CN113676903B - Slice authentication authorization management method, device and system - Google Patents


Info

Publication number: CN113676903B
Authority: CN (China)
Prior art keywords: network element, slice, authorization, authentication, triggering
Legal status: Active
Application number: CN202010366933.8A
Other languages: Chinese (zh)
Other versions: CN113676903A (en)
Inventor: 吴义壮
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to CN202010366933.8A
Priority to PCT/CN2021/091199 (WO2021219107A1)
Publication of CN113676903A
Application granted
Publication of CN113676903B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the application provide a slice authentication and authorization management method, device and system. The method comprises the following steps: the authentication and authorization network element acquires a triggering network element that serves the terminal device and is associated with the first slice; the authentication and authorization network element notifies the triggering network element to perform slice authentication and authorization processing of the first slice on the terminal device; where the slice authentication and authorization processing is either slice re-authentication and re-authorization, or slice authorization revocation. The method can be used in a dual-registration scenario, a 3GPP access scenario, a non-3GPP access scenario, and any scenario involving authentication and authorization of slices or other network functions.

Description

Slice authentication authorization management method, device and system
Technical Field
The present application relates to the field of communications technologies, and in particular, to a slice authentication authorization management method, apparatus, and system.
Background
The 5G era is one of pervasive sensing, pervasive intelligence and pervasive interconnection. Different services place diverse requirements on the network. Smart homes and smart grids, for example, require a large number of connections and frequent transmission of small data packets; autonomous driving and industrial control require delays on the order of milliseconds and near 100% reliability; entertainment information services require broadband connectivity. Therefore, 5G networks need to be more flexible to support the diverse requirements that different services place on the network. Currently, the industry groups 5G-era services into three typical types: enhanced mobile broadband (eMBB), ultra-reliable low-latency communication (URLLC), and massive Internet of Things communication (mMTC).
Network slicing technology has emerged to meet the differentiated needs that different services place on the network. Network slicing generally refers to dividing an operator's physical network into multiple virtual networks, each tailored to different service requirements such as latency, bandwidth, security and reliability, so that different types of services can be served flexibly. A network slice may be referred to simply as a slice.
When a terminal registers with the network, the network determines one or more network slices that the terminal is allowed to access, and may initiate slice authentication and authorization for those network slices as required. After a network slice has been authenticated and authorized, the network may initiate slice re-authentication and re-authorization, or slice authorization revocation, for that network slice as needed.
The 5G network architecture supports dual registration, which allows a terminal to register with different networks. For example, a terminal may be registered with two networks belonging to different Public Land Mobile Networks (PLMNs) through non-3GPP (non-third generation partnership project) access and 3GPP access. The terminal is then served by the respective access and mobility management functions (AMFs) of the two networks, and the network slices that the different AMFs determine the terminal is allowed to access may be the same or different. In the dual registration scenario, the network may likewise perform slice authentication and authorization on the slices the terminal is allowed to access as needed, and may subsequently perform slice re-authentication and re-authorization, or slice authorization revocation, on those slices as needed.
In the dual registration scenario described above, two AMFs serve the same terminal, and a communication abnormality may occur when the network performs slice re-authentication and re-authorization on a slice, or when it revokes slice authorization. This communication abnormality may also occur in other scenarios in which multiple network elements of the same type serve the terminal.
Disclosure of Invention
The embodiments of the application provide a slice authentication and authorization management method, device and system, in order to reduce communication abnormalities caused by slice re-authentication and re-authorization or by slice authorization revocation.
In order to achieve the above object, the embodiments of the present application provide the following solutions.
In a first aspect, an embodiment of the present application provides a slice authentication and authorization management method, including: the authentication and authorization network element acquires a triggering network element that serves the terminal device and is associated with the first slice; the authentication and authorization network element notifies the triggering network element to perform slice authentication and authorization processing of the first slice on the terminal device; where the slice authentication and authorization processing is either slice re-authentication and re-authorization, or slice authorization revocation.
By the method of the first aspect, the authentication and authorization network element can accurately acquire the trigger network elements associated with the slice, which serve the terminal, by using the information of the slice, so that communication abnormality caused by mistakenly acquiring the trigger network elements not associated with the slice when one terminal is associated with a plurality of trigger network elements can be avoided.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, a triggering network element associated with the first slice, which serves the terminal device, includes: the authentication and authorization network element acquires a first trigger network element associated with the terminal device and the first slice from an information storage network element; the step of informing, by the authentication and authorization network element, the triggering network element of performing the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication and authorization network element informs the first triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device. The embodiment can facilitate sharing and interaction of slice-related information by different networks by using the information storage network element.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, a triggering network element associated with the first slice, which serves the terminal device, includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including first identification information of the first triggering network element.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, a triggering network element associated with the first slice, which serves the terminal device, includes: the authentication and authorization network element acquires a plurality of first trigger network elements which serve the terminal device and are associated with the first slice; the step of informing, by the authentication and authorization network element, the triggering network element of performing the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication authorization network element informs the plurality of first trigger network elements to perform the slice authentication authorization processing of the first slice on the terminal device.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, a plurality of first triggering network elements associated with the first slice, which serve the terminal device, includes: the authentication authorization network element obtains a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of first triggering network elements.
As an optional implementation manner, the obtaining, by the authentication and authorization network element, a plurality of first triggering network elements associated with the first slice, which serve the terminal device, includes: the authentication and authorization network element acquires a plurality of second trigger network elements associated with the terminal device and slices associated with the plurality of second trigger network elements from an information storage network element; the authentication and authorization network element determines the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, the plurality of second trigger network elements associated with the terminal device and the slices associated with the plurality of second trigger network elements from the information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, wherein the first request comprises first identification information of the terminal device, and the first request is used for acquiring the second trigger network element and a slice associated with the second trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of second trigger network elements and identification information of the slices associated with the plurality of second trigger network elements.
As an alternative embodiment, the slice authentication and authorization processing is the slice re-authentication and re-authorization; the acquiring, by the authentication and authorization network element, of a triggering network element serving the terminal device and associated with the first slice includes: the authentication and authorization network element acquires a plurality of first triggering network elements that serve the terminal device and are associated with the first slice; the authentication and authorization network element determines a second triggering network element from the plurality of first triggering network elements; the step of notifying, by the authentication and authorization network element, the triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device includes: the authentication and authorization network element notifies the second triggering network element to perform slice re-authentication and re-authorization of the first slice on the terminal device. With this implementation, when a plurality of triggering network elements are associated with the slice, a single network element can be selected to perform slice re-authentication and re-authorization for the terminal, so that repeated re-authentication and re-authorization is avoided and signaling is saved.
As an optional implementation manner, the obtaining, by the authentication and authorization network element, a plurality of first triggering network elements associated with the first slice, which serve the terminal device, includes: the authentication and authorization network element obtains a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of first triggering network elements.
As an optional implementation manner, the obtaining, by the authentication and authorization network element, a plurality of first triggering network elements associated with the first slice, which serve the terminal device, includes: the authentication and authorization network element acquires a plurality of second trigger network elements associated with the terminal device and slices associated with the plurality of second trigger network elements from an information storage network element; the authentication and authorization network element determines the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
As an optional implementation manner, the acquiring, by the authentication and authorization network element, the plurality of second trigger network elements associated with the terminal device and the slices associated with the plurality of second trigger network elements from the information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, wherein the first request comprises first identification information of the terminal device, and the first request is used for acquiring the second trigger network element and a slice associated with the second trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of second triggering network elements and identification information of the slices associated with the plurality of second triggering network elements.
As an optional implementation manner, the determining, by the authentication and authorization network element, of the second triggering network element from the plurality of first triggering network elements includes: the authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and each of the plurality of first triggering network elements; where the connection state is either a connected state or an idle state. Selecting the triggering network element by connection state allows a triggering network element better suited to slice authentication and authorization processing to be chosen.
As an optional implementation manner, the determining, by the authentication and authorization network element, of the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements includes: the authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements such that the connection state between the terminal device and the second triggering network element is the connected state.
As an optional implementation manner, the determining, by the authentication and authorization network element, of the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements includes: when the connection state between the terminal device and each of the plurality of first triggering network elements is the idle state, the authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access type corresponding to each of the plurality of first triggering network elements; where the access types include 3GPP access and non-3GPP access. Taking the access type into account as well when selecting the triggering network element allows a triggering network element better suited to slice authentication and authorization processing to be chosen.
As an optional implementation manner, the determining, by the authentication and authorization network element, the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements includes: the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
As an optional implementation manner, the determining, by the authentication authorization network element, the second triggering network element from the plurality of first triggering network elements includes: the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements; wherein the access types include 3GPP access and non-3GPP access.
As an optional implementation manner, the determining, by the authentication and authorization network element, the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements includes: the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
As an optional implementation, the method further comprises: the authentication and authorization network element acquires the connection states of the plurality of first trigger network elements from the information storage network element; or, the authentication and authorization network element obtains the connection statuses of the plurality of first trigger network elements from the plurality of first trigger network elements.
As an optional implementation, the method further comprises: the authentication and authorization network element acquires the access types corresponding to the plurality of first trigger network elements from the information storage network element; or, the authentication and authorization network element obtains the access types corresponding to the plurality of first trigger network elements from the plurality of first trigger network elements.
As an optional implementation, the first request further includes: a first indication, which is used for indicating that the network element type is AMF; or a second indication indicating the slice authentication authorization process.
As an optional implementation, the method further comprises: the authentication and authorization network element receives a second request, where the second request includes second identification information of the terminal device and second identification information of the first slice, and the second request is used to request that the terminal device initiate the slice authentication and authorization processing on the first slice.
As an optional implementation manner, the authentication authorization network element is NSSAAF, and the triggering network element is AMF.
As an alternative embodiment, the information storage network element is a UDM.
In a second aspect, an embodiment of the present application provides a slice authentication and authorization management method, including: the information storage network element acquires slice authentication and authorization information, where the slice authentication and authorization information indicates a terminal device, a triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element; the triggering network element serves the terminal device, and the slice is one for which the terminal device has been successfully authenticated and authorized on the triggering network element; the information storage network element receives a first request from an authentication and authorization network element, where the first request requests the first triggering network element associated with the terminal device and the first slice; the information storage network element determines the first triggering network element according to the slice authentication and authorization information and the first request; the information storage network element sends a first response to the authentication and authorization network element, where the first response includes the identification information of the first triggering network element. Optionally, the information storage network element is a UDM, an HSS, or an HLR.
By the method of the second aspect, the information storage network element can obtain the terminal, the triggering network element serving the terminal, and the slice associated with the terminal and the triggering network element, and can provide the correct triggering network element to the authentication and authorization network element according to the request of the authentication and authorization network element, so that the authentication and authorization network element can notify the correct triggering network element to perform slice authentication and authorization processing.
As an optional implementation manner, the determining, by the information storage network element, the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determining a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request; the information storage network element sends a first response to the authentication authorization network element, where the first response includes identification information of the first trigger network element, and includes: the information storage network element sends the first response to the authentication authorization network element, where the first response includes the identification information of the plurality of second trigger network elements.
As an optional embodiment, the first request further includes a first indication indicating slice authorization revocation; the determining, by the information storage network element, of a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request includes: the information storage network element determines the plurality of second triggering network elements based on the slice authentication and authorization information, the first request, and the first indication.
As an optional implementation manner, the determining, by the information storage network element, the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determining a third triggering network element of a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request; the information storage network element sends a first response to the authentication authorization network element, where the first response includes identification information of the first trigger network element, and includes: the information storage network element sends the first response to the authentication and authorization network element, where the first response includes the identification information of the third trigger network element.
As an optional implementation, the determining, by the information storage network element, of a third triggering network element among a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request includes: the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information and the first request; the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and each of the plurality of second triggering network elements; where the connection state is either a connected state or an idle state.
As an optional implementation manner, the determining, by the information storage network element, of the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements such that the connection state between the terminal device and the third triggering network element is the connected state.
As an optional implementation manner, the determining, by the information storage network element, of the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements includes: when the connection state between the terminal device and each of the plurality of second triggering network elements is the idle state, the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access type corresponding to each of the plurality of second triggering network elements; where the access types include 3GPP access and non-3GPP access.
As an optional implementation manner, the determining, by the information storage network element, the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements, and the access type corresponding to the third triggering network element is the 3GPP access.
As an optional embodiment, the information storing network element determines, according to the slice authentication and authorization information and the first request, a third triggering network element of a plurality of second triggering network elements associated with the terminal device and the first slice, including: the information storage network element determines the plurality of second trigger network elements according to the slice authentication and authorization information and the first request; the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements; wherein the access types include 3GPP access and non-3GPP access.
As an optional implementation manner, the determining, by the information storage network element, the third triggering network element from the multiple second triggering network elements according to the access types corresponding to the multiple second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements, and the access type corresponding to the third triggering network element is the 3GPP access.
As an optional implementation manner, the first request further includes a second indication, where the second indication is used to indicate that the network element type is an AMF.
In a third aspect, an embodiment of the present application provides a slice authentication and authorization management method, including: the triggering network element sends slice authentication and authorization information to an information storage network element, wherein the slice authentication and authorization information is used for indicating a terminal device, a triggering network element associated with the terminal device and a slice associated with the terminal device and the triggering network element, the triggering network element serves the terminal device, and the slice is a slice in which the terminal device is successfully authenticated and authorized on the triggering network element; the triggering network element receives a notification from an authentication authorization network element, wherein the notification is used for notifying the terminal device of slice authentication authorization processing of the slice; wherein, the slice authentication and authorization processing is as follows: slice re-authentication and re-authorization, or slice authorization revocation.
As an optional implementation, the method further comprises: the triggering network element initiates the slice authentication and authorization processing of the slice to the terminal device.
In a fourth aspect, an embodiment of the present application provides an authentication and authorization network element, including a processor and a memory; the processor is adapted to read and execute instructions from the memory to implement the method of the first aspect.
In a fifth aspect, an embodiment of the present application provides an information storage network element, including a processor and a memory; the processor is configured to read and execute instructions from the memory to implement the method of the second aspect.
In a sixth aspect, an embodiment of the present application provides a triggering network element, including a processor and a memory; the processor is configured to read and execute instructions from the memory to implement the method of the third aspect.
In a seventh aspect, an embodiment of the present application provides a network element, including a functional unit configured to implement the method according to the first aspect.
In an eighth aspect, an embodiment of the present application provides a network element, which includes functional units for implementing the method according to the second aspect.
In a ninth aspect, an embodiment of the present application provides a network element, including functional units for implementing the method according to the third aspect.
In a tenth aspect, an embodiment of the present application provides a communication system, including at least two of the following network elements: the authentication and authorization network element of the fourth aspect; the information storage network element of the fifth aspect; the triggering network element of the sixth aspect.
In an eleventh aspect, embodiments of the present application provide a computer program product comprising instructions which, when executed on a computer, cause the computer to implement the method according to the first aspect.
In a twelfth aspect, embodiments of the present application provide a computer program product comprising instructions that, when executed on a computer, cause the computer to implement the method according to the second aspect.
In a thirteenth aspect, the present application provides a computer program product comprising instructions which, when executed on a computer, cause the computer to implement the method according to the third aspect.
In a fourteenth aspect, the present application provides a computer-readable storage medium, including the computer program product according to the eleventh aspect.
In a fifteenth aspect, the present application provides a computer readable storage medium, including the computer program product according to the twelfth aspect.
In a sixteenth aspect, the present application provides a computer-readable storage medium, including the computer program product according to the thirteenth aspect.
In the solutions of the above aspects, by associating the slice, the terminal and the trigger network element, the trigger network element serving for the terminal and associated with the slice can be accurately obtained, thereby ensuring correct execution of the slice re-authentication and re-authorization process and the slice authorization revocation process, and avoiding communication errors.
Drawings
Fig. 1 is a schematic diagram of a 5G network dual registration scenario;
Fig. 2 is a schematic diagram of a method for terminal A to authenticate and authorize a slice in PLMN-1;
Fig. 3 is a schematic diagram of a method for terminal A to authenticate and authorize a slice in PLMN-2;
Fig. 4 is a schematic diagram of a method for AAA-s to initiate re-authentication and re-authorization of slice 1;
Fig. 5 is a schematic diagram of a method for AAA-s to initiate re-authentication and re-authorization of slice 2;
Fig. 6 is a schematic diagram of another method for AAA-s to initiate re-authentication and re-authorization of slice 2;
Fig. 7 is a schematic diagram of a method for AAA-s to initiate authorization revocation for slice 1;
Fig. 8 is a schematic diagram of a method for AAA-s to initiate authorization revocation for slice 2;
Fig. 9 is a schematic diagram of another method for AAA-s to initiate authorization revocation for slice 2;
Fig. 10 is a schematic diagram of a method of slice authentication and authorization management;
Fig. 11 is a schematic diagram of an architecture of a network element;
Fig. 12 is a schematic diagram of another architecture of a network element.
Detailed Description
In order to more clearly and completely describe the technical solution of the present application, the following description is made with reference to the accompanying drawings.
The embodiments of the present application mainly use a dual registration scenario of a 5G network as an example for description.
The 5G network is a new generation mobile communication network defined by the 3GPP organization after the 4G network. The 5G network architecture includes an access network and a core network. The access network is used to implement radio access related functions. Access networks are mainly divided into 3GPP access networks and non-3GPP access networks. A 3GPP access network refers to an access network using a 3GPP access technology, for example, an access network using an NR (new radio) or LTE (long term evolution) access technology. A non-3GPP access network refers to an access network using a non-3GPP access technology, for example, an access network using a WiMax or WLAN (wireless local area network) access technology. The core network is used for realizing functions related to authentication, access, mobility management, session management, policy management and the like. The core network of the 5G network may be referred to as 5GC for short. Compared with the 4G core network, the 5GC adopts an architecture in which the control plane is separated from the user plane, as well as a service-based architecture. It should be noted that the scheme of the present application may be applied not only to a 5G network, but also to an evolved 4G network or a future 6G network. The network applicable to the scheme of the application may adopt a structure in which the control plane is separated from the user plane, or a structure in which the control plane is integrated with the user plane. The network applicable to the scheme of the application may adopt a service-based architecture or a non-service-based architecture.
The 5GC mainly comprises the following logical network elements: AMF (Access and Mobility Management Function), SMF (Session Management Function), UPF (User Plane Function), UDM (Unified Data Management), and AUSF (Authentication Server Function). Different logical network elements of the 5GC may be deployed on the same or different physical devices. As a typical deployment, AMF and SMF may be deployed on the same physical device. In addition, a logical network element of the 5GC may be deployed on the same physical device as a network element of the 4G core network.
The AMF is a network element for performing access and mobility management on a terminal, and mainly relates to functions such as location update, network registration, and handover control of the terminal. The SMF is a network element for managing sessions of terminals, and mainly relates to functions of session establishment, modification, and release. The UPF is a network element for receiving and forwarding user data. The UPF is under SMF control. The UDM is a network element for managing user information, and mainly relates to functions such as generating authentication credentials, storing and managing user permanent identities, access authorization control, and user subscription data management. The AUSF is a network element for authenticating a terminal accessing the network. It should be noted that, as the 5G network evolves, the names of the above logical network elements may change, and the functions of the network elements may merge, separate, or even change; such changes do not depart from the applicable scope of the present solution.
Optionally, in order to implement the functions related to authentication and authorization for the slice, an NSSAAF (Network Slice-Specific Authentication and Authorization Function) network element may be introduced.
Through the 5G network, the terminal can communicate with a Data Network (DN). In mobile communication, a terminal is a device having a wireless communication function, and may be referred to as a terminal device: for example, a handheld device with wireless communication capability, an in-vehicle device, a wearable device, a computing device, or a water meter, sensor, chip system, baseband chip, baseband board, etc. connected to a wireless modem. In different networks, a terminal may be called differently; for example, the terminal may be called a User Equipment (UE), a Mobile Station (MS), a Wireless Local Loop (WLL) station, and the like. The DN is a service network providing a service for a user, such as an IMS (IP multimedia service) network, the Internet, and the like.
The 5G network supports the terminal accessing the network side through different access technologies. In the dual registration scenario of the 5G network, the terminal can be registered to the network side through 3GPP access and through non-3GPP access respectively. For the concept and description of dual registration in 5G networks, reference may be made, for example, to 3GPP TS 23.501 v16.4.0 section 5.3.2.4, "Support of a UE registered over 3GPP and Non-3GPP access".
Fig. 1 is a schematic diagram of a 5G network dual registration scenario. As shown in Fig. 1, a terminal accesses different networks through a 3GPP access and a non-3GPP access, respectively. It is understood that different networks refer to networks that differ from one another in some property. For example, the different networks may be networks belonging to different PLMNs (public land mobile networks). As another example, the different networks may be networks employing different technologies, such as a 5G network and a 4G network. In Fig. 1, the 3GPP access and the non-3GPP access belong to different PLMNs: the 3GPP access belongs to PLMN-1, and the non-3GPP access belongs to PLMN-2. Since the 3GPP access and the non-3GPP access selected by the terminal belong to different PLMNs, the terminal may be served by different AMFs. In PLMN-1, terminal A is served by AMF1, and in PLMN-2, terminal A is served by AMF2. Since the non-3GPP access network in Fig. 1 is an untrusted non-3GPP access network, terminal A needs to interact with AMF2 through an N3IWF. An N3IWF (non-3GPP interworking function) is a network element supporting interworking between a non-3GPP access network element or node and a network element of a 3GPP network. In addition, the non-3GPP access network may also be a trusted non-3GPP access network. For a trusted non-3GPP access network, the terminal may interact with the AMF via a TNGF (Trusted Non-3GPP Gateway Function). Furthermore, the non-3GPP access network may also be a wired 5G access network. For a wired 5G access network, the terminal may interact with the AMF through a W-AGF (Wired Access Gateway Function). It should be noted that the dual registration scenario shown in Fig. 1 is only an example, and the solution of the present application may also be applied to other scenarios in which a plurality of network elements of the same type provide services for a terminal.
The 5G network supports determining, when the terminal registers to the network, the slices the terminal is allowed to access. In the dual registration scenario of Fig. 1, when terminal A registers to PLMN-1 through 3GPP access, AMF1 may select slice 1 and slice 2 for terminal A to register according to user subscription data and/or a request of terminal A, and initiate slice authentication and authorization procedures for slice 1 and slice 2; when the terminal registers to PLMN-2 through non-3GPP access, AMF2 may select slice 1 and slice 3 for terminal A to register according to the user subscription data and/or the request of the terminal, and initiate slice authentication and authorization procedures for slice 1 and slice 3. Alternatively, slice authentication and authorization of slice 1 by AMF2 may be determined based on the slice authentication and authorization result of AMF1 for slice 1. The user subscription data may be obtained from the UDM, and the AUSF (or NSSAAF) and AAA-s may be used to handle authentication and/or authorization of the slice. Here, AAA-s (authentication, authorization, and accounting server) is an authentication server providing services such as authentication, authorization, and accounting. The AAA-s may belong to the operator or to a third party. Optionally, an AAA-p (authentication, authorization and accounting proxy) may be deployed between the AUSF (or NSSAAF) and the AAA-s; the AAA-p is an authentication, authorization and accounting proxy network element and belongs to the operator. The AAA-p may be used to relay information between the AUSF (or NSSAAF) and the AAA-s. In the present application, the authentication process and the authorization process are collectively referred to as an authentication and authorization process; that is, the authentication and authorization process may refer to the authentication process, the authorization process, or the authentication and authorization process.
Authentication may also sometimes be referred to as identity verification. The slice authentication and authorization flow refers to an authentication and authorization flow performed on a slice. The AAA-s may initiate a re-authentication and re-authorization procedure for the slice, or an authorization revocation procedure for the slice, if required. Similar to the authentication and authorization process, in the present application the re-authentication and re-authorization process may refer to a process of performing re-authentication, a process of performing re-authorization, or a process of performing re-authentication and re-authorization. The slice re-authentication and re-authorization flow refers to a re-authentication and re-authorization flow performed on a slice. In this application, the process of performing authorization revocation on a slice may be referred to as a slice authorization revocation process.
For example, the slice authentication and authorization flow may refer to 3GPP TS 23.502 v16.4.0 section 4.2.9.2, "Network Slice-Specific Authentication and Authorization"; the slice re-authentication and re-authorization flow may refer to 3GPP TS 23.502 v16.4.0 section 4.2.9.3, "AAA Server triggered Network Slice-Specific Re-authentication and Re-authorization procedure"; and the slice authorization revocation procedure may refer to 3GPP TS 23.502 v16.4.0 section 4.2.9.4, "AAA Server triggered Slice-Specific Authorization Revocation". It should be noted that the content of the 3GPP standard protocol cited in the present application may vary, and such variation does not depart from the application scope of the present application.
It should be noted that the scheme of the present application may be applicable to not only the authentication and authorization process, re-authentication and re-authorization process, and authorization revocation process related to the slice, but also the authentication and authorization process, re-authentication and re-authorization process, and authorization revocation process of other network functions.
In Fig. 1, since AMF1 and AMF2 both provide services for terminal A, when AAA-s initiates a slice re-authentication and re-authorization procedure or a slice authorization revocation procedure for one or more of slice 1, slice 2, or slice 3, a communication exception may be caused.
In view of this, the present application provides a method for authenticating and authorizing a slice, so as to reduce the above communication anomaly. In the following examples, NSSAAF is taken as an example for explanation. It is understood that NSSAAF in the following examples may be replaced with AUSF. The method is described below with reference to the scenario of Fig. 1.
Fig. 2 shows a method for terminal A to authenticate and authorize a slice in PLMN-1. As shown in Fig. 2:
S201: Authentication and authorization of slice 1 and slice 2 of terminal A are completed through AMF1.
AMF1 may trigger a slice authentication and authorization flow to authenticate and authorize terminal A for slice 1 and slice 2. The slice authentication and authorization procedure can be referred to in section 4.2.9.2 of 3GPP TS 23.502 v16.4.0.
As an embodiment, AMF1 may trigger slice authentication and authorization procedures for slice 1 and slice authentication and authorization procedures for slice 2 separately for terminal a, that is, initiate slice authentication and authorization procedures for each slice. As another embodiment, AMF1 may initiate a slice authentication and authorization procedure to authenticate and authorize slice 1 and slice 2.
Optionally, the S201 part may be performed when the terminal a registers to the PLMN-1 through the AMF1.
S202: the AMF1 sends slice authentication and authorization information to the UDM, the slice authentication and authorization information being used to indicate the slice that the terminal a successfully authenticates and authorizes on the AMF1.
In one embodiment, the AMF1 sends a piece of slice authentication and authorization information to the UDM, where the slice authentication and authorization information indicates a plurality of slices. As another embodiment, the AMF1 transmits a plurality of pieces of slice authentication and authorization information to the UDM, each piece of slice authentication and authorization information indicating one slice. Optionally, the AMF1 may send the slice authentication and authorization information corresponding to each slice after each slice authentication and authorization is successful. Optionally, the AMF1 may also send the corresponding multiple pieces of slice authentication and authorization information after the multiple pieces of slice authentication and authorization are successful.
As an example, the AMF1 transmits the identification information of the terminal a, the identification information of the slice 1, the identification information of the slice 2, and the identification information of the AMF1 to the UDM. The identification information of the terminal A is used for identifying the terminal A, the identification information of the slice 1 is used for identifying the slice 1, the identification information of the slice 2 is used for identifying the slice 2, and the identification information of the AMF1 is used for identifying the AMF1. The slices successfully authenticated and authorized by the terminal a on the AMF1 can be indicated as slice 1 and slice 2 by the identification information of the terminal a, the identification information of slice 1, the identification information of slice 2, and the identification information of the AMF1. The identification information of the terminal a, the identification information of the slice 1, the identification information of the slice 2, and the identification information of the AMF1 may be regarded as a kind of slice authentication and authorization information.
As another example, the AMF1 transmits first slice authentication and authorization information including identification information of the terminal a, identification information of the slice 1, and identification information of the AMF1 to the UDM. And the AMF1 transmits second slice authentication and authorization information to the UDM, the second slice authentication and authorization information including the identification information of the terminal a, the identification information of the slice 2, and the identification information of the AMF1.
As an embodiment, the AMF1 may send slice authentication and authorization information to the UDM through a Nudm_UESliceAuthentication message. For example, AMF1 sends a Nudm_UESliceAuthentication message to the UDM, which carries the slice authentication and authorization information.
S203: the UDM stores slice authentication and authorization information.
Through S203, the UDM stores the association relationship between terminal A, AMF1 and slice 1, and the association relationship between terminal A, AMF1 and slice 2. It can be understood that storing the association relationship between A and B means storing A, storing B, and establishing the association relationship between A and B.
S204: the UDM sends a response to the slice authentication and authorization information to the AMF1. This response is used to inform the AMF1 whether the above-described slice authentication and authorization information is successfully received. For receipt of multiple pieces of slice authentication and authorization information, the UDM may send the above-described response to AMF1 for each piece of slice authentication and authorization information. S204 is an optional step.
Illustratively, the response may be a Nudm_UESliceAuthenticationResponse.
As an alternative, S202 may be replaced with S205.
S205: The NSSAAF sends slice authentication and authorization information to the UDM, the slice authentication and authorization information indicating the slice that the terminal successfully authenticates and authorizes on AMF1. Optionally, the NSSAAF may send the slice authentication and authorization information corresponding to each slice after each slice authentication and authorization is successful. Optionally, the NSSAAF may also send the corresponding multiple pieces of slice authentication and authorization information after the multiple slice authentications and authorizations are successful.
In the slice authentication and authorization process of S201, the NSSAAF may participate in the authentication and authorization of slice 1 and slice 2, and the NSSAAF may know the slice that the terminal successfully authenticates and authorizes on AMF1.
Similar to S202, as an embodiment, the NSSAAF transmits the identification information of terminal a, the identification information of slice 1, the identification information of slice 2, and the identification information of AMF1 to the UDM. The relevant content of these identification information can be referred to S202. Similar to S202, the NSSAAF may send a piece of slice authentication and authorization information to the UDM, the slice authentication and authorization information indicating a plurality of slices; alternatively, the NSSAAF may also send a plurality of slice authentication and authorization information to the UDM, each slice authentication and authorization information indicating one slice.
As another possibility, the NSSAAF involved in the authentication and authorization of slice 1 may be different from the NSSAAF involved in the authentication and authorization of slice 2. For example, NSSAAF1 participates in the authentication and authorization of slice 1, and NSSAAF2 participates in the authentication and authorization of slice 2. In this case, the NSSAAF1 transmits first slice authentication and authorization information including identification information of the terminal a, identification information of the slice 1, and identification information of the AMF1 to the UDM, and the NSSAAF2 transmits second slice authentication and authorization information including identification information of the terminal a, identification information of the slice 2, and identification information of the AMF1 to the UDM.
Through the above S202 and S203, the UDM stores information of the slices successfully authenticated and authorized by terminal A on AMF1. When re-authentication and re-authorization or authorization revocation is subsequently performed on slice 1 or slice 2, it can be learned from the UDM that the AMF serving terminal A and associated with slice 1 or slice 2 is AMF1.
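To make the UDM-side bookkeeping concrete, the following added Python model (not code from the application or from any 3GPP implementation) stores the (terminal, AMF, slice) associations written in S203/S303 and then performs the lookup used when AAA-s later triggers re-authentication or authorization revocation, applying the selection rules of the optional implementations above: prefer an AMF the terminal is connected to, and when all candidates are idle prefer the one reached over 3GPP access. The identifiers `terminal-A`, `AMF1`, `AMF2`, `slice-1` to `slice-3`, the `revoke` helper and the connected-state preference are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class AccessType(Enum):
    """Access type over which an AMF serves the terminal (Fig. 1)."""
    ACCESS_3GPP = "3GPP"
    ACCESS_NON_3GPP = "non-3GPP"


class ConnState(Enum):
    """Connection state between the terminal and an AMF."""
    CONNECTED = "connected"
    IDLE = "idle"


@dataclass(frozen=True)
class SliceAuthInfo:
    """One piece of slice authentication and authorization information (S202/S205):
    the terminal, a slice it was successfully authenticated and authorized for,
    and the AMF (triggering network element) on which that happened."""
    ue_id: str
    slice_id: str
    amf_id: str


class UdmSliceAuthStore:
    """Models the UDM storing (terminal, AMF, slice) associations (S203/S303) and
    resolving which AMF should run a later re-authentication or revocation."""

    def __init__(self) -> None:
        self._records: List[SliceAuthInfo] = []

    def store(self, info: SliceAuthInfo) -> None:
        # Storing "A associated with B" = store A, store B, and link them; the same
        # association reported twice (per-slice and again in a batch) is kept once.
        if info not in self._records:
            self._records.append(info)

    def store_many(self, ue_id: str, amf_id: str, slice_ids: List[str]) -> None:
        # One message carrying several slices, expanded into one association per slice.
        for slice_id in slice_ids:
            self.store(SliceAuthInfo(ue_id, slice_id, amf_id))

    def revoke(self, ue_id: str, slice_id: str, amf_id: str) -> None:
        # Assumed helper: after a successful authorization revocation the
        # association for that AMF no longer holds.
        gone = SliceAuthInfo(ue_id, slice_id, amf_id)
        self._records = [r for r in self._records if r != gone]

    def amfs_for(self, ue_id: str, slice_id: str) -> List[str]:
        """All triggering network elements associated with this terminal and slice
        (the 'plurality of second triggering network elements'), in storage order."""
        found: List[str] = []
        for r in self._records:
            if r.ue_id == ue_id and r.slice_id == slice_id and r.amf_id not in found:
                found.append(r.amf_id)
        return found

    def select_trigger_amf(
        self,
        ue_id: str,
        slice_id: str,
        conn_state: Dict[str, ConnState],
        access_type: Dict[str, AccessType],
    ) -> Optional[str]:
        """Pick the single AMF (the 'third triggering network element') that should
        carry out re-authentication/re-authorization or authorization revocation.
        Returns None when no AMF is associated with the (terminal, slice) pair."""
        candidates = self.amfs_for(ue_id, slice_id)
        if not candidates:
            return None
        if len(candidates) == 1:
            return candidates[0]
        # Assumed preference: an AMF with which the terminal is in connected state.
        connected = [a for a in candidates if conn_state.get(a) == ConnState.CONNECTED]
        if connected:
            return connected[0]
        # All idle: choose by access type, preferring 3GPP access.
        over_3gpp = [a for a in candidates if access_type.get(a) == AccessType.ACCESS_3GPP]
        return over_3gpp[0] if over_3gpp else candidates[0]


def build_fig1_store() -> UdmSliceAuthStore:
    """Constructed sample following the Fig. 1 dual-registration scenario:
    AMF1 (PLMN-1, 3GPP access) authenticated slice 1 and slice 2 (S201-S203);
    AMF2 (PLMN-2, non-3GPP access) authenticated slice 2 and slice 3 (S301-S303)."""
    udm = UdmSliceAuthStore()
    udm.store_many("terminal-A", "AMF1", ["slice-1", "slice-2"])
    udm.store_many("terminal-A", "AMF2", ["slice-2", "slice-3"])
    return udm


if __name__ == "__main__":
    udm = build_fig1_store()
    access = {"AMF1": AccessType.ACCESS_3GPP, "AMF2": AccessType.ACCESS_NON_3GPP}
    idle = {"AMF1": ConnState.IDLE, "AMF2": ConnState.IDLE}
    # slice-1 is known only on AMF1; slice-2 is on both and resolves to AMF1 (3GPP) when idle
    print(udm.select_trigger_amf("terminal-A", "slice-1", idle, access))
    print(udm.select_trigger_amf("terminal-A", "slice-2", idle, access))
```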
As an alternative to Fig. 2, in the process of performing authentication and authorization on slice 1 and slice 2 of terminal A through AMF1, AMF1 may send slice authentication and authorization process information to AAA-s, where the slice authentication and authorization process information includes identification information of the terminal, identification information of the slice, and identification information of the PLMN to which the AMF belongs; for example, the slice authentication and authorization process information includes identification information of terminal A, identification information of slice 1, and identification information of PLMN-1. When there are multiple slices, the AMF may transmit the slice authentication and authorization process information once per slice, or the AMF may transmit the slice authentication and authorization process information once, including identification information of the multiple slices. For example, the slice authentication and authorization process information includes identification information of terminal A, identification information of slice 1, identification information of slice 2, and identification information of PLMN-1. After receiving the slice authentication and authorization process information, the AAA-s may store it once the slice authentication and authorization is successful. Here, the AMF may send the slice authentication and authorization process information to the AAA-s through the NSSAAF. In this alternative, the AMF may send the identification information of the AMF and the identification information of the PLMN to which the AMF belongs to the UDM, so that the AMF corresponding to a PLMN can be queried through the identification information of that PLMN. For example, AMF1 transmits the identification information of AMF1 and the identification information of PLMN-1 to the UDM.
Optionally, the AMF may also send the identification information of the slice to the UDM, for example, the AMF1 sends the identification information of the slice 1 to the UDM.
Fig. 3 shows a method for terminal A to authenticate and authorize a slice in PLMN-2. As shown in Fig. 3:
S301: Authentication and authorization of slice 2 and slice 3 for terminal A are completed through AMF2.
AMF2 may trigger a slice authentication and authorization flow to authenticate and authorize terminal A for slice 2 and slice 3. The slice authentication and authorization procedure can be referred to in section 4.2.9.2 of 3GPP TS 23.502 v16.4.0.
As an embodiment, AMF2 may trigger slice authentication and authorization procedures for slice 2 and slice authentication and authorization procedures for slice 3 separately for terminal a, that is, initiate slice authentication and authorization procedures for each slice. As another embodiment, AMF1 may initiate a slice authentication and authorization procedure to authenticate and authorize slice 2 and slice 3. As another embodiment, the AMF2 obtains the result of the slice authentication and authorization performed by the terminal a on the AMF1 to determine whether to initiate the authentication and authorization procedure for slice 2 and slice 3. If slice 2 on AMF1 has been successfully authenticated and authorized, AMF2 may not initiate the authentication and authorization procedure of slice 2, and determine that terminal a authorizes access to slice 2. For this embodiment, AMF1 may send the slice authentication result to NSSAAF, and send the result of successful authentication to UDM by NSSAAF.
Optionally, the S301 portion may be performed when the terminal a registers with the PLMN-2 through the AMF2.
S302: the AMF2 sends slice authentication and authorization information to the UDM, where the slice authentication and authorization information is used to indicate the slice that the terminal a successfully authenticates and authorizes on the AMF2.
In one embodiment, the AMF2 sends a piece of slice authentication and authorization information to the UDM, where the slice authentication and authorization information indicates a plurality of slices. As another embodiment, the AMF2 transmits a plurality of pieces of slice authentication and authorization information to the UDM, each piece of slice authentication and authorization information indicating one slice.
As an example, the AMF2 transmits the identification information of the terminal a, the identification information of the slice 2, the identification information of the slice 3, and the identification information of the AMF2 to the UDM. The identification information of the terminal A is used for identifying the terminal A, the identification information of the slice 1 is used for identifying the slice 1, the identification information of the slice 2 is used for identifying the slice 2, and the identification information of the AMF2 is used for identifying the AMF2. The slice that the terminal a successfully authenticates and authorizes on the AMF2 may be indicated as the slice 2 and the slice 3 by the identification information of the terminal a, the identification information of the slice 2, the identification information of the slice 3, and the identification information of the AMF2. The identification information of the terminal a, the identification information of the slice 2, the identification information of the slice 3, and the identification information of the AMF2 may be regarded as a kind of slice authentication and authorization information.
As another example, the AMF2 transmits first slice authentication and authorization information including identification information of the terminal a, identification information of the slice 2, and identification information of the AMF2 to the UDM. And the AMF2 transmits second slice authentication and authorization information to the UDM, the second slice authentication and authorization information including the identification information of the terminal a, the identification information of the slice 3, and the identification information of the AMF2.
As an embodiment, AMF2 may send slice authentication and authorization information to the UDM via a Nudm_UESliceAuthentication message. For example, AMF2 sends a Nudm_UESliceAuthentication message to the UDM, which carries the slice authentication and authorization information.
S303: the UDM stores slice authentication and authorization information.
Through S303, for terminal a, the UDM stores the association relationship between terminal A, AMF and slice 2, and the association relationship between terminal A, AMF and slice 3. It is understood that storing the association relationship between a and B means storing a, storing B, and establishing the association relationship between a and B.
S304: the UDM sends a response to the slice authentication and authorization information to the AMF2. The response is used to inform the AMF2 whether the above-described slice authentication and authorization information was successfully received. For receipt of multiple pieces of slice authentication and authorization information, the UDM may send the above-described response to AMF1 for each piece of slice authentication and authorization information. S304 is an optional step.
Illustratively, the response may be a Nudm_UESliceAuthentication Response.
As an alternative, S302 may be replaced with S305.
S305: the NSSAAF sends slice authentication and authorization information to the UDM, the slice authentication and authorization information indicating the slice that the terminal successfully authenticates and authorizes on AMF2.
In the slice authentication and authorization process of S301, the NSSAAF may participate in the authentication and authorization of slice 2 and slice 3, and the NSSAAF may know the slice that the terminal successfully authenticates and authorizes on AMF2.
Similar to S302, as an embodiment, the NSSAAF transmits the identification information of the terminal a, the identification information of the slice 2, the identification information of the slice 3, and the identification information of the AMF2 to the UDM. The relevant content of these identification information can refer to S302. Similar to S302, the NSSAAF may send a piece of slice authentication and authorization information to the UDM, the slice authentication and authorization information indicating a plurality of slices; alternatively, the NSSAAF may also send a plurality of slice authentication and authorization information to the UDM, each slice authentication and authorization information indicating one slice.
As another possibility, the NSSAAF involved in the authentication and authorization of slice 2 may be different from the NSSAAF involved in the authentication and authorization of slice 3. For example, NSSAAF2 is involved in the authentication and authorization of slice 2, and NSSAAF3 is involved in the authentication and authorization of slice 3. In this case, the NSSAAF2 transmits first slice authentication and authorization information including identification information of the terminal a, identification information of the slice 2, and identification information of the AMF2 to the UDM, and the NSSAAF3 transmits second slice authentication and authorization information including identification information of the terminal a, identification information of the slice 3, and identification information of the AMF2 to the UDM.
Through the above S302 and S303, the UDM stores information on the slices successfully authenticated and authorized by the terminal a on the AMF2. When the slice 2 or the slice 3 is re-authenticated and re-authorized or revoked, the UDM can reveal that the AMF associated with the slice 2 or the slice 3 serving the terminal a is AMF2.
As an alternative to fig. 3, in the process of performing authentication and authorization on slice 2 and slice 3 of terminal a through AMF2, AMF2 may send slice authentication and authorization process information to AAA-s, where the slice authentication and authorization process information includes identification information of the terminal, identification information of the slice, and identification information of a PLMN to which the AMF belongs; for example: the slice authentication and authorization process information includes: identification information of terminal a, identification information of slice 2, and identification information of PLMN-2. When there are multiple slices, the AMF may transmit slice authentication and authorization procedure information once per slice, or the AMF may transmit slice authentication and authorization procedure information once including identification information of the multiple slices. For example, the slice authentication and authorization process information includes: identification information of terminal a, identification information of slice 2, identification information of slice 3, and identification information of PLMN-2. After receiving the information of the slice authentication and authorization process, the AAA-s may store the information of the slice authentication and authorization process after the slice authentication and authorization is successful. Among them, the AMF may send slice authentication and authorization procedure information to the AAA-s through NSSAAF. In this alternative, the AMF may send the identification information of the AMF and the identification information of the PLMN to which the AMF belongs to the UDM, so as to query the AMF corresponding to the PLMN through the identification information of the PLMN. For example, the AMF2 transmits the identification information of the AMF2 and the identification information of the PLMN-2 to the UDM. 
Optionally, the AMF may also send the identification information of the slice to the UDM, for example, the AMF2 sends the identification information of the slice 2 to the UDM.
In the methods of fig. 2 and 3, the identification information of the terminal includes: SUPI (Subscription Permanent Identifier), 5G-GUTI (5G Globally Unique Temporary Identifier), GPSI (Generic Public Subscription Identifier), or another identifier that can be used to identify a terminal; the identification information of the AMF includes: <AMF region identification><AMF set identification><AMF pointer> (<AMF Region ID><AMF Set ID><AMF Pointer>), FQDN (Fully Qualified Domain Name), AMF instance identification (AMF instance Id), AMF IP address or AMF IPv6 prefix; the identification information of the slice includes: S-NSSAI (Single Network Slice Selection Assistance Information), or an external identification of a slice. The external identification is used to identify the slice outside the network. As an optional scheme, because a one-to-one correspondence relationship exists between the AMF and the PLMN, the identification information of the AMF may also be replaced by the identification information of the PLMN, that is, the identification information of the PLMN may be regarded as the identification information of the AMF. The corresponding AMF can be found through the identification information of the PLMN.
It should be noted that the identification information may be converted during the transmission and storage processes; the converted identification information and the identification information before conversion have the same function and identify the same object, and are therefore collectively referred to as identification information in the present application. For example, the AMF sends the identification information of the terminal a to the UDM, and the UDM sends the identification information of the terminal a to other network elements, which may include the following scheme: the AMF sends the SUPI of the terminal A to the UDM, and the UDM can acquire the GPSI corresponding to the SUPI and send the GPSI to other network elements. As another example, the AMF sends the S-NSSAI to the NSSAAF, which maps the S-NSSAI to an external slice identifier and sends the external slice identifier to the AAA-s directly or via the AAA-p. Similarly, the slice authentication and authorization information may be converted during the transmission and storage processes; the converted slice authentication and authorization information has the same effect as the slice authentication and authorization information before conversion, namely indicating the slice that the terminal successfully authenticates and authorizes on the AMF, and is collectively referred to as slice authentication and authorization information in the present application. In the method for authenticating and authorizing a slice in fig. 2 and 3, AMF1 and AMF2 may be regarded as network elements that trigger authentication and authorization of a slice, referred to as triggering network elements in this application for short. Under different network architectures or scenarios, other types of network elements may be used as triggering network elements to trigger authentication and authorization for a certain network function.
In the above method, the UDM may be regarded as a network element storing the correspondence between the slice and the AMF, and is referred to as an information storage network element in this application for short. In different network architectures or scenarios, other types of network elements may be used as the information storage network element, such as a HSS (home subscriber server), an HLR (home location register). In the above method, the NSSAAF may be regarded as a network element participating in slice authentication and authorization, and is referred to as an authentication and authorization network element in this application for short. Also, in a network architecture using the AUSF to participate in the slice authentication and authorization process, the AUSF may be considered as a network element participating in slice authentication and authorization. Under different network architectures or scenarios, other types of network elements may be used as the authentication and authorization network elements.
Terminal a authenticates and authorizes the slice at PLMN-1 and PLMN-2, respectively, by the methods shown in fig. 2 and 3. Through the UDM, it can be known that the AMF serving terminal a and associated with slice 1 is AMF1, the AMFs serving terminal a and associated with slice 2 are AMF1 and AMF2, and the AMF serving terminal a and associated with slice 3 is AMF2.
As an example, with the methods of fig. 2 and 3, the UDM may store the following information, as shown in table 1:
TABLE 1 (reproduced as an image on the original page; not available in this text)
In the alternative of fig. 2 and 3, the AAA-s stores the information as shown in table 2:
TABLE 2 (reproduced as an image on the original page; not available in this text)
In the alternative of fig. 2 and 3, the UDM stores the information as shown in table 3:
TABLE 3 (reproduced as an image on the original page; not available in this text)
After the terminal a authenticates and authorizes the slice at PLMN-1 and PLMN-2, respectively, the AAA-s may initiate slice reauthentication and re-authorization flows, or initiate slice authorization revocation flows, as needed.
In order to reduce the foregoing communication anomalies, embodiments of the present application provide a method for re-authenticating and re-authorizing a slice. The method will be described below with reference to fig. 1, 2, and 3.
Fig. 4 shows the AAA-s initiating the method of re-authenticating and re-authorizing slice 1. As shown in fig. 4:
S401: AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 1 for terminal a.
As an embodiment, the AAA-s sends a first request to the NSSAAF requesting that terminal a initiate re-authentication and re-authorization for slice 1. As an example, the first request includes identification information of terminal a, and identification information of slice 1. It can be known from the identification information of the terminal a and the identification information of the slice 1 that the re-authentication and re-authorization of the slice 1 is requested for the terminal a. If AAA-p is set between AAA-s and NSSAAF, AAA-s can send the first request to NSSAAF through AAA-p. The identification information of the terminal a and the identification information of the slice 1 may refer to the relevant contents in fig. 2 and fig. 3. For example, in S401, the identification information of terminal a may be the GPSI of terminal a, and the identification information of slice 1 may be the S-NSSAI of slice 1 or the external identification of slice 1.
Illustratively, the first request may be an AAA Protocol Re-auth Request.
As an optional alternative to S401, when the AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of the slice 1 for the terminal a, the AAA-s may further carry the identification information of the PLMN-1 in the request according to the information in table 2, and the NSSAAF may obtain the identification information of the AMF1 from the UDM through the identification information of the PLMN-1, thereby directly performing S405.
S402: NSSAAF requests the UDM to retrieve the AMF associated with slice 1 serving terminal a.
As an embodiment, the NSSAAF sends a second request to the UDM, the second request requesting to obtain the AMF associated with slice 1 serving terminal a. As an example, the second request includes identification information of terminal a and identification information of slice 1. Optionally, the request further includes a first indication, where the first indication is used to indicate that the network element type to be obtained is AMF. Optionally, the request further includes a second indication for indicating that the related flow is a slice re-authentication and re-authorization flow. Alternatively, the second request may be a Nudm_UECM_Get Req.
Optionally, if the identification information of the slice 1 received by the NSSAAF in S401 is the external identifier of the slice 1, the NSSAAF may obtain the S-NSSAI of the slice 1 according to the external identifier of the slice 1, and send the S-NSSAI of the slice 1 to the UDM in S402. Optionally, if the identification information of the slice 1 received by the NSSAAF in S401 is the external identifier of the slice 1, the NSSAAF may also send the external identifier of the slice 1 to the UDM.
S403: the UDM obtains the AMF associated with slice 1 serving terminal a.
After the method of fig. 2 and fig. 3 is used, the UDM stores the association relationship between the terminal A, AMF and the slice 1.
As an embodiment, the UDM may obtain the identification information of AMF1 according to the received identification information of terminal a and the identification information of slice 1, that is, the AMF associated with slice 1 serving terminal a is AMF1. Optionally, the UDM may learn that the obtained network element type is AMF according to the first indication. Optionally, the UDM may learn, according to the second indication, that the relevant flow is a slice reauthentication and reauthorization flow, so that the UDM performs corresponding processing.
S404: the UDM sends to NSSAAF the identification information of the AMF associated with slice 1 serving terminal a.
The UDM may transmit the identification information of AMF1 obtained at S403 to NSSAAF.
As an embodiment, the UDM sends a response message to the NSSAAF, the response message including the identification information of AMF1. Alternatively, the response message may be a Nudm_UECM_Get Resp.
Optionally, in S402, when the identification information of the slice 1 acquired by the UDM from the NSSAAF is the external identifier of the slice 1, the UDM may acquire the S-NSSAI of the slice 1 according to the external identifier, and send the S-NSSAI of the slice 1 and the identification information of the AMF1 to the NSSAAF.
S405: NSSAAF informs AMF1 to initiate slice authentication and authorization procedure for slice 1 to terminal a.
As an embodiment, the NSSAAF sends a first notification to the AMF1 according to the received identification information of the AMF1, where the first notification is used to notify the AMF1 to initiate a slice authentication and authorization procedure for the terminal a to the slice 1. As an example, the first notification includes: event information, identification information of terminal a, and identification information of slice 1. As an example, in S405, the identification information of slice 1 may be the S-NSSAI of slice 1. The event information is used for indicating the slice authentication and authorization process. Optionally, the first notification may be Nssaaf_NSSAA_Notify.
S406: the AMF1 triggers the slice authentication and authorization procedure for slice 1.
The AMF1 acquires that a slice authentication and authorization process for the slice 1 needs to be initiated for the terminal A according to the event information, the identification information of the terminal A and the identification information of the slice 1. The slice authentication and authorization process may be performed with reference to the method shown in fig. 2.
Through S402-S405, the NSSAAF can accurately acquire from the UDM, using the identification information of slice 1, the identification information of the AMF1 associated with slice 1 serving terminal a. In contrast, if only the association relationship between the terminal and the AMF exists on the UDM, and the association relationship between the terminal, the AMF, and the slice is not stored, the NSSAAF may acquire the identification information of the AMF2 instead and notify the AMF2 to trigger the slice authentication and authorization process for the slice 1, which may result in a communication anomaly. Therefore, according to the scheme of the application, communication anomalies can be reduced.
Fig. 5 shows a method where the AAA-s initiates re-authentication and re-authorization of slice 2. The same terms and concepts in fig. 5 as in fig. 4 can be referred to in relation to fig. 4. As shown in fig. 5:
S501: AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal a.
As an embodiment, the AAA-s sends a first request to the NSSAAF requesting that terminal a initiate re-authentication and re-authorization for slice 2. As an example, the first request includes identification information of terminal a, and identification information of slice 2. It can be known from the identification information of the terminal a and the identification information of the slice 2 that the re-authentication and re-authorization of the slice 2 is requested for the terminal a. If AAA-p is set between AAA-s and NSSAAF, AAA-s can send the first request to NSSAAF through AAA-p. The identification information of terminal a and the identification information of slice 2 may refer to the relevant contents in fig. 2 and fig. 3. For example, in S501, the identification information of terminal a may be the GPSI of terminal a, and the identification information of slice 2 may be the S-NSSAI of slice 2 or the external identification of slice 2.
Illustratively, the first request may be an AAA Protocol Re-auth Request.
As an optional alternative to S501, when the AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of the slice 2 for the terminal a, it may know from the information in table 2 that the slice 2 corresponds to the PLMN-1 and the PLMN-2, and may itself determine to initiate re-authentication and re-authorization at the PLMN-1, at the PLMN-2, or at both the PLMN-1 and the PLMN-2, and further carry the identification information of the PLMN-1 and/or PLMN-2 in the request; the NSSAAF may then obtain the identification information of the AMF1 and/or AMF2 from the UDM through the identification information of the PLMN-1 and/or PLMN-2. When the AAA-s determines to initiate re-authentication and re-authorization at only one of PLMN-1 and PLMN-2, the NSSAAF may acquire the identification information of AMF1 or AMF2 from the UDM according to the identification information of PLMN-1 or PLMN-2, so that S505a or S505b may be directly performed. Alternatively, the AAA-s may determine at which PLMN to initiate re-authentication and re-authorization based on policy, timers, or the like.
S502: NSSAAF requests the UDM to retrieve the AMF associated with slice 2 serving terminal a.
As an embodiment, the NSSAAF sends a second request to the UDM requesting to obtain the AMF associated with slice 2 serving terminal a. As an example, the second request includes identification information of terminal a and identification information of slice 2. Optionally, the request further includes a first indication, where the first indication is used to indicate that the network element type to be obtained is AMF. Optionally, the request further includes a second indication for indicating that the related flow is a slice re-authentication and re-authorization flow. Alternatively, the second request may be a Nudm_UECM_Get Req.
Optionally, if the identification information of the slice 2 received by the NSSAAF in S501 is the external identifier of the slice 2, the NSSAAF may obtain the S-NSSAI of the slice 2 according to the external identifier of the slice 2, and send the S-NSSAI of the slice 2 to the UDM in S502. Optionally, if the identification information of the slice 2 received by the NSSAAF in S501 is the external identifier of the slice 2, the NSSAAF may also send the external identifier of the slice 2 to the UDM.
S503: the UDM obtains the AMF associated with slice 2 serving terminal a.
After the methods of fig. 2 and 3 are adopted, the UDM stores the association relationship between terminal A, AMF1 and slice 2, and the association relationship between terminal A, AMF2 and slice 2.
As an implementation manner, the UDM may obtain the identification information of the AMF1 and the identification information of the AMF2 according to the received identification information of the terminal a and the identification information of the slice 2, that is, the AMFs associated with the slice 2 and serving the terminal a are the AMF1 and the AMF2. Optionally, the UDM may learn that the network element type to be obtained is AMF according to the first indication. Optionally, the UDM may learn that the related flow is a slice re-authentication and re-authorization flow according to the second indication, so that the UDM performs corresponding processing.
Optionally, when there are multiple AMFs associated with a slice serving a terminal, the UDM may not select one of the AMFs further.
Optionally, when there are multiple AMFs associated with a slice serving the terminal, the UDM may further select one of the AMFs.
For the slice re-authentication and re-authorization procedure, the UDM may select one AMF from the multiple AMFs according to the connection state of the terminal, where the connection state of the terminal is either a connected state or an idle state. As one possibility, if the terminal is in the connected state with each AMF of the multiple AMFs, the UDM may select one of the AMFs according to a policy or arbitrarily. For example, if the terminal a is in the connected state with the AMF1 and in the connected state with the AMF2, the UDM may select one of the AMF1 and the AMF2 according to a policy or arbitrarily. As another possibility, if the terminal is in the idle state with each AMF of the multiple AMFs, the UDM may select one AMF according to the access type, for example, the AMF corresponding to 3GPP access. Generally, access types may be classified into 3GPP access and non-3GPP access. For example, if the terminal a is in the idle state with the AMF1 and in the idle state with the AMF2, the UDM may select the AMF corresponding to 3GPP access, that is, the AMF1. As another possibility, if the terminal is in the connected state with some of the AMFs and in the idle state with the others, the UDM may select an AMF with which the terminal is in the connected state. For example, if the terminal a is in the connected state with AMF1 and in the idle state with AMF2, the UDM selects AMF1.
S504: the UDM sends to NSSAAF the identification information of the AMF associated with slice 2 serving terminal a.
Alternatively, the UDM may transmit the identification information of AMF1 and the identification information of AMF2 obtained at S503 to NSSAAF.
Alternatively, the UDM may transmit the identification information of AMF1 or the identification information of AMF2 obtained at S503 to NSSAAF.
As an embodiment, the UDM sends a response message to the NSSAAF, the response message including the identification information of AMF1 and/or the identification information of AMF2. Alternatively, the response message may be a Nudm_UECM_Get Resp.
Optionally, in S502, when the identification information of the slice 2 acquired by the UDM from the NSSAAF is the external identifier of the slice 2, the UDM may acquire the S-NSSAI of the slice 2 according to the external identifier, and send the S-NSSAI of the slice 2 and the identification information of the AMF1 to the NSSAAF.
S505a: NSSAAF informs AMF1 to initiate slice authentication and authorization procedure for slice 2 to terminal a.
As an embodiment, if the NSSAAF receives the identification information of AMF1 in S504, the NSSAAF sends a first notification to AMF1. As another embodiment, for the slice re-authentication and re-authorization procedure, if the NSSAAF receives the identification information of AMF1 and the identification information of AMF2 in S504, the NSSAAF may select AMF1 and send the first notification to AMF1. Alternatively, the NSSAAF may select AMF1 according to a policy. The first notification is used to notify the AMF1 to initiate a slice authentication and authorization procedure for the terminal a to the slice 2. As an example, the first notification includes: event information, identification information of terminal a, and identification information of slice 2. As an example, in S505a, the identification information of slice 2 may be the S-NSSAI of slice 2. The event information is used for indicating the slice authentication and authorization process. Optionally, the first notification may be Nssaaf_NSSAA_Notify.
S505b: the NSSAAF informs the AMF2 to initiate a slice authentication and authorization process for the slice 2 to the terminal A.
As an embodiment, if the NSSAAF receives the identification information of AMF2 in S504, the NSSAAF sends a second notification to AMF2. As another embodiment, for the slice re-authentication and re-authorization procedure, if the NSSAAF receives the identification information of AMF1 and the identification information of AMF2 in S504, the NSSAAF may select AMF2 and send a second notification to AMF2. Alternatively, the NSSAAF may select AMF2 according to a policy. This second notification is used to inform AMF2 to initiate a slice authentication and authorization procedure for slice 2 for terminal a. As an example, the second notification includes: event information, identification information of terminal a, and identification information of slice 2. As an example, in S505b, the identification information of slice 2 may be the S-NSSAI of slice 2. The event information is used for indicating the slice authentication and authorization process. Optionally, the second notification may be Nssaaf_NSSAA_Notify.
Optionally, as another embodiment, for the slice re-authentication and re-authorization procedure, if the NSSAAF receives the identification information of AMF1 and the identification information of AMF2 in S504, the NSSAAF may notify both AMF1 and AMF2 to initiate the slice authentication and authorization procedure for slice 2 to terminal a; that is, both S505a and S505b are executed. Compared with this embodiment, having the NSSAAF select only one AMF to initiate the slice authentication and authorization process for the terminal saves signaling overhead.
S506a: AMF1 triggers the slice authentication and authorization procedure for slice 2.
The AMF1 acquires that the slice authentication and authorization process of the slice 2 needs to be initiated for the terminal A according to the event information, the identification information of the terminal A and the identification information of the slice 2. The slice authentication and authorization process may be performed with reference to the method shown in fig. 2.
S506b: AMF2 triggers the slice authentication and authorization procedure for slice 2.
The AMF2 acquires that the slice authentication and authorization process of the slice 2 needs to be initiated for the terminal A according to the event information, the identification information of the terminal A and the identification information of the slice 2. The slice authentication and authorization process may be performed with reference to the method shown in fig. 3.
Through S502-S505a or S505b, the NSSAAF can accurately acquire from the UDM, using the identification information of the slice 2, the identification information of the AMF1 and/or the AMF2 associated with the slice 2 serving the terminal a. In contrast, if only the association relationship between the terminal and the AMF exists on the UDM, and the association relationship between the terminal, the AMF, and the slice is not stored, the NSSAAF may acquire the identification information of an AMF with which the terminal a is registered other than the AMF1 and the AMF2, and notify the wrong AMF to trigger the slice authentication and authorization procedure for the slice 2, which may result in a communication anomaly. Therefore, according to the scheme of the application, communication anomalies can be reduced. In addition, when there are a plurality of AMFs associated with a slice serving a terminal, selecting an appropriate AMF in consideration of the connection state of the terminal can save signaling interaction and improve communication efficiency.
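The storage step of S302/S303 and the AMF lookup and selection of S503 (with the connection-state rule above), modelled as an added example in Python; this is not code from the patent or from any network vendor, and every class, function name, slice label and state value in it is a constructed assumption for illustration. The terminal-only lookup is included only to show the ambiguity the page contrasts against.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed constants for the connection states and access types the page names.
CONNECTED = "connected"
IDLE = "idle"
ACCESS_3GPP = "3gpp"
ACCESS_NON_3GPP = "non-3gpp"


@dataclass
class AmfContext:
    """What the UDM knows about one AMF serving a terminal (constructed fields)."""
    amf_id: str
    plmn_id: str
    access_type: str
    conn_state: str = IDLE


@dataclass
class UdmStore:
    """Toy information-storage network element (the UDM of fig. 2 and 3)."""
    # (terminal, amf) -> slices the terminal successfully authenticated on that AMF
    slices: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # (terminal, amf) -> context used for AMF selection
    ctx: Dict[Tuple[str, str], AmfContext] = field(default_factory=dict)

    def register_amf(self, terminal: str, context: AmfContext) -> None:
        """Terminal registered with an AMF; no slice association yet."""
        self.ctx[(terminal, context.amf_id)] = context
        self.slices.setdefault((terminal, context.amf_id), set())

    def store_slice_auth(self, terminal: str, amf_id: str, slice_ids: List[str]) -> None:
        """S303: store the (terminal, AMF, slice) association carried by the
        slice authentication and authorization information of S302/S305."""
        if (terminal, amf_id) not in self.ctx:
            raise KeyError(f"{amf_id} is not serving {terminal}")
        self.slices[(terminal, amf_id)].update(slice_ids)

    def set_conn_state(self, terminal: str, amf_id: str, state: str) -> None:
        self.ctx[(terminal, amf_id)].conn_state = state

    def amfs_for_terminal(self, terminal: str) -> List[str]:
        """Lookup keyed by terminal only: the situation the page contrasts
        against, where the UDM cannot tell which AMF belongs to which slice."""
        return sorted(a for (t, a) in self.ctx if t == terminal)

    def amfs_for_slice(self, terminal: str, slice_id: str) -> List[str]:
        """S403/S503: the AMF(s) associated with this slice serving the terminal."""
        return sorted(a for (t, a), s in self.slices.items()
                      if t == terminal and slice_id in s)

    def select_amf(self, terminal: str, slice_id: str,
                   policy: Optional[Callable[[List[str]], str]] = None) -> Optional[str]:
        """Optional S503 selection when several AMFs match, following the
        connection-state rule the page gives for re-authentication."""
        candidates = self.amfs_for_slice(terminal, slice_id)
        if not candidates:
            return None
        if len(candidates) == 1:
            return candidates[0]
        pick = policy or (lambda amfs: amfs[0])  # "according to a policy or arbitrarily"
        connected = [a for a in candidates
                     if self.ctx[(terminal, a)].conn_state == CONNECTED]
        if connected:
            # Some or all AMFs connected: choose among the connected ones.
            return pick(connected)
        # All idle: prefer the AMF reached over 3GPP access.
        via_3gpp = [a for a in candidates
                    if self.ctx[(terminal, a)].access_type == ACCESS_3GPP]
        return pick(via_3gpp or candidates)


def build_table1_store() -> UdmStore:
    """Constructed data matching the page's example: terminal A, AMF1 in PLMN-1
    with slice 1 and slice 2, AMF2 in PLMN-2 with slice 2 and slice 3."""
    udm = UdmStore()
    udm.register_amf("A", AmfContext("AMF1", "PLMN-1", ACCESS_3GPP))
    udm.register_amf("A", AmfContext("AMF2", "PLMN-2", ACCESS_NON_3GPP))
    udm.store_slice_auth("A", "AMF1", ["slice1", "slice2"])  # fig. 2
    udm.store_slice_auth("A", "AMF2", ["slice2", "slice3"])  # fig. 3
    return udm


if __name__ == "__main__":
    udm = build_table1_store()
    # Re-authentication of slice 1 (fig. 4): only AMF1 is associated with it.
    print("slice1 ->", udm.amfs_for_slice("A", "slice1"))
    # Without the slice association the UDM can only answer "AMF1 and AMF2";
    # notifying AMF2 for slice 1 is the communication anomaly described.
    print("terminal-only lookup ->", udm.amfs_for_terminal("A"))
    # Re-authentication of slice 2 (fig. 5) with both AMFs idle: 3GPP access wins.
    print("slice2, both idle ->", udm.select_amf("A", "slice2"))
```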
Fig. 6 likewise shows a method in which the AAA-s initiates re-authentication and re-authorization of slice 2. For terms and concepts in fig. 6 that are the same as in fig. 5, refer to the description of fig. 5. The difference is that in fig. 5 the UDM determines the AMF from the identification information of the slice, whereas in fig. 6 the NSSAAF determines the AMF from the identification information of the slice. As shown in fig. 6:
S601: AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal a.
For S601, refer to S501.
As an optional alternative to S601, when the AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of the slice 2 for the terminal a, it may know from the information in table 2 that the slice 2 corresponds to the PLMN-1 and the PLMN-2, and may itself determine to initiate re-authentication and re-authorization at the PLMN-1, at the PLMN-2, or at both the PLMN-1 and the PLMN-2, and further carry the identification information of the PLMN-1 and/or PLMN-2 in the request; the NSSAAF may then obtain the identification information of the AMF1 and/or AMF2 from the UDM through the identification information of the PLMN-1 and/or PLMN-2. When the AAA-s determines to initiate re-authentication and re-authorization at only one of PLMN-1 and PLMN-2, the NSSAAF may acquire the identification information of AMF1 or AMF2 from the UDM according to the identification information of PLMN-1 or PLMN-2, so that S606a or S606b may be directly performed. Alternatively, the AAA-s may determine at which PLMN to initiate re-authentication and re-authorization based on policy, timers, or the like.
S602: NSSAAF requests the UDM to obtain the AMF serving terminal a and the slice associated with the AMF serving terminal a.
As an embodiment, the NSSAAF sends a second request to the UDM, the second request requesting to acquire the AMF serving terminal A and the slice associated with the AMF serving terminal A. As an example, the second request includes identification information of terminal A. Optionally, the request further includes a first indication, where the first indication is used to indicate that the network element type to be obtained is AMF. Optionally, the request further includes a second indication for indicating that the related flow is a slice re-authentication and re-authorization flow. Alternatively, the second request may be a Nudm_UECM_Get Req.
S603: the UDM obtains the AMF serving terminal a and the slice associated with the AMF serving terminal a.
After using the methods of fig. 2 and 3, the UDM stores the association of the terminal, AMF and slice as in table 1 above.
As an implementation manner, the UDM may obtain { AMF1 identification information, (identification information of slice 1, identification information of slice 2) } and { AMF2 identification information, (identification information of slice 2, identification information of slice 3) } according to the received identification information of the terminal a, that is, the AMFs serving the terminal a are AMF1 and AMF2, the slices associated with AMF1 are slice 1 and slice 2, and the slices associated with AMF2 are slice 2 and slice 3. Optionally, the UDM may learn that the obtained network element type is AMF according to the first indication. Optionally, the UDM may learn, according to the second indication, that the relevant flow is a slice reauthentication and reauthorization flow, so that the UDM performs corresponding processing. It will be understood that { A, B } indicates that A and B have an associative relationship, and that (A, B) indicates a set or list that includes both A and B elements.
Optionally, the UDM may also obtain the connection status of the terminal and the AMF serving the terminal. The connection state of the terminal includes a connection state and an idle state. As an embodiment, the UDM may request from the AMF serving the terminal to obtain the connection status of the terminal. For example, in table 1, AMFs serving terminal a are AMF1 and AMF2, and the UDM may obtain the connection status of terminal a and AMF1 from AMF1 and the connection status of terminal a and AMF2 from AMF2, respectively.
Optionally, the UDM may further obtain an access type corresponding to the AMF serving the terminal. The access type-related content may refer to the related content of S503. For example: the access type corresponding to the AMF1 is 3GPP access, and the access type corresponding to the AMF2 is non-3GPP access technology.
S604: the UDM sends to the NSSAAF the identification information of the AMF serving terminal a and the identification information of the slice with which the AMF serving terminal a is associated.
Illustratively, the UDM sends { AMF1 identification information, (slice 1 identification information, slice 2 identification information) } and { AMF2 identification information, (slice 2 identification information, slice 3 identification information) } to the NSSAAF.
Illustratively, the UDM transmits { AMF1 identification information, slice 1 identification information }, { AMF1 identification information, slice 2 identification information }, { AMF2 identification information, slice 2 identification information }, and { AMF2 identification information, slice 3 identification information } to the NSSAAF.
Optionally, the UDM may send connection state information to the NSSAAF. The connection state information is used to indicate the connection state of the terminal with each AMF serving the terminal. For example, the connection state information indicates that terminal A is in the connected state with AMF1 and in the idle state with AMF2.
Optionally, the UDM may send access type information to the NSSAAF. The access type information is used to indicate an access type corresponding to an AMF serving the terminal. For example, the access type information indicates that the access type of the AMF1 is a 3GPP access, and the access type of the AMF2 is a non-3GPP access.
As an embodiment, the UDM sends a response message to the NSSAAF, the response message including identification information of the AMF serving terminal A and identification information of the slice with which the AMF serving terminal A is associated. Optionally, the response message further includes the connection state information. Optionally, the response message further includes the access type information. Alternatively, the response message may be a Nudm_UECM_Get Resp.
S605: NSSAAF determines the AMF associated with slice 2.
Based on the information received at S604, the NSSAAF may learn that the AMFs associated with slice 2 serving terminal a are AMF1 and AMF2.
Optionally, if there are multiple AMFs associated with a slice serving the terminal, the NSSAAF may not further select one AMF among the multiple AMFs.
Optionally, if there are multiple AMFs serving the terminal and associated with a slice, the NSSAAF may further select one of the multiple AMFs. Compared with the scheme that one AMF is not further determined in a plurality of AMFs, the further determination of one AMF in a plurality of AMFs is beneficial to saving subsequent signaling interaction.
For the slice re-authentication and re-authorization procedure, the NSSAAF may select one AMF among the plurality of AMFs according to the connection state of the terminal, which it obtains from the connection state information of S604. As one possibility, if the terminal is in the connected state with every one of the AMFs, the NSSAAF may select one of them according to a policy or arbitrarily; for example, if terminal A is in the connected state with both AMF1 and AMF2, the NSSAAF may select either of them according to a policy or arbitrarily. As another possibility, if the terminal is in the idle state with every one of the AMFs, the NSSAAF may select an AMF according to the access type corresponding to the AMF, which it obtains from the access type information of S604, for example the AMF corresponding to 3GPP access; if terminal A is in the idle state with both AMF1 and AMF2, the NSSAAF selects the AMF corresponding to 3GPP access, namely AMF1. As a further possibility, if the terminal is in the connected state with some of the AMFs and in the idle state with the others, the NSSAAF may select an AMF with which the terminal is in the connected state; for example, if terminal A is in the connected state with AMF1 and in the idle state with AMF2, the NSSAAF selects AMF1.
If, at S605, NSSAAF determines that the AMFs associated with slice 2 are AMF1 and AMF2, then S606a and S606b are performed.
If, at S605, the NSSAAF determines that the AMF associated with slice 2 is one of AMF1 and AMF2, S606a or S606b is performed.
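The S605 selection rules, as an added example in Python that is not part of the patent: the list below stands in for the Nudm_UECM_Get response of S604 (the AMF identifiers, slice labels, connection states and access types are constructed), and the function and field names are assumptions made for illustration. `select_amf_for_reauth` implements the three connection-state cases, and `plan_reauth` produces the notifications of S606a/S606b either for one selected AMF or for all AMFs associated with the slice.

```python
"""Added example, not the patent's code: NSSAAF-side AMF determination for
slice re-authentication (the S605 logic).  Data layout, function names and
field names are assumptions made for illustration."""

CONNECTED = "connected"
IDLE = "idle"
ACCESS_3GPP = "3GPP"
ACCESS_NON_3GPP = "non-3GPP"
REAUTH_EVENT = "SLICE_RE_AUTHENTICATION"

# Constructed stand-in for the Nudm_UECM_Get response of S604: one entry per
# AMF serving the terminal, with the slices associated with that AMF and the
# optional connection-state and access-type information.
UDM_RESPONSE_TERMINAL_A = [
    {"amf": "AMF1", "slices": ["slice1", "slice2"], "state": CONNECTED, "access": ACCESS_3GPP},
    {"amf": "AMF2", "slices": ["slice2", "slice3"], "state": IDLE, "access": ACCESS_NON_3GPP},
]


def amfs_for_slice(udm_response, slice_id):
    """All AMFs serving the terminal that are associated with slice_id."""
    return [e for e in udm_response if slice_id in e["slices"]]


def select_amf_for_reauth(udm_response, slice_id, policy=None):
    """Pick the single AMF that should trigger re-authentication of slice_id.

    The three cases of S605:
      * terminal connected with every candidate -> policy choice (default: first);
      * terminal idle with every candidate      -> prefer the 3GPP-access AMF;
      * mixed                                   -> a candidate in connected state.
    Returns None when no AMF serving the terminal is associated with the slice.
    """
    candidates = amfs_for_slice(udm_response, slice_id)
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0]["amf"]
    connected = [e for e in candidates if e.get("state") == CONNECTED]
    if len(connected) == len(candidates):
        chosen = policy(connected) if policy else connected[0]
        return chosen["amf"]
    if not connected:
        three_gpp = [e for e in candidates if e.get("access") == ACCESS_3GPP]
        return (three_gpp or candidates)[0]["amf"]
    return connected[0]["amf"]


def build_nssaa_notify(amf, gpsi, snssai, event):
    """Content of the notification sent in S606a/S606b (field names assumed)."""
    return {"target": amf, "event": event, "gpsi": gpsi, "snssai": snssai}


def plan_reauth(udm_response, gpsi, snssai, select_one=True, policy=None):
    """Notifications the NSSAAF would send: one per AMF it decided to notify."""
    if select_one:
        amf = select_amf_for_reauth(udm_response, snssai, policy)
        targets = [amf] if amf else []
    else:
        targets = [e["amf"] for e in amfs_for_slice(udm_response, snssai)]
    return [build_nssaa_notify(a, gpsi, snssai, REAUTH_EVENT) for a in targets]


if __name__ == "__main__":
    for notification in plan_reauth(UDM_RESPONSE_TERMINAL_A, "gpsi-a", "slice2"):
        print(notification)
```

Running the module prints the notification for slice 2 with the constructed data, i.e. the one addressed to AMF1, because terminal A is in the connected state with AMF1 only; passing `select_one=False` reproduces the variant in which both AMFs are notified, and a `policy` callable resolves the all-connected case.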
S606a: NSSAAF informs AMF1 to initiate slice authentication and authorization procedure for slice 2 to terminal a.
As an embodiment, the NSSAAF sends a first notification to AMF1. The first notification is used to notify AMF1 to initiate the slice authentication and authorization procedure for slice 2 for terminal A. As an example, the first notification includes: event information, identification information of terminal A, and identification information of slice 2. As an example, in S606a, the identification information of slice 2 may be the S-NSSAI of slice 2. The event information is used to indicate the slice authentication and authorization procedure. Optionally, the first notification may be Nssaaf_NSSAA_Notify.
S606b: NSSAAF informs AMF2 to initiate the slice authentication and authorization procedure for slice 2 to terminal A.
As an embodiment, the NSSAAF sends a second notification to AMF2. The second notification is used to notify AMF2 to initiate the slice authentication and authorization procedure for slice 2 for terminal A. As an example, the second notification includes: event information, identification information of terminal A, and identification information of slice 2. As an example, in S606b, the identification information of slice 2 may be the S-NSSAI of slice 2. The event information is used to indicate the slice authentication and authorization procedure. Optionally, the second notification may be Nssaaf_NSSAA_Notify.
S607a: AMF1 triggers the slice authentication and authorization procedure for slice 2.
S607a may refer to S506a.
S607b: AMF2 triggers the slice authentication and authorization flow for slice 2.
S607b may refer to S506b.
Through S602-S606a or S606b, the NSSAAF can accurately obtain, using the identification information of slice 2, the identification information of AMF1 and/or AMF2, that is, of the AMFs serving terminal A that are associated with slice 2. In contrast, if the UDM stored only the association between the terminal and the AMF, and not the association between the terminal, the AMF and the slice, the NSSAAF might obtain the identification information of an AMF with which terminal A is registered other than AMF1 and AMF2, and thus notify the wrong AMF to trigger the slice authentication and authorization procedure for slice 2, which may cause a communication anomaly. The scheme of the application therefore reduces such anomalies. In addition, when several AMFs associated with a slice serve the terminal, selecting an appropriate one of them in view of the connection state of the terminal saves signaling and improves communication efficiency.
In order to reduce the foregoing communication anomaly, embodiments of the present application provide a method for performing authorization revocation on a slice. The method will be described below with reference to fig. 1, 2 and 3.
Fig. 7 shows a method for AAA-s to initiate authorization revocation of slice 1. As shown in fig. 7:
S701: AAA-s requests the NSSAAF to initiate revocation of authorization for slice 1 for terminal A.
As an embodiment, the AAA-s sends a first request to the NSSAAF, the first request requesting revocation of authorization for slice 1 for terminal A. As an example, the first request includes identification information of terminal A and identification information of slice 1. From the identification information of terminal A and the identification information of slice 1 it can be determined that revocation of authorization for slice 1 is requested for terminal A. If an AAA-p is deployed between the AAA-s and the NSSAAF, the AAA-s may send the first request to the NSSAAF through the AAA-p. For the identification information of terminal A and the identification information of slice 1, refer to the relevant contents of fig. 2 and fig. 3. For example, in S701, the identification information of terminal A may be the GPSI of terminal A, and the identification information of slice 1 may be the S-NSSAI of slice 1 or the external identifier of slice 1.
Illustratively, the first request may be an AAA Protocol Revoke Auth Request.
As an optional alternative to S701, when the AAA-s requests the NSSAAF to initiate revocation of authorization for slice 1 for terminal A, the AAA-s may further carry the identification information of PLMN-1 in the request according to the information in table 2, and the NSSAAF may obtain the identification information of AMF1 from the UDM by means of the identification information of PLMN-1, so that S705 can be performed directly.
S702: NSSAAF requests the UDM to retrieve the AMF associated with slice 1 serving terminal a.
As an embodiment, the NSSAAF sends a second request to the UDM requesting to acquire the AMF serving terminal A that is associated with slice 1. As an example, the second request includes identification information of terminal A and identification information of slice 1. Optionally, the request further includes a first indication, where the first indication is used to indicate that the network element type to be obtained is AMF. Optionally, the request further includes a second indication, where the second indication is used to indicate that the related flow is a slice authorization revocation flow. Alternatively, the second request may be a Nudm_UECM_Get Req.
Optionally, if the identification information of the slice 1 received by the NSSAAF in S701 is the external identifier of the slice 1, the NSSAAF may obtain the S-NSSAI of the slice 1 according to the external identifier of the slice 1, and send the S-NSSAI of the slice 1 to the UDM in S702. Optionally, if the identification information of the slice 1 received by the NSSAAF in S701 is the external identification of the slice 1, the NSSAAF may also send the external identification of the slice 1 to the UDM.
S703: the UDM obtains the AMF associated with slice 1 serving terminal a.
After the methods of fig. 2 and 3 are used, the UDM stores the association between terminal A, the AMF serving it and slice 1.
As an embodiment, the UDM may obtain the identification information of AMF1 according to the received identification information of terminal a and the identification information of slice 1, that is, the AMF associated with slice 1 and serving terminal a is AMF1. Optionally, the UDM may learn that the obtained network element type is AMF according to the first indication. Optionally, the UDM may learn that the related flow is a slice authorization revocation flow according to the second indication, so that the UDM performs corresponding processing.
S704: the UDM sends to NSSAAF the identification information of the AMF associated with slice 1 serving terminal a.
The UDM may transmit the identification information of AMF1 obtained at S703 to NSSAAF.
As an embodiment, the UDM sends a response message to the NSSAAF, the response message including the identification information of AMF1. Alternatively, the response message may be a Nudm_UECM_Get Resp.
Optionally, in S702, when the identification information of the slice 1 acquired by the UDM from the NSSAAF is the external identifier of the slice 1, the UDM may acquire the S-NSSAI of the slice 1 according to the external identifier, and send the S-NSSAI of the slice 1 and the identification information of the AMF1 to the NSSAAF.
S705: NSSAAF informs AMF1 to initiate revocation of authorization for slice 1 to terminal a.
As an embodiment, the NSSAAF sends a first notification to AMF1 according to the received identification information of AMF1, where the first notification is used to notify AMF1 to initiate revocation of authorization for slice 1 for terminal A. As an example, the first notification includes: event information, identification information of terminal A, and identification information of slice 1. As an example, in S705, the identification information of slice 1 may be the S-NSSAI of slice 1. The event information is used to indicate that slice authorization revocation is to be performed. Optionally, the first notification may be Nssaaf_NSSAA_Notify.
S706: the AMF1 revokes the authorization of the slice 1 to the terminal a.
AMF1 learns, from the event information, the identification information of terminal A and the identification information of slice 1, that the authorization of slice 1 for terminal A is to be revoked. AMF1 revokes the authorization of slice 1 for terminal A with reference to step 5 of clause 4.2.9.4 of 3GPP TS 23.502 V16.4.0.
Through S702-S705, the NSSAAF can accurately acquire the identification information of the AMF1 associated with slice 1 serving terminal a from the UDM using the identification information of slice 1. In contrast, if only the association relationship between the terminal and the AMF is stored on the UDM, but the association relationship between the terminal, the AMF, and the slice is not stored, the NSSAAF may acquire the identification information of the AMF2, so as to notify the AMF2 to trigger the revocation of the authorization to the slice 1, which may cause the generation of communication abnormality. Therefore, according to the scheme of the application, the generation of communication abnormity can be reduced.
Fig. 8 shows a method for the AAA-s to initiate authorization revocation of slice 2. For terms and concepts in fig. 8 that are the same as in fig. 7, refer to the description of fig. 7. As shown in fig. 8:
S801: AAA-s requests the NSSAAF to initiate revocation of authorization for slice 2 for terminal A.
As an embodiment, the AAA-s sends a first request to the NSSAAF, the first request requesting that terminal a initiate revocation of authorization for slice 2. As an example, the first request includes identification information of terminal a, and identification information of slice 2. It can be known from the identification information of terminal a and the identification information of slice 2 that revocation of authorization for slice 2 is requested for terminal a. If AAA-p is set between AAA-s and NSSAAF, AAA-s can send the first request to NSSAAF through AAA-p. The identification information of terminal a and the identification information of slice 2 may refer to the relevant contents in fig. 2 and fig. 3. For example, in S801, the identification information of terminal a may be the GPSI of terminal a, and the identification information of slice 2 may be the S-NSSAI of slice 2 or the external identification of slice 2.
Illustratively, the first request may be an AAA Protocol Revoke Auth Request.
As an optional alternative to S801, when the AAA-s requests the NSSAAF to initiate revocation of authorization for slice 2 for terminal A, it may learn from the information in table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, decide by itself whether to initiate the authorization revocation at PLMN-1, at PLMN-2, or at both, and carry the identification information of PLMN-1 and/or PLMN-2 in the request; the NSSAAF may then obtain the identification information of AMF1 and/or AMF2 from the UDM by means of the identification information of PLMN-1 and/or PLMN-2, so that S805a and/or S805b can be performed directly. The AAA-s may decide at which PLMN to initiate the authorization revocation based on a policy, a timer, or the like.
S802: NSSAAF requests the UDM to retrieve the AMF associated with slice 2 serving terminal a.
As an embodiment, the NSSAAF sends a second request to the UDM requesting to obtain the AMF serving terminal A that is associated with slice 2. As an example, the second request includes identification information of terminal A and identification information of slice 2. Optionally, the request further includes a first indication, where the first indication is used to indicate that the network element type to be obtained is AMF. Optionally, the request further includes a second indication, where the second indication is used to indicate that the related flow is a slice authorization revocation flow. Alternatively, the second request may be a Nudm_UECM_Get Req.
Optionally, if the identification information of the slice 2 received by the NSSAAF in S801 is the external identifier of the slice 2, the NSSAAF may obtain the S-NSSAI of the slice 2 according to the external identifier of the slice 2, and send the S-NSSAI of the slice 2 to the UDM in S802. Optionally, if the identification information of the slice 2 received by the NSSAAF in S801 is the external identification of the slice 2, the NSSAAF may also send the external identification of the slice 2 to the UDM.
S803: the UDM obtains the AMF associated with slice 2 serving terminal a.
After the methods of fig. 2 and 3 are used, the UDM stores the association between terminal A, AMF1 and slice 2, and the association between terminal A, AMF2 and slice 2.
As an implementation, the UDM may obtain the identification information of AMF1 and the identification information of AMF2 according to the received identification information of terminal A and the identification information of slice 2, that is, the AMFs serving terminal A that are associated with slice 2 are AMF1 and AMF2. Optionally, the UDM may learn that the network element type to be obtained is AMF according to the first indication. Optionally, the UDM may learn that the related flow is a slice authorization revocation flow according to the second indication, so that the UDM performs the corresponding processing.
For the slice authorization revocation procedure, when there are multiple AMFs associated with a slice serving the terminal, the UDM needs to notify NSSAAF of the multiple AMFs.
S804: the UDM sends to NSSAAF the identification information of the AMF associated with slice 2 serving terminal a.
The UDM transmits the identification information of AMF1 and the identification information of AMF2 obtained at S803 to NSSAAF.
As an embodiment, the UDM sends a response message to the NSSAAF, the response message including the identification information of AMF1 and the identification information of AMF2. Alternatively, the response message may be a Nudm_UECM_Get Resp.
Optionally, when the identification information of slice 2 that the UDM receives from the NSSAAF in S802 is the external identifier of slice 2, the UDM may obtain the S-NSSAI of slice 2 according to the external identifier and send the S-NSSAI of slice 2 together with the identification information of AMF1 and AMF2 to the NSSAAF.
For the slice authorization revocation procedure, when the NSSAAF receives the identification information of multiple AMFs, the multiple AMFs need to be notified to perform authorization revocation.
S805a: NSSAAF informs AMF1 to initiate revocation of authorization for slice 2 to terminal a.
As an embodiment, the NSSAAF sends a first notification to AMF1 according to the received identification information of AMF1, where the first notification is used to notify AMF1 to initiate revocation of authorization for slice 2 for terminal A. As an example, the first notification includes: event information, identification information of terminal A, and identification information of slice 2. As an example, in S805a, the identification information of slice 2 may be the S-NSSAI of slice 2. The event information is used to indicate that slice authorization revocation is to be performed. Optionally, the first notification may be Nssaaf_NSSAA_Notify.
S805b: NSSAAF informs AMF2 to initiate revocation of authorization for slice 2 to terminal a.
As an embodiment, the NSSAAF sends a second notification to AMF2 according to the received identification information of AMF2, where the second notification is used to notify AMF2 to initiate revocation of authorization for slice 2 for terminal A. As an example, the second notification includes: event information, identification information of terminal A, and identification information of slice 2. As an example, in S805b, the identification information of slice 2 may be the S-NSSAI of slice 2. The event information is used to indicate that slice authorization revocation is to be performed. Optionally, the second notification may be Nssaaf_NSSAA_Notify.
S806a: the AMF1 revokes the authorization of the slice 2 to the terminal a.
AMF1 learns, from the event information, the identification information of terminal A and the identification information of slice 2, that the authorization of slice 2 for terminal A is to be revoked. AMF1 revokes the authorization of slice 2 for terminal A with reference to step 5 of clause 4.2.9.4 of 3GPP TS 23.502 V16.4.0.
S806b: the AMF2 revokes the authorization of the slice 2 to the terminal a.
AMF2 learns, from the event information, the identification information of terminal A and the identification information of slice 2, that the authorization of slice 2 for terminal A is to be revoked. AMF2 revokes the authorization of slice 2 for terminal A with reference to step 5 of clause 4.2.9.4 of 3GPP TS 23.502 V16.4.0.
Through S802-S805a or S805b, the NSSAAF can accurately acquire the identification information of AMF1 and the identification information of AMF2 associated with slice 2 serving terminal a from the UDM using the identification information of slice 2. In contrast, if only the association relationship between the terminal and the AMF exists on the UDM, but the association relationship between the terminal, the AMF, and the slice is not stored, the NSSAAF may acquire the identification information of the AMF registered by the terminal a other than the AMF1 and the AMF2, so as to notify the wrong AMF to revoke the authorization of the slice 2, which may result in abnormal communication. In addition, if only the association relationship between the terminal and the AMF is stored on the UDM, but the association relationship between the terminal, the AMF, and the slice is not stored, the NSSAAF may acquire one of the AMF1 and the AMF2, and thus the other AMF is not notified to revoke the authorization of the slice 2, which may cause communication abnormality. Therefore, according to the scheme of the application, the generation of communication abnormity can be reduced.
Fig. 9 shows yet another method for the AAA-s to initiate authorization revocation of slice 2. For terms and concepts in fig. 9 that are the same as in fig. 8, refer to the description of fig. 8. The difference from fig. 8 is that in fig. 8 the UDM determines the AMF from the identification information of the slice, whereas in fig. 9 the NSSAAF determines the AMF from the identification information of the slice. As shown in fig. 9:
S901: AAA-s requests the NSSAAF to initiate revocation of authorization for slice 2 for terminal A.
For S901, refer to S801.
As an optional alternative to S901, when the AAA-s requests the NSSAAF to initiate revocation of authorization for slice 2 for terminal A, it may learn from the information in table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, decide by itself whether to initiate the authorization revocation at PLMN-1, at PLMN-2, or at both, and carry the identification information of PLMN-1 and/or PLMN-2 in the request; the NSSAAF may then obtain the identification information of AMF1 and/or AMF2 from the UDM by means of the identification information of PLMN-1 and/or PLMN-2, so that S906a and/or S906b can be performed directly. The AAA-s may decide at which PLMN to initiate the authorization revocation based on a policy, a timer, or the like.
S902: NSSAAF requests the UDM for the AMF serving terminal a and the slice associated with the AMF serving terminal a.
As an embodiment, the NSSAAF sends a second request to the UDM, the second request requesting to acquire the AMF serving terminal A and the slice associated with the AMF serving terminal A. As an example, the second request includes identification information of terminal A. Optionally, the request further includes a first indication, where the first indication is used to indicate that the network element type to be obtained is AMF. Optionally, the request further includes a second indication, where the second indication is used to indicate that the related flow is a slice authorization revocation flow. Alternatively, the second request may be a Nudm_UECM_Get Req.
S903: the UDM obtains the AMF serving terminal a and the slice associated with the AMF serving terminal a.
After using the methods of fig. 2 and 3, the UDM stores the association of the terminal, AMF and slice as in table 1 above.
As an implementation manner, the UDM may obtain, according to the received identification information of the terminal a, { AMF1 identification information, (slice 1 identification information, slice 2 identification information) } and { AMF2 identification information, (slice 2 identification information, slice 3 identification information) }, that is, the AMFs serving the terminal a are AMF1 and AMF2, the slices associated with AMF1 are slice 1 and slice 2, and the slices associated with AMF2 are slice 2 and slice 3. Optionally, the UDM may learn that the obtained network element type is AMF according to the first indication. Optionally, the UDM may learn, according to the second indication, that the relevant flow is a slice authorization revocation flow, so that the UDM performs corresponding processing. It will be understood that { A, B } indicates that A and B have an associative relationship, and that (A, B) indicates a set or list that includes both A and B elements.
Optionally, the UDM may also obtain the connection status of the terminal and the AMF serving the terminal. The connection state of the terminal includes a connection state and an idle state. As an embodiment, the UDM may request from the AMF serving the terminal to obtain the connection status of the terminal. For example, in table 1, AMFs serving terminal a are AMF1 and AMF2, and the UDM may obtain the connection status of terminal a and AMF1 from AMF1 and the connection status of terminal a and AMF2 from AMF2, respectively.
Optionally, the UDM may further obtain an access type corresponding to the AMF serving the terminal. Generally, access types may be classified into 3GPP accesses and non-3GPP accesses. For example: the access type corresponding to the AMF1 is 3GPP access, and the access type corresponding to the AMF2 is non-3GPP access technology.
S904: the UDM sends to the NSSAAF the identification information of the AMF serving terminal a and the identification information of the slice with which the AMF serving terminal a is associated.
Illustratively, the UDM sends { AMF1 identification information, (slice 1 identification information, slice 2 identification information) } and { AMF2 identification information, (slice 2 identification information, slice 3 identification information) } to the NSSAAF.
Illustratively, the UDM transmits { AMF1 identification information, slice 1 identification information }, { AMF1 identification information, slice 2 identification information }, { AMF2 identification information, slice 2 identification information }, and { AMF2 identification information, slice 3 identification information } to the NSSAAF.
Optionally, the UDM may send connection state information to the NSSAAF. The connection state information is used to indicate the connection state of the terminal with each AMF serving the terminal. For example, the connection state information indicates that terminal A is in the connected state with AMF1 and in the idle state with AMF2.
Optionally, the UDM may send access type information to the NSSAAF. The access type information is used to indicate an access type corresponding to an AMF serving the terminal. For example, the access type information indicates that the access type of the AMF1 is 3GPP access and the access type of the AMF2 is non-3GPP access.
As an embodiment, the UDM sends a response message to the NSSAAF, the response message including the identification information of the AMF serving terminal a and the identification information of the slice with which the AMF serving terminal a is associated. Optionally, the response message further includes the connection state information. Optionally, the response message further includes the access type information. Alternatively, the response message may be a Nudm_UECM_Get Resp.
S905: NSSAAF determines the AMF associated with slice 2.
Based on the information received at S904, the NSSAAF may learn that the AMFs associated with slice 2 serving terminal a are AMF1 and AMF2.
For slice authorization revocation, if multiple AMFs associated with the slice serve the terminal, the NSSAAF needs to notify each of these AMFs to revoke the authorization of the slice. Therefore, the NSSAAF informs both AMF1 and AMF2 to initiate revocation of the authorization of slice 2 for terminal a.
S906a: NSSAAF informs AMF1 to initiate revocation of authorization for slice 2 to terminal a.
S906a may refer to S805a.
S906b: NSSAAF informs AMF2 to initiate revocation of authorization for slice 2 to terminal a.
S906b may refer to S805b.
S907a: the AMF1 revokes the authorization of the slice 2 to the terminal a.
S907a may refer to S806a.
S907b: the AMF2 revokes the authorization of the slice 2 to the terminal a.
S907b may refer to S806b.
Through S902 to S906b, the NSSAAF can accurately acquire, using the identification information of slice 2, the identification information of AMF1 and AMF2, the AMFs associated with slice 2 that serve terminal a. In contrast, if the UDM stored only the association between the terminal and the AMF, and not the association among the terminal, the AMF, and the slice, the NSSAAF might acquire the identification information of an AMF with which terminal a is registered other than AMF1 and AMF2, and would then notify the wrong AMF to revoke the authorization of slice 2, which may result in abnormal communication. Likewise, if the UDM stored only the association between the terminal and the AMF, the NSSAAF might acquire only one of AMF1 and AMF2, so that the other AMF would not be notified to revoke the authorization of slice 2, which may also cause abnormal communication. Therefore, the scheme of the present application reduces the occurrence of communication abnormalities.
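The following Python sketch is an added illustration and is not code from the patent or from any 3GPP implementation. It models the information storage network element (UDM) holding the three-way association terminal/AMF/slice of table 1, the shape of the S904 response, and the slice-aware lookup of S905, and it contrasts that with a UDM that records only which AMFs the terminal is registered with, which is the failure mode the preceding paragraph describes. The identifiers `terminal_a`, `slice1` and so on are constructed stand-ins for the identification information exchanged in the messages.

```python
from collections import defaultdict


class UdmSliceContext:
    """Toy model (not the patent's code) of the information storage network
    element (UDM). It keeps the three-way association terminal -> AMF -> slices
    that the scheme requires, rather than only terminal -> AMFs."""

    def __init__(self):
        # terminal id -> AMF id -> set of slice ids successfully
        # authenticated and authorized on that AMF (the shape of table 1)
        self._ctx = defaultdict(lambda: defaultdict(set))

    def record(self, terminal, amf, slice_id):
        """Store the slice authentication/authorization info reported by an AMF."""
        self._ctx[terminal][amf].add(slice_id)

    def registered_amfs(self, terminal):
        """All a UDM holding only the terminal -> AMF relationship can answer."""
        return sorted(self._ctx[terminal])

    def amfs_for_slice(self, terminal, slice_id):
        """Slice-aware lookup: the AMFs serving the terminal that are
        associated with the given slice (the result of S905)."""
        return sorted(amf for amf, slices in self._ctx[terminal].items()
                      if slice_id in slices)

    def amfs_with_slices(self, terminal):
        """Shape of the S904 response, {AMF id: (slice ids)}, from which the
        NSSAAF itself determines the AMFs associated with a slice."""
        return {amf: tuple(sorted(slices))
                for amf, slices in sorted(self._ctx[terminal].items())}


def revocation_targets(udm, terminal, slice_id, slice_aware=True):
    """AMFs the NSSAAF notifies to revoke the slice's authorization.
    slice_aware=False reproduces the problem the text warns about: the UDM
    knows only which AMFs the terminal is registered with, so the NSSAAF
    cannot tell which of them actually hold the slice."""
    if slice_aware:
        return udm.amfs_for_slice(terminal, slice_id)
    return udm.registered_amfs(terminal)


def table1():
    """Constructed from the text: for terminal a, AMF1 holds slices 1 and 2,
    and AMF2 holds slices 2 and 3."""
    udm = UdmSliceContext()
    for amf, slice_id in [("AMF1", "slice1"), ("AMF1", "slice2"),
                          ("AMF2", "slice2"), ("AMF2", "slice3")]:
        udm.record("terminal_a", amf, slice_id)
    return udm


if __name__ == "__main__":
    udm = table1()
    print("S904 response:", udm.amfs_with_slices("terminal_a"))
    print("revoke slice2, slice-aware:", revocation_targets(udm, "terminal_a", "slice2"))
    print("revoke slice1, slice-aware:", revocation_targets(udm, "terminal_a", "slice1"))
    print("revoke slice1, registration only:",
          revocation_targets(udm, "terminal_a", "slice1", slice_aware=False))
```

With the slice-aware lookup, revoking slice 2 targets AMF1 and AMF2 and revoking slice 1 targets AMF1 only; with registration-only context, revoking slice 1 would also notify AMF2, which never authorized that slice for the terminal.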
Fig. 10 illustrates a method of slice authentication authorization management. The method is described in the context of fig. 1, in conjunction with the methods of fig. 2-9. As shown in fig. 10:
s1001: terminal a authenticates and authorizes the slice at PLMN-1.
S1001 performs the method as shown in fig. 2.
S1002: terminal a authenticates and authorizes the slice at PLMN-2.
S1002 performs the method as shown in fig. 3.
Terminal a authenticates and authorizes the slice at PLMN-1 and PLMN-2, respectively, via S1001 and S1002. The AMF serving terminal a associated with slice 1 is AMF1, the AMFs serving terminal a associated with slice 2 are AMF1 and AMF2, and the AMF serving terminal a associated with slice 3 is AMF2.
After the terminal a authenticates and authorizes the slice at PLMN-1 and PLMN-2, respectively, the AAA-s may initiate slice reauthentication and re-authorization flows, or initiate slice authorization revocation flows, as needed.
S1003 may be performed in the case where the AAA-S initiates the slice reauthentication and re-authorization procedures as needed. S1004 may be performed in case the AAA-S initiates a slice authorization revocation procedure as needed.
S1003: slice re-authentication and re-authorization flow.
S1003 performs a method as shown in fig. 4, 5, or 6.
S1004: slice authorization revocation flow.
S1004 performs a method as shown in fig. 7, 8, or 9.
By the method of fig. 10, the AMF associated with the slice serving for the terminal can be accurately obtained, thereby ensuring correct execution of the slice re-authentication and re-authorization process and the slice authorization revocation process, and avoiding communication errors.
It should be noted that the scheme provided in the embodiments of the present application may also be applied to a scenario in which a terminal is registered with only one AMF. That is, the same scheme may be used both when the terminal is registered with one AMF and when it is registered with multiple AMFs. Since both cases are handled within the same framework, the implementation complexity is reduced.
In the above embodiment, optionally, the NSSAAF may acquire the connection state information of the terminal and the AMF from the AMF. Optionally, the NSSAAF may obtain the access type corresponding to the AMF from the AMF.
In the above embodiments, the function of NSSAAF may also be implemented by AUSF, that is, NSSAAF in the above embodiments may be replaced by AUSF.
In order to implement the above technical solutions in fig. 2 to fig. 10, an embodiment of the present application provides a schematic structural diagram of a network element. Referring to fig. 11, the network element 1100 shown in fig. 11 comprises a processing unit 1101 and a communication unit 1102. The processing unit 1101 is mainly configured to perform processing, and the communication unit 1102 is mainly configured to communicate with other network elements.
In one design, network element 1100 is an authentication and authorization network element to implement NSSAAF functionality as in fig. 2-10.
As an example of this design, the processing unit 1101 and the communication unit 1102 are configured to implement the following method: acquiring a trigger network element serving a terminal device and associated with a first slice, and informing the trigger network element of carrying out slice authentication and authorization processing on the first slice on the terminal device; wherein, the slice authentication and authorization processing is as follows: slice re-authentication and re-authorization, or slice authorization revocation.
Optionally, the acquiring, by the authentication and authorization network element, a trigger network element serving the terminal device and associated with the first slice includes: the authentication and authorization network element acquires a first trigger network element associated with the terminal device and the first slice from an information storage network element; the step of informing, by the authentication and authorization network element, the triggering network element of performing the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication and authorization network element informs the first triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device.
Optionally, the obtaining, by the authentication and authorization network element, the first triggering network element associated with the terminal device and the first slice from the information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including first identification information of the first triggering network element.
Optionally, the acquiring, by the authentication and authorization network element, a trigger network element serving the terminal device and associated with the first slice includes: the authentication and authorization network element acquires a plurality of first trigger network elements serving the terminal device and associated with the first slice; the step of informing, by the authentication and authorization network element, the triggering network element of performing the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication authorization network element informs the plurality of first trigger network elements to perform the slice authentication authorization processing of the first slice on the terminal device.
Optionally, the obtaining, by the authentication and authorization network element, a plurality of first triggering network elements associated with the first slice, which serve the terminal device, includes: the authentication authorization network element obtains a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element.
Optionally, the obtaining, by the authentication and authorization network element, a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of first triggering network elements.
Optionally, the obtaining, by the authentication and authorization network element, a plurality of first triggering network elements associated with the first slice, which serve the terminal device, includes: the authentication and authorization network element acquires a plurality of second trigger network elements associated with the terminal device and slices associated with the plurality of second trigger network elements from an information storage network element; the authentication and authorization network element determines the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
Optionally, the obtaining, by the authentication and authorization network element, the plurality of second trigger network elements associated with the terminal device and the slices associated with the plurality of second trigger network elements from the information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, wherein the first request comprises first identification information of the terminal device, and the first request is used for acquiring the second trigger network element and a slice associated with the second trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of second triggering network elements and identification information of the slices associated with the plurality of second triggering network elements.
Optionally, the slice authentication and authorization process is the slice re-authentication and re-authorization; the authentication and authorization network element acquiring a trigger network element serving a terminal device and associated with a first slice, includes: the authentication and authorization network element acquires a plurality of first trigger network elements serving the terminal device and associated with the first slice; the authentication authorization network element determines a second triggering network element from the plurality of first triggering network elements; the step of informing the triggering network element of performing slice authentication and authorization processing of the first slice on the terminal device by the authentication and authorization network element includes: and the authentication and authorization network element informs the second triggering network element of carrying out slice reauthentication and reauthorization on the first slice on the terminal device. By the implementation mode, when a plurality of trigger network elements are associated with the slice, one network element can be selected for the terminal to perform slice reauthentication and reauthorization, so that repeated reauthentication and reauthorization are avoided, and signaling is saved.
Optionally, the obtaining, by the authentication and authorization network element, a plurality of first trigger network elements associated with the first slice and serving the terminal device includes: the authentication authorization network element obtains a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element.
Optionally, the obtaining, by the authentication and authorization network element, a plurality of first triggering network elements associated with the terminal device and the first slice from an information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of first triggering network elements.
Optionally, the obtaining, by the authentication and authorization network element, a plurality of first trigger network elements associated with the first slice and serving the terminal device includes: the authentication and authorization network element acquires a plurality of second trigger network elements associated with the terminal device and slices associated with the plurality of second trigger network elements from an information storage network element; the authentication and authorization network element determines the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
Optionally, the obtaining, by the authentication and authorization network element, the plurality of second trigger network elements associated with the terminal device and the slices associated with the plurality of second trigger network elements from the information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, wherein the first request comprises first identification information of the terminal device, and the first request is used for acquiring the second trigger network element and a slice associated with the second trigger network element; the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of second trigger network elements and identification information of the slices associated with the plurality of second trigger network elements.
Optionally, the determining, by the authentication authorization network element, a second triggering network element from the plurality of first triggering network elements includes: the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the connection state of the terminal device with the plurality of first triggering network elements; wherein the connection state is either a connected state or an idle state. Selecting the triggering network element by connection state allows a triggering network element better suited to the slice authentication and authorization processing to be chosen.
Optionally, the determining, by the authentication authorization network element, the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements includes: the authentication authorization network element determines, as the second triggering network element, a first triggering network element with which the connection state of the terminal device is the connected state.
Optionally, the determining, by the authentication authorization network element, the second triggering network element from the multiple first triggering network elements according to the connection status between the terminal device and the multiple first triggering network elements includes: when the connection state between the terminal device and each of the plurality of first triggering network elements is the idle state, the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access type corresponding to the plurality of first triggering network elements; wherein the access types include 3GPP access and non-3GPP access. When the trigger network element is selected, the access type is further considered, and the trigger network element which is more suitable for slice authentication and authorization processing can be selected.
Optionally, the determining, by the authentication and authorization network element, the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements includes: the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
Optionally, the determining, by the authentication authorization network element, a second triggering network element from the plurality of first triggering network elements includes: the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements; wherein the access types include 3GPP access and non-3GPP access.
Optionally, the determining, by the authentication authorization network element, the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements includes: the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
Optionally, the method further includes: the authentication and authorization network element acquires the connection states of the plurality of first trigger network elements from the information storage network element; or, the authentication and authorization network element obtains the connection statuses of the plurality of first trigger network elements from the plurality of first trigger network elements.
Optionally, the method further includes: the authentication and authorization network element acquires the access types corresponding to the plurality of first trigger network elements from the information storage network element; or, the authentication and authorization network element obtains the access types corresponding to the plurality of first trigger network elements from the plurality of first trigger network elements.
Optionally, the first request further includes: a first indication, which is used for indicating that the network element type is AMF; or a second indication indicating the slice authentication authorization process.
Optionally, the method further includes: the authentication and authorization network element receives a second request, where the second request includes second identification information of the terminal device and second identification information of the first slice, and the second request is used to request that the terminal device initiate the slice authentication and authorization processing on the first slice.
Optionally, the authentication authorization network element is NSSAAF, and the triggering network element is AMF.
Optionally, the information storage network element is a UDM.
In another design, the network element 1100 is an information storage network element that implements the functions of the UDM in fig. 2-10.
As an example of this design, the processing unit 1101 and the communication unit 1102 are configured to implement the following method:
the method comprises the steps that an information storage network element acquires slice authentication and authorization information, wherein the slice authentication and authorization information is used for indicating a terminal device, a trigger network element associated with the terminal device and a slice associated with the terminal device and the trigger network element, the trigger network element serves the terminal device, and the slice is a slice of the terminal device successfully authenticated and authorized on the trigger network element; the information storage network element receives a first request from an authentication authorization network element, wherein the first request is used for requesting to acquire a first trigger network element associated with the terminal device and the first slice; the information storage network element determines the first triggering network element according to the slice authentication and authorization information and the first request; the information storage network element sends a first response to the authentication authorization network element, where the first response includes the identification information of the first trigger network element.
Optionally, the determining, by the information storage network element, the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determining a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request; the information storage network element sends a first response to the authentication authorization network element, where the first response includes identification information of the first trigger network element, and includes: the information storage network element sends the first response to the authentication and authorization network element, where the first response includes the identification information of the plurality of second trigger network elements.
Optionally, the first request further includes a first indication, where the first indication indicates that the slice is authorized to be revoked; the information storing network element determining a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request, comprising: the information storage network element determines the plurality of second triggering network elements based on the slice authentication and authorization information, the first request, and the first indication.
Optionally, the determining, by the information storage network element, the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determining a third triggering network element of a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request; the information storage network element sends a first response to the authentication authorization network element, where the first response includes identification information of the first trigger network element, and includes: the information storage network element sends the first response to the authentication authorization network element, where the first response includes the identification information of the third trigger network element.
Optionally, the determining, by the information storage network element, a third triggering network element of a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request includes: the information storage network element determines the plurality of second trigger network elements according to the slice authentication and authorization information and the first request; the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the connection state of the terminal device with the plurality of second triggering network elements; wherein the connection state is either a connected state or an idle state.
Optionally, the determining, by the information storage network element, the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements includes: the information storage network element determines, as the third triggering network element, a second triggering network element with which the connection state of the terminal device is the connected state.
Optionally, the determining, by the information storage network element, the third triggering network element from the plurality of second triggering network elements according to the connection status between the terminal device and the plurality of second triggering network elements includes: when the connection state between the terminal device and each of the plurality of second triggering network elements is the idle state, the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access type corresponding to the plurality of second triggering network elements; wherein the access types include 3GPP access and non-3GPP access.
Optionally, the determining, by the information storage network element, the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements, and the access type corresponding to the third triggering network element is the 3GPP access.
Optionally, the determining, by the information storage network element, a third triggering network element of a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request includes: the information storage network element determines the plurality of second trigger network elements according to the slice authentication and authorization information and the first request; the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements; wherein the access types include 3GPP access and non-3GPP access.
Optionally, the determining, by the information storage network element, the third triggering network element from the multiple second triggering network elements according to the access types corresponding to the multiple second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements, and the access type corresponding to the third triggering network element is the 3GPP access.
Optionally, the first request further includes a second indication, where the second indication is used to indicate that the network element type is AMF.
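The selection rules stated for the authentication and authorization network element (a second triggering network element chosen from the first triggering network elements) and, in the same form, for the information storage network element (a third triggering network element chosen from the second triggering network elements) are the same decision procedure. The following Python sketch is an added illustration, not code from the patent: it applies the stated order of preference (connected state first; if every candidate is idle, or if only access type is considered, 3GPP access first), and shows that slice authorization revocation instead targets every associated triggering network element. The candidate values for terminal a are constructed from the text's example (AMF1 connected over 3GPP access, AMF2 idle over non-3GPP access); the tie-break among equally ranked candidates is an assumption, since the text does not specify one.

```python
from dataclasses import dataclass
from enum import Enum


class ConnState(Enum):
    CONNECTED = "connected"
    IDLE = "idle"


class AccessType(Enum):
    GPP3 = "3GPP"
    NON3GPP = "non-3GPP"


@dataclass(frozen=True)
class TriggerCandidate:
    """One AMF serving the terminal and associated with the slice, with the
    connection state and access type the text allows the selecting network
    element (NSSAAF or UDM) to obtain."""
    amf_id: str
    conn: ConnState
    access: AccessType


def select_trigger_amf(candidates, use_connection_state=True):
    """Choose a single triggering AMF for slice re-authentication and
    re-authorization, in the order of preference stated in the text:
      1. an AMF with which the terminal is in the connected state;
      2. if every candidate is idle (or connection state is not used),
         an AMF whose access type is 3GPP;
      3. otherwise the first candidate in the given order (assumed tie-break,
         not specified by the text)."""
    if not candidates:
        raise ValueError("no AMF associated with the slice serves the terminal")
    if use_connection_state:
        connected = [c for c in candidates if c.conn is ConnState.CONNECTED]
        if connected:
            return connected[0].amf_id
    via_3gpp = [c for c in candidates if c.access is AccessType.GPP3]
    if via_3gpp:
        return via_3gpp[0].amf_id
    return candidates[0].amf_id


def notification_targets(process, candidates):
    """AMFs the authentication and authorization network element notifies.
    Revocation goes to every associated AMF so that no AMF keeps a revoked
    slice; re-authentication goes to one selected AMF to avoid repeating the
    procedure and wasting signalling."""
    if process == "revocation":
        return [c.amf_id for c in candidates]
    if process == "reauth":
        return [select_trigger_amf(candidates)]
    raise ValueError(f"unknown slice authentication/authorization process: {process}")


# Constructed from the text's example: terminal a is in the connected state
# with AMF1 over 3GPP access and idle towards AMF2 over non-3GPP access; both
# AMFs are associated with slice 2.
SLICE2_CANDIDATES = (
    TriggerCandidate("AMF1", ConnState.CONNECTED, AccessType.GPP3),
    TriggerCandidate("AMF2", ConnState.IDLE, AccessType.NON3GPP),
)

if __name__ == "__main__":
    print("re-authentication target:", notification_targets("reauth", SLICE2_CANDIDATES))
    print("revocation targets:", notification_targets("revocation", SLICE2_CANDIDATES))
```

For the constructed candidates, re-authentication is sent to AMF1 only and revocation to both AMF1 and AMF2; if both AMFs were idle, the one reachable over 3GPP access would be chosen.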
As yet another design, the network element 1100 is a triggering network element for implementing the functions of AMF1 or AMF2 in fig. 2-10.
As an example of this design, the processing unit 1101 and the communication unit 1102 are configured to implement the following method:
the triggering network element sends slice authentication and authorization information to an information storage network element, wherein the slice authentication and authorization information is used for indicating a terminal device, a triggering network element associated with the terminal device and a slice associated with the terminal device and the triggering network element, the triggering network element serves the terminal device, and the slice is a slice in which the terminal device is successfully authenticated and authorized on the triggering network element; the triggering network element receives a notification from an authentication authorization network element, wherein the notification is used for notifying the terminal device of slice authentication authorization processing of the slice; wherein, the slice authentication and authorization processing is as follows: slice re-authentication and re-authorization, or slice authorization revocation.
Optionally, the method further includes: the triggering network element initiates the slice authentication and authorization processing of the slice to the terminal device.
Referring to fig. 12, an embodiment of the present application provides a schematic structural diagram of another network element. The network element 1200 shown in fig. 12 comprises at least one processor 1201, a memory 1202 and, optionally, a communication interface 1203.
Memory 1202 may be a volatile memory, such as a random access memory; the memory may also be a non-volatile memory such as, but not limited to, a read-only memory, a flash memory, a Hard Disk Drive (HDD) or a solid-state drive (SSD), or the memory 1202 is any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Memory 1202 may be a combination of the above.
The embodiment of the present application does not limit the specific connection medium between the processor 1201 and the memory 1202. In the embodiment of the present application, the memory 1202 and the processor 1201 are connected by a bus 1204, the bus 1204 is represented by a thick line in the figure, and the connection manner between other components is only schematically illustrated and is not limited. The bus 1204 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 12, but this is not intended to represent only one bus or type of bus.
The processor 1201 may have a data transceiving function, and may communicate with other devices, and in the apparatus as shown in fig. 12, an independent data transceiving module, for example, a communication interface 1203, may also be provided for transceiving data; the processor 1201 can perform data transmission through the communication interface 1203 when communicating with other apparatuses.
In one design, network element 1200 is an authentication and authorization network element, and processor 1201 may invoke instructions in memory 1202 to implement the functionality of the NSSAAF in fig. 2-10, as well as the functionality of the authentication and authorization network element of the structure shown in fig. 11.
In another design, in which the network element 1200 is an information storage network element, the processor 1201 can invoke instructions in the memory 1202 to implement the functionality of the UDM of fig. 2-10, as well as the functionality of the information storage network element of the structure shown in fig. 11.
In yet another design, where network element 1200 is a triggering network element, processor 1201 may invoke instructions in memory 1202 to implement the functionality of AMF1 or AMF2 in fig. 2-10, as well as the functionality of the triggering network element of the architecture shown in fig. 11.
With this apparatus, the AMF that serves the terminal and is associated with the slice can be identified accurately, so that the slice re-authentication and re-authorization procedure and the slice authorization revocation procedure are executed correctly and communication errors are avoided.
An embodiment of the present application further provides a communication system, where the system may include some or all of the authentication authorization network element, the information storage network element, and the triggering network element in fig. 2 to fig. 11.
It is understood that, in some scenarios, some optional features in the embodiments of the present application may be implemented independently, without depending on other features (for example, on the basis of the existing solution), to solve the corresponding technical problems and achieve the corresponding effects; in other scenarios they may be combined with other features as required. Accordingly, the apparatuses provided in the embodiments of the present application may also implement these features or functions, which are not described again here.
Those skilled in the art will also appreciate that the various illustrative logical blocks and steps (step) set forth in the embodiments of the present application may be implemented in electronic hardware, computer software, or combinations of both. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Those skilled in the art can implement the described functions in various ways for corresponding applications, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
The approaches described herein may be implemented in a variety of ways. For example, these techniques may be implemented in hardware, software, or a combination of hardware and software. For a hardware implementation, the processing units used to perform these techniques at a communication device (e.g., a base station, a terminal, a network entity, a core network element, or a chip) may be implemented in one or more general-purpose processors, digital signal processors (DSPs), digital signal processing devices, application-specific integrated circuits (ASICs), programmable logic devices, field-programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination thereof. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
It will be appreciated that the memory in the embodiments of the present application can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate SDRAM, enhanced SDRAM, synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The present application also provides a computer-readable medium having stored thereon a computer program which, when executed by a computer, performs the functions of any of the method embodiments described above.
The present application also provides a computer program product which, when executed by a computer, implements the functionality of any of the above-described method embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disk (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), among others.
It should be appreciated that reference throughout this specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the various embodiments are not necessarily referring to the same embodiment throughout the specification. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
It should be understood that, in the present application, "when", "if", and similar conditional expressions all refer to the processing the device performs once the corresponding objective condition is met; they are not intended to limit timing, do not require the device to perform a judgment action when implemented, and do not imply any other limitation.
The term "simultaneously" in this application is to be understood as being at the same point in time, as well as being within a period of time, and also being within the same period.
Reference in the present application to an element using the singular is intended to mean "one or more" rather than "one and only one" unless specifically stated otherwise. In the present application, unless otherwise specified, "at least one" is intended to mean "one or more" and "a plurality" is intended to mean "two or more".
Additionally, the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association between associated objects, meaning that three relationships may exist; e.g., "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A can be singular or plural, and B can be singular or plural.
It is understood that in the embodiments of the present application, "B corresponding to A" means that B is associated with A, and that B can be determined from A. It should also be understood that determining B from A does not mean determining B from A alone; B may be determined from A and/or other information.
The correspondence shown in the tables in the present application may be configured or predefined. The values of the information in each table are only examples and may be configured to other values, which is not limited in the present application. When the correspondence between the information and each parameter is configured, it is not always necessary to configure all the correspondences indicated in each table. For example, in the tables in the present application, the correspondence shown in some rows may not be configured. For another example, appropriate modifications and adjustments, such as splitting or merging, can be made based on the above tables. The names of the parameters in the tables may be other names understandable by the communication device, and the values or the expression of the parameters may be other values or expressions understandable by the communication device. When the above tables are implemented, other data structures may be used, for example, arrays, queues, containers, stacks, linear tables, pointers, linked lists, trees, graphs, structures, classes, heaps, or hash tables.
Predefinition in this application may be understood as defining, predefining, storing, pre-negotiating, pre-configuring, hard-coding (burning in), or pre-burning.
Those of ordinary skill in the art would appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
For convenience and brevity of description, for the specific working processes of the system, the apparatus, and the units described above, a person skilled in the art may refer to the corresponding processes in the foregoing method embodiments; they are not described again here.
It is to be understood that the systems, apparatus and methods described herein may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The same or similar parts between the various embodiments in this application may be referred to each other. In the embodiments and the implementations within the embodiments of the present application, unless otherwise specified or logically conflicting, terms and/or descriptions between different embodiments and between the various implementations are consistent and can be mutually cited, and technical features in different embodiments and implementations can be combined to form new embodiments or implementations according to their inherent logical relationships. The above-described embodiments of the present application do not limit the scope of the present application.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.

Claims (45)

1. A slice authentication authorization management method, comprising:
the authentication authorization network element acquires a trigger network element associated with the first slice, wherein the trigger network element serves a terminal device;
the authentication and authorization network element informs the trigger network element of carrying out slice authentication and authorization processing on the first slice on the terminal device; wherein the slice authentication and authorization process is as follows: slice re-authentication and re-authorization, or slice authorization revocation.
2. The method of claim 1, wherein,
the acquiring, by the authentication authorization network element, of the triggering network element serving the terminal device and associated with the first slice comprises:
the authentication and authorization network element acquires a first trigger network element associated with the terminal device and the first slice from an information storage network element;
and the informing, by the authentication and authorization network element, of the triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device comprises:
and the authentication and authorization network element informs the first triggering network element of carrying out the slice authentication and authorization processing of the first slice on the terminal device.
3. The method of claim 2, wherein the obtaining, by the authentication authorization network element, the first triggering network element associated with the terminal device and the first slice from an information storage network element comprises:
the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element;
the authentication authorization network element receives a first response from the information storage network element, where the first response includes first identification information of the first triggering network element.
4. The method of claim 1, wherein,
the acquiring, by the authentication authorization network element, of the triggering network element serving the terminal device and associated with the first slice comprises:
the authentication and authorization network element acquires a plurality of first trigger network elements serving the terminal device and associated with the first slice;
and the informing, by the authentication and authorization network element, of the triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device comprises:
and the authentication and authorization network element informs the plurality of first trigger network elements to perform the slice authentication and authorization processing of the first slice on the terminal device.
5. The method of claim 4, wherein the obtaining, by the authentication authorization network element, a plurality of first triggering network elements associated with the first slice serving the terminal device comprises:
the authentication and authorization network element acquires a plurality of first trigger network elements associated with the terminal device and the first slice from an information storage network element.
6. The method of claim 5, wherein the obtaining, by the authentication authorization network element from an information storage network element, a plurality of first trigger network elements associated with the terminal device and the first slice comprises:
the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element;
the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of first trigger network elements.
7. The method of claim 4, wherein the obtaining, by the authentication authorization network element, a plurality of first triggering network elements associated with the first slice serving the terminal device comprises:
the authentication and authorization network element acquires a plurality of second trigger network elements associated with the terminal device and slices associated with the plurality of second trigger network elements from an information storage network element;
and the authentication and authorization network element determines the plurality of first trigger network elements from the plurality of second trigger network elements according to the first slice and the slices associated with the plurality of second trigger network elements.
8. The method of claim 7, wherein the authenticating and authorizing network element obtaining a plurality of second triggering network elements associated with the terminal device and a slice associated with the plurality of second triggering network elements from an information storage network element comprises:
the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device, and the first request is used to obtain the second trigger network element and a slice associated with the second trigger network element;
the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of second trigger network elements and identification information of the slices associated with the plurality of second trigger network elements.
9. The method of claim 1, wherein the slice authentication authorization process is the slice re-authentication and re-authorization;
the acquiring, by the authentication authorization network element, of the triggering network element serving the terminal device and associated with the first slice comprises:
the authentication and authorization network element acquires a plurality of first trigger network elements serving the terminal device and associated with the first slice;
the authentication authorization network element determines a second triggering network element from the plurality of first triggering network elements;
the step of informing, by the authentication and authorization network element, the triggering network element of performing slice authentication and authorization processing of the first slice on the terminal device includes:
and the authentication and authorization network element informs the second trigger network element of carrying out slice reauthentication and reauthorization of the first slice on the terminal device.
10. The method of claim 9, wherein the obtaining, by the authentication authorization network element, a plurality of first triggering network elements associated with the first slice serving the terminal device comprises:
the authentication and authorization network element acquires a plurality of first trigger network elements associated with the terminal device and the first slice from an information storage network element.
11. The method of claim 10, wherein the obtaining, by the authentication authorization network element from an information storage network element, a plurality of first triggering network elements associated with the terminal device and the first slice comprises:
the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first trigger network element;
the authentication authorization network element receives a first response from the information storage network element, the first response including identification information of the plurality of first trigger network elements.
12. The method of claim 9, wherein the obtaining, by the authentication authorization network element, a plurality of first triggering network elements associated with the first slice serving the terminal device comprises:
the authentication and authorization network element acquires a plurality of second trigger network elements associated with the terminal device and slices associated with the plurality of second trigger network elements from an information storage network element;
and the authentication and authorization network element determines the plurality of first trigger network elements from the plurality of second trigger network elements according to the first slice and the slices associated with the plurality of second trigger network elements.
13. The method of claim 12, wherein the authenticating and authorizing network element obtaining a plurality of second triggering network elements associated with the terminal device and a slice associated with the plurality of second triggering network elements from an information storage network element comprises:
the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device, and the first request is used to obtain the second trigger network element and a slice associated with the second trigger network element;
the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of second trigger network elements and identification information of the slices associated with the plurality of second trigger network elements.
14. The method of claim 9, wherein the determining, by the authentication authorization network element, a second triggering network element from the plurality of first triggering network elements comprises:
the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the connection state of the terminal device with each of the plurality of first triggering network elements; wherein the connection state is a connected state or an idle state.
15. The method of claim 14, wherein the determining, by the authentication authorization network element, the second triggering network element from the plurality of first triggering network elements according to the connection status of the terminal device with the plurality of first triggering network elements comprises:
the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements, where the connection state between the terminal device and the second triggering network element is the connected state.
16. The method of claim 14, wherein the determining, by the authentication authorization network element, the second triggering network element from the plurality of first triggering network elements according to the connection status of the terminal device with the plurality of first triggering network elements comprises:
when the connection state between the terminal device and each of the plurality of first trigger network elements is the idle state, the authentication authorization network element determines the second trigger network element from the plurality of first trigger network elements according to the access type corresponding to the plurality of first trigger network elements; wherein the access types include 3GPP access and non-3GPP access.
17. The method of claim 16, wherein the determining, by the authentication and authorization network element, the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements comprises:
and the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
18. The method of claim 9, wherein the determining, by the authentication authorization network element, a second triggering network element from the plurality of first triggering network elements comprises:
the authentication authorization network element determines the second trigger network element from the plurality of first trigger network elements according to the access types corresponding to the plurality of first trigger network elements; wherein the access types include 3GPP access and non-3GPP access.
19. The method of claim 18, wherein the determining, by the authentication and authorization network element, the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements comprises:
and the authentication authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
20. The method according to any one of claims 14-16, wherein the method further comprises:
the authentication authorization network element acquires the connection states of the plurality of first trigger network elements from an information storage network element; or,
the authentication authorization network element acquires the connection states of the plurality of first trigger network elements from the first trigger network elements.
21. The method of any of claims 16-19, wherein the method further comprises:
the authentication authorization network element acquires the access types corresponding to the plurality of first trigger network elements from an information storage network element; or,
the authentication authorization network element acquires the access types corresponding to the plurality of first trigger network elements from the first trigger network elements.
22. The method of any of claims 3, 6, 11, and 13, wherein the first request further comprises:
a first indication, where the first indication is used to indicate that a network element type is an AMF; or,
a second indication, where the second indication is used to indicate the slice authentication authorization processing.
23. The method of any of claims 1-19, wherein the method further comprises:
and the authentication and authorization network element receives a second request, where the second request includes second identification information of the terminal device and second identification information of the first slice, and the second request is used to request the terminal device to initiate slice authentication and authorization processing on the first slice.
24. The method according to any of claims 1-19, wherein the authentication authorization network element is NSSAAF and the triggering network element is AMF.
25. The method of any of claims 2-3, 5-8, and 10-13, wherein the information storing network element is a UDM.
26. A slice authentication authorization management method, comprising:
an information storage network element acquires slice authentication and authorization information, wherein the slice authentication and authorization information indicates a terminal device, a triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element, the triggering network element serves the terminal device, and the slice is a slice on which the terminal device has been successfully authenticated and authorized via the triggering network element;
the information storage network element receives a first request from an authentication authorization network element, wherein the first request is used to request a first triggering network element associated with the terminal device and a first slice;
the information storage network element determines the first triggering network element according to the slice authentication and authorization information and the first request;
and the information storage network element sends a first response to the authentication authorization network element, wherein the first response comprises identification information of the first triggering network element.
27. The method of claim 26, wherein
the determining, by the information storage network element, of the first triggering network element according to the slice authentication and authorization information and the first request comprises:
the information storage network element determines a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request;
and the sending, by the information storage network element, of a first response to the authentication authorization network element, where the first response comprises identification information of the first triggering network element, comprises:
the information storage network element sends the first response to the authentication authorization network element, wherein the first response comprises identification information of the plurality of second triggering network elements.
28. The method of claim 27, wherein the first request further comprises a first indication indicating slice authorization revocation;
and the determining, by the information storage network element, of a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request comprises:
the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information, the first request, and the first indication.
29. The method of claim 26, wherein the determining, by the information storage network element, of the first triggering network element according to the slice authentication and authorization information and the first request comprises:
the information storage network element determines a third triggering network element from among a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request;
and the sending, by the information storage network element, of a first response to the authentication authorization network element, where the first response comprises identification information of the first triggering network element, comprises:
the information storage network element sends the first response to the authentication authorization network element, wherein the first response comprises identification information of the third triggering network element.
30. The method of claim 29, wherein the determining, by the information storage network element, of a third triggering network element from among a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request comprises:
the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information and the first request;
and the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and each of the plurality of second triggering network elements; wherein the connection state is a connected state or an idle state.
31. The method of claim 30, wherein the determining, by the information storage network element, of the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements comprises:
the information storage network element determines, as the third triggering network element, a second triggering network element whose connection state with the terminal device is the connected state.
32. The method of claim 30, wherein the determining, by the information storage network element, of the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements comprises:
when the connection state between the terminal device and each of the plurality of second triggering network elements is the idle state, the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements; wherein the access types comprise 3GPP access and non-3GPP access.
33. The method of claim 32, wherein the determining, by the information storage network element, of the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements comprises:
the information storage network element determines, as the third triggering network element, a second triggering network element whose corresponding access type is the 3GPP access.
34. The method of claim 29, wherein the determining, by the information storage network element, of a third triggering network element from among a plurality of second triggering network elements associated with the terminal device and the first slice according to the slice authentication and authorization information and the first request comprises:
the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information and the first request;
and the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements; wherein the access types comprise 3GPP access and non-3GPP access.
35. The method of claim 34, wherein the determining, by the information storage network element, of the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements comprises:
the information storage network element determines, as the third triggering network element, a second triggering network element whose corresponding access type is the 3GPP access.
36. The method of any of claims 26-35, wherein the first request further comprises a second indication indicating that the network element type is AMF.
37. A slice authentication authorization management method, comprising:
a triggering network element sends slice authentication and authorization information to an information storage network element, wherein the slice authentication and authorization information indicates a terminal device, the triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element, the triggering network element serves the terminal device, and the slice is a slice on which the terminal device has been successfully authenticated and authorized via the triggering network element;
and the triggering network element receives a notice from an authentication authorization network element, wherein the notice is used to notify that slice authentication and authorization processing of the slice is to be performed for the terminal device; wherein the slice authentication and authorization processing is slice re-authentication and re-authorization, or slice authorization revocation.
38. The method of claim 37, wherein the method further comprises:
the triggering network element initiates the slice authentication and authorization processing of the slice towards the terminal device.
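As an added example, not code from the patent or from Huawei, the following Python models the selection of the triggering network element by the information storage network element (claims 26-35) together with the reporting and notice handling of the triggering network element (claims 37-38). The class names (InformationStorageNE, AuthAuthorizationNE, TriggeringNE, SliceAuthRecord), the sample identifiers (amf-a, ue-1, S1) and the tie-break among several connected network elements are this example's own assumptions; the claims say nothing about them.

```python
"""Model of claims 26-38: UDM-side selection of the AMF that receives a slice
re-authentication or revocation notice. Names and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class ConnState(Enum):
    CONNECTED = "connected"
    IDLE = "idle"


class AccessType(Enum):
    THREE_GPP = "3GPP access"
    NON_3GPP = "non-3GPP access"


class Indication(Enum):
    """The processing the first request asks for (claims 28 and 37)."""
    REAUTH = "slice re-authentication and re-authorization"
    REVOKE = "slice authorization revocation"


@dataclass(frozen=True)
class SliceAuthRecord:
    """One (terminal device, triggering NE, slice) association: the slice was
    successfully authenticated and authorized for the UE via that AMF (claim 26)."""
    ue_id: str
    amf_id: str
    snssai: str
    conn_state: ConnState
    access_type: AccessType


class InformationStorageNE:
    """UDM role: stores the slice authentication and authorization information
    and resolves a first request to one or more triggering network elements."""

    def __init__(self) -> None:
        self._records: list[SliceAuthRecord] = []

    def store(self, record: SliceAuthRecord) -> None:
        self._records.append(record)

    def candidates(self, ue_id: str, snssai: str) -> list[SliceAuthRecord]:
        """The plurality of second triggering network elements (claims 27, 30, 34)."""
        return [r for r in self._records if r.ue_id == ue_id and r.snssai == snssai]

    def resolve(self, ue_id: str, snssai: str, indication: Indication) -> list[str]:
        """AMF identifiers carried in the first response; empty if no association."""
        cands = self.candidates(ue_id, snssai)
        if not cands:
            return []
        if indication is Indication.REVOKE:
            # Claim 28: a revocation must reach every AMF that still holds the
            # authorization, so all second triggering network elements are returned.
            return [r.amf_id for r in cands]
        # Claims 30-31: prefer a connected AMF. A tie among several connected AMFs
        # is not settled by the claims; this example (assumption) takes the first stored.
        connected = [r for r in cands if r.conn_state is ConnState.CONNECTED]
        if connected:
            return [connected[0].amf_id]
        # Claims 32-33: all idle, so fall back to the AMF reached over 3GPP access.
        three_gpp = [r for r in cands if r.access_type is AccessType.THREE_GPP]
        return [(three_gpp[0] if three_gpp else cands[0]).amf_id]


class TriggeringNE:
    """AMF role (claims 37-38): reports associations and acts on notices."""

    def __init__(self, amf_id: str, udm: InformationStorageNE) -> None:
        self.amf_id = amf_id
        self.udm = udm
        self.actions: list[tuple[str, str, Indication]] = []

    def report(self, ue_id: str, snssai: str, conn: ConnState, access: AccessType) -> None:
        self.udm.store(SliceAuthRecord(ue_id, self.amf_id, snssai, conn, access))

    def on_notice(self, ue_id: str, snssai: str, indication: Indication) -> str:
        # Claim 38: the AMF initiates the processing towards the terminal device.
        self.actions.append((ue_id, snssai, indication))
        return f"{self.amf_id}: {indication.value} for {ue_id} on {snssai}"


class AuthAuthorizationNE:
    """NSSAAF role: sends the first request to the UDM and notifies the AMF(s)."""

    def __init__(self, udm: InformationStorageNE, amfs: dict[str, TriggeringNE]) -> None:
        self.udm = udm
        self.amfs = amfs

    def trigger(self, ue_id: str, snssai: str, indication: Indication) -> list[str]:
        amf_ids = self.udm.resolve(ue_id, snssai, indication)
        return [self.amfs[a].on_notice(ue_id, snssai, indication) for a in amf_ids]


def build_scenario() -> tuple[InformationStorageNE, AuthAuthorizationNE, dict[str, TriggeringNE]]:
    """Constructed sample data: two AMFs, two UEs, one slice."""
    udm = InformationStorageNE()
    amfs = {a: TriggeringNE(a, udm) for a in ("amf-a", "amf-b")}
    nssaaf = AuthAuthorizationNE(udm, amfs)
    # ue-1 is known on both AMFs, both idle: the 3GPP-access AMF (amf-a) gets re-auth.
    amfs["amf-a"].report("ue-1", "S1", ConnState.IDLE, AccessType.THREE_GPP)
    amfs["amf-b"].report("ue-1", "S1", ConnState.IDLE, AccessType.NON_3GPP)
    # ue-2: the connected non-3GPP AMF (amf-b) beats the idle 3GPP one.
    amfs["amf-a"].report("ue-2", "S1", ConnState.IDLE, AccessType.THREE_GPP)
    amfs["amf-b"].report("ue-2", "S1", ConnState.CONNECTED, AccessType.NON_3GPP)
    return udm, nssaaf, amfs


if __name__ == "__main__":
    udm, nssaaf, amfs = build_scenario()
    for call in (("ue-1", Indication.REAUTH), ("ue-2", Indication.REAUTH), ("ue-1", Indication.REVOKE)):
        for line in nssaaf.trigger(call[0], "S1", call[1]):
            print(line)
```

The split between the two indications is the security-relevant part: a revocation (claim 28) fans out to every network element still holding the slice authorization, whereas a re-authentication only needs one network element that can actually reach the terminal, which is why the connected-state and access-type preferences of claims 30-35 apply to that path only.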
39. An authentication authorization network element comprising a processor and a memory;
wherein the processor is configured to read and execute instructions from the memory to implement the method of any one of claims 1-25.
40. An information storage network element comprising a processor and a memory;
wherein the processor is configured to read and execute instructions from the memory to implement the method of any one of claims 26-36.
41. A triggering network element comprising a processor and a memory;
wherein the processor is configured to read and execute instructions from the memory to implement the method of claim 37 or 38.
42. A communication system comprising at least two of the following network elements:
the authentication authorization network element of claim 39;
the information storage network element of claim 40;
and the triggering network element of claim 41.
43. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to carry out the method of any one of claims 1 to 25.
44. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to carry out the method of any one of claims 26 to 36.
45. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to carry out the method of claim 37 or 38.
CN202010366933.8A 2020-04-30 2020-04-30 Slice authentication authorization management method, device and system Active CN113676903B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010366933.8A CN113676903B (en) 2020-04-30 2020-04-30 Slice authentication authorization management method, device and system
PCT/CN2021/091199 WO2021219107A1 (en) 2020-04-30 2021-04-29 Slice authentication and authorization management method, apparatus, and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010366933.8A CN113676903B (en) 2020-04-30 2020-04-30 Slice authentication authorization management method, device and system

Publications (2)

Publication Number Publication Date
CN113676903A CN113676903A (en) 2021-11-19
CN113676903B true CN113676903B (en) 2023-03-10

Family

ID=78373326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010366933.8A Active CN113676903B (en) 2020-04-30 2020-04-30 Slice authentication authorization management method, device and system

Country Status (2)

Country Link
CN (1) CN113676903B (en)
WO (1) WO2021219107A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106982458A (en) * 2017-03-09 2017-07-25 Huawei Technologies Co., Ltd. Network slice selection method and apparatus
CN108566289A (en) * 2018-01-09 2018-09-21 Chongqing University of Posts and Telecommunications Slice architecture design and management method based on a 5G mobile communication network
CN109196828A (en) * 2016-06-16 2019-01-11 Huawei Technologies Co., Ltd. Resource management method and apparatus for a network slice
CN110213780A (en) * 2018-02-28 2019-09-06 ZTE Corporation Network slice management method, management and orchestration entity, and storage medium
EP3563610A1 (en) * 2016-12-30 2019-11-06 Telefonaktiebolaget LM Ericsson (publ) Network slice selection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113206753B (en) * 2017-08-04 2022-06-28 Huawei Technologies Co., Ltd. Information configuration method and management unit
CN109803350B (en) * 2017-11-17 2021-06-08 Huawei Technologies Co., Ltd. Secure communication method and device
US11539699B2 (en) * 2018-08-13 2022-12-27 Lenovo (Singapore) Pte. Ltd. Network slice authentication

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"S2-2002219 Update NSSAA for two AMFs serving UE"; HUAWEI et al.; 3GPP tsg_sa\wg2_arch; 2020-02-18; main text pp. 1-6 *
Research on 5G Network Slicing Technology; Xia Hongwei et al.; 《邮电设计技术》; 2020-03-20 (No. 03); full text *
S3-200658 "Slice Specific Authentication and Authrorization clauses"; Nokia et al.; 3GPP tsg_sa\wg3_security; 2020-04-03; full text *

Also Published As

Publication number Publication date
WO2021219107A1 (en) 2021-11-04
CN113676903A (en) 2021-11-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant