requesting the right to access the first NPN through the second certificate, or in a case where the third indication information is used for requesting the right to access the first NPN through the certificate of the current access network, the information of the first NPN needs to be provided.
8) In another embodiment, the first information includes: third indication information and index information of the second network. It is understood that the third indication information may be used to request the right to access the first NPN through the second certificate; if the currently accessed network is not the second network, index information of the second network needs to be provided.
9) In another embodiment, the first information includes: fourth indication information and index information of the second network. It is understood that said fourth indication information may be used to request the right to access an NPN-type network through a second certificate; if the currently accessed network is not the second network, index information of the second network needs to be provided.
10) In another embodiment, the first information includes: the first NPN information, the third indication information and the index information of the second network. It is understood that the third indication information may be used to request the right to access the first NPN through the second certificate; if the currently accessed network is the third network, index information of the second network and information of the first NPN need to be provided.
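The composition rules in embodiments 1) to 10) above can be checked mechanically. The following validator is an added example written for this page, not code from the patent or from any 3GPP implementation; the field names (first_npn, second_network_index, ...), the indication purposes and the reading of embodiment 8) (the terminal is currently accessing the first NPN, so its identifier need not be repeated) are assumptions.

```python
"""Validator for the composition rules of the 'first information' message (step 11).

Illustrative code added for this page; not code from the patent or any 3GPP stack.
Field names, indication purposes and the treatment of embodiment 8 are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Purposes a terminal may express with each indication, as described in the text.
FIRST_IND_FIRST_NPN = "right to access the first NPN"
FIRST_IND_CURRENT = "right to access the current network"
FIRST_IND_NPN_TYPE = "right to access an NPN-type network"
SECOND_IND_FIRST_NPN = "certificate of the first NPN"
SECOND_IND_CURRENT = "certificate of the current access network"
SECOND_IND_NPN_TYPE = "certificate for an NPN-type network"
THIRD_IND_SECOND_CERT = "access the first NPN via the second certificate"
THIRD_IND_CURRENT_CERT = "access the first NPN via the current network's certificate"
FOURTH_IND_SECOND_CERT = "access an NPN-type network via the second certificate"
FOURTH_IND_CURRENT_CERT = "access an NPN-type network via the current network's certificate"


@dataclass
class FirstInformation:
    first_npn: List[str] = field(default_factory=list)  # identifiers of the requested NPN(s)
    second_network_index: Optional[str] = None           # identification of the second network
    first_ind: Optional[str] = None
    second_ind: Optional[str] = None
    third_ind: Optional[str] = None
    fourth_ind: Optional[str] = None


def validate_first_information(info: FirstInformation, current_network: str,
                               second_network: Optional[str],
                               current_is_first_npn: bool = False) -> List[str]:
    """Return the rule violations found (an empty list means well formed).

    current_network: the network receiving the message (first NPN, second or third network).
    second_network: the network whose certificate the terminal already holds, if any.
    current_is_first_npn: True when the message is sent while accessing the first NPN.
    """
    problems: List[str] = []
    if not any([info.first_npn, info.first_ind, info.second_ind,
                info.third_ind, info.fourth_ind]):
        problems.append("first information carries no item")

    # Embodiment 5: a first indication for the first NPN needs the first NPN information.
    if info.first_ind == FIRST_IND_FIRST_NPN and not info.first_npn:
        problems.append("first indication requests the first NPN without its information")

    # Embodiment 6: requesting the certificate of the first NPN needs its information.
    if info.second_ind == SECOND_IND_FIRST_NPN and not info.first_npn:
        problems.append("second indication requests the first NPN certificate "
                        "without its information")

    # Embodiment 7 (and 8 as read here): a third indication needs the first NPN
    # information unless the terminal is already accessing the first NPN.
    if info.third_ind is not None and not info.first_npn and not current_is_first_npn:
        problems.append("third indication without first NPN information")

    # Embodiments 8, 9 and 10: going through the second certificate from a network
    # other than the second network requires the index information of the second network.
    needs_second_index = (info.third_ind == THIRD_IND_SECOND_CERT
                          or info.fourth_ind == FOURTH_IND_SECOND_CERT)
    if (needs_second_index and current_network != second_network
            and info.second_network_index is None):
        problems.append("second certificate requested outside the second network "
                        "without its index information")

    # Consistency: a supplied index of the second network must match the certificate held.
    if (info.second_network_index is not None and second_network is not None
            and info.second_network_index != second_network):
        problems.append("second network index does not match the certificate held")
    return problems
```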
Optionally, the information of the first NPN may include identification information of the first NPN. When the NPN is SNPN, the identification information of the first NPN may be composed of a PLMN ID and a NID. When the NPN is a PNI NPN, the identification information of the first PNI NPN may be formed by a PLMN ID.
1) In one embodiment, the terminal may request the right to access the first NPN and leave it to the network to decide whether to configure the terminal with the certificate of the first NPN or, on the basis of the second certificate the terminal already has, to add the right to access the first NPN through the second certificate.
2) In another embodiment, the terminal may request the certificate of the first NPN to request to acquire the right to access the first NPN.
3) In another embodiment, the terminal may request to access the first NPN through the second certificate to request to acquire the right to access the first NPN.
4) In another embodiment, the terminal may send the first information when accessing the second network, where the first information is, for example, identification information of the first NPN. In this case, the first information may not include information of the second network.
5) In another embodiment, the terminal may send first information when accessing the first NPN, where the first information is, for example, first indication information, and is used to request a right to access the first NPN; or, the first information is, for example, second indication information, and is used to request a certificate of the first NPN; or, the first information is, for example, third indication information, which is used to request access to the first NPN through the second certificate.
6) In another embodiment, the terminal may send first information, for example, fourth indication information, when accessing the NPN-type network, for requesting a right to access the NPN-type network.
7) In another embodiment, the terminal may send the first information when accessing the third network, where the first information is, for example, identification information of the first NPN. And the third network may be different from the second network and the first NPN.
Optionally, after the sending the first information, the method may further include:
acquiring third information, where the third information includes at least one of certificate information of a second NPN and update information of the second certificate;
performing an operation of accessing the second NPN or a fourth network according to the third information.
Wherein the fourth network may be one of: other networks than the second NPN (such as other NPN different from the first NPN, or PLMN), other networks than the second network.
In one embodiment, the second NPN is identical to the first NPN, i.e., all of the first NPN. In another embodiment, in the case that the first NPN includes a plurality of NPN, the second NPN is a subset of the first NPN, that is, the second NPN is a partial NPN of the first NPN.
In one embodiment, the network authorizes access to only a part of the NPN in the first NPN (i.e. the second NPN), and configures only the certificate of the part of the NPN for the first communication device. For example, the terminal requests access rights to the NPN1, NPN2, and NPN 3. It will be appreciated that the network may only allow the terminal to obtain access to the NPN1 and NPN2, configuring the terminal with the certificate of NPN1 and the certificate of NPN 2. The terminal can only access the NPN1 through the NPN1 certificate. The terminal can only access the NPN2 through the NPN2 certificate.
In another embodiment, the network authorizes access to multiple NPN in the first NPN, but only configures a partial NPN certificate (i.e., a second NPN) for the first communication device, through which the multiple NPN can be accessed. For example, the terminal requests access rights to the NPN1, NPN2, and NPN 3. It will be appreciated that the network may allow terminals to access NPN1 and NPN 2. The network may only configure the terminal with the certificate of NPN2, but the certificate through NPN2 does not only access NPN2, but also access NPN 1. At this time, the NPN1 that can be accessed through the certificate of the NPN2 may be referred to as an equivalent NPN of the NPN2, an NPN where the terminal of the NPN2 allows roaming, or an NPN where access can be provided to the NPN 2. NPN2 may be referred to as a service provider for the NPN 1.
Optionally, the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of the network that allows access through the certificate of the second NPN (such as network identification information), and a right to allow access to the NPN type network through the certificate of the second NPN. Wherein the network allowing certificate access through the second NPN may include other networks in addition to the second NPN. The other network than the second NPN comprises at least one of: other NPNs, PLMNs, PNI NPNs besides the second NPN. The second NPN may be referred to as a service provider of the other network. The other network may be referred to as an equivalent network of the second NPN, a network where the terminal of the second NPN allows roaming, or a network capable of providing access to the second NPN.
Optionally, the certificate information of the current access network may include at least one of: information of networks allowed to access through the credentials of the current access network, such as network identification information (e.g., network identification information of the NPN), indication information of the requested NPN allowed to access through the credentials of the current access network, indication information of the NPN type of network allowed to access through the credentials of the current access network. Wherein the network allowing access through the credentials of the current access network may include other networks in addition to the current access network. The other network than the current access network may include at least one of: NPN, PLMN, PNI NPN except current access network. The current access network may be referred to as a service provider of the other network. The other network may be referred to as an equivalent network of the current access network, a network in which a terminal of the current access network is allowed to roam, or a network capable of providing access to the current access network.
Optionally, the update information of the second certificate may include at least one of: information of the network allowed to access via the second certificate, such as network identification information (e.g. identification information of the NPN), indication information of the requested NPN allowed to access via the second certificate, indication information of the NPN type of network allowed to access via the second certificate. Wherein the network that allows access via the second credentials may include other networks in addition to the second network. The other network than the second network includes at least one of: NPN, PLMN, PNI NPN except second network. The second network may be referred to as a service provider of the other network. The other network may be referred to as an equivalent network of the second network, a network in which the terminal of the second network is allowed to roam, or a network which is capable of providing access to the second network.
In one embodiment, the network allowing certificate access through the second NPN includes a fourth network.
In one embodiment, the network that allows access via the second credentials comprises a fourth network.
In one embodiment, the update information of the second certificate contains the network identification information of all networks that the second certificate is allowed to access. That is, the network also sends the terminal the identification information of networks accessible through the second certificate for which the terminal did not request access rights.
In another embodiment, the update information of the second certificate adds only the identification information of those NPNs among the requested first NPN for which access rights are allowed.
In one embodiment, when the network identification information of the network allowing the access through the certificate of the second NPN includes identification information of a fourth network, the terminal may access the fourth network through the certificate of the second NPN. And the accessing the fourth network through the certificate of the second NPN may include: when accessing the fourth network, the UE identity provided is a UE identity (e.g. SUPI, SUCI, or NAI) corresponding to the certificate of the second NPN, and the UE identity may include the identity information of the second NPN. Such as by a registration request.
In one embodiment, when the network identification information of the networks that allow access through the second certificate contains the identifier of a fourth network, the terminal may access the fourth network through the second certificate. Accessing the fourth network through the second certificate comprises: when accessing the fourth network, the UE identity provided is the UE identity (e.g., SUPI, SUCI, or NAI) corresponding to the second certificate, and the UE identity may include identity information of the second network.
Optionally, after the step of sending the first information, receiving at least one of: address information of the first server, and identification information of the NPN corresponding to the first server.
In one embodiment, the NPN corresponding to the first server includes: a first server is configurable to access the NPN certificate. The certificate for accessing the NPN includes a certificate of the NPN.
In one embodiment, the address information of the first server and/or the identification information of the NPN corresponding to the first server is obtained from the network (e.g., the second communication device). The network may be the network that the terminal accesses through the first access mode (e.g., an enhancing access network, such as an O-SNPN).
Optionally, when the fourth condition is satisfied, the address information of the first server and/or the identification information of the NPN corresponding to the first server is ignored or discarded.
The fourth condition includes at least one of:
the terminal supports and/or requests a certificate downloading mode of a control plane type;
the terminal supports and/or requests a first access mode of a control plane type;
the terminal does not support and/or request a certificate downloading mode of a user plane type;
the terminal does not support and/or request a first access mode of a user plane type;
the first server is not a configuration server for a certificate of the first NPN.
It is to be understood that the address of the first server is for the certificate download mode of the user plane type or the first access mode of the user plane type. For a terminal that does not support the certificate download mode of the user plane type or the first access mode of the user plane type, the information about the first server sent by the network (e.g., the address information of the first server and/or the NPN identification information corresponding to the first server) may be ignored or discarded.
The certificate download mode supported and/or requested by the terminal may be the only certificate download mode the terminal supports and/or requests.
The first access mode of the control plane type supported and/or requested by the terminal may be the only first access mode the terminal supports and/or requests.
It is understood that, with the present embodiment, when access to an NPN is requested, the network may decide to allocate a corresponding NPN certificate or to add the access right for the requested NPN to the certificate the terminal already has; when the right to access multiple NPNs is requested, the network may allocate only one NPN certificate through which the multiple NPNs can be accessed, or may add the access rights for the requested NPNs to the terminal's existing certificate. For example, for a first NPN comprising NPN1 and NPN2, the network may allocate only the NPN1 certificate, while a first communication device such as a terminal may access both NPN1 and NPN2 through the NPN1 certificate. NPN2 may be an equivalent NPN of NPN1 or an NPN that allows roaming. In this case, the second NPN is NPN1. Certificate configuration and network access control of the terminal can thereby be realized effectively.
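The outcome described in the preceding paragraph, and the fourth-condition handling of the first-server information a few paragraphs earlier, can be modelled end to end. The block below is an added example written for this page, not code from the patent or from any network vendor: the network grants a subset of the requested NPNs and either issues one NPN certificate (the second NPN) that also covers equivalent NPNs or adds rights to the certificate the terminal already holds; the terminal then derives which network it can reach with which identity. The equivalence policy, the identifiers (NPN1, NPN2, PLMN-A) and the field names are constructed.

```python
"""Outcome of a request to access several NPNs, modelled after the text's example.

Illustrative code added for this page, not code from the patent or any vendor.
All policies, identifiers (NPN1, NPN2, PLMN-A) and field names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Certificate:
    issuer: str            # network that configured the certificate
    supi: str              # subscription identifier tied to the certificate
    allowed: Set[str]      # networks reachable with it (always includes the issuer)


@dataclass
class ThirdInformation:
    second_npn_cert: Optional[Certificate] = None   # certificate information of the second NPN
    second_cert_update: Set[str] = field(default_factory=set)  # networks added to the second certificate


# Constructed policy: NPN2 treats NPN1 as an equivalent NPN (roaming allowed).
EQUIVALENT: Dict[str, Set[str]] = {"NPN2": {"NPN1"}}


def authorize(requested: List[str], allowed_by_policy: Set[str],
              second_cert: Optional[Certificate] = None,
              prefer_update: bool = False) -> ThirdInformation:
    """Network side (step 22): decide what third information to return for a request."""
    granted = {n for n in requested if n in allowed_by_policy}
    if not granted:
        return ThirdInformation()                 # nothing authorized
    if prefer_update and second_cert is not None:
        # Add the authorized NPNs to the rights of the certificate already held.
        return ThirdInformation(second_cert_update=granted)

    def coverage(n: str) -> Set[str]:
        # Networks reachable with the certificate of n: n itself plus granted equivalents.
        return {n} | (EQUIVALENT.get(n, set()) & granted)

    # Choose as second NPN the granted NPN whose certificate covers most granted NPNs.
    best = max(sorted(granted), key=lambda n: len(coverage(n)))
    cert = Certificate(issuer=best, supi=f"supi@{best}", allowed=coverage(best))
    return ThirdInformation(second_npn_cert=cert)


def reachable(third: ThirdInformation,
              second_cert: Optional[Certificate]) -> Dict[str, str]:
    """Terminal side: map each reachable network to the identity (SUPI) to present.

    A network reached through the second NPN's certificate is accessed with the UE
    identity of that certificate, which carries the second NPN's identity.
    """
    reach: Dict[str, str] = {}
    if third.second_npn_cert is not None:
        for n in third.second_npn_cert.allowed:
            reach[n] = third.second_npn_cert.supi
    if second_cert is not None:
        second_cert.allowed |= third.second_cert_update   # apply the update
        for n in second_cert.allowed:
            reach.setdefault(n, second_cert.supi)
    return reach


def keep_first_server_info(supports_user_plane_download: bool,
                           server_is_for_first_npn: bool) -> bool:
    """Fourth condition: first-server address information is only useful for a
    user plane download of the first NPN's certificate; otherwise it is discarded."""
    return supports_user_plane_download and server_is_for_first_npn


if __name__ == "__main__":
    third = authorize(["NPN1", "NPN2", "NPN3"], {"NPN1", "NPN2"})
    print(reachable(third, None))   # NPN1 and NPN2 via the NPN2 certificate; NPN3 not granted
```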
Referring to fig. 2, an embodiment of the present invention provides an access control method, which is applied to a second communication device; the second communication device includes, but is not limited to, a core network element (e.g., AMF), which may be one of: a core network element of a first NPN, a core network element of a second network, or a core network element of a third network; the method comprises the following steps:
Step 21: first information is acquired.
It should be noted that the first information obtained in this step is specifically described in the embodiment shown in fig. 1, and is not described herein again.
In one embodiment, the second communication device may obtain the first information from the terminal.
Step 22: and executing a first operation according to the first information.
Wherein the performing the first operation may include at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether the terminal is allowed to acquire the authority of accessing the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
confirming that the terminal is configured with the certificate information of the second NPN, or confirming that the terminal is added with the authority of accessing the third NPN through the second certificate, or confirming that the terminal is added with the authority of accessing the NPN type network through the second certificate;
determining a first server;
sending address information of a first server and/or NPN identification information corresponding to the first server;
determining a second server;
determining second information;
initiating a certificate configuration request or a configuration updating request of the terminal to the first server and/or the second server;
sending second information to the first server and/or the second server;
and sending the certificate information of the second NPN or sending the second certificate updating information to the first communication equipment.
Wherein the first server is one of: a configuration server that configures the terminal with the second NPN certificate, a configuration server that configures the terminal with a certificate for accessing the NPN, and a server that the terminal needs to access in order to download the NPN certificate; the second server is a configuration server that configures the terminal with the second certificate.
Alternatively, the second NPN may be all or part of the first NPN. In one embodiment, the second NPN is an NPN in the first NPN for which a certificate is allowed to be configured for the terminal. It will be appreciated that all or only part of the requested first NPN may allow the terminal to be configured with the corresponding certificate. For example, the terminal requests access rights to NPN1, NPN2 and NPN3, but only NPN1 and NPN2 are allowed to be accessed; in one embodiment, the network may configure the terminal with the certificates of NPN1 and NPN2. In another embodiment, the network may configure the terminal with the certificate of NPN1 only, and NPN2 may be accessed through the certificate of NPN1. It will be understood that when the number of NPNs the terminal is allowed to access is large, this method saves configuring a certificate for each NPN. It will be appreciated that the second NPN may be a subset of the NPNs for which the terminal is allowed to acquire access rights.
Alternatively, the third NPN may be all or part of the first NPN. In one embodiment, the third NPN is an NPN in the first NPN that allows the terminal to acquire access rights. It will be appreciated that only a portion of the requested first NPN may allow the terminal to obtain access rights. It is understood that, for example, the terminal requests the access rights of the NPN1, the NPN2, and the NPN3, but only the NPN1 and the NPN2 are allowed to access. In one embodiment, the network may update the second certificate for the terminal, and add the right to access the NPN1 and NPN2 through the second certificate.
Optionally, the second information may include at least one of: NPN information, index information of the second network (e.g., identification information of the second network), first indication information, second indication information, third indication information, and fourth indication information. The NPN in the second information may be all or part of the first NPN in the first information. It will be understood that for NPN that are requested to gain access, only a portion of the NPN may be allowed or confirmed to gain access.
In one embodiment, the NPN can comprise one of: a first NPN, a second NPN and a third NPN. The first NPN is as described in the embodiment of fig. 1, and the second NPN is as described in the previous embodiments, and is not described here again. The third NPN is as described in the previous embodiments, and is not described here. The second NPN and the third NPN may be the same or different.
The NPN information can be used for at least one of the following: requesting access to the NPN, requesting a certificate of the NPN, requesting access to the NPN via a second certificate, requesting access to a network of NPN type.
The first indication information is used for requesting the access authority of the NPN, or used for requesting the current access authority of the network, or used for requesting the access authority of the NPN type network.
The second indication information is used for requesting the certificate of the NPN, or used for requesting the certificate of the current access network, or used for requesting the certificate of the access NPN type network.
The third indication information is used for requesting the permission of accessing the NPN through a second certificate or requesting the permission of accessing the NPN through a certificate of a current access network.
The fourth indication information is used for requesting the authority of accessing the NPN type network through the second certificate or requesting the authority of accessing the NPN type network through the certificate of the current access network.
In one embodiment, when an agreement exists between the network receiving the first information and one or more NPNs, access to those NPNs is allowed through the certificate of that network. When the network obtains first indication information (such as a request for the right to access an NPN type network), second indication information (such as a request for a certificate for accessing an NPN type network), third indication information (such as a request for the right to access the NPN type network through the certificate of the currently accessed network), or fourth indication information (such as a request for the right to access an NPN type network through the second certificate, or through the certificate of the currently accessed network), the network may update its certificate information for the terminal so that it includes the access right of the NPN type network.
Illustratively, there is an agreement between NPN1 and NPN2, NPN3 that allows a terminal to access NPN2 and NPN3 using the certificate information of NPN1. When the terminal requests the access right of the NPN type network from NPN1, NPN1 can open the right for the terminal and indicate this to the terminal. One embodiment is to add NPN2 and NPN3 to the information of the networks that allow access through the certificate of NPN1. Another embodiment is to indicate in the certificate information of NPN1 that access to the NPN type network is allowed.
Illustratively, the second network has an agreement with NPN1, NPN2 and NPN3 that allows the terminal to access NPN1, NPN2 and NPN3 using the certificate information of the second network. The terminal sends the first information to the second network. When the terminal requests the access right of the NPN type network from the second network, the second network may open the right for the terminal and indicate this to the terminal. One embodiment is to add NPN1, NPN2 and NPN3 to the information of the networks that allow access through the certificate of the second network. Another embodiment is to indicate in the certificate information of the second network that access to the NPN type network is allowed.
The second certificate may comprise a certificate already possessed by the first communication device. The certificate that the first communication device already has may comprise one of: a certificate of the second network that the first communication device already has, a certificate of the third party that the first communication device already has, a certificate of the service provider that the first communication device already has. The certificate of the third party is a certificate of another type than the certificate of the network, such as a certificate of a terminal manufacturer or a certificate of an Application (APP). The service provider includes, but is not limited to, one of: a second network (e.g., PLMN, or NPN (e.g., SNPN, or PNI NPN), etc.), a third party.
In one embodiment, the second information may include all the information in the first information, that is, the acquired first information. In another embodiment, the second information may include partial information in the first information, that is, partial information in the acquired first information. It will be understood that part of the information in the first information may be used only to index the certificate configuration server and need not be sent to the relevant server.
In one embodiment, the second communication device may perform at least one of the following by acquiring subscription information of the terminal, a policy of the network, and/or an allowed device list of the NPN: and confirming whether the terminal is allowed to acquire the authority of accessing the first NPN, confirming whether the terminal is allowed to be configured with the certificate information of the first NPN, and confirming whether the authority of accessing the first NPN through the second certificate is allowed to be added to the terminal.
Optionally, the subscription information of the terminal may include at least one of: NPN information (such as NPN identification information) that allows the terminal to acquire the access right; NPN information allowing the terminal to be configured with a certificate (e.g., identification information of the NPN); NPN information (such as NPN identification information) allowing the terminal to add access authority on the basis of the existing certificate.
Optionally, the policy of the network (which may be referred to as operator policy) may include one of: when the terminal is confirmed to be allowed to obtain the access right of a certain NPN, configuring the certificate information of that NPN for the terminal; and when the terminal is confirmed to be allowed to obtain the access right of a certain NPN, adding the access right of that NPN on the basis of the existing certificate of the terminal.
1) In one embodiment, the second communication device may directly add the right to access the third NPN through the second certificate for the terminal, or directly configure the second NPN certificate for the terminal.
2) In one embodiment, the second communication device may request the second server to add the right to access the third NPN for the terminal through the second certificate.
3) In one embodiment, the second communication device may request from the first server a certificate to configure the terminal with the second NPN.
The manner of acquiring the first information may include, but is not limited to, an embodiment of one of the following:
1) In one embodiment, the terminal may request the right to access the first NPN from the first NPN itself by sending the first information. It is understood that, in this manner, the first information may include the first indication information instead of the first NPN information. The first indication information may then be understood as requesting the access right of the currently accessed network.
2) In one embodiment, when the first NPN includes a plurality of NPN, the terminal may request the right to access the first NPN from one of the NPN. The access authority of the first NPN can be realized by acquiring certificate information of the first NPN or adding the authority of accessing the first NPN through the second certificate.
3) In one embodiment, the terminal may request the second network for the right to access the first NPN by sending the first information. It is understood that in this manner, the first information includes information of the first NPN. In this manner, the first information may not include index information of the second network.
4) In one embodiment, the terminal may send third indication information for requesting the right to access the first NPN through the second certificate, or requesting the right to access the first NPN through the certificate of the current access network. When the current access network of the terminal is the second network, the third indication information may be understood as a right to request access to the first NPN through a certificate of the current access network.
5) In one embodiment, the terminal may request the first NPN or the third network to add the right to access the first NPN via the second certificate by sending the first information. It is understood that in this manner, the first information includes index information of the second network. The index information of the second network may be used to index the second server.
Optionally, the second communication device may determine the first server (e.g., determine an address of the first server) based on at least one of:
first NPN information in the first information;
the network currently accessed by the terminal.
In one embodiment, the terminal accesses the first NPN and sends first information to the first NPN. It is understood that in this case, the second communication device is a device in the first NPN, and the first server may be determined according to the current access network and the mapping relationship between the address of the first server and the current access network.
In one embodiment, the terminal accesses the second NPN and transmits the first information to the second NPN. It is understood that in this case, the second communication device is a device in the second NPN, and the first server may be determined according to the current access network and the mapping relationship between the address of the first server and the current access network.
In another embodiment, the first server may be determined according to the mapping relationship between the first NPN information and the first server address and NPN identification information.
The type information of the first access mode indicates at least one of: a first access mode of a control plane type and a first access mode of a user plane type;
The type information of the certificate downloading mode indicates at least one of the following items: control plane type certificate downloading mode and user plane type certificate downloading mode.
In one embodiment, address information of the first server and/or identification information of the NPN corresponding to the first server is sent to the terminal.
Optionally, the sending the address information of the first server and/or the identification information of the NPN corresponding to the first server includes: and when the third condition is met, sending the address information of the first server and/or the identification information of the NPN corresponding to the first server.
The third condition includes:
the type information of the first access mode indicates a first access mode of a user plane type;
the type information of the certificate downloading mode indicates the certificate downloading mode of the user plane type.
It is understood that the address information of the first server is for the certificate download mode of the user plane type or the first access mode of the user plane type. For a terminal that does not support and/or request the certificate downloading method of the user plane type or the first access method of the user plane type, the network may not send the related information of the first server (e.g., the address information of the first server and/or the identification information of the NPN corresponding to the first server). Or, for a terminal that supports and/or requests a certificate downloading method of a user plane type or a first access method of a user plane type, the network may send related information of the first server.
In one embodiment, the second communication device may perform the operation of determining the first server, the operation of determining the second information and/or the operation of sending the second information to the first server if the first condition is satisfied. The first condition may include at least one of:
confirming that the terminal is allowed to obtain the right to access the first NPN;
confirming that the terminal is allowed to be configured with certificate information of the first NPN;
confirming that the terminal is to be configured with certificate information of the second NPN;
acquiring first indication information in the first information;
acquiring second indication information in the first information;
and acquiring the information of the first NPN in the first information.
Wherein the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
In one embodiment, the confirming that the terminal is allowed to acquire the right to access the first NPN may include confirming that the terminal is allowed to acquire the right to access a part of the first NPN. In one embodiment, the certificate information for confirming that the terminal is allowed to be configured with the first NPN may include certificate information for confirming that the terminal is allowed to be configured with a part of the first NPN.
Optionally, the second communication device may determine the second server (e.g., determine the address of the second server) based on at least one of:
Information of the second network in the first information;
first NPN information in the first information;
the network currently accessed by the terminal.
In one embodiment, the second communication device is a device in the second network, and the second server may be confirmed by the network currently accessed by the terminal and/or a second server address corresponding to the currently accessed network.
In another embodiment, the second server may be determined according to the mapping relationship between the first NPN information and the address of the second server and the NPN identification information.
In another embodiment, the second server may be determined according to the index information of the second network and the mapping relationship between the address of the second server and the network identification information.
In one embodiment, the second communication device may perform the operation of determining the second server, the operation of determining the second information and/or the operation of transmitting the second information to the second server if the second condition is satisfied. The second condition may include at least one of:
confirming that the terminal is allowed to obtain the right to access the first NPN;
confirming that the right to access the first NPN through the second certificate is allowed to be added for the terminal;
confirming that the right to access the third NPN through the second certificate is to be added for the terminal;
acquiring first indication information in the first information;
acquiring third indication information in the first information;
acquiring fourth indication information in the first information;
acquiring first NPN information in the first information;
and acquiring index information of the second network in the first information.
Wherein the third NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
In one embodiment, confirming that the terminal is allowed to acquire the right to access the first NPN may include confirming that the terminal is allowed to acquire the right to access a part of the first NPN. In one embodiment, confirming that the right to access the first NPN through the second certificate is allowed to be added for the terminal may include confirming that the right to access a part of the first NPN through the second certificate is allowed to be added for the terminal.
Optionally, after the step of sending the second information to the first server, the method may further include:
acquiring certificate information of a second NPN;
and sending the acquired certificate information of the second NPN.
For example, the certificate information of the second NPN is obtained from the first server. At this time, the certificate information of the second NPN may be transmitted to at least one of: a first communication device (including a terminal), a user data management device (such as a UDM, HSS and/or UDR).
Optionally, after the step of sending the second information to the second server, the method may further include:
acquiring the update information of the second certificate;
and sending the update information of the acquired second certificate.
For example, the update information of the second certificate is obtained from the second server. At this time, the update information of the second certificate may be transmitted to at least one of: a first communication device (including a terminal), a user data management device (such as a UDM, HSS and/or UDR).
It is understood that, with this embodiment, the second communication device may determine, based on the acquired first information, whether to allow the terminal to acquire an access right to the NPN, determine whether to configure certificate information of the corresponding NPN for the terminal, or determine a certificate configuration server and the like required by the terminal, thereby effectively implementing certificate configuration and network access control for the terminal.
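As an added example (not part of the patent), the following Python models the decision flow of the second communication device described above: confirming which of the requested first NPN the subscription allows, applying the operator policy to choose between configuring a second NPN certificate and adding the third NPN to the second certificate, building the second information, and determining the first or second server under the first, second and third conditions. All field names, the server mapping tables and the equivalent-NPN table are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

CONTROL_PLANE = "control_plane"
USER_PLANE = "user_plane"
POLICY_CONFIGURE_CERTIFICATE = "configure_certificate"
POLICY_ADD_TO_EXISTING = "add_to_existing"


@dataclass
class FirstInformation:
    """The first information sent by the terminal (constructed field names)."""
    first_npn: List[str]                  # NPNs whose access rights are requested
    second_network: Optional[str] = None  # index information of the second network
    first_indication: bool = False        # requests the access right of the NPN
    second_indication: bool = False       # requests a certificate of the NPN
    third_indication: bool = False        # requests access to the NPN via the second certificate
    fourth_indication: bool = False       # requests access to NPN-type networks via the second certificate
    download_type: str = CONTROL_PLANE    # type information of the certificate downloading mode


@dataclass
class Subscription:
    """Subscription information of the terminal: the three optional NPN lists."""
    allowed_access: Set[str]              # NPNs the terminal may obtain access rights to
    allowed_certificate: Set[str]         # NPNs the terminal may be configured a certificate for
    allowed_add_on_existing: Set[str]     # NPNs that may be added to the existing certificate


@dataclass
class Decision:
    """Outcome of the first operation."""
    allowed_npn: List[str] = field(default_factory=list)
    second_npn: List[str] = field(default_factory=list)   # NPNs that get their own certificate
    third_npn: List[str] = field(default_factory=list)    # NPNs added to the second certificate
    first_server: Optional[str] = None
    second_server: Optional[str] = None
    send_first_server_to_terminal: bool = False
    second_information: Dict[str, object] = field(default_factory=dict)


# Constructed mapping tables; the patent only states that such mappings exist.
FIRST_SERVER_BY_NPN = {"NPN1": "cfg.npn1.example", "NPN2": "cfg.npn2.example",
                       "NPN3": "cfg.npn3.example"}
SECOND_SERVER_BY_NETWORK = {"PLMN-A": "cfg.plmn-a.example"}
# Networks reachable through another NPN's certificate (equivalent or roaming NPNs).
ACCESSIBLE_VIA_CERTIFICATE = {"NPN1": {"NPN2"}}


def select_certificates(allowed: List[str]) -> List[str]:
    """Pick the NPN certificates to configure, skipping NPNs already reachable via a chosen one."""
    chosen: List[str] = []
    covered: Set[str] = set()
    for npn in allowed:
        if npn in covered:
            continue
        chosen.append(npn)
        covered |= ACCESSIBLE_VIA_CERTIFICATE.get(npn, set())
    return chosen


def perform_first_operation(info: FirstInformation, sub: Subscription,
                            policy: str, current_network: str) -> Decision:
    d = Decision()
    # Confirm whether the terminal may obtain access rights; only part of the first NPN may be allowed.
    d.allowed_npn = [n for n in info.first_npn if n in sub.allowed_access]
    if not d.allowed_npn:
        return d  # nothing allowed: neither the first nor the second condition can hold

    # Operator policy: either configure NPN certificates or extend the existing (second) certificate.
    if policy == POLICY_CONFIGURE_CERTIFICATE:
        d.second_npn = select_certificates([n for n in d.allowed_npn if n in sub.allowed_certificate])
    elif policy == POLICY_ADD_TO_EXISTING:
        d.third_npn = [n for n in d.allowed_npn if n in sub.allowed_add_on_existing]

    # Second information forwarded to the servers: the NPN list is narrowed to what was allowed,
    # and the second network index is held back because it only serves to index the second server.
    d.second_information = {
        "npn": d.second_npn or d.third_npn,
        "first_indication": info.first_indication,
        "second_indication": info.second_indication,
        "third_indication": info.third_indication,
        "fourth_indication": info.fourth_indication,
    }

    # First condition: a second NPN was confirmed or a certificate was requested -> first server.
    if d.second_npn or info.second_indication:
        key = d.second_npn[0] if d.second_npn else current_network
        d.first_server = FIRST_SERVER_BY_NPN.get(key)
        # Third condition: the address is only useful for user-plane certificate download.
        d.send_first_server_to_terminal = (info.download_type == USER_PLANE
                                           and d.first_server is not None)

    # Second condition: rights are to be added to the second certificate -> second server.
    if d.third_npn or info.third_indication or info.fourth_indication:
        key = info.second_network or current_network
        d.second_server = SECOND_SERVER_BY_NETWORK.get(key)
    return d
```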
Referring to fig. 3, an embodiment of the present invention provides an access control method, which is applied to a third communication device; the third communication device includes but is not limited to: a first server, a second server, or a core network element (e.g., an AMF). The core network element may be one of: a core network element of the first NPN, a core network element of the second network, or a core network element of the third network. The method comprises the following steps:
Step 31: first information or second information is acquired.
Wherein the first information may include at least one of: the index information of the first NPN, the index information of the second network, the first indication information, the second indication information, the third indication information and the fourth indication information. For the first NPN information in the first information, the index information of the second network, the first indication information, the second indication information, the third indication information, and the fourth indication information, the specific information may be as described in the embodiment shown in fig. 1, and details are not repeated here.
The second information may include at least one of: NPN information, index information of the second network (e.g., identification information of the second network), first indication information, second indication information, third indication information, and fourth indication information.
The NPN information can be used for at least one of the following: requesting access to the NPN, requesting a certificate of the NPN, requesting access to the NPN via a second certificate, requesting access to a network of NPN type.
The first indication information is used for requesting the access authority of the NPN, or used for requesting the current access authority of the network, or used for requesting the access authority of the NPN type network.
The second indication information is used for requesting the certificate of the NPN, or used for requesting the certificate of the current access network, or used for requesting the certificate of the access NPN type network.
The third indication information is used for requesting the permission of accessing the NPN through a second certificate or requesting the permission of accessing the NPN through a certificate of a current access network.
The fourth indication information is used for requesting the authority of accessing the NPN type network through the second certificate or requesting the authority of accessing the NPN type network through the certificate of the current access network.
The second certificate may comprise a certificate already possessed by the first communication device. The certificate that the first communication device already has may comprise one of: a certificate of the second network that the first communication device already has, a certificate of the third party that the first communication device already has, a certificate of the service provider that the first communication device already has. The certificate of the third party is a certificate of another type than the certificate of the network, such as a certificate of a terminal manufacturer or a certificate of an Application (APP). The service provider includes, but is not limited to, one of: a second network (e.g., PLMN, or NPN (e.g., SNPN, or PNI NPN), etc.), a third party.
In one embodiment, the first information may be obtained from a first communication device or obtained from a second communication device. For example, the first communication device sends the first information to the second communication device, and the second communication device sends the first information to the third communication device.
In one embodiment, the second information may be obtained from a second communication device. For example, the first communication device sends the first information to the second communication device, and the second communication device generates the second information according to the first information and then sends the second information to the third communication device. The NPN of the second information may be all or part of the NPN of the first NPN in the first information.
In one embodiment, the NPN can comprise one of: a first NPN, a second NPN and a third NPN. The first NPN is described in the embodiment of fig. 1, and the second NPN is described in the embodiment of fig. 2, which are not described herein again. The third NPN is as described in the embodiment of fig. 2, and is not described here again. The second NPN and the third NPN may be the same or different.
Step 32: and executing a second operation according to the first information or the second information.
Wherein the performing the second operation may include at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
configuring certificate information of a second NPN for the terminal, or adding the authority of accessing a third NPN through the second certificate for the terminal, or adding the authority of accessing an NPN type network through the second certificate for the terminal;
and sending certificate information of the second NPN or sending update information of the second certificate.
The second certificate may comprise a certificate already possessed by the first communication device. The certificate that the first communication device already has may comprise one of: a certificate of the second network that the first communication device already has, and a certificate of the third party that the first communication device already has. The certificate of the third party is a certificate of another type than the certificate of the network, such as a certificate of a terminal manufacturer or a certificate of an Application (APP).
The second network may include, but is not limited to, one of: PLMN, NPN (e.g., SNPN, or PNI NPN), etc.
Alternatively, the second NPN may be all or part of the first NPN. In one embodiment, the second NPN is an NPN in the first NPN for which a certificate is allowed to be configured for the terminal. It will be appreciated that all or only part of the requested first NPN may allow the terminal to be configured with the corresponding certificate. For example, the terminal requests access rights to NPN1, NPN2 and NPN3, but only NPN1 and NPN2 are allowed to be accessed; in one embodiment, the network may configure the terminal with the certificates of NPN1 and NPN2. In another embodiment, the network may configure the terminal with the certificate of NPN1 only, and NPN2 may be accessed through the certificate of NPN1. It will be understood that when the number of NPNs the terminal is allowed to access is large, this method saves configuring a certificate for each NPN. It will be appreciated that the second NPN may be a subset of the NPNs for which the terminal is allowed to acquire access rights.
Alternatively, the third NPN may be all or part of the first NPN. In one embodiment, the third NPN is an NPN in the first NPN that allows the terminal to acquire access rights. It will be appreciated that only a portion of the requested first NPN may allow the terminal to obtain access rights. It is understood that, for example, the terminal requests the access rights of the NPN1, the NPN2, and the NPN3, but only the NPN1 and the NPN2 are allowed to access. In one embodiment, the network may update the second certificate for the terminal, and add the right to access the NPN1 and NPN2 through the second certificate.
The certificate information of the second NPN may include at least one of: a certificate of the second NPN, information of the networks that allow access through the certificate of the second NPN (such as network identification information), and the right to access NPN type networks through the second NPN certificate. The networks that allow access through the certificate of the second NPN may include networks other than the second NPN, including at least one of: an NPN other than the second NPN, a PLMN, a PNI NPN. The second NPN may be referred to as the service provider of the other network. The other network may be referred to as an equivalent network of the second NPN, a network in which terminals of the second NPN are allowed to roam, or a network capable of providing access to the second NPN.
The second NPN is a subset of the first NPN where a plurality of NPNs are included in the first NPN.
Optionally, the update information of the second certificate may include at least one of: information allowing access to the network via the second certificate, such as network identification information, rights allowing access to the NPN type network via the second certificate, indication allowing access to the requested NPN via the second certificate, indication allowing access to the NPN type network via the second certificate. Wherein the network that allows access via the second credentials may include other networks in addition to the second network. The other network than the second network includes at least one of: NPN, PLMN, PNI NPN in addition to the second network. The second network may be referred to as a service provider of the other network. The other network may be referred to as an equivalent network of the second network, a network in which terminals of the second network are allowed to roam, or a network which is capable of providing access to the second network.
In one embodiment, the network that allows access via the second certificate includes at least one requesting NPN (e.g., at least one of the first NPN, the second NPN, or the third NPN).
In one embodiment, the sent updated information of the second certificate includes all network identification information of networks allowing access through the second certificate, and not only the identification information of the requested NPN (e.g., the identification information of at least one NPN in the identification information of the first NPN, the second NPN, or the third NPN).
In one embodiment, the updated information of the second certificate contains the network identification information of all networks that may be accessed through the second certificate. That is, even for a network for which the terminal did not request access rights, the network still sends the terminal the identification information of that network as a network that allows access via the second certificate.
In another embodiment, the updated information of the second certificate adds only the identification information of those NPNs, among the requested first NPN, for which access rights are allowed.
Optionally, the first information is obtained from a first source, where the first source includes: a first communication device (including a terminal).
Optionally, the second information is obtained from a second source, where the second source includes one of: a second communication device, the network to which the terminal sends the first information, and the network the terminal accesses.
Optionally, the certificate information of the second NPN or the update information of the second certificate is sent to a target, where the target includes at least one of: a first communication device (including a terminal), a second communication device, the network receiving the first information (e.g. the UDM or UDR in the network receiving the first information), a user management device in the second network, a network device in the second NPN (e.g. a user management device), and the network the terminal is currently accessing. It will be appreciated that when a new network certificate is configured or updated, the first communication device (including the terminal) and the network need to be synchronized at the same time, so that the network can authenticate the terminal when it accesses the network. When the terminal is allowed to access a second network through the certificate of the first network, the second network may also request the first network to authenticate the terminal.
It is understood that, with this embodiment, the third communication device may configure the required certificate information for the terminal based on the obtained second information, thereby effectively implementing certificate configuration and network access control for the terminal.
Referring to fig. 4, an embodiment of the present invention provides an access control method applied to a first communication device; the first communication device includes but is not limited to: a terminal; the method comprises the following steps:
Step 41: acquire third information.
Step 42: perform an operation of accessing a second NPN or a fourth network according to the third information.
Wherein the third information may include at least one of certificate information of the second NPN and update information of the second certificate.
In one embodiment, the second NPN may broadly refer to one or more NPNs. In one embodiment, the certificate of the second NPN may be obtained directly; in another embodiment, the certificate of the second NPN is acquired after the first NPN is requested. In the latter case, in one embodiment, the second NPN is identical to the first NPN; in another embodiment, the second NPN is a subset of the first NPN, for example, where the first NPN includes multiple NPNs, the second NPN may be some of the NPNs in the first NPN.
Optionally, the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of the networks that allow access through the certificate of the second NPN (such as network identification information), and the right to access an NPN type network through the certificate of the second NPN. The networks that allow access through the certificate of the second NPN may include networks other than the second NPN, which include at least one of: an NPN other than the second NPN, a PLMN, and a PNI NPN. The second NPN may be referred to as the service provider of the other network. The other network may be referred to as an equivalent network of the second NPN, a network in which terminals of the second NPN are allowed to roam, or a network capable of providing access to the second NPN.
In one embodiment, the current access network is a network for sending the first information or a network for acquiring the third information. The fourth network may be different from the current access network.
The first information is specifically described in the embodiment of fig. 1.
Optionally, the certificate information of the current access network may include at least one of: information of the networks allowed to be accessed through the certificate of the current access network, such as network identification information (e.g., the network identification information of an NPN), indication information that the requested NPN is allowed to be accessed through the certificate of the current access network, and indication information that an NPN type network is allowed to be accessed through the certificate of the current access network. The networks allowed to be accessed through the certificate of the current access network may include networks other than the current access network, which include at least one of: an NPN other than the current access network, a PLMN, and a PNI NPN. The current access network may be referred to as the service provider of the other network. The other network may be referred to as an equivalent network of the current access network, a network in which terminals of the current access network are allowed to roam, or a network capable of providing access to the current access network.
Optionally, the update information of the second certificate may include at least one of: information of the networks allowed to be accessed via the second certificate, such as network identification information (e.g. the identification information of an NPN), the right to access an NPN type network via the second certificate, indication information that the requested NPN is allowed to be accessed via the second certificate, and indication information that an NPN type network is allowed to be accessed via the second certificate. The networks that allow access via the second certificate may include networks other than the second network, which include at least one of: an NPN other than the second network, a PLMN, and a PNI NPN. The second network may be referred to as the service provider of the other network. The other network may be referred to as an equivalent network of the second network, a network in which terminals of the second network are allowed to roam, or a network capable of providing access to the second network.
In one embodiment, the network allowing certificate access through the second NPN includes a fourth network.
In one embodiment, the network that allows access via the second credentials comprises a fourth network.
In one embodiment, the updated information of the second certificate contains the network identification information of all networks that may be accessed through the second certificate. That is, even for a network for which the terminal did not request access rights, the network still sends the terminal the identification information of that network as a network that allows access via the second certificate.
In another embodiment, the updated information of the second certificate adds only the identification information of those NPNs, among the requested first NPN, for which access rights are allowed.
The fourth network may be one of: a network other than the second NPN (e.g. another NPN different from the second NPN, or a PLMN), a network other than the network from which the access rights of the first NPN were requested, or a network other than the second network.
In one embodiment, when the network identification information of the networks allowing access through the certificate of the second NPN includes the identification information of a fourth network, the terminal may access the fourth network through the certificate of the second NPN. Accessing the fourth network through the certificate of the second NPN may include: when accessing the fourth network, the UE identity provided is the UE identity (e.g. SUPI, SUCI, or NAI) corresponding to the certificate of the second NPN, and the UE identity may include the identity information of the second NPN. The UE identity may be provided, for example, in a registration request.
In one embodiment, when the network identification information of the networks that allow access through the second certificate contains the identification of a fourth network, the terminal may access the fourth network through the second certificate. Accessing the fourth network via the second certificate includes: when accessing the fourth network, the UE identity provided is the UE identity (e.g., SUPI, SUCI, or NAI) corresponding to the second certificate, and the UE identity may include the identity information of the second network.
In one embodiment, when the network identification information of the network allowing the access through the certificate of the first NPN includes identification information of a fourth network, the terminal may access the fourth network through the certificate of the first NPN. And the accessing the fourth network through the certificate of the first NPN may include: when accessing the fourth network, the UE identity provided is a UE identity (e.g., SUPI, SUCI, or NAI) corresponding to the certificate of the first NPN, and the UE identity may include identification information of the first NPN.
Optionally, before step 41, the method may further include: the first information is transmitted. The content related to the sending of the first information may be as described in the embodiment shown in fig. 1, and will not be described herein again.
Optionally, in this case, in an embodiment, the second NPN is identical to the first NPN; in another embodiment, the second NPN is a subset of the first NPN, such as where the first NPN includes multiple NPN, the second NPN may be a partial NPN of the first NPN.
In one embodiment, the network authorizes access to only a part of the NPNs in the first NPN (i.e. the second NPN), and configures only the certificates of that part of the NPNs for the first communication device. For example, the terminal requests access rights to NPN1, NPN2 and NPN3. It will be appreciated that the network may allow the terminal to obtain access to NPN1 and NPN2 only, and configures the terminal with the certificate of NPN1 and the certificate of NPN2. The terminal can access NPN1 only through the certificate of NPN1, and NPN2 only through the certificate of NPN2.
In another embodiment, the network authorizes access to multiple NPNs in the first NPN, but configures only the certificate of some of them (i.e. the second NPN) for the first communication device, and the multiple NPNs can be accessed through that certificate. For example, the terminal requests access rights to NPN1, NPN2 and NPN3. It will be appreciated that the network may allow the terminal to access NPN1 and NPN2. The network may configure the terminal with the certificate of NPN2 only, but the certificate of NPN2 grants access not only to NPN2 but also to NPN1. In this case, NPN1, which can be accessed through the certificate of NPN2, may be referred to as an equivalent NPN of NPN2, an NPN in which terminals of NPN2 are allowed to roam, or an NPN capable of providing access to NPN2. NPN2 may be referred to as the service provider of NPN1.
In one embodiment, the third information is obtained from a source, where the source includes one of: a first communication device, a second communication device, the network receiving the first information, and the currently accessed network.
It is understood that, with the present embodiment, when access rights to multiple NPNs are requested, the network may allocate only one NPN certificate, through which multiple NPNs can be accessed. Network access control of the terminal can therefore be implemented effectively.
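As an added example (not code from the patent or from the applicant), the following Python model shows the terminal-side view of the two embodiments above together with the two forms of certificate update information described earlier: the network either configures one certificate per granted NPN, or configures only the certificate of NPN2 and lists NPN1 as a network reachable through it, and the terminal then presents the identity tied to whichever certificate grants the target network. Class and field names, the `user@network` identity format and the NPN identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Credential:
    """A network certificate held by the terminal (constructed model).

    home:     network that issued the certificate (the 'service provider')
    username: placeholder subscriber identifier
    allowed:  networks that may be accessed through this certificate, i.e. the
              home network's equivalent networks / networks allowing roaming
    """
    home: str
    username: str
    allowed: Set[str] = field(default_factory=set)

    def grants(self, network: str) -> bool:
        return network == self.home or network in self.allowed

    def ue_identity(self) -> str:
        # The identity presented at registration carries the identity of the
        # certificate's home network (cf. SUPI/SUCI/NAI in the text). The
        # "user@network" form is a constructed placeholder, not a 3GPP encoding.
        return f"{self.username}@{self.home}"


def provision(requested: List[str], granted: Set[str],
              single_certificate: Optional[str] = None) -> List[Credential]:
    """Network-side configuration for a request of access rights to `requested`.

    Only NPNs that are both requested and granted (the second/third NPN, a
    subset of the first NPN) are configured.  With `single_certificate` set,
    only that NPN's certificate is issued and the other granted NPNs are
    listed as reachable through it (second embodiment); otherwise one
    certificate per granted NPN is issued (first embodiment).
    """
    allowed = [n for n in requested if n in granted]        # keep request order
    if single_certificate is None:
        return [Credential(home=n, username="ue-01") for n in allowed]
    if single_certificate not in allowed:
        raise ValueError("the certificate must belong to a granted, requested NPN")
    equivalents = {n for n in allowed if n != single_certificate}
    return [Credential(home=single_certificate, username="ue-01", allowed=equivalents)]


class Terminal:
    """First communication device: stores certificates and selects one to use."""

    def __init__(self) -> None:
        self.credentials: Dict[str, Credential] = {}

    def configure(self, cred: Credential) -> None:
        self.credentials[cred.home] = cred

    def apply_update(self, home: str, networks: Iterable[str], full_list: bool) -> None:
        """Apply 'update information' received for an existing certificate.

        full_list=True : the network sent the identities of every network the
                         certificate allows, including ones never requested,
                         so the stored list is replaced outright.
        full_list=False: only the newly granted requested NPNs were sent, so
                         they are added to the existing list.
        """
        cred = self.credentials[home]
        if full_list:
            cred.allowed = set(networks)
        else:
            cred.allowed |= set(networks)

    def select_credential(self, target: str) -> Optional[Credential]:
        # The target's own certificate wins; otherwise use any certificate whose
        # allowed list names the target (the target is then a 'fourth network').
        if target in self.credentials:
            return self.credentials[target]
        for cred in self.credentials.values():
            if cred.grants(target):
                return cred
        return None

    def registration_identity(self, target: str) -> Optional[str]:
        """Identity to present when registering with `target`, or None if no
        held certificate allows that network."""
        cred = self.select_credential(target)
        return None if cred is None else cred.ue_identity()


if __name__ == "__main__":
    ue = Terminal()
    for cred in provision(["NPN1", "NPN2", "NPN3"], {"NPN1", "NPN2"},
                          single_certificate="NPN2"):
        ue.configure(cred)
    for target in ("NPN1", "NPN2", "NPN3"):
        print(target, "->", ue.registration_identity(target))
```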
The method provided by the embodiment of the invention is described in the following with reference to specific embodiments.
In this embodiment, as shown in fig. 5, the NPN certificate configuration process of the UE may include the following steps:
Step 51: the UE initiates a registration request to the AMF of the first network through the NG-RAN. Optionally, the registration request includes the list of NPNs for which the UE requests an access certificate (credential).
In one embodiment, the UE already has the credential of NPN1 and requests that the credential of NPN2 be added. In this case, the AMF can authenticate the UE through the certificate of NPN1.
In another embodiment, the UE does not yet have the certificate of NPN1 and requests the certificates of NPN1 and NPN2 at the same time. In this case, the UE needs to be authenticated through a default credential, or through the UDM corresponding to the SUPI provided by the UE.
Step 52: the AMF selects a configuration server according to the NPN list and sends a certificate configuration request to the configuration server.
Step 53: if the UE was not authenticated in the above steps, optionally, the configuration server authenticates the UE through the authentication server.
Step 54: after the authentication passes, the configuration server sends a configuration response to the UE through the AMF so as to configure the UE.
In one embodiment, when the NPN list for which certificates are requested contains NPN2, either the configuration server of NPN1 updates the certificate of NPN1, adding NPN2 as an NPN in which roaming is allowed, or the configuration server of NPN2 configures the certificate of NPN2 for the UE separately.
Further, optionally, the configuration server may synchronize the UE's credentials to the UDM.
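As an added example (not the patent's or the applicant's code), the Python model below runs the fig. 5 procedure end to end for the case where the configuration server of the requested NPN issues a separate certificate: the AMF authenticates the UE with a certificate it already holds or with a default credential, selects a configuration server per requested NPN, the server falls back to the authentication server when the AMF could not authenticate the UE, and the new certificate is synchronized to the UDM so that the network can authenticate the UE afterwards. Class names, message fields, the SUPI value and the server registry are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Udm:
    """UDM records (constructed). `default` holds SUPIs that own a default
    credential; `credentials` maps SUPI -> NPNs whose certificate is on file."""
    default: Set[str] = field(default_factory=set)
    credentials: Dict[str, Set[str]] = field(default_factory=dict)

    def has(self, supi: str, npn: str) -> bool:
        return npn in self.credentials.get(supi, set())

    def sync(self, supi: str, npn: str) -> None:
        self.credentials.setdefault(supi, set()).add(npn)


@dataclass
class Ue:
    supi: str
    credentials: Set[str] = field(default_factory=set)  # NPNs whose certificate the UE holds

    def registration_request(self, requested: List[str]) -> dict:
        # Step 51: registration request carrying the NPN list for which a
        # credential is requested, plus the credentials the UE already holds.
        return {"supi": self.supi, "npn_list": list(requested),
                "held": set(self.credentials)}


class AuthenticationServer:
    def __init__(self, udm: Udm) -> None:
        self.udm = udm

    def authenticate(self, supi: str) -> bool:
        # Authenticates a UE that holds no usable NPN certificate yet by its
        # default credential.
        return supi in self.udm.default


class ConfigurationServer:
    """Configuration server of one NPN."""

    def __init__(self, npn: str, udm: Udm, auth: AuthenticationServer) -> None:
        self.npn, self.udm, self.auth = npn, udm, auth

    def configure(self, req: dict, authenticated: bool) -> Optional[dict]:
        # Step 53: authenticate the UE here if the AMF could not.
        if not authenticated and not self.auth.authenticate(req["supi"]):
            return None
        # Step 54 (and the optional sync): issue this NPN's certificate and
        # record it in the UDM; otherwise the network could not authenticate
        # the UE when it later accesses the NPN with that certificate.
        self.udm.sync(req["supi"], self.npn)
        return {"npn": self.npn, "certificate": f"cert-{self.npn}-{req['supi']}"}


class Amf:
    def __init__(self, udm: Udm, servers: Dict[str, ConfigurationServer]) -> None:
        self.udm, self.servers = udm, servers

    def handle_registration(self, ue: Ue, req: dict) -> List[str]:
        # Step 51 (network side): a certificate the UE already holds and the
        # UDM knows authenticates it; failing that, a default credential does.
        held_known = [n for n in req["held"] if self.udm.has(req["supi"], n)]
        authenticated = bool(held_known) or req["supi"] in self.udm.default
        outcome: List[str] = []
        # Step 52: select the configuration server of each requested NPN the
        # UE holds no certificate for, and send it the configuration request.
        for npn in req["npn_list"]:
            if npn in req["held"]:
                continue
            server = self.servers.get(npn)
            if server is None:
                outcome.append(f"{npn}:no-server")
                continue
            resp = server.configure(req, authenticated)
            if resp is None:
                outcome.append(f"{npn}:rejected")
                continue
            ue.credentials.add(resp["npn"])   # configuration response forwarded via the AMF
            outcome.append(f"{npn}:configured")
        return outcome


def run_scenario(held: Set[str], has_default: bool,
                 requested: List[str]) -> Tuple[List[str], Ue, Udm]:
    """Constructed scenario: one UE ('supi-1'), one UDM, and configuration
    servers for NPN1 and NPN2 only."""
    udm = Udm(default={"supi-1"} if has_default else set(),
              credentials={"supi-1": set(held)})
    auth = AuthenticationServer(udm)
    servers = {n: ConfigurationServer(n, udm, auth) for n in ("NPN1", "NPN2")}
    ue = Ue("supi-1", set(held))
    outcome = Amf(udm, servers).handle_registration(ue, ue.registration_request(requested))
    return outcome, ue, udm
```

`run_scenario({"NPN1"}, False, ["NPN2"])` is the first embodiment of step 51 (authentication by the NPN1 certificate), `run_scenario(set(), True, ["NPN1", "NPN2"])` the second (authentication by a default credential).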
Referring to fig. 6, an embodiment of the present invention provides a communication device, where the communication device is a first communication device, and as shown in fig. 6, the communication device 60 includes:
a sending module 61, configured to send first information;
wherein the first information comprises at least one of: information of a first standalone non-public network (NPN), index information of a second network, first indication information, second indication information, third indication information, fourth indication information, indication information for requesting certificate downloading, indication information for requesting a first access mode, type information of the first access mode, and type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority to access the first NPN, requesting a certificate of the first NPN, requesting access to the first NPN through a second certificate, and requesting access to an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or a certificate of the current access network, or a certificate for accessing an NPN type network;
The third indication information is used for requesting the authority of accessing the first NPN through the second certificate or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing the NPN type network through the second certificate or requesting the authority of accessing the NPN type network through the certificate of the current access network;
the second certificate may comprise a certificate already possessed by the first communication device. The certificate that the first communication device already has includes: a certificate of the second network that the first communication device already has, and a certificate of the third party that the first communication device already has. The certificate of the third party is a certificate of another type than the certificate of the network, such as a certificate of a terminal manufacturer or a certificate of an Application (APP).
Optionally, the communication device 60 may further include:
the third acquisition module is used for acquiring third information; wherein the third information includes at least one of certificate information of a second NPN and update information of the second certificate;
a third executing module, configured to execute an operation of accessing to a second NPN or fourth network according to the third information;
wherein the fourth network is one of: other networks different from the second NPN, other networks different from the second network;
The second NPN is all NPNs in the first NPN or a part of NPNs in the first NPN.
Optionally, the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
and/or the updated information of the second certificate comprises at least one of the following: information allowing access to the network via the second certificate, permission allowing access to the NPN type network via the second certificate, indication allowing access to the requested NPN via the second certificate, indication allowing access to the NPN type network via the second certificate.
Optionally, the network allowing certificate access through the second NPN includes the fourth network;
and/or the network allowing access via the second credentials comprises the fourth network.
Optionally, after the step of sending the first information, at least one of the following is received: address information of a first server, and identification information of the NPN corresponding to the first server.
In one embodiment, the NPN corresponding to the first server is the NPN for which the first server is capable of configuring a certificate for access. The certificate for accessing the NPN includes a certificate of the NPN.
In one embodiment, the address information of the first server and/or the identification information of the NPN corresponding to the first server is obtained from the network. The network may be a network that the terminal accesses through a first access mode (e.g., an enhancing access network, such as an O-SNPN).
Optionally, when the fourth condition is satisfied, the address information of the first server and/or the identification information of the NPN corresponding to the first server is ignored or discarded.
The fourth condition includes at least one of:
the terminal supports and/or requests a certificate downloading mode of a control plane type;
the terminal supports and/or requests a first access mode of a control plane type;
the terminal does not support and/or request a certificate downloading mode of a user plane type;
the terminal does not support and/or request a first access mode of a user plane type;
the first server is not a configuration server for a certificate of the first NPN.
It is to be understood that the address of the first server is intended for the certificate downloading mode of the user plane type or the first access mode of the user plane type. A terminal that does not support the certificate downloading mode of the user plane type or the first access mode of the user plane type may ignore or discard the information related to the first server sent by the network.
The certificate downloading mode of the control plane type supported and/or requested by the terminal may include the case where the terminal supports and/or requests only a certificate downloading mode of the control plane type.
The first access means supported and/or requested by the terminal for the control plane type may include the first access means supported and/or requested by the terminal for only the control plane type.
In this embodiment, the communication device 60 can implement each process implemented in the method embodiment shown in fig. 1 of the present invention, and achieve the same beneficial effects, and for avoiding repetition, details are not described here again.
Referring to fig. 7, an embodiment of the present invention provides a communication device, where the communication device is a second communication device, and as shown in fig. 7, the communication device 70 includes:
a first obtaining module 71, configured to obtain first information;
a first executing module 72, configured to execute a first operation according to the first information;
wherein the performing the first operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether the terminal is allowed to acquire the authority of accessing the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
Determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
confirming that the terminal is configured with the certificate information of the second NPN, or confirming that the terminal is added with the authority of accessing the third NPN through the second certificate, or confirming that the terminal is added with the authority of accessing the NPN type network through the second certificate;
determining a first server;
sending address information of a first server and/or NPN identification information corresponding to the first server;
determining a second server;
determining second information;
initiating a certificate configuration request or a configuration updating request of the terminal to the first server and/or the second server;
sending second information to the first server and/or the second server;
wherein the first server is one of: a configuration server for configuring the certificate of a second NPN for the terminal, a configuration server for configuring the certificate for accessing the NPN for the terminal, and a server the terminal needs to access in order to download the NPN certificate; the second server is a configuration server for configuring the second certificate for the terminal; and the second information includes all or part of the first information.
Optionally, the first information includes at least one of: the first NPN information, the index information of the second network, the first indication information, the second indication information, the third indication information, the fourth indication information, the indication information for requesting certificate downloading, the indication information for requesting the first access mode, the type information of the first access mode and the type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority to access the first NPN, requesting a certificate of the first NPN, requesting access to the first NPN through a second certificate, and requesting access to an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or a certificate of the current access network, or a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing the NPN type network through the second certificate or requesting the authority of accessing the NPN type network through the certificate of the current access network;
the second certificate may comprise a certificate already possessed by the first communication device. The certificate that the first communication device already has may comprise one of: a certificate of the second network that the first communication device already has, and a certificate of the third party that the first communication device already has. The certificate of the third party is a certificate of another type than the certificate of the network, such as a certificate of a terminal manufacturer or a certificate of an Application (APP).
The type information of the first access mode indicates at least one of: a first access mode of a control plane type and a first access mode of a user plane type;
the type information of the certificate downloading mode indicates at least one of the following items: control plane type certificate downloading mode and user plane type certificate downloading mode.
In one embodiment, address information of the first server and/or identification information of the NPN corresponding to the first server is sent to the terminal.
Optionally, the first executing module 72 sends the address information of the first server and/or the identification information of the NPN corresponding to the first server when the third condition is satisfied.
The third condition includes:
the type information of the first access mode indicates a first access mode of a user plane type;
the type information of the certificate downloading mode indicates the certificate downloading mode of the user plane type.
It is understood that the address information of the first server is for the certificate download mode of the user plane type or the first access mode of the user plane type. For a terminal that does not support and/or request the certificate downloading method of the user plane type or the first access method of the user plane type, the network may not send the related information of the first server (e.g., the address information of the first server and/or the identification information of the NPN corresponding to the first server). Or, for a terminal that supports and/or requests a certificate downloading method of a user plane type or a first access method of a user plane type, the network may send related information of the first server.
Optionally, the first executing module 72 may execute the operation of determining the first server, the operation of determining the second information and/or the operation of sending the second information to the first server if the first condition is satisfied; wherein the first condition comprises at least one of:
confirming the permission of allowing the terminal to obtain the authority of accessing the first NPN;
confirming certificate information allowing configuration of the first NPN for the terminal;
confirming certificate information of configuring a second NPN for the terminal;
acquiring first indication information in the first information;
acquiring second indication information in the first information;
acquiring first NPN information in the first information;
wherein the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
Optionally, the first executing module 72 may perform an operation of determining the second server, determining the second information and/or performing an operation of sending the second information to the first server if the second condition is satisfied; wherein the second condition comprises at least one of:
confirming the permission of allowing the terminal to obtain the authority of accessing the first NPN;
confirming that permission for adding a permission for accessing the first NPN to the terminal through the second certificate is allowed;
confirming that the authority of accessing a third NPN through the second certificate is added for the terminal;
Acquiring first indication information in the first information;
acquiring third indication information in the first information;
acquiring fourth indication information in the first information;
acquiring first NPN information in the first information;
acquiring index information of a second network in the first information;
wherein the third NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
In this embodiment, the communication device 70 can implement each process implemented in the method embodiment shown in fig. 2 of the present invention, and achieve the same beneficial effects, and for avoiding repetition, details are not described here again.
Referring to fig. 8, an embodiment of the present invention provides a communication device, where the communication device is a third communication device, and as shown in fig. 8, the communication device 80 includes:
a second obtaining module 81, configured to obtain the first information or the second information;
a second executing module 82, configured to execute a second operation according to the first information or the second information;
wherein the performing the second operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
Determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
configuring certificate information of a second NPN for the terminal, or adding the authority of accessing a third NPN through the second certificate for the terminal, or adding the authority of accessing an NPN type network through the second certificate for the terminal;
sending certificate information of a second NPN or sending update information of a second certificate;
wherein the second certificate comprises a certificate that the terminal already has;
the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
the third NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
the second NPN is the same as or different from the third NPN.
Optionally, the first information includes at least one of: the first NPN information, the index information of the second network, the first indication information, the second indication information, the third indication information, the fourth indication information, the indication information for requesting certificate downloading, the indication information for requesting the first access mode, the type information of the first access mode and the type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority to access the first NPN, requesting a certificate of the first NPN, requesting access to the first NPN through a second certificate, and requesting access to an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or a certificate of the current access network, or a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing the NPN type network through the second certificate or requesting the authority of accessing the NPN type network through the certificate of the current access network.
Optionally, the second information includes at least one of: NPN information, index information of a second network, first indication information, second indication information, third indication information and fourth indication information;
the NPN information can be used for at least one of the following: requesting the authority of accessing the NPN, requesting a certificate of the NPN, requesting the authority of accessing the NPN through a second certificate, and requesting the authority of accessing an NPN type network;
the first indication information is used for requesting the authority of accessing the NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the NPN, or requesting a certificate of the current access network, or requesting a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the NPN through a second certificate, or requesting the authority of accessing the NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing an NPN type network through the second certificate, or requesting the authority of accessing an NPN type network through the certificate of the current access network.
Optionally, the certificate information of the first NPN includes at least one of: a certificate of the first NPN, information of a network allowing access through the certificate of the first NPN, and a right allowing access to the NPN type network through the certificate of the first NPN;
And/or the certificate information of the second NPN comprises at least one of the following items: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
and/or the updated information of the second certificate comprises at least one of the following: information allowing access to the network via the second certificate, permission allowing access to the NPN type network via the second certificate, indication allowing access to the requested NPN via the second certificate, indication allowing access to the NPN type network via the second certificate;
wherein the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
In this embodiment, the communication device 80 can implement each process implemented in the method embodiment shown in fig. 3 of the present invention, and achieve the same beneficial effects, and for avoiding repetition, details are not described here again.
Referring to fig. 9, an embodiment of the present invention provides a communication device, where the communication device is a fourth communication device, and as shown in fig. 9, the communication device 90 includes:
a third obtaining module 91, configured to obtain third information; wherein the third information includes at least one of certificate information of the second NPN and update information of the second certificate; the second certificate comprises a certificate already possessed by the first communication device; the second NPN is one or more NPN;
A third executing module 92, configured to execute an operation of accessing to a second NPN or fourth network according to the third information;
wherein the fourth network is one of: other networks different from the second NPN, other networks different from the second network;
the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
the certificate information of the current access network comprises at least one of: information of a network allowed to be accessed through the certificate of the current access network, indication information that the requested NPN is allowed to be accessed through the certificate of the current access network, and indication information that an NPN type network is allowed to be accessed through the certificate of the current access network;
the update information of the second certificate includes at least one of: information allowing access to the network via the second certificate, permission allowing access to the NPN type network via the second certificate, indication allowing access to the requested NPN via the second certificate, indication allowing access to the NPN type network via the second certificate.
In this embodiment, the communication device 90 can implement each process implemented in the method embodiment shown in fig. 4 of the present invention, and achieve the same beneficial effects, and for avoiding repetition, details are not described here again.
Referring to fig. 10, fig. 10 is a schematic structural diagram of another communication device according to an embodiment of the present invention, and as shown in fig. 10, the communication device 100 includes: a processor 101, a memory 102, and a computer program stored in the memory 102 and capable of running on the processor, where components in the communication device 100 are coupled together through a bus interface 103, and when executed by the processor 101, the computer program may implement each process implemented in the method embodiment shown in fig. 1, or implement each process implemented in the method embodiment shown in fig. 2, or implement each process implemented in the method embodiment shown in fig. 3, or implement each process implemented in the method embodiment shown in fig. 4, and may achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements each process implemented in the method embodiment shown in fig. 1, or implements each process implemented in the method embodiment shown in fig. 2, or implements each process implemented in the method embodiment shown in fig. 3, or implements each process implemented in the method embodiment shown in fig. 4, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (24)

1. An access control method applied to a first communication device, the method comprising:
sending first information;
wherein the first information comprises at least one of: information of a first non-public network (NPN), index information of a second network, first indication information, second indication information, third indication information, fourth indication information, indication information for requesting certificate downloading, indication information for requesting a first access mode, type information of the first access mode, and type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority of accessing the first NPN, requesting a certificate of the first NPN, requesting the authority of accessing the first NPN through a second certificate, and requesting the authority of accessing an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or requesting a certificate of the current access network, or requesting a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate, or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing an NPN type network through the second certificate, or requesting the authority of accessing an NPN type network through the certificate of the current access network;
the second certificate comprises a certificate already possessed by the first communication device;
wherein
the first access mode includes: an access mode for accessing the first network in order to download a certificate for accessing the second network; the first network and the second network are the same network or different networks;
the type information of the first access mode indicates at least one of: a first access mode of a control plane type and a first access mode of a user plane type;
The type information of the certificate downloading mode indicates at least one of the following items: control plane type certificate downloading mode and user plane type certificate downloading mode.
2. The method of claim 1, wherein after the sending the first information, the method further comprises:
acquiring third information; wherein the third information includes at least one of certificate information of a second NPN and update information of the second certificate;
according to the third information, executing the operation of accessing a second NPN or a fourth network;
wherein the fourth network is one of: other networks different from the second NPN, other networks different from the second network;
the second NPN is all NPNs in the first NPN or a part of NPNs in the first NPN.
3. The method of claim 2,
the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
and/or the updated information of the second certificate comprises at least one of the following: information allowing access to the network via the second certificate, permission allowing access to the NPN type network via the second certificate, indication allowing access to the requested NPN via the second certificate, indication allowing access to the NPN type network via the second certificate.
4. The method of claim 3,
the network allowed to be accessed through the certificate of the second NPN comprises the fourth network;
and/or
the network allowed to be accessed through the second certificate comprises the fourth network.
5. The method of claim 1, wherein the step of sending the first information is followed by receiving at least one of: address information of the first server, and identification information of the NPN corresponding to the first server.
6. The method according to claim 5, wherein when the fourth condition is satisfied, the address information of the first server and/or the identification information of the NPN corresponding to the first server are ignored or discarded.
The fourth condition includes at least one of:
the terminal supports and/or requests a certificate downloading mode of a control plane type;
The terminal supports and/or requests a first access mode of a control plane type;
the terminal does not support and/or request a certificate downloading mode of a user plane type;
The terminal does not support and/or request a first access mode of a user plane type;
the first server is not a configuration server for a certificate of the first NPN.
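Claims 1 to 6 describe the terminal side of the exchange: the elements of the first information it sends, when it must ignore a first-server address it receives (the fourth condition of claim 6), and how it uses the third information (a certificate of the second NPN, or an update of the certificate it already holds) to decide which credential admits it to the second NPN or to a fourth network. The following is an added Python model of that behaviour; it is not code from the patent or from the applicant. The dataclass field names, the string encodings of the control-plane and user-plane types, and the reading of "the first server is not a configuration server for a certificate of the first NPN" as "the NPN announced for the server is not one of the requested NPNs" are assumptions. The subset check in `handle_third_information` is an added defensive check, not a claim element.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Hypothetical encodings of the claimed elements; the claims name them but do
# not fix a wire format. Network names and addresses used below are constructed.
CONTROL_PLANE = "control_plane"
USER_PLANE = "user_plane"


@dataclass(frozen=True)
class FirstInformation:
    """Claim 1: what the terminal sends. Every element is optional ("at least one of")."""
    first_npn: FrozenSet[str] = frozenset()        # NPN identifiers the terminal asks for
    second_network_index: Optional[str] = None     # network whose certificate it already holds
    first_indication: bool = False                 # request authority to access the first NPN
    second_indication: bool = False                # request the certificate of the first NPN
    third_indication: bool = False                 # request access to the first NPN via the second certificate
    fourth_indication: bool = False                # request access to NPN-type networks via the second certificate
    first_access_mode_type: Optional[str] = None   # CONTROL_PLANE or USER_PLANE
    cert_download_mode_type: Optional[str] = None  # CONTROL_PLANE or USER_PLANE


@dataclass(frozen=True)
class ThirdInformation:
    """Claims 2 and 3: certificate information of the second NPN and/or update information of the second certificate."""
    second_npn_certificate: Optional[str] = None                   # certificate of the second NPN
    second_npn: FrozenSet[str] = frozenset()                       # networks that certificate admits
    networks_allowed_via_second_cert: FrozenSet[str] = frozenset()
    npn_type_allowed_via_second_cert: bool = False


@dataclass
class Terminal:
    second_certificate: str                          # certificate the terminal already possesses
    second_network: str                              # network it is currently registered on
    npn_type_networks: FrozenSet[str] = frozenset()  # networks the terminal knows to be NPN-type
    certificates: Dict[str, str] = field(default_factory=dict)  # network -> certificate to use
    allowed_via_second_cert: Set[str] = field(default_factory=set)
    npn_type_via_second_cert: bool = False
    first_server: Optional[Tuple[str, str]] = None

    def __post_init__(self) -> None:
        # The existing certificate is at least valid for the network it came from.
        self.allowed_via_second_cert.add(self.second_network)

    def handle_first_server(self, sent: FirstInformation, address: str, npn_id: str) -> bool:
        """Claims 5 and 6: keep the first server's address only if no part of the fourth condition holds.
        Returns True when the address was kept."""
        fourth_condition = (
            sent.cert_download_mode_type == CONTROL_PLANE
            or sent.first_access_mode_type == CONTROL_PLANE
            or sent.cert_download_mode_type != USER_PLANE   # user-plane download not requested
            or sent.first_access_mode_type != USER_PLANE
            or npn_id not in sent.first_npn                 # assumption: server is not for the first NPN
        )
        if fourth_condition:
            self.first_server = None   # ignore or discard
            return False
        self.first_server = (address, npn_id)
        return True

    def handle_third_information(self, sent: FirstInformation, info: ThirdInformation) -> None:
        """Claims 2 and 3: install the new certificate and record what the second certificate now admits."""
        # Added check: the second NPN must be all or part of the first NPN that was requested,
        # so a certificate for a network the terminal never asked for is not installed.
        if not info.second_npn <= sent.first_npn:
            raise ValueError("second NPN is not a subset of the requested first NPN")
        if info.second_npn_certificate is not None:
            for npn in info.second_npn:
                self.certificates[npn] = info.second_npn_certificate
        self.allowed_via_second_cert |= info.networks_allowed_via_second_cert
        self.npn_type_via_second_cert = self.npn_type_via_second_cert or info.npn_type_allowed_via_second_cert

    def credential_for(self, target: str) -> Optional[str]:
        """Claims 2 and 4: which credential lets the terminal access target (the second NPN or a fourth network)."""
        if target in self.certificates:
            return self.certificates[target]
        if target in self.allowed_via_second_cert:
            return self.second_certificate
        if self.npn_type_via_second_cert and target in self.npn_type_networks:
            return self.second_certificate
        return None
```

A terminal that registered on `PLMN-A` with `cert-PLMN-A` and asked for `NPN-1` and `NPN-2` keeps a first-server address only for a user-plane download and only when the announced NPN is one it requested; after receiving a certificate for `NPN-1` and an update saying the existing certificate also admits `NPN-2`, `credential_for` returns the new certificate for `NPN-1`, the existing one for `NPN-2` (a fourth network) and `None` for an NPN nothing has authorised.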
7. An access control method applied to a second communication device, the method comprising:
Acquiring first information;
executing a first operation according to the first information;
wherein the performing the first operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether the terminal is allowed to acquire the authority of accessing the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
confirming that the terminal is configured with the certificate information of the second NPN, or confirming that the terminal is added with the authority of accessing the third NPN through the second certificate, or confirming that the terminal is added with the authority of accessing the NPN type network through the second certificate;
determining a first server;
sending address information of a first server and/or NPN identification information corresponding to the first server;
determining a second server;
determining second information;
initiating a certificate configuration request or a configuration updating request of the terminal to the first server and/or the second server;
sending second information to the first server and/or the second server;
wherein the first server is one of: a configuration server for configuring a certificate of the second NPN for the terminal, a configuration server for configuring a certificate for accessing an NPN for the terminal, and a server that the terminal needs to access in order to download an NPN certificate; the second server is a configuration server for configuring the second certificate for the terminal; the second information includes all or part of the first information.
8. The method of claim 7,
the first information includes at least one of: the first NPN information, the index information of the second network, the first indication information, the second indication information, the third indication information, the fourth indication information, the indication information for requesting certificate downloading, the indication information for requesting the first access mode, the type information of the first access mode and the type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority of accessing the first NPN, requesting a certificate of the first NPN, requesting the authority of accessing the first NPN through a second certificate, and requesting the authority of accessing an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or requesting a certificate of the current access network, or requesting a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate, or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing an NPN type network through the second certificate, or requesting the authority of accessing an NPN type network through the certificate of the current access network;
the second certificate comprises a certificate that the terminal already has;
the type information of the first access mode indicates at least one of: a first access mode of a control plane type and a first access mode of a user plane type;
the type information of the certificate downloading mode indicates at least one of the following items: control plane type certificate downloading mode and user plane type certificate downloading mode.
9. The method of claim 7, wherein sending the address information of the first server and/or the identification information of the corresponding NPN of the first server comprises: when a third condition is met, sending address information of the first server and/or NPN identification information corresponding to the first server;
wherein the third condition comprises:
the type information of the first access mode indicates a first access mode of a user plane type;
the type information of the certificate downloading mode indicates the certificate downloading mode of the user plane type.
10. The method according to claim 7, wherein the second communication device performs the operation of determining the first server, the operation of determining the second information and/or the operation of sending the second information to the first server if the first condition is satisfied; wherein the first condition comprises at least one of:
confirming that the terminal is allowed to obtain the authority of accessing the first NPN;
confirming that certificate information of the first NPN is allowed to be configured for the terminal;
confirming that certificate information of the second NPN is configured for the terminal;
acquiring first indication information in the first information;
acquiring second indication information in the first information;
acquiring first NPN information in the first information;
wherein the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
11. The method according to claim 7, wherein the second communication device performs the operation of determining the second server, the operation of determining the second information, and/or the operation of sending the second information to the first server if the second condition is satisfied; wherein the second condition comprises at least one of:
confirming that the terminal is allowed to obtain the authority of accessing the first NPN;
confirming that the authority of accessing the first NPN through the second certificate is allowed to be added to the terminal;
confirming that the authority of accessing a third NPN through the second certificate is added to the terminal;
acquiring first indication information in the first information;
acquiring third indication information in the first information;
acquiring fourth indication information in the first information;
acquiring first NPN information in the first information;
Acquiring index information of a second network in the first information;
wherein the third NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
12. The method of claim 7, wherein after the step of sending the second information to the first server, the method further comprises:
acquiring certificate information of a second NPN;
sending the acquired certificate information of the second NPN;
and/or
After the step of sending the second information to the second server, the method further includes:
acquiring the update information of the second certificate;
and sending the update information of the acquired second certificate.
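Claims 7 and 9 to 12 describe the second communication device (the network function that receives the first information): it confirms the request, evaluates the first condition (claim 10) to decide whether to determine a first server and forward second information to it, the second condition (claim 11) to decide whether to involve the second server, and the third condition (claim 9) to decide whether the terminal gets the first server's address for a user-plane download. The following is an added Python model of that decision logic; it is not code from the patent or from the applicant. The dict keys, the `SubscriptionPolicy` record, and the choice to gate each claimed trigger on what the policy allows for the terminal are assumptions; where claim 11 says the second information is sent to the first server, this model sends it to the second server, following claim 12. Relaying the server's reply (claim 12) is a pass-through and is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

CONTROL_PLANE = "control_plane"
USER_PLANE = "user_plane"

# The first information (claim 8) is a plain dict here with hypothetical keys:
#   "first_npn", "second_network_index", "first_indication", "second_indication",
#   "third_indication", "fourth_indication", "first_access_mode_type", "cert_download_mode_type"
SECOND_INFO_KEYS = ("second_network_index", "first_indication", "second_indication",
                    "third_indication", "fourth_indication")


@dataclass(frozen=True)
class SubscriptionPolicy:
    """Hypothetical view the second communication device holds of one terminal."""
    certificate_configurable: FrozenSet[str]   # NPNs whose certificate may be configured for it
    authority_grantable: FrozenSet[str]        # NPNs it may be granted via its existing (second) certificate
    cert_servers: Dict[str, str]               # NPN id -> configuration server of that NPN's certificate
    second_cert_server: str                    # configuration server of the second certificate


@dataclass
class FirstOperation:
    actions: List[str] = field(default_factory=list)
    first_server: Optional[str] = None
    second_server: Optional[str] = None
    to_first_server: Optional[dict] = None     # second information (all or part of the first information)
    to_second_server: Optional[dict] = None
    address_sent_to_terminal: bool = False


def _second_information(first_info: dict, npns: FrozenSet[str]) -> dict:
    """Claims 7 and 15: the second information is part of the first information; the NPN
    information is narrowed to the NPNs the policy actually allows."""
    out = {k: first_info[k] for k in SECOND_INFO_KEYS if k in first_info}
    out["npn"] = sorted(npns)
    return out


def first_operation(first_info: dict, policy: SubscriptionPolicy) -> FirstOperation:
    res = FirstOperation(actions=["confirm_request"])
    requested = frozenset(first_info.get("first_npn", ()))
    second_npn = requested & policy.certificate_configurable   # all or part of the first NPN
    third_npn = requested & policy.authority_grantable

    # Claim 10, first condition: any listed trigger, gated by what the policy allows.
    cert_trigger = (first_info.get("first_indication") or first_info.get("second_indication")
                    or bool(requested))
    if cert_trigger and second_npn:
        res.actions.append("confirm_certificate_configurable")
        # Determine the first server: the configuration server of (one of) the second NPN;
        # the policy is assumed to list a server for every configurable NPN.
        res.first_server = policy.cert_servers[min(second_npn)]
        res.to_first_server = _second_information(first_info, second_npn)
        # Claim 9, third condition: user-plane type -> tell the terminal where to download from.
        if USER_PLANE in (first_info.get("first_access_mode_type"),
                          first_info.get("cert_download_mode_type")):
            res.address_sent_to_terminal = True
            res.actions.append("send_first_server_address")
        else:
            res.actions.append("send_second_information_to_first_server")

    # Claim 11, second condition: access via the certificate the terminal already has.
    update_trigger = (first_info.get("first_indication") or first_info.get("third_indication")
                      or first_info.get("fourth_indication")
                      or first_info.get("second_network_index") is not None or bool(requested))
    if update_trigger and third_npn:
        res.actions.append("confirm_authority_addable")
        res.second_server = policy.second_cert_server
        res.to_second_server = _second_information(first_info, third_npn)
        res.actions.append("send_second_information_to_second_server")

    if res.first_server is None and res.second_server is None:
        res.actions.append("reject")   # nothing the policy allows for this request
    return res
```

With a policy that allows a certificate for `NPN-1` and access to `NPN-2` via the existing certificate, a user-plane request for both yields a first-server address for the terminal and second information for both servers, each narrowed to its own NPN; the same request in control-plane mode keeps the server address inside the network; a request for an NPN the policy knows nothing about is rejected after the request is confirmed.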
13. An access control method applied to a third communication device, the method comprising:
acquiring first information or second information;
executing a second operation according to the first information or the second information;
wherein the performing the second operation comprises at least one of:
confirming a request of the terminal for accessing the authority of the first NPN;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
confirming whether certificate information of a first NPN is allowed to be configured for the terminal;
determining whether permission of accessing the first NPN through the second certificate is allowed to be added to the terminal;
Determining whether permission of accessing the NPN type network through the second certificate is allowed to be added to the terminal;
configuring certificate information of a second NPN for the terminal, or adding the authority of accessing a third NPN through the second certificate for the terminal, or adding the authority of accessing an NPN type network through the second certificate for the terminal;
sending certificate information of a second NPN or sending update information of a second certificate;
wherein the second certificate comprises a certificate that the terminal already has;
the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
the third NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN;
the second NPN is the same as or different from the third NPN.
14. The method of claim 13, wherein the first information comprises at least one of: the first NPN information, the index information of the second network, the first indication information, the second indication information, the third indication information and the fourth indication information;
the information of the first NPN can be used for at least one of the following: requesting the authority of accessing the first NPN, requesting a certificate of the first NPN, requesting the authority of accessing the first NPN through a second certificate, and requesting the authority of accessing an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or requesting a certificate of the current access network, or requesting a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate, or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing an NPN type network through the second certificate, or requesting the authority of accessing an NPN type network through the certificate of the current access network.
15. The method of claim 13, wherein the second information comprises at least one of: NPN information, index information of a second network, first indication information, second indication information, third indication information and fourth indication information;
the NPN information can be used for at least one of the following: requesting the authority of accessing the NPN, requesting a certificate of the NPN, requesting the authority of accessing the NPN through a second certificate, and requesting the authority of accessing an NPN type network;
the first indication information is used for requesting the authority of accessing the NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the NPN, or requesting a certificate of the current access network, or requesting a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the NPN through a second certificate, or requesting the authority of accessing the NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing an NPN type network through the second certificate, or requesting the authority of accessing an NPN type network through the certificate of the current access network.
16. The method of claim 13, wherein the certificate information of the first NPN comprises at least one of: a certificate of the first NPN, information of a network allowing access through the certificate of the first NPN, and a right allowing access to the NPN type network through the certificate of the first NPN;
and/or the certificate information of the second NPN comprises at least one of the following items: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
And/or the updated information of the second certificate comprises at least one of the following: information allowing access to the network via the second certificate, permission allowing access to the NPN type network via the second certificate, indication allowing access to the requested NPN via the second certificate, indication allowing access to the NPN type network via the second certificate;
wherein the second NPN is all NPNs in the first NPN or is a part of NPNs in the first NPN.
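Claims 13 to 16, like the description's list of second-operation elements above, describe the third communication device, the configuration server that receives the first or second information, confirms the request, and either configures certificate information of the second NPN (all or part of the first NPN) or adds to the terminal the authority of accessing a third NPN through the certificate it already has, then sends the certificate information or the update information. The following is an added Python model of that operation; it is not code from the patent or from the applicant. The `ServerDatabase` record, the dict keys, and the toy credential (a canonical JSON body bound to the terminal and the NPN set, with an HMAC-SHA256 tag and an expiry) are assumptions standing in for the real certificate format, which the claims do not specify; the `verify_certificate` function shows what an NPN relying on that credential would check.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

CERT_LIFETIME = 24 * 3600   # seconds; constructed value


@dataclass(frozen=True)
class ServerDatabase:
    """Hypothetical state of the third communication device (a certificate configuration server)."""
    key: bytes                                           # constructed MAC key standing in for a CA key
    npn_entitlements: Dict[str, FrozenSet[str]]          # terminal -> NPNs it may get a certificate for
    second_cert_entitlements: Dict[str, FrozenSet[str]]  # terminal -> NPNs reachable via its existing certificate
    npn_type_entitled: FrozenSet[str]                    # terminals allowed onto the whole NPN type that way


def issue_certificate(db: ServerDatabase, terminal_id: str, npns: FrozenSet[str], not_after: int) -> str:
    """Toy credential bound to the terminal and NPN set. A real deployment would issue an X.509
    certificate; the binding and the expiry are the properties that matter here."""
    body = json.dumps({"sub": terminal_id, "npn": sorted(npns), "exp": not_after},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(db.key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_certificate(key: bytes, certificate: str, now: int) -> Optional[dict]:
    """Return the bound payload if the tag is valid and the credential is unexpired, else None."""
    body, _, tag = certificate.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    return payload if payload["exp"] > now else None


def second_operation(db: ServerDatabase, terminal_id: str, second_info: dict, now: int) -> dict:
    """Claims 13 and 16: confirm the request, then configure a certificate or add authority."""
    requested = frozenset(second_info.get("npn", ()))
    result = {"actions": ["confirm_request"]}

    if second_info.get("third_indication") or second_info.get("fourth_indication"):
        # Add authority via the certificate the terminal already has (third NPN, part of the first NPN).
        third_npn = requested & db.second_cert_entitlements.get(terminal_id, frozenset())
        npn_type = terminal_id in db.npn_type_entitled and bool(second_info.get("fourth_indication"))
        if not third_npn and not npn_type:
            result["actions"].append("reject")
            return result
        result["second_certificate_update"] = {
            "networks_allowed_via_second_cert": sorted(third_npn),
            "requested_npn_allowed": bool(third_npn),
            "npn_type_allowed": npn_type,
        }
        result["actions"].append("send_update_information")
        return result

    # Configure certificate information of the second NPN (all or part of the first NPN).
    second_npn = requested & db.npn_entitlements.get(terminal_id, frozenset())
    if not second_npn:
        result["actions"].append("reject")
        return result
    result["second_npn_certificate_info"] = {
        "certificate": issue_certificate(db, terminal_id, second_npn, now + CERT_LIFETIME),
        "networks_allowed_via_certificate": sorted(second_npn),
        "npn_type_allowed": False,
    }
    result["actions"].append("send_certificate_information")
    return result
```

The server narrows the requested NPN set to what the terminal is entitled to, so a request for `NPN-1` and `NPN-9` from a terminal entitled only to `NPN-1` produces a credential listing only `NPN-1`; the credential fails verification once expired, under a different key, or after any edit to its body, which is what keeps the issued authority from being widened by the terminal.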
17. An access control method applied to a first communication device, the method comprising:
acquiring third information; wherein the third information includes at least one of certificate information of the second NPN and update information of the second certificate; the second certificate comprises a certificate already possessed by the first communication device; the second NPN is one or more NPN;
according to the third information, executing the operation of accessing a second NPN or a fourth network;
wherein the fourth network is one of: other networks different from the second NPN, other networks different from the second network;
the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of a network that allows access through the certificate of the second NPN, a right to allow access to the NPN-type network through the second NPN certificate;
the certificate information of the current access network comprises at least one of: information of a network allowed to be accessed through the certificate of the current access network, indication information that the requested NPN is allowed to be accessed through the certificate of the current access network, and indication information that an NPN type network is allowed to be accessed through the certificate of the current access network;
the update information of the second certificate includes at least one of: information allowing access to the network via the second certificate, permission allowing access to the NPN type network via the second certificate, indication allowing access to the requested NPN via the second certificate, indication allowing access to the NPN type network via the second certificate.
18. The method of claim 17,
the network allowed to be accessed through the certificate of the second NPN comprises the fourth network;
and/or
the network allowed to be accessed through the second certificate comprises the fourth network.
19. A communication device, the communication device being a first communication device, comprising:
the sending module is used for sending first information;
wherein the first information comprises at least one of: information of a first independent non-public network (NPN), index information of a second network, first indication information, second indication information, third indication information, fourth indication information, indication information for requesting certificate downloading, indication information for requesting a first access mode, type information of the first access mode, and type information of the certificate downloading mode;
the information of the first NPN can be used for at least one of the following: requesting the authority of accessing the first NPN, requesting a certificate of the first NPN, requesting the authority of accessing the first NPN through a second certificate, and requesting the authority of accessing an NPN type network;
the first indication information is used for requesting the authority of accessing the first NPN, or for requesting the authority of accessing the current access network, or for requesting the authority of accessing an NPN type network;
the second indication information is used for requesting a certificate of the first NPN, or requesting a certificate of the current access network, or requesting a certificate for accessing an NPN type network;
the third indication information is used for requesting the authority of accessing the first NPN through the second certificate, or requesting the authority of accessing the first NPN through the certificate of the current access network;
the fourth indication information is used for requesting the authority of accessing an NPN type network through the second certificate, or requesting the authority of accessing an NPN type network through the certificate of the current access network;
the second certificate comprises a certificate already possessed by the first communication device; wherein
the first access mode includes: an access mode for accessing the first network in order to download a certificate for accessing the second network; the first network and the second network are the same network or different networks;
The type information of the first access mode indicates at least one of: a first access mode of a control plane type and a first access mode of a user plane type;
the type information of the certificate downloading mode indicates at least one of the following items: control plane type certificate downloading mode and user plane type certificate downloading mode.
20. A communication device, the communication device being a second communication device, comprising:
a first acquisition module, configured to acquire first information;
a first execution module, configured to perform a first operation according to the first information;
wherein performing the first operation comprises at least one of:
confirming a request from the terminal for the authority to access the first NPN;
confirming whether the terminal is allowed to acquire the authority to access the first NPN;
confirming whether certificate information of the first NPN is allowed to be configured for the terminal;
determining whether the authority to access the first NPN through the second certificate is allowed to be added for the terminal;
determining whether the authority to access the NPN-type network through the second certificate is allowed to be added for the terminal;
confirming that the terminal has been configured with the certificate information of the second NPN, or confirming that the terminal has been granted the authority to access the third NPN through the second certificate, or confirming that the terminal has been granted the authority to access the NPN-type network through the second certificate;
determining a first server;
sending address information of the first server and/or NPN identification information corresponding to the first server;
determining a second server;
determining second information;
initiating a certificate configuration request or a configuration update request for the terminal to the first server and/or the second server;
sending the second information to the first server and/or the second server;
wherein the first server is one of: a configuration server for configuring a certificate of the second NPN for the terminal, a configuration server for configuring a certificate for accessing the NPN for the terminal, and a server that the terminal needs to access in order to download the NPN certificate; the second server is a configuration server for configuring the second certificate for the terminal; the second information includes all or part of the first information.
21. A communication device, the communication device being a third communication device, comprising:
a second acquisition module, configured to acquire the first information or the second information;
a second execution module, configured to perform a second operation according to the first information or the second information;
wherein performing the second operation comprises at least one of:
confirming a request from the terminal for the authority to access the first NPN;
confirming whether certificate information of the first NPN is allowed to be configured for the terminal;
determining whether the authority to access the first NPN through the second certificate is allowed to be added for the terminal;
determining whether the authority to access the NPN-type network through the second certificate is allowed to be added for the terminal;
configuring certificate information of the second NPN for the terminal, or adding for the terminal the authority to access the third NPN through the second certificate, or adding for the terminal the authority to access the NPN-type network through the second certificate;
sending certificate information of the second NPN or sending update information of the second certificate;
wherein the second certificate comprises a certificate that the terminal already has;
the second NPN is all of the NPNs in the first NPN or a part of the NPNs in the first NPN;
the third NPN is all of the NPNs in the first NPN or a part of the NPNs in the first NPN;
the second NPN is the same as or different from the third NPN.
22. A communication device, the communication device being a fourth communication device, comprising:
a third acquisition module, configured to acquire third information; wherein the third information includes at least one of certificate information of the second NPN and update information of the second certificate; the second certificate comprises a certificate already possessed by the first communication device; the second NPN is one or more NPNs;
a third execution module, configured to perform an operation of accessing the second NPN or a fourth network according to the third information;
wherein the fourth network is one of: another network different from the second NPN, another network different from the second network;
the certificate information of the second NPN includes at least one of: a certificate of the second NPN, information of the networks allowed to be accessed through the certificate of the second NPN, and the authority to access the NPN-type network through the certificate of the second NPN;
the certificate information of the current access network includes at least one of: information of the networks allowed to be accessed through the certificate of the current access network, indication information that the requested NPN is allowed to be accessed through the certificate of the current access network, and indication information that the NPN-type network is allowed to be accessed through the certificate of the current access network;
the update information of the second certificate includes at least one of: information of the networks allowed to be accessed through the second certificate, the authority to access the NPN-type network through the second certificate, indication information that the requested NPN is allowed to be accessed through the second certificate, and indication information that the NPN-type network is allowed to be accessed through the second certificate.
23. A communication device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the access control method according to any one of claims 1 to 6, or the steps of the access control method according to any one of claims 7 to 12, or the steps of the access control method according to any one of claims 13 to 16, or the steps of the access control method according to claim 17 or 18.
24. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the access control method according to any one of claims 1 to 6, or the steps of the access control method according to any one of claims 7 to 12, or the steps of the access control method according to any one of claims 13 to 16, or the steps of the access control method according to claim 17 or 18.
CN202110078153.8A 2020-04-17 2021-01-20 Access control method and communication equipment Pending CN113556746A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/086626 WO2021208857A1 (en) 2020-04-17 2021-04-12 Access control method and communication device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010307389 2020-04-17
CN202010307389X 2020-04-17

Publications (1)

Publication Number Publication Date
CN113556746A true CN113556746A (en) 2021-10-26

Family

ID=78101663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110078153.8A Pending CN113556746A (en) 2020-04-17 2021-01-20 Access control method and communication equipment

Country Status (1)

Country Link
CN (1) CN113556746A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2924944A1 (en) * 2014-03-25 2015-09-30 TeliaSonera AB Network authentication
CN110636506A (en) * 2018-06-22 2019-12-31 维沃移动通信有限公司 Network access method, terminal and network side network element

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"S3-190993_v3_update_of_S3-190789", 3GPP INBOX\\SA3 *
ERICSSON, SONY, NOKIA, NOKIA SHANGHAI BELL, OPPO, FUTUREWEI, INTEL, CHINA TELECOM, LENOVO, MOTOROLA MOBILITY, CONVIDA WIRELESS, CI: "S2-2008467 KI#4: Conclusion update - UE Onboarding indications", 3GPP TSG_SA\\WG2_ARCH, no. 2, pages 1 - 3 *
INTEL: "S1-191560 NPN access authentication based on PLMN subscription and credentials", 3GPP TSG_SA\\WG1_SERV, no. 1, pages 1 - 6 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination