CN114024693A - Authentication method, authentication device, session management function entity, server and terminal - Google Patents


Info

Publication number
CN114024693A
CN114024693A
Authority
CN
China
Prior art keywords
authentication
eap
server
identity
request
Prior art date
Legal status
Pending
Application number
CN202010685582.7A
Other languages
Chinese (zh)
Inventor
王珂
刘福文
黄晓婷
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN202010685582.7A
Publication of CN114024693A
Status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an authentication method, an authentication apparatus, a session management function entity, a server and a terminal. The authentication method comprises: receiving a re-authentication request sent by a server, the re-authentication request carrying an EAP ID; obtaining the identifier of the target data network from the address of the server; obtaining a terminal identifier (UE ID) from the EAP ID, the identifier of the target data network and a first mapping relation; and, according to the UE ID, triggering the corresponding terminal and the server to perform a re-authentication operation; wherein the first mapping relation comprises the mapping among the EAP ID, the identifier of the target data network and the UE ID. The scheme addresses the problems of the prior-art authentication scheme, which exposes UE information and has a high implementation and maintenance cost.

Description

Authentication method, authentication device, session management function entity, server and terminal
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an authentication method, an authentication device, a session management function entity, a server, and a terminal.
Background
Secondary authentication is authentication performed after the UE has completed primary authentication on accessing the 5G network. It mainly provides service-level authentication between the terminal (UE) and an external data network (e.g. a service provider), together with the related key management functions. Secondary authentication couples the 5G network to the service platform: the service platform performs the authentication, while the 5G network carries the authentication messages and, according to the result, controls whether the UE may access the external data network. Unlike primary authentication, which uses the credentials stored on the USIM (universal subscriber identity module) when the UE accesses the operator network, secondary authentication requires a separate credential (e.g. a certificate), and the authentication server is located in the external data network.
After the initial secondary authentication, the authentication server or the authenticator may re-initiate secondary authentication of the UE, for example in the following cases: the server goes down (failure, disconnection, shutdown or any other condition in which it cannot provide service); an administrator modifies a user's access rights, authorization attributes or similar parameters on the authentication server, in which case an online user must be re-authenticated promptly so that the change takes effect; an online session times out; the authenticator is configured for periodic re-authentication; or an authentication has failed. After secondary authentication, revocation of the secondary authentication state can be initiated if the user goes offline, an illegitimate login is detected, the authentication authorization changes, or there are too many users. Re-authentication is also used in legacy 3GPP systems (e.g. GSM, GPRS, UMTS and LTE/SAE) and in current 5G system access.
For the external data network, compared with application-layer authentication, secondary authentication makes access control of the external data network take place before the session is established, so no data channel is ever set up between a malicious terminal and the external data network. Secondary authentication also prevents device-card separation: when a card, particularly one from an IoT device, is inserted into another terminal, that terminal does not hold the credential used for secondary authentication, so an attacker who tries to access the network is refused because secondary authentication fails, and the data network stays protected. For 5G networks, secondary authentication gives operators the ability to offer security services to industry verticals.
In the prior art, during secondary authentication the SMF (session management function) sends a GPSI (generic public subscription identifier) to the external network. The GPSI is an identifier of the UE, stored in the UDM (unified data management), and the SMF can identify the UE from it. When the AAA server decides to initiate re-authentication of, or revoke the secondary authentication of, a particular UE, it sends the GPSI back to the network so that the network can identify the UE, update its secondary authentication state and instruct it to re-authenticate.
Specifically, in the existing scheme the SMF sends the GPSI to the AAA server during secondary authentication, and when the AAA server initiates re-authentication or revocation it returns the GPSI so that the network can identify the UE. This requires substantial modification of existing AAA servers: a conventional AAA server uses only the EAP ID as the user identifier for EAP authentication and cannot process a GPSI, so the scheme requires the AAA server to additionally store the network identifier (GPSI) of each UE and to send it to the SMF when initiating the re-authentication or revocation procedure.
The existing authentication scheme therefore exposes UE information to the external network, requires the server to maintain extra information, changes the server's existing account management system, and is costly to implement.
Disclosure of Invention
The invention aims to provide an authentication method, an authentication device, a session management function entity, a server and a terminal, and aims to solve the problems that in the prior art, an authentication scheme exposes UE information and is high in implementation and maintenance cost.
In order to solve the foregoing technical problem, an embodiment of the present invention provides an authentication method applied to a session management function SMF entity, including:
receiving a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID);
obtaining the identification of the target data network according to the address of the server;
obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
triggering a corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
Optionally, triggering the corresponding terminal and the server to perform the re-authentication operation according to the UE ID includes:
sending an Extensible Authentication Protocol (EAP) re-authentication identity request to a corresponding terminal according to the UE ID;
receiving an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request;
sending the EAP re-authentication identity response to the server, and triggering the terminal to perform EAP re-authentication with the server;
wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request.
Optionally, after triggering the re-authentication operation between the corresponding terminal and the server according to the UE ID, the method further includes:
and updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response.
Optionally, the updating the first mapping relationship according to the EAP ID carried in the EAP reauthentication identity response includes:
and updating the EAP ID in the first mapping relation into the EAP ID carried in the EAP re-authentication identity response.
Optionally, the first mapping relationship includes at least one mapping relationship, and each mapping relationship corresponds to one piece of secondary authentication state information;
triggering the corresponding terminal and the server to perform the re-authentication operation according to the UE ID further includes:
after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server, receiving EAP re-authentication result information sent by the server;
after triggering the corresponding terminal to perform re-authentication operation with the server according to the UE ID, the method further comprises the following steps:
and updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information.
Optionally, before receiving the re-authentication request sent by the server, the method further includes:
acquiring the UE ID, the identification of the target data network and the EAP ID in the process of the secondary authentication operation corresponding to the re-authentication operation; and obtaining the mapping relation according to the obtained UE ID, the identification of the target data network and the EAP ID.
Optionally, before receiving the re-authentication request sent by the server, the method further includes:
and acquiring authentication result information of the secondary authentication operation as the acquired secondary authentication state information of the mapping relation.
Optionally, the acquiring the UE ID, the identifier of the target data network, and the EAP ID includes:
receiving a Protocol Data Unit (PDU) session establishment request sent by the terminal;
acquiring the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, wherein the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, alternatively:
receiving a PDU session establishment request sent by the terminal;
acquiring the UE ID and the identification of a target data network from the PDU session establishment request, and sending an Extensible Authentication Protocol (EAP) identity request to the terminal according to the PDU session establishment request;
receiving an EAP identity response fed back by the terminal according to the EAP identity request;
acquiring an EAP ID from the EAP identity response;
and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
Optionally, the first mapping relationship and the secondary authentication status information are both stored locally at the SMF or in the unified data management (UDM).
The embodiment of the invention also provides an authentication method, which is applied to the server and comprises the following steps:
sending a re-authentication request to a Session Management Function (SMF) entity;
wherein, the re-authentication request carries extensible authentication protocol identity (EAP ID).
Optionally, after sending the re-authentication request to the session management function SMF entity, the method further includes:
receiving Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity;
and performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Optionally, after performing EAP reauthentication with a corresponding terminal according to the EAP reauthentication identity response, the method further includes:
and sending EAP re-authentication result information to the SMF entity.
The embodiment of the invention also provides an authentication method, which is applied to a terminal and comprises the following steps:
receiving an extensible authentication protocol EAP re-authentication identity request sent by a Session Management Function (SMF) entity;
according to the EAP re-authentication identity request, feeding back an EAP re-authentication identity response to the SMF entity;
wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request received by the SMF entity.
Optionally, the feeding back an EAP reauthentication identity response to the SMF entity according to the EAP reauthentication identity request includes:
determining an EAP ID;
generating an EAP re-authentication identity response containing the EAP ID;
and feeding back the generated EAP re-authentication identity response to the SMF entity.
Optionally, before receiving the EAP re-authentication identity request sent by the session management function SMF entity, the method further includes:
in the process of the secondary authentication operation corresponding to the re-authentication request, sending a Protocol Data Unit (PDU) session establishment request to the SMF entity; the PDU session establishment request carries a UE ID, an identifier of the target data network and an EAP ID, and the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, alternatively:
in the process of secondary authentication operation corresponding to the re-authentication request, sending a Protocol Data Unit (PDU) session establishment request to the SMF entity; the PDU session establishment request carries a UE ID and a target data network identifier;
receiving an Extensible Authentication Protocol (EAP) identity request sent by the SMF entity according to the PDU session establishment request;
feeding back an EAP identity response to the SMF entity according to the EAP identity request;
and the EAP identity response carries an EAP ID, and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
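As an added example that is not part of the patent or of any 3GPP implementation, the following Python simulation models the three roles described above (terminal, SMF and DN-AAA server) through both phases of the method: building the first mapping relation during secondary authentication (both variants, the EAP ID carried in the PDU session establishment request or obtained through an EAP identity exchange), and handling a re-authentication request that carries only an EAP ID, keyed on (target data network, EAP ID). It also covers the case where the terminal answers the EAP re-authentication identity request with a different EAP ID, so the mapping has to be re-keyed, and the failure cases where the server address or the EAP ID is unknown. The server-address-to-DNN table, the identifier formats, the `credential_ok` flag and the simplified `authenticate` check standing in for the full EAP method exchange are assumptions; no real interface (NAS, N4, SBI, RADIUS/Diameter) is modelled.

```python
"""Added example: SMF-side re-authentication keyed on (DNN, EAP ID).

Illustrative code written for this page, not the patent's own or a 3GPP
implementation. Identifier formats, the server-address table and the
simplified credential check are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


class AuthError(Exception):
    """A re-authentication request that the SMF cannot map to a UE."""


@dataclass
class MappingEntry:
    """One row of the first mapping relation held by the SMF (or in the UDM)."""
    ue_id: str   # network-internal terminal identifier; never sent to the DN-AAA
    dnn: str     # identifier of the target data network
    eap_id: str  # EAP identity the UE presented during secondary authentication
    state: str   # secondary authentication state: SUCCESS or FAILURE


class UE:
    """Terminal. Changing `eap_id` makes it answer re-authentication with a new identity."""

    def __init__(self, ue_id: str, eap_id: str, credential_ok: bool = True) -> None:
        self.ue_id = ue_id
        self.eap_id = eap_id
        self.credential_ok = credential_ok  # assumption: stands in for the DN credential check

    def pdu_session_establishment_request(self, dnn: str, include_eap_id: bool) -> dict:
        req = {"ue_id": self.ue_id, "dnn": dnn}
        if include_eap_id:  # first variant: EAP ID carried in the PDU session request
            req["eap_id"] = self.eap_id
        return req

    def eap_identity_response(self) -> str:
        """Answer to an EAP Identity request (initial or re-authentication)."""
        return self.eap_id


class DNAAA:
    """Authentication server in the external data network; it knows EAP IDs only."""

    def __init__(self, address: str, accounts: Dict[str, bool]) -> None:
        self.address = address
        self.accounts = dict(accounts)  # eap_id -> account enabled?

    def authenticate(self, eap_id: str, ue: UE) -> str:
        # Assumption: simplification of the EAP method run between server and UE.
        ok = self.accounts.get(eap_id, False) and ue.credential_ok
        return "SUCCESS" if ok else "FAILURE"

    def reauth_request(self, eap_id: str) -> dict:
        """Re-authentication request as sent to the SMF: carries the EAP ID only."""
        return {"server_addr": self.address, "eap_id": eap_id}


class SMF:
    def __init__(self, server_to_dnn: Dict[str, str]) -> None:
        self.server_to_dnn = dict(server_to_dnn)  # assumption: configured at the SMF
        self.mapping: Dict[Tuple[str, str], MappingEntry] = {}

    def secondary_authentication(self, ue: UE, dnn: str, server: DNAAA,
                                 eap_id_in_pdu_request: bool) -> str:
        """Initial secondary authentication; records the (DNN, EAP ID) -> UE ID row."""
        req = ue.pdu_session_establishment_request(dnn, eap_id_in_pdu_request)
        eap_id = req.get("eap_id")
        if eap_id is None:  # second variant: the SMF runs the EAP Identity exchange itself
            eap_id = ue.eap_identity_response()
        result = server.authenticate(eap_id, ue)
        self.mapping[(dnn, eap_id)] = MappingEntry(req["ue_id"], dnn, eap_id, result)
        return result

    def handle_reauth_request(self, request: dict, ues: Dict[str, UE], server: DNAAA) -> str:
        """Re-authentication triggered by the DN-AAA; the UE ID is resolved locally."""
        dnn = self.server_to_dnn.get(request["server_addr"])
        if dnn is None:
            raise AuthError("re-authentication request from an unknown server address")
        key = (dnn, request["eap_id"])
        entry = self.mapping.get(key)
        if entry is None:
            raise AuthError("no UE mapped to this EAP ID in this data network")
        ue = ues[entry.ue_id]  # located by UE ID; the UE ID itself stays in the SMF
        new_eap_id = ue.eap_identity_response()  # EAP re-authentication identity response
        result = server.authenticate(new_eap_id, ue)  # response forwarded to the server
        if new_eap_id != entry.eap_id:  # UE presented a different EAP ID: re-key the row
            del self.mapping[key]
            entry.eap_id = new_eap_id
            self.mapping[(dnn, new_eap_id)] = entry
        entry.state = result  # updated from the EAP re-authentication result
        return result


if __name__ == "__main__":
    # Constructed sample deployment.
    aaa = DNAAA("10.0.0.5", {"alice@corp.example": True})
    smf = SMF({"10.0.0.5": "corp.example"})
    alice = UE("supi-001", "alice@corp.example")
    print(smf.secondary_authentication(alice, "corp.example", aaa, True))
    print(smf.handle_reauth_request(aaa.reauth_request("alice@corp.example"),
                                    {alice.ue_id: alice}, aaa))
```

Two properties of the scheme are visible in the simulation. First, because the lookup key is (DNN, EAP ID) with the DNN derived from the server address, a DN-AAA of one data network cannot trigger re-authentication of a session in another data network even when the same EAP ID is in use there, and the UE ID never appears in any message to the server. Second, the scheme makes the sender address of the re-authentication request part of the authorization decision, so in a real deployment the SMF must authenticate that address (mutually authenticated transport on the SMF to DN-AAA interface), otherwise anyone able to reach the SMF with a known EAP ID could force re-authentication of a live session.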
The embodiment of the invention also provides an authentication apparatus, applied to a session management function (SMF) entity, comprising:
the first receiving module is used for receiving a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID);
the first processing module is used for obtaining the identifier of the target data network according to the address of the server;
the second processing module is used for obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
the first triggering module is used for triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
Optionally, the first triggering module includes:
the first sending submodule is used for sending an Extensible Authentication Protocol (EAP) re-authentication identity request to a corresponding terminal according to the UE ID;
the first receiving sub-module is used for receiving an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request;
the first triggering sub-module is used for sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server;
wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request.
Optionally, the apparatus further includes:
and the first updating module is used for updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
Optionally, the first updating module includes:
a first updating sub-module, configured to update the EAP ID in the first mapping relationship to the EAP ID carried in the EAP re-authentication identity response.
Optionally, the first mapping relationship includes at least one mapping relationship, and each mapping relationship corresponds to one piece of secondary authentication state information;
the first trigger module further includes:
the second receiving sub-module is configured to receive EAP re-authentication result information sent by the server after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server;
the authentication apparatus further includes:
and the second updating module is used for updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
Optionally, the apparatus further includes:
a third processing module, configured to, before receiving a re-authentication request sent by a server, acquire a UE ID, an identifier of a target data network, and an EAP ID in a secondary authentication operation corresponding to the re-authentication operation; and obtaining the mapping relation according to the obtained UE ID, the identification of the target data network and the EAP ID.
Optionally, the apparatus further includes:
and the first acquisition module is used for acquiring the authentication result information of the secondary authentication operation before receiving the re-authentication request sent by the server, and the authentication result information is used as the acquired secondary authentication state information of the mapping relation.
Optionally, the third processing module includes:
a third receiving submodule, configured to receive a protocol data unit PDU session establishment request sent by the terminal;
a first obtaining sub-module, configured to obtain, from the PDU session establishment request, the UE ID, the identifier of the target data network and the EAP ID, where the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, alternatively:
a fourth receiving submodule, configured to receive a PDU session establishment request sent by the terminal;
the first processing sub-module is used for acquiring the UE ID and the identification of a target data network from the PDU session establishment request and sending an Extensible Authentication Protocol (EAP) identity request to the terminal according to the PDU session establishment request;
a fifth receiving sub-module, configured to receive an EAP identity response fed back by the terminal according to the EAP identity request;
a second obtaining sub-module, configured to obtain an EAP ID from the EAP identity response;
and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
Optionally, the first mapping relationship and the secondary authentication status information are both stored locally at the SMF or in the unified data management (UDM).
The embodiment of the invention also provides an authentication device, which is applied to a server and comprises the following components:
the first sending module is used for sending a re-authentication request to a Session Management Function (SMF) entity;
wherein, the re-authentication request carries extensible authentication protocol identity (EAP ID).
Optionally, the apparatus further includes:
a second receiving module, configured to receive an extensible authentication protocol EAP re-authentication identity response sent by a session management function SMF entity after sending a re-authentication request to the SMF entity;
and the first authentication module is used for performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Optionally, the apparatus further includes:
and a second sending module, configured to send EAP re-authentication result information to the SMF entity after performing EAP re-authentication with a corresponding terminal according to the EAP re-authentication identity response.
The embodiment of the invention also provides an authentication device, which is applied to a terminal and comprises the following components:
a third receiving module, configured to receive an extensible authentication protocol EAP re-authentication identity request sent by a session management function SMF entity;
a first feedback module, configured to feed back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request;
wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request received by the SMF entity.
Optionally, the first feedback module includes:
a first determining submodule for determining an EAP ID;
a first generation sub-module, configured to generate an EAP reauthentication identity response including the EAP ID;
and the first feedback sub-module is used for feeding back the generated EAP re-authentication identity response to the SMF entity.
The embodiment of the present invention further provides a session management functional entity, including: a processor and a transceiver;
the processor is configured to receive, by using the transceiver, a re-authentication request sent by the server, where the re-authentication request carries an extensible authentication protocol identity (EAP ID);
obtaining the identification of the target data network according to the address of the server;
obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
triggering a corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
Optionally, the processor is specifically configured to:
according to the UE ID, the transceiver is utilized to send an extensible authentication protocol EAP re-authentication identity request to a corresponding terminal;
receiving, by the transceiver, an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request;
sending the EAP re-authentication identity response to the server by using the transceiver, and triggering the terminal to perform EAP re-authentication with the server;
wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request.
Optionally, the processor is further configured to:
and updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
Optionally, the processor is specifically configured to:
and updating the EAP ID in the first mapping relation into the EAP ID carried in the EAP re-authentication identity response.
Optionally, the first mapping relationship includes at least one mapping relationship, and each mapping relationship corresponds to one piece of secondary authentication state information;
the processor is further configured to:
after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server, receiving EAP re-authentication result information sent by the server by using the transceiver;
the processor is further configured to:
and after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID, updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information.
Optionally, the processor is further configured to:
before receiving a re-authentication request sent by a server, acquiring a UE ID, a target data network identifier and an EAP ID in a secondary authentication operation process corresponding to the re-authentication operation; and obtaining the mapping relation according to the obtained UE ID, the identification of the target data network and the EAP ID.
Optionally, the processor is further configured to:
and before receiving a re-authentication request sent by a server, acquiring authentication result information of the secondary authentication operation as the acquired secondary authentication state information of the mapping relation.
Optionally, the processor is specifically configured to:
receiving a Protocol Data Unit (PDU) session establishment request sent by the terminal by using the transceiver;
acquiring the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, wherein the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, alternatively:
receiving a PDU session establishment request sent by the terminal by utilizing the transceiver;
acquiring a UE ID and a target data network identifier from the PDU session establishment request, and sending an Extensible Authentication Protocol (EAP) identity request to the terminal by using the transceiver according to the PDU session establishment request;
receiving an EAP identity response fed back by the terminal according to the EAP identity request by using the transceiver;
acquiring an EAP ID from the EAP identity response;
and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
Optionally, the first mapping relationship and the secondary authentication status information are both stored locally at the SMF or in the unified data management (UDM).
An embodiment of the present invention further provides a server, including: a processor and a transceiver;
the processor is used for sending a re-authentication request to a Session Management Function (SMF) entity by using the transceiver;
wherein, the re-authentication request carries extensible authentication protocol identity (EAP ID).
Optionally, the processor is further configured to:
after sending a re-authentication request to a Session Management Function (SMF) entity, receiving an Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity by using the transceiver;
and performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Optionally, the processor is further configured to:
and after performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response, sending EAP re-authentication result information to the SMF entity by using the transceiver.
An embodiment of the present invention further provides a terminal, including: a processor and a transceiver;
the processor is used for receiving an extensible authentication protocol EAP re-authentication identity request sent by a Session Management Function (SMF) entity by using the transceiver;
according to the EAP re-authentication identity request, feeding back an EAP re-authentication identity response to the SMF entity by using the transceiver;
wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request received by the SMF entity.
Optionally, the processor is specifically configured to:
determining an EAP ID;
generating an EAP re-authentication identity response containing the EAP ID;
and feeding back the generated EAP re-authentication identity response to the SMF entity by using the transceiver.
The embodiment of the invention also provides a session management function entity, which comprises a memory, a processor, and a program stored in the memory and executable on the processor; the processor implements the authentication method on the session management function entity side when executing the program.
The embodiment of the invention also provides a server, which comprises a memory, a processor, and a program stored in the memory and executable on the processor; the processor implements the server-side authentication method when executing the program.
The embodiment of the invention also provides a terminal, which comprises a memory, a processor, and a program stored in the memory and executable on the processor; the processor implements the above terminal-side authentication method when executing the program.
An embodiment of the present invention further provides a readable storage medium, on which a program is stored, where the program, when executed by a processor, implements the steps in the authentication method on the session management function entity side, the server side, or the terminal side.
The technical scheme of the invention has the following beneficial effects:
In the scheme, a re-authentication request sent by a server is received, wherein the re-authentication request carries an Extensible Authentication Protocol identity (EAP ID); the identifier of the target data network is obtained according to the address of the server; a terminal identifier UE ID is obtained according to the EAP ID, the identifier of the target data network and the first mapping relation; and the corresponding terminal and the server are triggered to perform a re-authentication operation according to the UE ID; wherein the first mapping relation comprises the mapping relation among an EAP ID, an identifier of a target data network and a UE ID. The mapping relation among the EAP ID, the identifier of the target data network and the UE ID can thus be maintained and used in a core network element (SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key value so as to locate the terminal, and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. The problems that the authentication scheme in the prior art exposes UE information and has a high implementation and maintenance cost are thus well solved.
Drawings
FIG. 1 is a first flowchart illustrating an authentication method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a second authentication method according to an embodiment of the present invention;
FIG. 3 is a third flowchart illustrating an authentication method according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a corresponding relationship between UE ID, EAP ID and DNN according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a secondary authentication process according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a re-authentication process according to an embodiment of the present invention;
FIG. 7 is a first schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 8 is a second schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 9 is a third schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 10 is a block diagram of a session management function entity according to an embodiment of the present invention;
FIG. 11 is a diagram illustrating a server structure according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
To address the problems of UE information exposure and high implementation and maintenance cost in the authentication scheme of the prior art, the invention provides an authentication method applied to a Session Management Function (SMF) entity; as shown in FIG. 1, the authentication method comprises the following steps:
step 11: receiving a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID);
step 12: obtaining the identification of the target data network according to the address of the server;
step 13: obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
step 14: triggering a corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
The identification of the target data network may be, but is not limited to, a data network name DNN.
The authentication method provided by the embodiment of the invention receives a re-authentication request sent by a server, wherein the re-authentication request carries an Extensible Authentication Protocol identity (EAP ID); obtains the identifier of the target data network according to the address of the server; obtains a terminal identifier UE ID according to the EAP ID, the identifier of the target data network and the first mapping relation; and triggers the corresponding terminal and the server to perform a re-authentication operation according to the UE ID; wherein the first mapping relation comprises the mapping relation among an EAP ID, an identifier of a target data network and a UE ID. The mapping relation among the EAP ID, the identifier of the target data network and the UE ID can thus be maintained and used in a core network element (SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key value so as to locate the terminal, and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. The problems that the authentication scheme in the prior art exposes UE information and has a high implementation and maintenance cost are thus well solved.
Specifically, the triggering, according to the UE ID, a corresponding terminal and the server to perform re-authentication operation includes: sending an Extensible Authentication Protocol (EAP) re-authentication identity request to a corresponding terminal according to the UE ID; receiving an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request; sending the EAP re-authentication identity response to the server, and triggering the terminal to perform EAP re-authentication with the server; wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request.
Further, after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID, the method further includes: and updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response.
Specifically, the updating the first mapping relationship according to the EAP ID carried in the EAP reauthentication identity response includes: and updating the EAP ID in the first mapping relation into the EAP ID carried in the EAP re-authentication identity response.
In the embodiment of the present invention, the first mapping relation includes at least one mapping relation, and each mapping relation corresponds to one piece of secondary authentication state information. Triggering the corresponding terminal and the server to perform the re-authentication operation according to the UE ID further includes: after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server, receiving EAP re-authentication result information sent by the server. After triggering the corresponding terminal and the server to perform the re-authentication operation according to the UE ID, the method further includes: updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information.
Once the re-authentication procedure has started, that is, once the SMF entity has received the re-authentication request sent by the server, the result of the earlier secondary authentication is no longer recognized, so the secondary authentication state information obtained from that secondary authentication is no longer valid and subsequent operations must not be executed on the basis of it. In a specific implementation, however, if the re-authentication procedure does not complete normally (for example, it is interrupted) and the EAP re-authentication result information cannot be obtained, so that no final secondary authentication state information is available, the SMF may perform operations that carry risk, for example:
The secondary authentication state information obtained from the secondary authentication is success. The re-authentication is then interrupted for some reason; because the procedure did not complete, no EAP re-authentication result information is obtained and the secondary authentication state information is not updated, so it is still marked as success. The SMF subsequently treats the authentication result as successful, considers it safe to proceed, and executes the operation corresponding to the re-authentication procedure (for example, establishing a link between the terminal and the target data network). In reality the re-authentication has not completed, and since a re-authentication was initiated, the operation corresponding to it may be risky; once the SMF performs that operation, there may be a security risk.
Therefore, to avoid such situations, in the embodiment of the present invention, after receiving the re-authentication request sent by the server and obtaining the identifier of the target data network according to the address of the server, and before triggering the re-authentication operation between the corresponding terminal and the server according to the UE ID, the method may further include: first setting to failure the secondary authentication state information corresponding to the mapping relation between the EAP ID carried in the re-authentication request and the identifier of the target data network.
In this way the SMF is prevented from executing risky operations on the basis of secondary authentication state information that still reads success when the re-authentication procedure has not ended normally.
Further, before receiving the re-authentication request sent by the server, the method further includes: acquiring the UE ID, the identification of the target data network and the EAP ID in the process of the secondary authentication operation corresponding to the re-authentication operation; and obtaining the mapping relation according to the obtained UE ID, the identification of the target data network and the EAP ID.
In particular, it is understood that there is a correspondence between the re-authentication operation and the secondary authentication operation: the re-authentication operation is a re-authentication performed after the secondary authentication operation.
Further, before receiving the re-authentication request sent by the server, the method further includes: and acquiring authentication result information of the secondary authentication operation as the acquired secondary authentication state information of the mapping relation.
Specifically, acquiring the UE ID, the identifier of the target data network and the EAP ID includes either of the following: receiving a Protocol Data Unit (PDU) session establishment request sent by the terminal, and acquiring the UE ID, the identifier of the target data network and the EAP ID from the PDU session establishment request, wherein the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, receiving a PDU session establishment request sent by the terminal, acquiring the UE ID and the identifier of the target data network from the PDU session establishment request, sending an Extensible Authentication Protocol (EAP) identity request to the terminal according to the PDU session establishment request, receiving an EAP identity response fed back by the terminal according to the EAP identity request, and acquiring the EAP ID from the EAP identity response, wherein the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
In the embodiment of the invention, the first mapping relation and the secondary authentication state information are both stored in a local or unified data management device (UDM).
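The SMF-side data structure described in steps 11 to 14 and in the paragraphs on secondary authentication state, written out as an added illustration (this is not code from the patent or from any network-function implementation). It models the first mapping relation as entries keyed by (UE ID, identifier of the target data network), resolved during re-authentication by (EAP ID, identifier of the target data network), and it sets the entry's state to failure before re-authentication is triggered so that an interrupted re-authentication can never leave a stale success. The server-address-to-DNN dictionary, the status strings and all identifiers are constructed assumptions; the text only says the DNN is obtained from the server's address.

```python
"""Added illustration (not the patent's own code) of the SMF-side mapping table
described in the text: a quadruple (UE ID, DNN, EAP ID, authentication status)
keyed by (UE ID, DNN) and looked up by (EAP ID, DNN) during re-authentication.
Server addresses, identifiers and status values below are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Secondary authentication status values stored in the table (constructed names).
STATUS_SUCCESS = "success"
STATUS_FAILURE = "failure"


@dataclass
class MappingEntry:
    ue_id: str      # SUPI of the terminal; never leaves the core network
    dnn: str        # data network name of the target data network
    eap_id: str     # identity the terminal uses towards that DN (user ID for DN)
    status: str     # result of the latest secondary authentication / re-authentication


class SmfMappingTable:
    """Holds the EAP ID-DNN-UE ID mapping plus the secondary authentication state."""

    def __init__(self, server_to_dnn: Dict[str, str]) -> None:
        # Assumed: the SMF knows which AAA server address serves which DNN
        # (the text only says the DNN is derived from the server address).
        self._server_to_dnn = dict(server_to_dnn)
        self._entries: Dict[Tuple[str, str], MappingEntry] = {}

    # --- secondary authentication: create the entry with its result ------------
    def record_secondary_auth(self, ue_id: str, dnn: str, eap_id: str, success: bool) -> None:
        status = STATUS_SUCCESS if success else STATUS_FAILURE
        self._entries[(ue_id, dnn)] = MappingEntry(ue_id, dnn, eap_id, status)

    # --- re-authentication request from the server (steps 11-13) ---------------
    def resolve_reauth_request(self, server_addr: str, eap_id: str) -> Optional[Tuple[str, str]]:
        """Map (server address, EAP ID) -> (UE ID, DNN).

        Before the re-authentication exchange is triggered, the entry's status is
        set to failure, so an interrupted re-authentication cannot leave a stale
        'success' that later gates access to the data network.
        Returns None if the server is unknown or no entry matches."""
        dnn = self._server_to_dnn.get(server_addr)
        if dnn is None:
            return None
        for (ue_id, entry_dnn), entry in self._entries.items():
            if entry_dnn == dnn and entry.eap_id == eap_id:
                entry.status = STATUS_FAILURE   # fail-closed until a result arrives
                return ue_id, dnn
        return None

    # --- re-authentication result: overwrite EAP ID and status -----------------
    def apply_reauth_result(self, ue_id: str, dnn: str, new_eap_id: str, success: bool) -> None:
        entry = self._entries[(ue_id, dnn)]
        entry.eap_id = new_eap_id          # the terminal may have re-entered its identity
        entry.status = STATUS_SUCCESS if success else STATUS_FAILURE

    # --- what the SMF consults before e.g. establishing the link to the DN -----
    def access_allowed(self, ue_id: str, dnn: str) -> bool:
        entry = self._entries.get((ue_id, dnn))
        return entry is not None and entry.status == STATUS_SUCCESS

    def eap_id_of(self, ue_id: str, dnn: str) -> Optional[str]:
        entry = self._entries.get((ue_id, dnn))
        return entry.eap_id if entry else None


def demo() -> dict:
    """Walk through the normal and the interrupted re-authentication case."""
    smf = SmfMappingTable({"10.0.0.5": "enterprise.dn"})   # constructed address/DNN
    smf.record_secondary_auth("supi-001", "enterprise.dn", "alice@dn", success=True)
    out = {"after_secondary": smf.access_allowed("supi-001", "enterprise.dn")}

    # The AAA server asks for re-authentication, naming only the EAP ID.
    out["located"] = smf.resolve_reauth_request("10.0.0.5", "alice@dn")
    out["during_reauth"] = smf.access_allowed("supi-001", "enterprise.dn")  # fail-closed

    # Case A: re-authentication completes; the terminal re-entered a new EAP ID.
    smf.apply_reauth_result("supi-001", "enterprise.dn", "alice2@dn", success=True)
    out["after_reauth"] = smf.access_allowed("supi-001", "enterprise.dn")
    out["new_eap_id"] = smf.eap_id_of("supi-001", "enterprise.dn")

    # Case B: a second re-authentication starts but never finishes (interrupted).
    smf.resolve_reauth_request("10.0.0.5", "alice2@dn")
    out["interrupted"] = smf.access_allowed("supi-001", "enterprise.dn")  # stays False

    # An EAP ID the table does not know: nothing is located, nothing changes.
    out["unknown"] = smf.resolve_reauth_request("10.0.0.5", "mallory@dn")
    return out


if __name__ == "__main__":
    print(demo())
```

Two consequences of the design are visible in `demo()`: while a re-authentication is in flight the entry reads failure, so the SMF's access check denies until the EAP re-authentication result arrives; and once the EAP ID has been overwritten, a later request naming the old EAP ID no longer resolves to any entry.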
An embodiment of the present invention further provides an authentication method, applied to a server, as shown in fig. 2, including:
step 21: sending a re-authentication request to a Session Management Function (SMF) entity;
wherein, the re-authentication request carries extensible authentication protocol identity (EAP ID).
The authentication method provided by the embodiment of the invention sends a re-authentication request to a Session Management Function (SMF) entity, wherein the re-authentication request carries an Extensible Authentication Protocol identity (EAP ID). This supports the mapping relation among the EAP ID, the identifier of the target data network and the UE ID being maintained and used in a core network element (SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key value so as to locate the terminal, and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. The problems that the authentication scheme in the prior art exposes UE information and has a high implementation and maintenance cost are thus well solved.
Further, after sending the re-authentication request to the session management function SMF entity, the method further includes: receiving Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity; and performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Further, after performing EAP reauthentication with the corresponding terminal according to the EAP reauthentication identity response, the method further includes: and sending EAP re-authentication result information to the SMF entity.
This allows the SMF to update the authentication state corresponding to the mapping.
An embodiment of the present invention further provides an authentication method, applied to a terminal, as shown in fig. 3, including:
step 31: receiving an Extensible Authentication Protocol (EAP) re-authentication identity request sent by a Session Management Function (SMF) entity;
step 32: according to the EAP re-authentication identity request, feeding back an EAP re-authentication identity response to the SMF entity;
wherein, the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP reauthentication identity response is the same as or different from the EAP ID carried in the reauthentication request received by the SMF entity.
The authentication method provided by the embodiment of the invention receives an Extensible Authentication Protocol (EAP) re-authentication identity request sent by the SMF entity, and feeds back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request; wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity. This supports the mapping relation among the EAP ID, the identifier of the target data network and the UE ID being maintained and used in a core network element (SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key value so as to locate the terminal, and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. The problems that the authentication scheme in the prior art exposes UE information and has a high implementation and maintenance cost are thus well solved.
Specifically, the feeding back an EAP reauthentication identity response to the SMF entity according to the EAP reauthentication identity request includes: determining an EAP ID; generating an EAP re-authentication identity response containing the EAP ID; and feeding back the generated EAP re-authentication identity response to the SMF entity.
This allows the EAP ID to be reset by the terminal.
Further, before receiving the EAP re-authentication identity request sent by the session management function SMF entity, the method further includes: in the process of secondary authentication operation corresponding to the re-authentication request, sending a Protocol Data Unit (PDU) session establishment request to the SMF entity; the PDU session establishment request carries a UE ID, an identification of a target data network and an EAP ID, and the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, in the process of the secondary authentication operation corresponding to the re-authentication request, sending a Protocol Data Unit (PDU) session establishment request to the SMF entity; the PDU session establishment request carries a UE ID and a target data network identifier; receiving an Extensible Authentication Protocol (EAP) identity request sent by the SMF entity according to the PDU session establishment request; feeding back an EAP identity response to the SMF entity according to the EAP identity request; and the EAP identity response carries an EAP ID, and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
This allows the SMF to obtain and maintain the mapping.
The authentication method provided by the embodiment of the present invention is further described below with reference to multiple sides, such as an SMF entity, a server, and a terminal, where the identifier of the target data network is DNN, and the server is AAA (authentication, authorization, and accounting) server.
In view of the above technical problem, consider: (1) the secondary authentication can be realized based on an EAP (extensible authentication protocol), a 5G network element SMF (session management function) serves as an authenticator in the EAP authentication, a signaling channel (non-access stratum NAS signaling + N4 interface (interface between SMF and user plane function UPF)) of the 5G network carries authentication authorization message exchange, the network element of the 5G network triggers the secondary authentication and determines whether to establish a PDU (protocol data unit) session for accessing the data network according to an authentication result of an AAA (authentication, authorization, and accounting) server, that is, whether to allow the UE to access an external data network;
(2) A user accesses the operator network through a UE and, through it, an external data network. The UE has multiple identities: as an access user of the external data network, the subscription ID of the terminal device in the external data network is the user ID for DN (the user identity for the data network DN), and different user IDs can be used for different DNs; as an access user of the operator network, the identity used for network access is bound to the SIM (subscriber identity module) card, that is, the subscription ID of the terminal device in the operator network is the UE ID; the identifier of the external data network is the DNN (data network name); the user ID for DN is the EAP ID used when EAP authentication is executed for the corresponding external data network DNN. Specifically, the correspondence among the UE ID, EAP ID and DNN is shown in FIG. 4.
The embodiment of the invention provides an authentication method involving the following: the EAP ID-UE ID-DNN mapping relation is maintained and used in the core network element; a mapping entry is added during secondary authentication; during re-authentication the UE ID is obtained (through the mapping relation) using the EAP ID as the key value so as to locate the terminal, and the mapping entry is updated; the GPSI does not need to be sent, and the AAA server does not need to maintain the GPSI.
The scheme can be specifically realized as a method for re-authentication of secondary authentication of the 5G network:
1. overview of the architecture
The AAA (authentication, authorization and accounting) server is located in the external data network and is responsible for authentication and authorization of access to the external data network. The core network element SMF is responsible for starting secondary authentication, relaying EAP messages between the UE and the AAA server, storing the relation between the secondary authentication state and the UE's multiple identities (in the form of an EAP ID-UE ID-DNN mapping table), and storing the authentication and authorization relation of the EAP ID.
The mapping table is a quadruple (UE ID, DNN, EAP ID, authentication status), where the authentication status is success or failure and the pair UE ID-DNN is the primary key.
2. Implementation process
(1) As shown in fig. 5, the secondary authentication process may specifically include:
step 51: a terminal sends a PDU session establishment request (carrying UE ID, DNN and PDU session ID) to an SMF (authenticator);
Specifically, the terminal is powered on and registers, performs primary authentication of the UE ID (i.e., the subscription permanent identifier SUPI) based on the operator network access credentials, and establishes a NAS (non-access stratum) security context with the network.
The terminal starts an application, which triggers a PDU session establishment request for the DN (to be accessed by the UE); the request may specifically carry a network slice identifier (i.e., single network slice selection assistance information S-NSSAI), the data network name DNN, a PDU session ID and a request type. The AMF (access and mobility management function, not shown in the figure) selects the SMF and sends it the SUPI, PDU session ID, S-NSSAI and DNN.
Step 52: the SMF acquires subscription information and a local strategy, verifies the UE request, judges whether the UE request is allowed or not, whether secondary authentication is required or not and whether the UE is authenticated by the DN or not;
specifically, the SMF obtains subscription data from the UDM (not shown in the figure) according to the SUPI, and the SMF checks whether the data in the UE request conforms to the user subscription; checking whether an SMF policy associated with the DN requires secondary authentication authorization; it is checked whether the UE has been authenticated and/or authorized by the DN or the same AAA server (the successful authentication and authorization message may be stored in the SMF or UDM), and if necessary, a second authentication is performed, and step 53 is entered.
Step 53: SMF starts EAP authentication;
specifically, the SMF initiates EAP authentication with the AAA server.
Step 54: SMF sends EAP-Request/Identity (EAP Identity Request) to terminal;
That is, the SMF sends EAP Request/Identity to the UE (terminal). For the purposes of this description, EAP Request/Identity denotes EAP Request + Identity (an EAP Request whose type is Identity), i.e., the Identity Request among the EAP Requests, namely the EAP Identity Request; similarly, EAP-Response/Identity below denotes the Identity Response among the EAP Responses, i.e., the EAP Identity Response.
Step 55: the terminal feeds back EAP-Response/Identity to the SMF;
specifically, the UE sends the user Identity EAP ID for the DN in an EAP Response/Identity protocol packet, which may also be sent in step 51, but is not limited herein.
Step 56: SMF acquires EAP ID;
Step 57: the SMF establishes an N4 session and identifies the AAA server according to the UE request and the local policy;
specifically, the SMF selects UPF, establishes an N4 session, and identifies an AAA server according to DNN requested by UE and a local policy;
step 58: SMF sends EAP-Response/Identity to AAA server via UPF;
specifically, the SMF forwards the EAP-Response/Identity to the AAA server through the UPF over the N4 session;
step 59: the terminal and the AAA server interact EAP-Request/EAP-Response messages (namely EAP Request and EAP Response messages, via N4 and NAS (through N4 and NAS));
specifically, the AAA server and the terminal exchange EAP information through NAS signaling and an N4 session according to the EAP method requirement, and perform EAP authentication;
Step 510: the AAA server sends EAP-Success to the SMF via the UPF; or, step 510a: the AAA server sends EAP-Failure to the SMF via the UPF;
specifically, if the authentication is successful, the AAA server sends an EAP Success message to the SMF; if the authentication fails, the AAA server sends an EAP Failure message to the SMF.
Step 511: SMF establishes the mapping relation of EAP ID, DNN and UE ID;
Specifically, the SMF establishes a mapping entry (i.e., the first mapping relation) among the EAP ID, DNN and UE ID (i.e., the SUPI), which may also be stored in the UDM; if EAP Success is received, the authentication status bit of the entry is set to success (i.e., the secondary authentication state information is success), and if EAP Failure is received, the authentication status bit of the entry is set to failure (i.e., the secondary authentication state information is failure).
Step 512: the SMF sends EAP-Success to the terminal (corresponding to step 510); OR, step 512 a: the SMF sends EAP-Failure to the terminal (corresponding to step 510 a);
specifically, the SMF transmits an authentication success or failure message to the terminal.
(2) As shown in fig. 6, the re-authentication process may specifically include:
step 60: performing secondary authentication, wherein the SMF stores the mapping relation of EAP ID-DNN-UE ID;
Specifically, in the previous secondary authentication, the SMF has already stored the mapping relation among the EAP ID, DNN and UE ID;
Step 61: the SMF decides to initiate re-authentication; or, step 61a: the AAA server decides to initiate re-authentication; step 61b: the AAA server sends a re-authentication request (carrying an EAP ID) to the SMF via the UPF;
specifically, both the SMF and the AAA server may issue re-authentication under a specific condition according to a policy, and if the AAA server initiates the re-authentication, the re-authentication request is sent from the AAA server to the SMF and carries an EAP ID of a user to perform the re-authentication;
step 62: the SMF obtains a UE ID according to the EAP ID and DNN mapping so as to identify the UE;
specifically, the SMF obtains DNN according to the address of the AAA server, and obtains UE ID from the mapping table according to the EAP ID and DNN, for identifying the UE; and sets the state of the EAP ID-DNN mapping entry to fail.
Step 63: the SMF sends EAP-Request/Re-Auth Identity (EAP Re-authentication Identity Request) to the terminal;
Specifically, the SMF starts EAP authentication with the AAA server and sends EAP Request/Re-Auth Identity to the identified UE(s). Note that EAP Request/Re-Auth Identity denotes EAP Request + Re-Auth Identity (an EAP Request whose type is Re-authentication Identity), i.e., the Re-authentication Identity Request among the EAP Requests, namely the EAP Re-authentication Identity Request; similarly, EAP-Response/Re-Auth Identity below denotes the Re-authentication Identity Response among the EAP Responses, i.e., the EAP Re-authentication Identity Response.
Step 64: the terminal feeds back EAP-Response/Re-Auth Identity (EAP Re-authentication Identity Response) to the SMF;
Specifically, the UE sends its user identity EAP ID for the DN in an EAP Response/Re-Auth Identity protocol packet (the identity may be re-entered and may therefore differ from the EAP ID carried in step 61b);
step 65: SMF acquires EAP ID;
and step 66: the SMF sends EAP-Response/Re-Auth Identity to the AAA server through the UPF;
that is, SMF sends EAP Response/Re-Auth Identity to AAA server;
step 67: the terminal and the AAA server interact with EAP-Request/EAP-Response messages (via N4 and NAS);
specifically, the AAA server and the terminal exchange EAP information through NAS signaling and an N4 session according to the EAP method requirement, and perform EAP authentication;
Step 68: the AAA server sends EAP-Success to the SMF via the UPF; or, step 68a: the AAA server sends EAP-Failure to the SMF via the UPF;
specifically, if the authentication is successful, the AAA server sends an EAP Success message to the SMF; if the authentication fails, the AAA server sends an EAP Failure message to the SMF.
Step 69: SMF updates the mapping relation among UE ID, DNN and EAP ID;
Specifically, the mapping entry among the EAP ID, DNN and UE ID (i.e., SUPI) is updated (the old information is overwritten); if EAP Success is received, the authentication status bit of the entry is updated to success, and if EAP Failure is received, the authentication status bit of the entry remains failure.
Step 610: the SMF sends EAP-Success to the terminal (corresponding to step 68); OR, step 610 a: the SMF sends EAP-Failure to the terminal (corresponding to step 68 a);
specifically, the SMF transmits an authentication success or failure message to the terminal.
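The secondary authentication exchange of FIG. 5 (steps 54 to 512), the re-authentication exchange of FIG. 6 (steps 61b to 610), and the server-side and terminal-side methods of FIG. 2 and FIG. 3, run together as an added message-level simulation. This is not code from the patent or from any SMF, AAA or UE implementation: NAS signalling, the N4 session and the UPF are modelled as direct calls, the EAP method exchange of steps 59 and 67 is collapsed into a single credential check, and the EAP IDs, SUPI, server address, DNN and credentials are constructed. What the simulation makes visible that the step list does not is which identifiers cross which interface: the AAA server's inbound log never contains the SUPI, the terminal's re-entered EAP ID replaces the old one in the SMF's table, and a later request naming the old EAP ID no longer locates any UE.

```python
"""Added example, not code from the patent or from any 3GPP implementation: a
message-level simulation of the secondary authentication (FIG. 5) and
re-authentication (FIG. 6) exchanges between a terminal, the SMF and an AAA
server. NAS, N4 and the UPF are modelled as direct calls; the EAP method
exchange of steps 59/67 is collapsed into one credential check. All
identifiers, addresses and credentials are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Msg:
    src: str
    dst: str
    code: str                                   # message name as used in the text
    body: Dict[str, str] = field(default_factory=dict)


class Terminal:
    def __init__(self, supi: str, eap_ids: List[str], credential: str) -> None:
        self.supi, self.credential = supi, credential
        self._eap_ids = list(eap_ids)           # identities the user will enter, in order

    def on_identity_request(self, req: Msg) -> Msg:
        # On a Re-Auth Identity request the user may re-enter a new EAP ID (step 64).
        if "Re-Auth" in req.code and len(self._eap_ids) > 1:
            self._eap_ids.pop(0)
        return Msg("UE", "SMF", req.code.replace("Request", "Response"),
                   {"eap_id": self._eap_ids[0]})


class AaaServer:
    def __init__(self, addr: str, accounts: Dict[str, str]) -> None:
        self.addr, self._accounts = addr, dict(accounts)   # EAP ID -> credential
        self.seen: List[Msg] = []               # everything delivered to the AAA server

    def authenticate(self, identity_rsp: Msg, credential: str) -> Msg:
        self.seen.append(identity_rsp)
        ok = self._accounts.get(identity_rsp.body["eap_id"]) == credential
        return Msg("AAA", "SMF", "EAP-Success" if ok else "EAP-Failure")

    def request_reauth(self, eap_id: str) -> Msg:          # step 61b: carries only the EAP ID
        return Msg("AAA", "SMF", "Re-Auth Request", {"eap_id": eap_id})


class Smf:
    def __init__(self, server_to_dnn: Dict[str, str]) -> None:
        self._server_to_dnn = server_to_dnn     # assumed: AAA address -> DNN
        self.table: Dict[Tuple[str, str], Dict[str, str]] = {}   # (SUPI, DNN) -> entry
        self.trace: List[str] = []              # message codes in the order they flowed

    def _run_eap(self, ue: Terminal, aaa: AaaServer, dnn: str, code: str) -> str:
        rsp = ue.on_identity_request(Msg("SMF", "UE", code))
        fwd = Msg("SMF", "AAA", rsp.code, dict(rsp.body))   # forwarded via UPF; no SUPI inside
        result = aaa.authenticate(fwd, ue.credential)
        self.table[(ue.supi, dnn)] = {"eap_id": rsp.body["eap_id"],
                                      "status": "success" if result.code == "EAP-Success" else "failure"}
        self.trace += [code, rsp.code, result.code]
        return result.code

    def secondary_auth(self, ue: Terminal, aaa: AaaServer) -> str:        # steps 54-512
        return self._run_eap(ue, aaa, self._server_to_dnn[aaa.addr], "EAP-Request/Identity")

    def handle_reauth(self, req: Msg, aaa: AaaServer, ues: Dict[str, Terminal]) -> str:
        dnn = self._server_to_dnn[aaa.addr]                   # step 62: DNN from server address
        for (supi, d), entry in list(self.table.items()):
            if d == dnn and entry["eap_id"] == req.body["eap_id"]:
                entry["status"] = "failure"                   # fail until a result arrives
                return self._run_eap(ues[supi], aaa, dnn, "EAP-Request/Re-Auth Identity")
        return "no-match"                                     # unknown EAP ID: nothing triggered


def demo() -> dict:
    aaa = AaaServer("10.0.0.5", {"alice@dn": "pw-1", "alice2@dn": "pw-1", "bob@dn": "pw-2"})
    smf = Smf({"10.0.0.5": "enterprise.dn"})
    alice = Terminal("supi-001", ["alice@dn", "alice2@dn"], "pw-1")
    bob = Terminal("supi-002", ["bob@dn"], "wrong-credential")
    ues = {"supi-001": alice, "supi-002": bob}
    out = {"secondary": smf.secondary_auth(alice, aaa), "bob": smf.secondary_auth(bob, aaa)}
    out["reauth"] = smf.handle_reauth(aaa.request_reauth("alice@dn"), aaa, ues)
    entry = smf.table[("supi-001", "enterprise.dn")]
    out.update(eap_id_now=entry["eap_id"], status=entry["status"],
               bob_status=smf.table[("supi-002", "enterprise.dn")]["status"],
               stale=smf.handle_reauth(aaa.request_reauth("alice@dn"), aaa, ues),
               supi_seen_by_aaa=any("supi-" in str(m.body) for m in aaa.seen),
               trace=list(smf.trace))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The trace produced by `demo()` follows the step order of the two figures: Identity request and response, then the result, then Re-Auth Identity request and response, then the result. Bob's entry shows that a failed secondary authentication is recorded as failure rather than omitted, so a later re-authentication request for his EAP ID still locates him.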
As can be seen from the above, the scheme provided by the embodiment of the present invention mainly relates to:
(1) The method for triggering re-authentication of the secondary authentication in the 5G network comprises the following: during secondary authentication, mapping entries among the EAP ID, DNN and UE ID (namely SUPI), together with the secondary authentication state, are established in the SMF or UDM; during re-authentication of the secondary authentication, the AAA server sends the EAP ID that needs re-authentication to the SMF, and the SMF searches for the UE ID according to the received EAP ID and the mapping table so as to locate the UE and trigger the re-authentication; after the re-authentication, the mapping entries among the EAP ID, DNN and UE ID (namely SUPI) and the secondary authentication state are updated.
(2) The new functions of the SMF are as follows: 1) during secondary authentication, a mapping entry among the EAP ID, DNN and UE ID (namely SUPI) is established in the SMF, and the authentication state bit of the entry is set to success or failure according to the result of the secondary authentication; 2) during re-authentication of the secondary authentication, the UE ID is searched for according to the received EAP ID and the mapping table, and after the re-authentication the mapping entry among the EAP ID, DNN and UE ID (namely SUPI) is updated and the authentication state bit of the entry is set to success or failure according to the result of the re-authentication. The mapping entry and the authentication state of the entry may be stored in the SMF or the UDM, but are not limited thereto.
To sum up, the scheme provided by the embodiment of the invention is as follows:
1. UE information is not exposed to the external data network, since it is the EAP ID rather than the GPSI that is passed;
2. the AAA server is not required to maintain the GPSI, and the original account management system of the AAA server is not changed.
It should be noted that, in the embodiment of the present invention, the re-authentication mentioned above may specifically refer to re-authentication of secondary authentication of the external data network, but is not limited thereto.
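The SMF-side mapping logic summarised above, as an added example in Python that is not part of the patent: it models the (EAP ID, DNN) to UE ID table with its authentication status bit, the lookup of the DNN from the server address, the re-authentication triggered by an EAP ID, and the replacement of the entry when the terminal answers with a new EAP ID. The AAA server, terminal, identities and addresses are constructed stand-ins; only the EAP ID is passed toward the server, and the server's record of received identities lets a caller verify that the SUPI never left the core network.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# All names, addresses and identities below are constructed for this example.
EAP_SUCCESS = "EAP-Success"
EAP_FAILURE = "EAP-Failure"


@dataclass
class MappingEntry:
    """One row of the SMF mapping table: (EAP ID, DNN) -> UE ID, plus the status bit."""
    supi: str            # UE ID (SUPI); stays inside the core network
    dnn: str             # identifier of the target data network
    eap_id: str          # identity the UE presented toward the AAA server
    authenticated: bool  # secondary authentication status bit


class AAAServer:
    """Constructed stand-in for the external data network's AAA server."""

    def __init__(self, address: str, accounts: Dict[str, bool]):
        self.address = address
        self.accounts = dict(accounts)     # EAP ID -> whether EAP authentication succeeds
        self.seen_identities: List[str] = []  # every identity the server ever received

    def authenticate(self, eap_id: str) -> str:
        # Serves both the initial secondary authentication and the re-authentication;
        # the server only ever sees the EAP ID, never SUPI or GPSI.
        self.seen_identities.append(eap_id)
        return EAP_SUCCESS if self.accounts.get(eap_id, False) else EAP_FAILURE


class UE:
    """Constructed terminal; may answer the re-authentication identity request with a new EAP ID."""

    def __init__(self, supi: str, eap_id: str):
        self.supi = supi
        self.eap_id = eap_id

    def eap_reauth_identity_response(self) -> str:
        # EAP re-authentication identity response: same or different EAP ID than before.
        return self.eap_id


class SMF:
    """Session management function holding the mapping table described in the patent."""

    def __init__(self, server_to_dnn: Dict[str, str]):
        self._server_to_dnn = dict(server_to_dnn)               # AAA server address -> DNN
        self._table: Dict[Tuple[str, str], MappingEntry] = {}   # (EAP ID, DNN) -> entry
        self._ues: Dict[str, UE] = {}                          # SUPI -> terminal, core side only

    def entry(self, eap_id: str, dnn: str) -> Optional[MappingEntry]:
        return self._table.get((eap_id, dnn))

    def secondary_authentication(self, ue: UE, dnn: str, aaa: AAAServer) -> str:
        """PDU session establishment: record SUPI/DNN/EAP ID, run EAP, set the status bit."""
        self._ues[ue.supi] = ue
        result = aaa.authenticate(ue.eap_id)
        self._table[(ue.eap_id, dnn)] = MappingEntry(
            ue.supi, dnn, ue.eap_id, result == EAP_SUCCESS)
        return result

    def handle_reauth_request(self, aaa: AAAServer, eap_id: str) -> Optional[str]:
        """Re-authentication request from the server, carrying only an EAP ID."""
        dnn = self._server_to_dnn.get(aaa.address)   # DNN derived from the server address
        if dnn is None:
            return None                              # unknown server: nothing to look up
        old = self._table.get((eap_id, dnn))         # EAP ID + DNN is the lookup key
        if old is None:
            return None                              # no UE can be located for this request
        ue = self._ues[old.supi]
        # SMF sends the EAP re-authentication identity request and relays the response.
        new_eap_id = ue.eap_reauth_identity_response()
        result = aaa.authenticate(new_eap_id)
        # Overwrite the old entry: new EAP ID, status bit from EAP-Success / EAP-Failure.
        del self._table[(eap_id, dnn)]
        self._table[(new_eap_id, dnn)] = MappingEntry(
            old.supi, dnn, new_eap_id, result == EAP_SUCCESS)
        return result
```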
An embodiment of the present invention further provides an authentication apparatus, which is applied to a session management function SMF entity, and as shown in fig. 7, the authentication apparatus includes:
a first receiving module 71, configured to receive a re-authentication request sent by a server, where the re-authentication request carries an extensible authentication protocol identity EAP ID;
a first processing module 72, configured to obtain an identifier of a target data network according to the address of the server;
a second processing module 73, configured to obtain a terminal identifier UE ID according to the EAP ID, the identifier of the target data network, and the first mapping relationship;
a first triggering module 74, configured to trigger, according to the UE ID, a re-authentication operation between the corresponding terminal and the server;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
The authentication device provided by the embodiment of the invention receives a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID); obtains the identification of the target data network according to the address of the server; obtains a terminal identification (UE ID) according to the EAP ID, the identification of the target data network and the first mapping relation; and triggers the corresponding terminal and the server to perform a re-authentication operation according to the UE ID; wherein the first mapping relationship comprises the mapping relationship among an EAP ID, an identification of a target data network and a UE ID. The mapping relation among the EAP ID, the identification of the target data network and the UE ID can thus be maintained and used in a core network element (the SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key, the terminal is located and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. This well solves the problems that the authentication scheme in the prior art exposes UE information and has high implementation and maintenance cost.
Specifically, the first trigger module includes: a first sending submodule, configured to send an Extensible Authentication Protocol (EAP) re-authentication identity request to a corresponding terminal according to the UE ID; a first receiving sub-module, configured to receive an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request; and a first triggering sub-module, configured to send the EAP re-authentication identity response to the server and trigger the terminal to perform EAP re-authentication with the server; wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request.
The authentication device further includes: and the first updating module is used for updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
Specifically, the first updating module includes: a first updating sub-module, configured to update the EAP ID in the first mapping relationship to the EAP ID carried in the EAP re-authentication identity response.
In the embodiment of the present invention, the first mapping relationship includes at least one mapping relationship, and each mapping relationship corresponds to one piece of secondary authentication status information; the first trigger module further includes: the second receiving sub-module is configured to receive EAP re-authentication result information sent by the server after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server; the authentication apparatus further includes: and the second updating module is used for updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
Further, the authentication apparatus further includes: a third processing module, configured to, before receiving a re-authentication request sent by a server, acquire a UE ID, an identifier of a target data network, and an EAP ID in a secondary authentication operation corresponding to the re-authentication operation; and obtaining the mapping relation according to the obtained UE ID, the identification of the target data network and the EAP ID.
Further, the authentication device further includes: and the first acquisition module is used for acquiring the authentication result information of the secondary authentication operation before receiving the re-authentication request sent by the server, and the authentication result information is used as the acquired secondary authentication state information of the mapping relation.
Specifically, the third processing module includes: a third receiving submodule, configured to receive a protocol data unit PDU session establishment request sent by the terminal; a first obtaining sub-module, configured to obtain, from the PDU session establishment request, an ID of the UE, an identifier of the target data network, and an EAP ID, where the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, the fourth receiving submodule is configured to receive a PDU session establishment request sent by the terminal; the first processing sub-module is used for acquiring the UE ID and the identification of a target data network from the PDU session establishment request and sending an Extensible Authentication Protocol (EAP) identity request to the terminal according to the PDU session establishment request; a fifth receiving sub-module, configured to receive an EAP identity response fed back by the terminal according to the EAP identity request; a second obtaining sub-module, configured to obtain an EAP ID from the EAP identity response; and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
In the embodiment of the invention, the first mapping relation and the secondary authentication state information are both stored locally or in the unified data management (UDM) entity.
The implementation embodiments of the authentication method on the session management function entity side are all applicable to the embodiment of the authentication device, and the same technical effects can be achieved.
An embodiment of the present invention further provides an authentication apparatus, applied to a server, as shown in fig. 8, including:
a first sending module 81, configured to send a re-authentication request to the session management function SMF entity;
wherein, the re-authentication request carries extensible authentication protocol identity (EAP ID).
The authentication device provided by the embodiment of the invention sends a re-authentication request to a Session Management Function (SMF) entity, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID). This supports maintaining and using the mapping relation among the EAP ID, the identification of the target data network and the UE ID in a core network element (the SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key, the terminal is located and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. This well solves the problems that the authentication scheme in the prior art exposes UE information and has high implementation and maintenance cost.
Further, the authentication apparatus further includes: a second receiving module, configured to receive an extensible authentication protocol EAP re-authentication identity response sent by a session management function SMF entity after sending a re-authentication request to the SMF entity; and the first authentication module is used for performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Further, the authentication device further includes: and a second sending module, configured to send EAP re-authentication result information to the SMF entity after performing EAP re-authentication with a corresponding terminal according to the EAP re-authentication identity response.
The implementation embodiments of the authentication method on the server side are all applicable to the embodiment of the authentication device, and the same technical effects can be achieved.
An embodiment of the present invention further provides an authentication apparatus, which is applied to a terminal, and as shown in fig. 9, the authentication apparatus includes:
a third receiving module 91, configured to receive an extensible authentication protocol EAP re-authentication identity request sent by a session management function SMF entity;
a first feedback module 92, configured to feed back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request;
wherein the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
The authentication device provided by the embodiment of the invention receives an extensible authentication protocol (EAP) re-authentication identity request sent by the SMF entity, and feeds back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request; wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity. This supports maintaining and using the mapping relation among the EAP ID, the identification of the target data network and the UE ID in a core network element (the SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key, the terminal is located and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. This well solves the problems that the authentication scheme in the prior art exposes UE information and has high implementation and maintenance cost.
Specifically, the first feedback module includes: a first determining submodule, configured to determine an EAP ID; a first generation sub-module, configured to generate an EAP re-authentication identity response including the EAP ID; and a first feedback sub-module, configured to feed back the generated EAP re-authentication identity response to the SMF entity.
The implementation embodiments of the authentication method on the terminal side are all applicable to the embodiment of the authentication device, and the same technical effects can be achieved.
An embodiment of the present invention further provides a session management function entity, as shown in fig. 10, including: a processor 101 and a transceiver 102;
the processor 101 is configured to receive, by using the transceiver 102, a re-authentication request sent by a server, where the re-authentication request carries an extensible authentication protocol identity (EAP ID);
obtaining the identification of the target data network according to the address of the server;
obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
triggering a corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
The session management function entity provided by the embodiment of the invention receives a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID); obtains the identification of the target data network according to the address of the server; obtains a terminal identification (UE ID) according to the EAP ID, the identification of the target data network and the first mapping relation; and triggers the corresponding terminal and the server to perform a re-authentication operation according to the UE ID; wherein the first mapping relationship comprises the mapping relationship among an EAP ID, an identification of a target data network and a UE ID. The mapping relation among the EAP ID, the identification of the target data network and the UE ID can thus be maintained and used in a core network element (the SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key, the terminal is located and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. This well solves the problems that the authentication scheme in the prior art exposes UE information and has high implementation and maintenance cost.
Specifically, the processor is configured to: send, by using the transceiver, an extensible authentication protocol (EAP) re-authentication identity request to a corresponding terminal according to the UE ID; receive, by using the transceiver, an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request; and send the EAP re-authentication identity response to the server by using the transceiver, triggering the terminal to perform EAP re-authentication with the server; wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request.
Further, the processor is further configured to: and updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
Specifically, the processor is specifically configured to: and updating the EAP ID in the first mapping relation into the EAP ID carried in the EAP re-authentication identity response.
In the embodiment of the present invention, the first mapping relationship includes at least one mapping relationship, and each mapping relationship corresponds to one piece of secondary authentication status information; the processor is further configured to: after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server, receiving EAP re-authentication result information sent by the server by using the transceiver; the processor is further configured to: and after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID, updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information.
Further, the processor is further configured to: before receiving a re-authentication request sent by a server, acquiring a UE ID, a target data network identifier and an EAP ID in a secondary authentication operation process corresponding to the re-authentication operation; and obtaining the mapping relation according to the obtained UE ID, the identification of the target data network and the EAP ID.
Still further, the processor is further configured to: and before receiving a re-authentication request sent by a server, acquiring authentication result information of the secondary authentication operation as the acquired secondary authentication state information of the mapping relation.
Specifically, the processor is specifically configured to: receiving a Protocol Data Unit (PDU) session establishment request sent by the terminal by using the transceiver; acquiring a UE ID, an identification of a target data network and an EAP ID from the PDU session establishment request, wherein the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or, receiving a PDU session establishment request sent by the terminal by using the transceiver; acquiring a UE ID and a target data network identifier from the PDU session establishment request, and sending an Extensible Authentication Protocol (EAP) identity request to the terminal by using the transceiver according to the PDU session establishment request; receiving an EAP identity response fed back by the terminal according to the EAP identity request by using the transceiver; acquiring an EAP ID from the EAP identity response; and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
In the embodiment of the invention, the first mapping relation and the secondary authentication state information are both stored locally or in the unified data management (UDM) entity.
The implementation embodiments of the authentication method on the session management function entity side are all applicable to the embodiment of the session management function entity, and the same technical effect can be achieved.
An embodiment of the present invention further provides a server, as shown in fig. 11, including: a processor 111 and a transceiver 112;
the processor 111 is configured to send a re-authentication request to a session management function (SMF) entity by using the transceiver 112;
wherein, the re-authentication request carries extensible authentication protocol identity (EAP ID).
The server provided by the embodiment of the invention sends a re-authentication request to a Session Management Function (SMF) entity, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID). This supports maintaining and using the mapping relation among the EAP ID, the identification of the target data network and the UE ID in a core network element (the SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key, the terminal is located and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. This well solves the problems that the authentication scheme in the prior art exposes UE information and has high implementation and maintenance cost.
Further, the processor is further configured to: after sending a re-authentication request to a Session Management Function (SMF) entity, receiving an Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity by using the transceiver; and performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
Still further, the processor is further configured to: after performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response, send EAP re-authentication result information to the SMF entity by using the transceiver.
The implementation embodiments of the authentication method on the server side are all applicable to the embodiment of the server, and the same technical effects can be achieved.
An embodiment of the present invention further provides a terminal, as shown in fig. 12, including: a processor 121 and a transceiver 122;
the processor 121 is configured to receive, by using the transceiver 122, an extensible authentication protocol (EAP) re-authentication identity request sent by a session management function (SMF) entity;
and to feed back an EAP re-authentication identity response to the SMF entity by using the transceiver 122 according to the EAP re-authentication identity request;
wherein the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
The terminal provided by the embodiment of the invention receives an extensible authentication protocol (EAP) re-authentication identity request sent by the SMF entity, and feeds back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request; wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity. This supports maintaining and using the mapping relation among the EAP ID, the identification of the target data network and the UE ID in a core network element (the SMF): when re-authentication is performed, the UE ID is obtained through the mapping relation using the EAP ID as the key, the terminal is located and re-authentication is triggered; the GPSI (Generic Public Subscription Identifier) does not need to be obtained, the server does not need to maintain the GPSI, the original account management system of the server is not changed, the implementation and maintenance cost is reduced, and UE information is prevented from being exposed. This well solves the problems that the authentication scheme in the prior art exposes UE information and has high implementation and maintenance cost.
Specifically, the processor is specifically configured to: determining an EAP ID; generating an EAP re-authentication identity response containing the EAP ID; and feeding back the generated EAP re-authentication identity response to the SMF entity by using the transceiver.
The implementation embodiments of the authentication method at the terminal side are all applicable to the embodiment of the terminal, and the same technical effects can be achieved.
The embodiment of the invention also provides a session management function entity, which comprises a memory, a processor, and a program stored in the memory and executable on the processor; the processor implements the above authentication method on the session management function entity side when executing the program.
The implementation embodiments of the authentication method on the session management function entity side are all applicable to the embodiment of the session management function entity, and the same technical effect can be achieved.
The embodiment of the invention also provides a server, which comprises a memory, a processor, and a program stored in the memory and executable on the processor; the processor implements the above server-side authentication method when executing the program.
The implementation embodiments of the authentication method on the server side are all applicable to the embodiment of the server, and the same technical effects can be achieved.
The embodiment of the invention also provides a terminal, which comprises a memory, a processor, and a program stored in the memory and executable on the processor; the processor implements the above terminal-side authentication method when executing the program.
The implementation embodiments of the authentication method at the terminal side are all applicable to the embodiment of the terminal, and the same technical effects can be achieved.
An embodiment of the present invention further provides a readable storage medium, on which a program is stored, where the program, when executed by a processor, implements the steps in the authentication method on the session management function entity side, the server side, or the terminal side.
The implementation embodiments of the authentication method on the session management function entity side, the server side or the terminal side are all applicable to the embodiment of the readable storage medium, and the same technical effects can be achieved.
It should be noted that many of the functional components described in this specification are referred to as modules/sub-modules in order to more particularly emphasize their implementation independence.
In embodiments of the invention, the modules/sub-modules may be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Likewise, operational data may be identified within the modules and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network.
Where a module can be implemented in software, given the level of existing hardware technology, a module implemented in software could, cost aside, also be built as a corresponding hardware circuit that implements the same function; such a hardware circuit may include a conventional Very Large Scale Integration (VLSI) circuit or a gate array and existing semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
While the preferred embodiments of the present invention have been described, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (35)

1. An authentication method applied to a Session Management Function (SMF) entity is characterized by comprising the following steps:
receiving a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID);
obtaining the identification of the target data network according to the address of the server;
obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
triggering a corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
2. The authentication method according to claim 1, wherein triggering the corresponding terminal to perform the re-authentication operation with the server according to the UE ID comprises:
sending an Extensible Authentication Protocol (EAP) re-authentication identity request to a corresponding terminal according to the UE ID;
receiving an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request;
sending the EAP re-authentication identity response to the server, and triggering the terminal to perform EAP re-authentication with the server;
wherein the EAP re-authentication identity response carries an EAP ID; the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request.
3. The authentication method according to claim 2, after triggering the corresponding terminal to perform re-authentication operation with the server according to the UE ID, further comprising:
and updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response.
4. The authentication method according to claim 3, wherein the updating the first mapping relationship according to the EAP ID carried in the EAP re-authentication identity response comprises:
and updating the EAP ID in the first mapping relation into the EAP ID carried in the EAP re-authentication identity response.
5. The authentication method according to claim 2 or 3, wherein the first mapping relationship comprises at least one mapping relationship, and each mapping relationship corresponds to one piece of secondary authentication state information;
triggering the corresponding terminal to perform the re-authentication operation with the server according to the UE ID further comprises:
after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server, receiving EAP re-authentication result information sent by the server;
after triggering the corresponding terminal to perform re-authentication operation with the server according to the UE ID, the method further comprises the following steps:
and updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information.
6. The authentication method according to claim 1, before receiving the re-authentication request sent by the server, further comprising:
acquiring the UE ID, the identification of the target data network and the EAP ID in the process of the secondary authentication operation corresponding to the re-authentication operation; and obtaining the mapping relation according to the obtained UE ID, the identification of the target data network and the EAP ID.
7. The authentication method according to claim 6, before receiving the re-authentication request sent by the server, further comprising:
acquiring authentication result information of the secondary authentication operation, the authentication result information serving as the secondary authentication state information of the obtained mapping relationship.
8. The authentication method according to claim 6, wherein the obtaining the UE ID, the identification of the target data network and the EAP ID comprises:
receiving a Protocol Data Unit (PDU) session establishment request sent by the terminal;
acquiring the UE ID, the identification of the target data network and the EAP ID from the PDU session establishment request, wherein the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or alternatively,
receiving a PDU session establishment request sent by the terminal;
acquiring the UE ID and the identification of a target data network from the PDU session establishment request, and sending an Extensible Authentication Protocol (EAP) identity request to the terminal according to the PDU session establishment request;
receiving an EAP identity response fed back by the terminal according to the EAP identity request;
acquiring an EAP ID from the EAP identity response;
and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
9. The authentication method according to claim 5, wherein the first mapping relationship and the secondary authentication state information are both stored locally or in a unified data management (UDM) device.
10. An authentication method applied to a server, the method comprising:
sending a re-authentication request to a Session Management Function (SMF) entity;
wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID).
11. The authentication method according to claim 10, after sending the re-authentication request to the Session Management Function (SMF) entity, further comprising:
receiving an Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity;
and performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
12. The authentication method according to claim 11, after performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response, further comprising:
and sending EAP re-authentication result information to the SMF entity.
13. An authentication method applied to a terminal, the method comprising:
receiving an extensible authentication protocol EAP re-authentication identity request sent by a Session Management Function (SMF) entity;
according to the EAP re-authentication identity request, feeding back an EAP re-authentication identity response to the SMF entity;
wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
14. The authentication method according to claim 13, wherein the feeding back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request comprises:
determining an EAP ID;
generating an EAP re-authentication identity response containing the EAP ID;
and feeding back the generated EAP re-authentication identity response to the SMF entity.
15. An authentication device applied to a Session Management Function (SMF) entity, comprising:
the first receiving module is used for receiving a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID);
the first processing module is used for obtaining the identifier of the target data network according to the address of the server;
the second processing module is used for obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
the first triggering module is used for triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
16. The authentication device of claim 15, wherein the first triggering module comprises:
the first sending submodule is used for sending an Extensible Authentication Protocol (EAP) re-authentication identity request to a corresponding terminal according to the UE ID;
the first receiving sub-module is used for receiving an EAP re-authentication identity response fed back by the terminal according to the EAP re-authentication identity request;
the first triggering sub-module is used for sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server;
wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request.
17. The authentication device of claim 16, further comprising:
and the first updating module is used for updating the first mapping relation according to the EAP ID carried in the EAP re-authentication identity response after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
18. The authentication device of claim 17, wherein the first update module comprises:
a first updating sub-module, configured to update the EAP ID in the first mapping relationship to the EAP ID carried in the EAP re-authentication identity response.
19. The authentication device according to claim 16 or 17, wherein the first mapping relationship comprises at least one mapping relationship, and each mapping relationship corresponds to one piece of secondary authentication status information;
the first trigger module further includes:
the second receiving sub-module is configured to receive EAP re-authentication result information sent by the server after sending the EAP re-authentication identity response to the server and triggering the terminal to perform EAP re-authentication with the server;
the authentication apparatus further includes:
and the second updating module is used for updating the secondary authentication state information in the first mapping relation according to the EAP re-authentication result information after triggering the corresponding terminal and the server to perform re-authentication operation according to the UE ID.
20. The authentication device of claim 15, further comprising:
a third processing module, configured to, before the re-authentication request sent by the server is received, acquire the UE ID, the identification of the target data network and the EAP ID in the course of the secondary authentication operation corresponding to the re-authentication operation, and obtain the first mapping relationship according to the acquired UE ID, identification of the target data network and EAP ID.
21. The authentication device of claim 20, further comprising:
and a first acquisition module, configured to acquire, before the re-authentication request sent by the server is received, authentication result information of the secondary authentication operation, the authentication result information serving as the secondary authentication state information of the obtained mapping relationship.
22. The authentication device of claim 20, wherein the third processing module comprises:
a third receiving submodule, configured to receive a protocol data unit PDU session establishment request sent by the terminal;
a first obtaining sub-module, configured to obtain the UE ID, the identification of the target data network and the EAP ID from the PDU session establishment request, wherein the EAP ID carried in the PDU session establishment request is the same as the EAP ID carried in the re-authentication request; or alternatively,
a fourth receiving submodule, configured to receive a PDU session establishment request sent by the terminal;
the first processing sub-module is used for acquiring the UE ID and the identification of a target data network from the PDU session establishment request and sending an Extensible Authentication Protocol (EAP) identity request to the terminal according to the PDU session establishment request;
a fifth receiving sub-module, configured to receive an EAP identity response fed back by the terminal according to the EAP identity request;
a second obtaining sub-module, configured to obtain an EAP ID from the EAP identity response;
and the EAP ID carried in the EAP identity response is the same as the EAP ID carried in the re-authentication request.
23. The authentication device according to claim 19, wherein the first mapping relationship and the secondary authentication status information are both stored locally or in a unified data management (UDM) device.
24. An authentication apparatus applied to a server, comprising:
the first sending module is used for sending a re-authentication request to a Session Management Function (SMF) entity;
wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID).
25. The authentication device of claim 24, further comprising:
a second receiving module, configured to receive, after the re-authentication request is sent to the Session Management Function (SMF) entity, an Extensible Authentication Protocol (EAP) re-authentication identity response sent by the SMF entity;
and the first authentication module is used for performing EAP re-authentication with the corresponding terminal according to the EAP re-authentication identity response.
26. The authentication device of claim 25, further comprising:
and a second sending module, configured to send EAP re-authentication result information to the SMF entity after performing EAP re-authentication with a corresponding terminal according to the EAP re-authentication identity response.
27. An authentication apparatus applied to a terminal, comprising:
a third receiving module, configured to receive an extensible authentication protocol EAP re-authentication identity request sent by a session management function SMF entity;
a first feedback module, configured to feed back an EAP re-authentication identity response to the SMF entity according to the EAP re-authentication identity request;
wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
28. The authentication device of claim 27, wherein the first feedback module comprises:
a first determining submodule for determining an EAP ID;
a first generation sub-module, configured to generate an EAP re-authentication identity response containing the EAP ID;
and the first feedback sub-module is used for feeding back the generated EAP re-authentication identity response to the SMF entity.
29. A session management function entity, comprising: a processor and a transceiver;
the processor is configured to receive, by using the transceiver, a re-authentication request sent by a server, wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID);
obtaining the identification of the target data network according to the address of the server;
obtaining a terminal identification UE ID according to the EAP ID, the identification of the target data network and the first mapping relation;
triggering a corresponding terminal and the server to perform re-authentication operation according to the UE ID;
wherein the first mapping relationship comprises a mapping relationship among an EAP ID, an identity of a target data network, and a UE ID.
30. A server, comprising: a processor and a transceiver;
the processor is used for sending a re-authentication request to a Session Management Function (SMF) entity by using the transceiver;
wherein the re-authentication request carries an extensible authentication protocol identity (EAP ID).
31. A terminal, comprising: a processor and a transceiver;
the processor is used for receiving an extensible authentication protocol EAP re-authentication identity request sent by a Session Management Function (SMF) entity by using the transceiver;
according to the EAP re-authentication identity request, feeding back an EAP re-authentication identity response to the SMF entity by using the transceiver;
wherein the EAP re-authentication identity response carries an EAP ID, and the EAP ID carried in the EAP re-authentication identity response is the same as or different from the EAP ID carried in the re-authentication request received by the SMF entity.
32. A session management function entity comprising a memory, a processor and a program stored on the memory and executable on the processor; characterized in that the processor, when executing the program, implements the authentication method according to any one of claims 1 to 9.
33. A server comprising a memory, a processor, and a program stored on the memory and executable on the processor; characterized in that the processor, when executing the program, implements the authentication method according to any one of claims 10 to 12.
34. A terminal comprising a memory, a processor, and a program stored on the memory and executable on the processor; characterized in that the processor, when executing the program, implements the authentication method according to any one of claims 13 to 14.
35. A readable storage medium on which a program is stored, the program realizing the steps in the authentication method according to any one of claims 1 to 14 when executed by a processor.
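As an added example that is not part of the patent, the following Python model shows the SMF-side bookkeeping behind claims 1 to 9: the first mapping relationship keyed by (EAP ID, identification of the target data network), lookup of the UE ID on a re-authentication request, re-keying of the row when the terminal answers with a different EAP ID (claims 3 and 4), and the state update from the server's result (claim 5). The server-address-to-DN table, the state labels, the terminal callback that stands in for the EAP re-authentication identity exchange, and all identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class MappingEntry:
    """Row of the first mapping relation (claim 1) plus its secondary auth state (claim 5)."""
    eap_id: str
    dnn: str      # identification of the target data network
    ue_id: str
    state: str    # constructed labels: "success", "failure", "pending"


class Smf:
    """Hypothetical SMF-side bookkeeping for the flow in claims 1 to 9 (not the patent's code)."""

    def __init__(self, server_to_dnn: Dict[str, str]) -> None:
        # Constructed table: DN-AAA server address -> target DNN. Claim 1 derives the
        # DN identifier from the server address; how it is derived is assumed here.
        self.server_to_dnn = server_to_dnn
        self.table: Dict[Tuple[str, str], MappingEntry] = {}

    def on_secondary_auth(self, ue_id: str, dnn: str, eap_id: str, ok: bool) -> MappingEntry:
        """Claims 6-8: record (EAP ID, DNN) -> UE ID at PDU session establishment (claim 7: result as state)."""
        entry = MappingEntry(eap_id, dnn, ue_id, "success" if ok else "failure")
        self.table[(eap_id, dnn)] = entry
        return entry

    def on_reauth_request(self, server_addr: str, eap_id: str,
                          terminal: Callable[[str], str]) -> MappingEntry:
        """Claims 1-4: resolve the UE, run the re-authentication identity exchange, re-key if needed."""
        dnn = self.server_to_dnn.get(server_addr)
        if dnn is None:
            # A server we serve no data network for cannot be tied to any session.
            raise LookupError(f"re-authentication request from unknown server {server_addr}")
        entry = self.table.get((eap_id, dnn))
        if entry is None:
            # EAP ID alone is not a key: it is only unique within one data network.
            raise LookupError(f"no session for EAP ID {eap_id!r} on DN {dnn!r}")
        # EAP re-authentication identity request -> UE; its response carries an EAP ID
        # that may equal or differ from the requested one (claims 13-14). The callback
        # stands in for that exchange and for forwarding the response to the server.
        new_eap_id = terminal(entry.ue_id)
        entry.state = "pending"          # result arrives later from the server (claim 5)
        if new_eap_id != eap_id:         # claims 3-4: update the stored EAP ID
            del self.table[(eap_id, dnn)]
            entry.eap_id = new_eap_id
            self.table[(new_eap_id, dnn)] = entry
        return entry

    def on_reauth_result(self, server_addr: str, eap_id: str, ok: bool) -> MappingEntry:
        """Claim 5: update the secondary authentication state from the server's result."""
        entry = self.table[(eap_id, self.server_to_dnn[server_addr])]
        entry.state = "success" if ok else "failure"
        return entry


def demo() -> Smf:
    """Constructed scenario: one EAP ID in use on two data networks by two different UEs."""
    smf = Smf({"192.0.2.10": "enterprise-dn", "192.0.2.20": "iot-dn"})
    smf.on_secondary_auth("ue-1", "enterprise-dn", "alice@corp.example", True)
    smf.on_secondary_auth("ue-2", "iot-dn", "alice@corp.example", True)
    # UE 1 answers the re-authentication identity request with a new EAP ID.
    smf.on_reauth_request("192.0.2.10", "alice@corp.example", lambda ue: "alice-2@corp.example")
    smf.on_reauth_result("192.0.2.10", "alice-2@corp.example", True)
    return smf
```

The scenario shows why the EAP ID alone is not a safe session key: the same EAP ID is legitimately in use on two data networks, and only the pair with the DN identifier derived from the server address selects the right UE, while a request from a server with no DN mapping is rejected rather than matched to any session.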
CN202010685582.7A 2020-07-16 2020-07-16 Authentication method, authentication device, session management function entity, server and terminal Pending CN114024693A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010685582.7A CN114024693A (en) 2020-07-16 2020-07-16 Authentication method, authentication device, session management function entity, server and terminal

Publications (1)

Publication Number Publication Date
CN114024693A true CN114024693A (en) 2022-02-08

Family

ID=80053968

Country Status (1)

Country Link
CN (1) CN114024693A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023202337A1 (en) * 2022-04-21 2023-10-26 华为技术有限公司 Communication method and apparatus

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019017835A1 (en) * 2017-07-20 2019-01-24 华为国际有限公司 Network authentication method and related device and system
CN110235423A (en) * 2017-01-27 2019-09-13 瑞典爱立信有限公司 Auxiliary certification to user equipment
CN110291803A (en) * 2017-05-09 2019-09-27 英特尔Ip公司 Secret protection and Extensible Authentication Protocol certification and authorization in cellular network
US20200162919A1 (en) * 2018-11-16 2020-05-21 Lenovo (Singapore) Pte. Ltd. Accessing a denied network resource

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination