CN114301703A - Network connection method, network equipment and network connection device - Google Patents
Network connection method, network equipment and network connection device Download PDFInfo
- Publication number
- CN114301703A CN114301703A CN202111657076.8A CN202111657076A CN114301703A CN 114301703 A CN114301703 A CN 114301703A CN 202111657076 A CN202111657076 A CN 202111657076A CN 114301703 A CN114301703 A CN 114301703A
- Authority
- CN
- China
- Prior art keywords
- network
- access point
- user equipment
- network access
- network connection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 56
- 238000013523 data management Methods 0.000 claims abstract description 7
- 230000006870 function Effects 0.000 claims description 30
- 238000007726 management method Methods 0.000 claims description 9
- 230000008569 process Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 4
- 238000013475 authorization Methods 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000009467 reduction Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000003071 parasitic effect Effects 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 230000003252 repetitive effect Effects 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The present disclosure relates to a network connection method, which includes the steps of: the N3IWF receives a network connection request initiated by a user equipment through a network access point and provides the network connection request to the AMF; the AMF provides the user identification of the user equipment and the authentication information of the network access point to the AUSF according to the network connection request; and the AUSF inquires a user equipment list which is reserved in the unified data management UMD and is established for the specified UE based on the user identification, inquires a network access point list which is reserved in the UMD and is established for the specified network access point AN based on the authentication information, and if the UE is judged to be in the user equipment list and the network access point is in the network access point list through the AUSF, the UE is allowed to be connected to the network through the network access point and use the network service corresponding to the network access point. In addition, the disclosure also relates to a network device and a network connection device.
Description
Technical Field
The present disclosure relates generally to the field of radio communication technologies, and more particularly, to a network connection method, a network device, and a network connection apparatus.
Background
With the rapid development of 5G services, more and more user equipments, such as mobile phones, access to the 5G network through the network access point. Filtering conditions based on the mac address of the user equipment are set in some network access points with high security level. For this reason, some illegal user equipments may be allowed to access into the 5G network through the above-mentioned network access point by artificially modifying their mac addresses, i.e. by using "pseudo mac addresses". This may create a network security risk.
In addition, for some network access points with high security level, the user equipment needs to perform information binding and authentication registration on the core network side before being used. When used across network access points, the same user equipment needs to perform information binding and authentication registration again, which causes inconvenience to users and leads to reduction of user service perception satisfaction.
Disclosure of Invention
Accordingly, it is an object of the present disclosure to provide a network connection method, a network device, and a network connection apparatus that can overcome at least one of the drawbacks of the related art.
According to a first aspect of the present disclosure, there is provided a network connection method including the steps of:
a non-3GPP interworking function N3IWF at a network side receives a network connection request initiated by user equipment through a network access point and provides the network connection request to an AMF;
an access and mobility management function (AMF) at a network side provides the user identification of the user equipment and the authentication information of the network access point to an AUSF (autonomous underwater system) according to the network connection request;
AN AUSF (authentication service function) at a network side inquires a user equipment list which is reserved in a unified data management UMD and is established for specified User Equipment (UE) based on a user identification of the user equipment, and inquires a network access point list which is reserved in the UMD and is established for a specified network access point (AN) based on authentication information of the network access point, wherein if the User Equipment (UE) is judged to be in the user equipment list through the AUSF and the network access point is in the network access point list, the User Equipment (UE) is allowed to be connected to a network through the network access point and network services corresponding to the network access point are used.
In some embodiments, the user identity of the user equipment and the authentication information of the network access point may be provided by an AMF requirement N3 IWF.
In some embodiments, if it is determined by the AUSF that the UE is not in the UE list or the network access point AN is not in the network access point list, the AUSF may send a message to notify the AMF that the UE is AN illegal user.
In some embodiments, the AMF may notify the N3IWF that the network access authentication fails according to the received message.
In some embodiments, the message may comprise an AAA msg (EAP/AKA Chanllenge) message extended in a manner to add "illegal area user" information.
In some embodiments, the user identity of the user equipment may comprise a user hidden identity SUCI.
In some embodiments, the authentication information of the network access point may include domain name information of the network access point.
In some embodiments, the domain name information of the network access point may include at least one of enterprise information and regional information.
In some embodiments, the UDM may match at least one user equipment in said list of user equipments with a portion of network access points in said list of network access points, whereby said at least one user equipment UE is only allowed to access into the core network through said portion of network access points and to use network traffic corresponding to said portion of network access points.
In some embodiments, the network connection method may include the steps of:
a non-3GPP interworking function N3IWF at a network side receives a network connection request initiated by user equipment and transmits the network connection request to an AMF;
the access and mobility management function AMF of the network side transmits the user identification and the current mac address of the user equipment to the AUSF according to the network connection request;
an AUSF (authentication service function) at a network side inquires a historical mac address left by the user equipment in a Unified Data Management (UDM) based on the user identification of the user equipment;
and if the AUSF does not inquire the historical mac address of the user equipment or the AUSF judges that the current mac address is consistent with the inquired historical mac address, allowing the network connection to be continued.
According to a second aspect of the present disclosure, there is provided a network device, comprising:
a non-3GPP interworking function N3IWF on a network side configured to receive a network connection request initiated by a user equipment and to provide the network connection request to the AMF;
AN access and mobility management function, AMF, on the network side, configured to provide, according to the network connection request, a user identifier of the user equipment and authentication information of the network access point, AN, to the AUSF;
a network side authentication service function AUSF configured to query a user equipment list, which is reserved in the UMD and is established for a specified user equipment UE, based on a user identification of the user equipment, and query a network access point list, which is reserved in the UMD and is established for a specified network access point AN, based on authentication information of the network access point; and is configured to determine whether the UE is in the UE list and determine whether the network access point is in the network access point list, and if yes, allow the UE to connect to the network through the network access point AN and use the network service corresponding to the network access point.
According to a third aspect of the present disclosure, there is provided a network connection device comprising a processor and a memory, the memory having stored thereon instructions which, when executed by the processor, carry out the steps of the above method.
Drawings
The disclosure is explained in more detail below with the aid of specific embodiments with reference to the drawings. The schematic drawings are briefly described as follows:
fig. 1 is a flow chart of a first network connection method according to the present disclosure;
FIG. 2 is a schematic flow diagram of a first network connection method of FIG. 1 in a network;
fig. 3 is a network connection flow diagram of a second network connection method according to the present disclosure;
fig. 4 is a schematic flow chart of a second network connection method in fig. 3 in a network.
Note that in the embodiments described below, the same reference numerals are used in common between different drawings in some cases to denote the same portions or portions having the same functions, and a repetitive description thereof is omitted. In some cases, similar reference numbers and letters are used to denote similar items, and thus, once an item is defined in one figure, it need not be discussed further in subsequent figures.
For convenience of understanding, the positions, sizes, ranges, and the like of the respective structures shown in the drawings and the like do not sometimes indicate actual positions, sizes, ranges, and the like. Therefore, the present disclosure is not limited to the positions, dimensions, ranges, and the like disclosed in the drawings and the like.
Detailed Description
Various exemplary embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. That is, the structures and methods herein are shown by way of example to illustrate different embodiments of the structures and methods of the present disclosure. Those skilled in the art will appreciate that these examples are merely illustrative of embodiments of the disclosure and are not exhaustive. Furthermore, the drawings are not necessarily to scale, some features may be exaggerated to show details of some particular components.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely exemplary and not limiting. Thus, other examples of the exemplary embodiments may have different values.
In the network connection method according to the prior art, a process of connecting a user equipment UE (e.g. a mobile phone) to a network through a non-trusted non-3GPP network access point AN (e.g. through a wifi device) mainly includes the following parts:
a first part: the user equipment UE accesses the non-3GPP network through said network access point AN and selects the N3 IWF.
A second part: and executing an IKE-SA process, wherein the IKE-SA process is used for establishing a safe transmission channel for the subsequent 5G-NAS authentication process under an unsafe network, so that the safety of message transmission in the subsequent 5G-NAS authentication process is ensured. After the second part is completed, all IKE messages are encrypted and protected.
And a third part: 5G-NAS authentication and SMC flow is performed.
The fourth part: an IPsec SA flow is performed. And establishing a safe data channel for the user through the IPsec SA flow, and transmitting all subsequent NAS signaling through the safe data channel.
In the first part of the network connection method according to the prior art, a network access point AN (e.g. a wifi device) tends to restrict the user equipment UE from accessing the core network and using network traffic by means of the mac address and IP address of the user equipment UE. If the mac address of the illegitimate user equipment UE is modified to the allowed mac address, it is possible to access the core network through the network access point AN in case of obtaining the user name and password for connecting the network access point AN (e.g. wifi device). Although the AUSF may be called by the AMF to perform authentication and authorization on the UE on the core network side when the illegal UE attempts to access the network, the authentication and authorization only determines whether the hidden identity suici of the UE is legal. Once the AUSF judges that the SUCI of the illegal user equipment UE is legal, the IPsec SA flow can be established for the illegal user equipment UE. This may create a network security risk.
To this end, the present disclosure proposes an improved first network connection method, in which, when a user equipment UE attempts to access a core network, a current mac address of the user equipment is compared with a historical mac address or old mac address of the user equipment left in a UDM on a core network side. If the current mac address of the user equipment is consistent with the historical mac address left in the UDM after comparison, the user equipment UE trying to access the core network is judged to be normal user equipment, and a normal channel establishing process is carried out. In this way, the user equipment can be effectively prevented from accessing the core network by changing the mac address, namely using the pseudo mac address, thereby further improving the reliability of authentication.
A first network connection method according to the present disclosure is explained in more detail below with the aid of fig. 1 and 2. Fig. 2 shows a schematic flow diagram of the first network connection method in fig. 1 in a network.
In step 101, a user equipment UE initiates a network connection request to a non-3GPP interworking function N3IWF on the network side in order to request access to the network. In this disclosure, the network side may be understood as the core network side.
In step 102, the N3IWF receives a network connection request initiated by the user equipment and provides said network connection request to the access and mobility management function AMF on the network side.
In step 103, AMF extends N2 msg (Identity Req/Res) message and sends the message to N3IWF, asking N3IWF to provide unique user Identity (e.g. user permanent Identity SUPI or user hidden Identity SUCI) and current mac address information of the user equipment UE in the network and the AMF provides these information to the authentication service function AUSF on the network side.
In step 104, the AUSF queries the UDM for a legacy mac address or old mac address left by the UE based on the UE user identity. And if the historical mac address is inquired by the AUSF, judging whether the current mac address is consistent with the inquired historical mac address.
In step 105, if the AUSF does not inquire the historical mac address of the UE or the AUSF determines that the current mac address is consistent with the inquired historical mac address, it determines that the UE attempting to access the core network is a normal UE, and performs a normal channel establishment procedure.
In step 106, if the SUCI of the UE provided by the AMF and the current mac address information do not match the information stored in the UDM, the AUSF determines that the UE may use a pseudo mac address. Then, the AUSF extends a corresponding AAA msg (EAP/AKA chanllengel) message, adds old mac information, and sends to the AMF to inform the AMF that the user equipment used a mac address different from the current mac address. The AMF informs that the N3IWF has failed network access authentication according to the received extended AAA msg (EAP/AKA Chanllenge) message, wherein the failure reason is that the current mac address of the user equipment UE is wrong or the current mac address is a pseudo mac address.
Thus, the user equipment UE cannot access the core network even if a pseudo mac address is used, which further increases network security.
Furthermore, in the third part of the network connection method according to the prior art, for some network access points AN with high security level, if the user equipment UE wants to access to the core network through the network access point AN with high security level so as to use the corresponding network service with high security level, it is usually necessary to provide a unique user identifier (for example, SUPI and sui based on a SIM card or a mobile phone number) of the user equipment UE in the 5G network and authentication information (for example, domain name information) of the network access point AN with high security level for the core network side to perform authentication. For this purpose, the user needs to manually perform information binding between the user identifier of the user equipment UE and the authentication information of the network access point AN, for example, by manually inputting the mobile phone number in the authentication process. This causes inconvenience to the user and results in a reduction in the user's perceived satisfaction with the service. In the present disclosure, the above-mentioned "network access point AN with high security level" and "network service with high security level" may be understood as a network access point AN and a network service which are open only to a specific user (e.g., a user belonging to a specific enterprise), i.e., a network access point AN and a network service which are not open to public users, respectively.
In particular, some users belong to corporate users. In the present disclosure, a group is understood to be a group composed of a certain organization, such as a company, an institution, a civil organization, and the like. A group may typically comprise a plurality of network access points AN distributed in different office areas, through one of which a user equipment UE may connect to a core network and use the same network service. However, according to the current network connection method, when used across network access points AN (i.e. moving from a first network access point AN to a second network access point AN), in order to perform networking through the changed network access point AN (here, for example, the second network access point AN), the same user equipment needs to perform the above-mentioned information binding again to use the same network service. This is undesirable.
Therefore, the present disclosure proposes AN improved second network connection method, according to which a user can access a specified user equipment UE to a core network through a specified network access point AN without manually performing the above-mentioned information binding, thereby using a specified network service. The above-mentioned information binding does not have to be done anew even when used across network access points AN or across office areas. This enables an imperceptible access (core network) of the user equipment UE, i.e. the user does not perceive the network entry procedure.
The second network connection method according to the present disclosure is explained in more detail below with the aid of fig. 3 and 4. Fig. 4 shows a schematic flow diagram of the second network connection method of fig. 3 in a network.
In a second network connection method according to the present disclosure, on the core network side, a network access point list has been established in advance for a prescribed network access point AN. The network access point list may be added and modified manually by network operator staff and may be stored in the UDM. In addition, a user equipment list is established for the specified user equipment UE. Likewise, the user equipment list may be manually added and modified by network operator staff and may be stored in the UDM.
In step 201, a user equipment UE initiates a network connection request to AN N3IWF through a network access point AN to request access to the network.
In step 202, the non-3GPP interworking function N3IWF at the network side receives a network connection request initiated by said one user equipment through said one network access point AN and provides said network connection request to the access and mobility management function AMF at the network side.
In step 203, AMF extends N2 msg (Identity Req/Res) message and sends the message to N3IWF, asking N3IWF to provide the unique user Identity (e.g. suii) of the one user equipment UE in the 5G network and the authentication information (e.g. domain name information) of the one network access point AN, and the AMF provides these information to the authentication service function AUSF on the network side. The authentication information of the network access point AN can be here, for example, domain name information in the form of the @ enterprise name, area name, and can be stored in a user profile list in the UDM.
In step 204, the AUSF determines whether the one UE is in the UE list set up for the specified UE reserved in the unified data management UMD based on the unique UE identifier (e.g., suici) of the one UE in the 5G network, and determines whether the one network access point AN is in the network access point list set up for the specified network access point AN reserved in the UMD based on the authentication information (e.g., domain name information) of the one network access point AN.
In step 205, if it is determined through AUSF that the user equipment UE is in the user equipment list and the network access point AN is in the network access point list, the user equipment UE is allowed to access the core network through the network access point AN and use the network service corresponding to the network access point AN.
In step 206, if it is determined by the AUSF that the UE is not in the UE list or the AN is not in the network access point list, the AUSF expands a corresponding AAA msg (EAP/AKA chanllengel) message, adds "illegal area user" information, and sends the information to the AMF. And the AMF informs the N3IWF of network access authentication according to the received AAA msg (EAP/AKA Chanllenge) message, wherein the reason of failure is that the UE is an illegal user.
In this way, on the core network side, AN automatic authentication can be performed based on the unique user identity (e.g. sui) of the user equipment UE in the 5G network and the authentication information (e.g. domain name information) of the network access point AN without the user having to manually bind them for authentication. This enables a predetermined user equipment UE to access the core network through a predetermined network access point AN without sensing (which corresponds to the user equipment UE in the user equipment list being provisioned with AN without sensing service). This applies even when used across network access points AN or across office areas.
In the above embodiment, on the core network side, as long as the user equipment UE is in the user equipment list, the user equipment UE is allowed to automatically access the core network through any network access point AN in the network access point list and use the corresponding network service. However, it should be understood here that the one user equipment UE in the above-mentioned user equipment list may also be matched with a part of the network access points AN in the above-mentioned network access point list, thereby only allowing the one user equipment UE to automatically access the core network and use the corresponding network services through the part of the network access points AN. In this way, different permission levels can be set for different user equipments UE, for example, a user equipment UE with a higher permission level can connect to the core network through more network access points AN. In other words, according to the second network connection method of the present disclosure, a prescribed user equipment UE can automatically access into a core network through a prescribed network access point AN and use a corresponding network service.
In the present disclosure, the first network connection method and the second network connection method described above may be used in combination.
In some embodiments of the second network connection method, a security level is assigned to each network access point AN. Here, it can be provided that: the first network connection method according to the present disclosure is performed only if the AMF judges that the security level of the network access point AN has reached a certain security level.
In further embodiments of the second network connection method, provision may be made for: the first network connection method according to the present disclosure is performed only if it is judged through the AUSF that the one user equipment UE is in the user equipment list and the one network access point AN is in the network access point list. In other words, only for the user equipment UE that has opened the above-mentioned non-sensory access service, the enhanced determination procedure of whether it uses the pseudo mac address is performed.
As used herein, the terms "front," "back," "top," "bottom," "over," "under," and the like, if any, are used for descriptive purposes and not necessarily for describing permanent relative positions. It is to be understood that such terms are interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are, for example, capable of operation in other orientations than those illustrated or otherwise described herein.
As used herein, the word "exemplary" means "serving as an example, instance, or illustration," and not as a "model" that is to be replicated accurately. Any implementation exemplarily described herein is not necessarily to be construed as preferred or advantageous over other implementations. Furthermore, the disclosure is not limited by any expressed or implied theory presented in the preceding technical field, background, brief summary or the detailed description.
As used herein, the term "substantially" is intended to encompass any minor variation resulting from design or manufacturing imperfections, tolerances of the device or components, environmental influences and/or other factors. The word "substantially" also allows for differences from a perfect or ideal situation due to parasitics, noise, and other practical considerations that may exist in a practical implementation.
In addition, the foregoing description may refer to elements or nodes or features being "connected" or "coupled" together. As used herein, unless expressly stated otherwise, "connected" means that one element/node/feature is electrically, mechanically, logically, or otherwise connected (or in communication) with another element/node/feature. Similarly, unless expressly stated otherwise, "coupled" means that one element/node/feature may be mechanically, electrically, logically, or otherwise joined to another element/node/feature in a direct or indirect manner to allow for interaction, even though the two features may not be directly connected. That is, to "couple" is intended to include both direct and indirect joining of elements or other features, including connection with one or more intermediate elements.
In addition, "first," "second," and like terms may also be used herein for reference purposes only, and thus are not intended to be limiting. For example, the terms "first," "second," and other such numerical terms referring to structures or elements do not imply a sequence or order unless clearly indicated by the context.
It should also be noted that, as used herein, the terms "comprises," "comprising," "includes," "including," "has," "having" and any other variations thereof, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
In the present disclosure, the term "providing" is used broadly to encompass all ways of obtaining an object, and thus "providing an object" includes, but is not limited to, "purchasing," "preparing/manufacturing," "arranging/setting," "installing/assembling," and/or "ordering" the object, and the like.
Those skilled in the art will also appreciate that the boundaries between the above described operations are merely illustrative. Multiple operations may be combined into a single operation, single operations may be distributed in additional operations, and operations may be performed at least partially overlapping in time. Moreover, alternative embodiments may include multiple instances of a particular operation, and the order of operations may be altered in various other embodiments. However, other modifications, variations, and alternatives are also possible. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. The embodiments disclosed herein may be combined with each other in any combination without departing from the spirit and scope of the present disclosure. Those skilled in the art will also appreciate that modifications may be made to the above embodiments without departing from the scope and spirit of the disclosure. The scope of the present disclosure is defined by the appended claims.
List of reference numerals
AN network access point
AUSF Authentication Server Function Authentication service Function
AMF Access and Mobility Management Function
N3IWF Non-3GPP Interwork Function Non-3GPP interworking Function
UDM Unified Data Management
UE User Equipment
SUPI Subscription Permanent Identifier
SUCI Subscription conditional Identifier user hidden Identifier
Claims (12)
1. A network connection method, characterized by comprising the steps of:
a non-3GPP interworking function N3IWF at a network side receives a network connection request initiated by user equipment through a network access point and provides the network connection request to an AMF;
an access and mobility management function (AMF) at a network side provides the user identification of the user equipment and the authentication information of the network access point to an AUSF (autonomous underwater system) according to the network connection request;
AN AUSF (authentication service function) at a network side inquires a user equipment list which is reserved in a unified data management UMD and is established for specified User Equipment (UE) based on a user identification of the user equipment, and inquires a network access point list which is reserved in the UMD and is established for a specified network access point (AN) based on authentication information of the network access point, wherein if the User Equipment (UE) is judged to be in the user equipment list through the AUSF and the network access point is in the network access point list, the User Equipment (UE) is allowed to be connected to a network through the network access point and network services corresponding to the network access point are used.
2. The network connection method according to claim 1, wherein the user identity of the user equipment and the authentication information of the network access point are provided by AMF requirement N3 IWF.
3. The network connection method according to claim 1 or 2, wherein if it is determined through the AUSF that the UE is not in the UE list or the network access point AN is not in the network access point list, the AUSF sends a message to notify the AMF that the UE is AN illegal user.
4. The network connection method according to claim 3, wherein the AMF informs the N3IWF of the failure of the network access authentication according to the received message.
5. The method of claim 3, wherein the message comprises an AAA msg (EAP/AKA Chanllenge) message extended in a manner of adding "illegal area user" information.
6. The network connection method according to claim 1 or 2, wherein the user identity of the user equipment comprises a hidden identity SUCI of the user.
7. The network connection method according to claim 1 or 2, wherein the authentication information of the network access point includes domain name information of the network access point.
8. The network connection method according to claim 7, wherein the domain name information of the network access point includes at least one of enterprise information and regional information.
9. The network connection method according to claim 1 or 2, wherein the UDM coordinates at least one user equipment in the user equipment list with a part of the network access points in the network access point list, whereby the at least one user equipment UE only allows access into the core network through the part of the network access points and uses network traffic corresponding to the part of the network access points.
10. The network connection method according to claim 1 or 2, characterized in that the network connection method comprises the steps of:
a non-3GPP interworking function N3IWF at a network side receives a network connection request initiated by user equipment and transmits the network connection request to an AMF;
the access and mobility management function AMF of the network side transmits the user identification and the current mac address of the user equipment to the AUSF according to the network connection request;
an AUSF (authentication service function) at a network side inquires a historical mac address left by the user equipment in a Unified Data Management (UDM) based on the user identification of the user equipment;
and if the AUSF does not inquire the historical mac address of the user equipment or the AUSF judges that the current mac address is consistent with the inquired historical mac address, allowing the network connection to be continued.
11. A network device, characterized in that the network device comprises:
a non-3GPP interworking function N3IWF on a network side configured to receive a network connection request initiated by a user equipment and to provide the network connection request to the AMF;
AN access and mobility management function, AMF, on the network side, configured to provide, according to the network connection request, a user identifier of the user equipment and authentication information of the network access point, AN, to the AUSF;
a network side authentication service function AUSF configured to query a user equipment list, which is reserved in the UMD and is established for a specified user equipment UE, based on a user identification of the user equipment, and query a network access point list, which is reserved in the UMD and is established for a specified network access point AN, based on authentication information of the network access point; and is configured to determine whether the UE is in the UE list and determine whether the network access point is in the network access point list, and if yes, allow the UE to connect to the network through the network access point AN and use the network service corresponding to the network access point.
12. A network connection device comprising a processor and a memory, the memory having stored thereon instructions which, when executed by the processor, carry out the steps of the method according to any one of claims 1 to 10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111657076.8A CN114301703A (en) | 2021-12-30 | 2021-12-30 | Network connection method, network equipment and network connection device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111657076.8A CN114301703A (en) | 2021-12-30 | 2021-12-30 | Network connection method, network equipment and network connection device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114301703A true CN114301703A (en) | 2022-04-08 |
Family
ID=80974313
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111657076.8A Pending CN114301703A (en) | 2021-12-30 | 2021-12-30 | Network connection method, network equipment and network connection device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114301703A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2023246942A1 (en) * | 2022-06-25 | 2023-12-28 | 华为技术有限公司 | Communication method and apparatus |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110268734A (en) * | 2017-02-07 | 2019-09-20 | IPCom两合公司 | Use the interworking function of unreliable network |
| WO2020090764A1 (en) * | 2018-11-02 | 2020-05-07 | Nec Corporation | SECURITY PROCEDURE FOR UE's IN 5GLAN GROUP COMMUNICATION |
| US20200396673A1 (en) * | 2019-06-14 | 2020-12-17 | Samsung Electronics Co., Ltd. | Method and system for handling of closed access group related procedure |
| US20210076301A1 (en) * | 2018-05-22 | 2021-03-11 | Huawei Technologies Co., Ltd. | Network access method, related apparatus, and system |
| US20210306849A1 (en) * | 2018-08-09 | 2021-09-30 | Nokia Technologies Oy | Method and apparatus for security realization of connections over heterogeneous access networks |
| WO2021244737A1 (en) * | 2020-06-03 | 2021-12-09 | Lenovo (Singapore) Pte. Ltd. | Methods and apparatuses for determining an authentication type |
-
2021
- 2021-12-30 CN CN202111657076.8A patent/CN114301703A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110268734A (en) * | 2017-02-07 | 2019-09-20 | IPCom两合公司 | Use the interworking function of unreliable network |
| US20210076301A1 (en) * | 2018-05-22 | 2021-03-11 | Huawei Technologies Co., Ltd. | Network access method, related apparatus, and system |
| US20210306849A1 (en) * | 2018-08-09 | 2021-09-30 | Nokia Technologies Oy | Method and apparatus for security realization of connections over heterogeneous access networks |
| WO2020090764A1 (en) * | 2018-11-02 | 2020-05-07 | Nec Corporation | SECURITY PROCEDURE FOR UE's IN 5GLAN GROUP COMMUNICATION |
| US20200396673A1 (en) * | 2019-06-14 | 2020-12-17 | Samsung Electronics Co., Ltd. | Method and system for handling of closed access group related procedure |
| WO2021244737A1 (en) * | 2020-06-03 | 2021-12-09 | Lenovo (Singapore) Pte. Ltd. | Methods and apparatuses for determining an authentication type |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2023246942A1 (en) * | 2022-06-25 | 2023-12-28 | 华为技术有限公司 | Communication method and apparatus |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10834571B1 (en) | Steering of roaming for 5G core roaming in an internet packet exchange network | |
| EP3629613B1 (en) | Network verification method, and relevant device and system | |
| CN102017677B (en) | Access through non-3GPP access networks | |
| CN101983517B (en) | Security for a non-3gpp access to an evolved packet system | |
| CN110476447A (en) | The registration process of enhancing in the mobile system for supporting network slice | |
| KR20230128142A (en) | Method and apparatus for security realization of connectionsover heterogeneous access networks | |
| US20060281457A1 (en) | Authentication of mobile stations | |
| US20200100111A1 (en) | Connection establishment method, device, and system | |
| US11871223B2 (en) | Authentication method and apparatus and device | |
| CN109891921B (en) | Method, apparatus and computer-readable storage medium for authentication of next generation system | |
| US20170156105A1 (en) | Realm based network-access-identifier (nai) modification for a roaming party needing to authenticate with home network | |
| US11722956B2 (en) | Securing the choice of the network visited during roaming | |
| US20220369219A1 (en) | Non-3gpp interworking function (n3iwf) selection for stand-alone non-public networks (snpn) | |
| CN114301703A (en) | Network connection method, network equipment and network connection device | |
| US20230300596A1 (en) | Remote subscription profile download | |
| US11109219B2 (en) | Mobile terminal, network node server, method and computer program | |
| CN105493540A (en) | Wireless local area network user side device and information processing method | |
| CN114339757A (en) | Network connection method, network equipment and network connection device | |
| CN108235315B (en) | Wireless VPDN (virtual private network digital network) access method and system with configuration-free terminal | |
| CN113904781B (en) | Slice authentication method and system | |
| EP1843541B1 (en) | A method of securing communication between an access network and a core network | |
| CN104185303A (en) | Methods and systems for establishing channel in fixed and mobile network convergence case | |
| CN113498055A (en) | Access control method and communication equipment | |
| CN103379591A (en) | Method and device for user device connection mode selection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |