CN114339837B - Private network access control method and device, electronic equipment and storage medium (Google Patents)
- Publication number: CN114339837B (application CN202111676897.6A)
- Authority: CN (China)
- Prior art keywords: access, user, private network, access control, control information
- Legal status: Active (status as listed by Google; it is an assumption, not a legal conclusion)
Abstract
The application provides a private network access control method, a private network access control device, electronic equipment and a storage medium. The method comprises the following steps: receiving an access request of an access user forwarded by a base station; verifying the access user based on access control information configured by a private network user, wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module, and access control information input by the private network user through an interactive interface; and executing access processing or refusal processing according to whether the access user matches the access control information. Through the northbound interface or the interactive interface, the private network user can configure the access control information independently, and access or refusal is decided by matching against that information, which enhances the autonomy and flexibility of private network access control.
Description
Technical Field
The present disclosure relates to communication technologies, and in particular, to a private network access control method, a private network access control device, an electronic device, and a storage medium.
Background
A private network supports rich customized industry attributes, including high bandwidth, low delay, massive access, exclusive network resources and security. At the same time, customers place higher demands on self-service management of private network users: enterprise customers need to customize the rules governing user access to their private network conveniently and efficiently.
The existing private network user access control method mainly comprises sending a request to the core network through a server, having the core network manager or a network capability exposure platform configure the user access parameters, issuing the configured access control rules, and enforcing private network access control for users based on those rules.
However, the above solution is not sufficient to meet the personalized management and control requirements of the client for the user to access the private network.
Disclosure of Invention
The application provides a private network access control method, a private network access control device, electronic equipment and a storage medium, which enhance the autonomy and flexibility of private network access control.
In a first aspect, the present application provides a private network access control method, including:
receiving an access request of an access user forwarded by a base station;
verifying the access user based on access control information configured by a private network user; wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module, and access control information input by the private network user through an interactive interface;
and executing access processing or refusing processing according to the matching condition of the access user and the access control information.
Optionally, the access control information includes a user identifier and a user state; and executing access processing or refusing processing according to the matching condition of the access user and the access control information, wherein the method comprises the following steps:
if the access user is not recorded in the access control information, or the access user is recorded in the access control information and the corresponding user state is an allowed state, executing access processing;
and if the access user is recorded in the access control information and the corresponding user state is a refused state, executing refusing processing.
Optionally, the method further comprises:
synchronizing, via the northbound interface, a user identification of a private network subscriber from a core network;
pushing a user identifier of the private network subscriber to a private network user so that the private network user configures a user state for the pushed user identifier;
and establishing the access control information based on the user identification of the private network subscriber and the user state configured by the private network user.
Optionally, the performing access processing includes:
transmitting the access request to the access and mobility management function (AMF) module of the core network, so that the core network executes an access flow based on the access request.
Optionally, the performing the rejection processing includes:
and returning an access failure message to the access user.
In a second aspect, the present application provides a private network access control device, including:
the request receiving module is used for receiving an access request of an access user forwarded by the base station;
the identity verification module is used for verifying the access user based on the access control information configured by the private network user; wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module, and access control information input by the private network user through an interactive interface;
and the access processing module is used for executing access processing or refusing processing according to the matching condition of the access user and the access control information.
Optionally, the access control information includes a user identifier and a user state; the access processing module is specifically configured to:
if the access user is not recorded in the access control information, or the access user is recorded in the access control information and the corresponding user state is an allowed state, executing access processing;
and if the access user is recorded in the access control information and the corresponding user state is a refused state, executing refusing processing.
Optionally, the apparatus further includes:
the user synchronization unit is used for synchronizing the user identification of the private network subscriber from the core network through the northbound interface;
the identity pushing unit is used for pushing the user identification of the private network subscriber to the private network user so that the private network user configures a user state for the pushed user identification;
and the information establishing unit is used for establishing the access control information based on the user identification of the private network subscriber and the user state configured by the private network user.
Optionally, the performing access processing includes:
transmitting the access request to the access and mobility management function (AMF) module of the core network, so that the core network executes an access flow based on the access request.
Optionally, the performing the rejection processing includes:
and returning an access failure message to the access user.
In a third aspect, the present application provides an electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for performing the method according to the first aspect when executed by a processor.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic view of an application scenario provided in an example of the present application;
Fig. 2 is a schematic flow chart of a private network access control method according to a first embodiment of the present application;
Fig. 3 is a schematic flow chart of a private network access control method provided in the second embodiment of the present application;
Fig. 4 is a schematic flow chart of another private network access control method provided in the second embodiment of the present application;
Fig. 5 is a schematic application scenario diagram of a private network access control method provided in the second embodiment of the present application;
Fig. 6 is a schematic flow chart of another private network access control method provided in the second embodiment of the present application;
Fig. 7 is a schematic flow chart of a private network access control method provided in the third embodiment of the present application;
Fig. 8 is a schematic structural diagram of a private network access control device according to a fourth embodiment of the present application;
Fig. 9 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present application;
Fig. 10 is a schematic structural diagram of still another electronic device according to the fifth embodiment of the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
Fig. 1 is a schematic application scenario provided in the example of the present application. As shown in Fig. 1, private network access control is mainly used for access user management in a fifth generation mobile communication technology (5G) private network scenario. The existing 5G private network user access control method is generally implemented by sending a request from an enterprise server to the network exposure function (Network Exposure Function, NEF) network element of the 5G core network; the core network manager or the NEF network element then calls the unified data management (Unified Data Management, UDM) network element to configure the user access parameters, and the UDM issues the configured access control rules to the access and mobility management function (Access and Mobility Management Function, AMF) network element serving the private network. There is information interaction between the user equipment (UE), the radio access network (Radio Access Network, RAN) network element in the private network and the AMF; the RAN establishes a connection to the enterprise server through the user plane function (User Plane Function, UPF), and a session management function (Session Management Function, SMF) sits between the UPF and the core network to allocate IP addresses and enforce the control policy. In addition, the 5G core network is configured with an authentication server function (Authentication Server Function, AUSF) network element, a network repository function (NF Repository Function, NRF) network element and a policy control function (Policy Control Function, PCF) network element, which cooperate to realize the method. Obviously, the method can restrict the access of user equipment, i.e. the private network area is able to implement the access control rules. However, the scheme directly involves a large number of core network elements and its flow is complex, which is insufficient for enterprise clients to manage private network users independently, conveniently and efficiently.
Therefore, a corresponding device can be arranged on the private network side, between the 5G private network base station and the 5G core network AMF, for private network user management configuration. This concept enhances the autonomy and flexibility of 5G private network user management and effectively isolates private network access control from public network (operator "large network") access control. When a terminal registers through a base station in the private network, the registration signaling passes through the base station and first reaches this device for processing. The device checks the terminal against the access control rules configured by the private network client: if a rule matches, access control of the terminal is handled according to the configured rule; otherwise, the registration signaling is sent on to the 5G core network AMF for the normal 5G registration flow.
The technical solution of the present application is described in detail below with specific examples. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments. In the description of the present application, the terms are to be construed broadly in the art, unless explicitly stated or defined otherwise. Embodiments of the present application will be described below with reference to the accompanying drawings.
Example 1
Fig. 2 is a schematic flow chart of a private network access control method according to a first embodiment of the present application, as shown in fig. 2, where the method includes:
S101, receiving an access request of an access user forwarded by a base station;
S102, verifying the access user based on access control information configured by a private network user;
S103, executing access processing or refusal processing according to the matching condition of the access user and the access control information.
In practical application, the execution body of the embodiment may be an electronic device, or may be a private network access control device, a chip, a circuit, a microprocessor, or the like for executing the method, which are provided in the electronic device. In the drawings, the term "present apparatus" refers to an execution subject, if any.
Here, a private network user refers to a user who applies for private network services to fulfil personalized needs; typically, such users are enterprise clients. As an example, private network users may customize access control information according to business direction, customer identity and the like. For example, clients that are no longer in cooperation can be listed in the access control rule; when such a client accesses or registers with the enterprise's customized private network again, the access or registration is refused directly by the private network access control rule, so that personalized management and control of the private network registration rule is achieved.
The present embodiment is exemplarily described with reference to a specific application scenario. The method provided by the embodiment first receives the access request of the access user forwarded by the base station. After receiving the access request, verification and user matching are needed; specifically, the access user is verified based on access control information configured by the private network user, wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module, and access control information input by the private network user through an interactive interface. That is, the access control information can be uploaded through the user's own platform via the northbound interface, or entered directly through the provided console interface. Then, according to whether the access user matches the access control information, access processing or refusal processing is executed.
The embodiment provides a private network access control method, which comprises the following steps: receiving an access request of an access user forwarded by a base station; verifying the access user based on access control information configured by a private network user; wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobile management function module and access control information input by a private network user through an interactive interface; and executing access processing or refusing processing according to the matching condition of the access user and the access control information. Through the northbound interface or the interactive interface, the private network user can configure access control information by himself and perform access or refusal processing according to the matching condition of the access control information, thereby enhancing the autonomy and flexibility of the private network access control.
Example 2
Fig. 3 is a schematic flow chart of a private network access control method provided in the second embodiment of the present application, which is used to illustrate a specific implementation of the access processing and the rejection processing, as shown in fig. 3, on the basis of any embodiment, S103 may specifically include:
S201, if the access user is not recorded in the access control information, or the access user is recorded in the access control information and the corresponding user state is an allowed state, executing access processing;
S202, if the access user is recorded in the access control information and the corresponding user state is a refused state, executing refusal processing.
Wherein the access control information includes a user identification and a user status.
The present embodiment is exemplarily described with reference to a specific application scenario:
The access control information is a blacklist mechanism for limiting access to the private network by the listed users. If the access user matches a rule in the access control information, access control is carried out according to the private network access control rule and the access is limited; if the access user does not match, the registration signaling can be transmitted to the core network AMF for the public network ("large network") registration flow. Specifically, if the access user is not recorded in the access control information, or is recorded with a corresponding user state that is an allowed state, access processing is performed; that is, when the access user is not on the blacklist, or is on the blacklist but is currently in a state that allows private network registration, the registration of the access user may be allowed. If the access user is recorded in the access control information and the corresponding user state is a refused state, i.e. the access user is on the blacklist and is still refused access at that moment, refusal processing is executed.
The access control information mainly includes a user identifier, i.e. an international mobile subscriber identity (International Mobile Subscriber Identity, IMSI), and a user status, and may also include a user number, a slice identifier, a private network access point name (Data Network Name, DNN), and the like.
Fig. 4 is a schematic flow chart of another private network access control method according to the second embodiment of the present application, which is used to illustrate a specific implementation of the access process and the reject process. As shown in fig. 4, the performing access processing may specifically include:
S211, the access request is transmitted to the access and mobility management function module of the core network, so that the core network executes an access flow based on the access request.
Fig. 5 is a schematic application scenario diagram of a private network access control method provided in the second embodiment of the present application, which is used to illustrate the flow of the access processing. When the access user meets the condition for allowing access, the registration signaling is transmitted to the core network AMF to carry out the registration process, which can be an ordinary private network registration process. In this arrangement the enterprise server interacts directly with the execution body of the method (the device in the figure), which in turn interacts directly with the AMF, i.e. the registration signaling is passed through transparently to the core network AMF. The AMF then sends a request to the NEF network element of the 5G core network, the core network manager or the NEF network element invokes the UDM to configure the user access parameters, and the UDM issues the configured access control rule to the AMF. Through the AMF together with the execution body of the method, the access control information of the private network side and of the public network ("large network") side are kept isolated.
Fig. 6 is a schematic flow chart of another private network access control method provided in the second embodiment of the present application, which is used to illustrate a specific implementation of the access process and the reject process. As shown in fig. 6, the performing the rejection processing may specifically include:
S212, returning an access failure message to the access user.
When the access user meets the refusal condition, an access failure message is returned directly to the access user through the blacklist mechanism set by the private network access control method, and the access user is prevented from entering the core network registration flow. By setting the blacklist mechanism, a user whose access is to be rejected is isolated before entering the core network for the registration process, which reduces the processing load on the core network.
The various embodiments described in this example may be implemented alone or in combination with one another. For example, fig. 4 and 6 each show a case of a corresponding example implementation alone.
The embodiment provides a private network access control method, wherein the access control information comprises a user identifier and a user state; and executing access processing or refusing processing according to the matching condition of the access user and the access control information, wherein the method comprises the following steps: if the access user is not recorded in the access control information, or the access user is recorded in the access control information and the corresponding user state is an allowed state, executing access processing; and if the access user is recorded in the access control information and the corresponding user state is a refused state, executing refusing processing. The matching of the access control rule can be completed through the user identification and the user state, if the user is the user needing to perform access control, the isolation is completed directly through the access control rule similar to a blacklist mechanism, and the data processing capacity of the core network element is reduced.
Example 3
Fig. 7 is a schematic flow chart of a private network access control method provided in the third embodiment of the present application, as shown in fig. 7, and on the basis of any embodiment, the method further includes:
S301, synchronizing the user identification of the private network subscriber from the core network through the northbound interface;
S302, pushing the user identifier of the private network subscriber to the private network user so that the private network user configures a user state for the pushed user identifier;
S303, establishing the access control information based on the user identification of the private network subscriber and the user state configured by the private network user.
The present embodiment is exemplarily described with reference to a specific application scenario. The embodiment can synchronize private network subscriber information from the core network through an operator connection management platform. The private network subscriber information comprises the subscriber number (Mobile Subscriber International ISDN Number, MSISDN), the subscriber identifier IMSI, the private network DNN and the private network slice identifier (Single Network Slice Selection Assistance Information, S-NSSAI), and forms a local private network subscriber database; the subscriber identifier IMSI is the primary parameter of private network access control. The user identifier of the private network subscriber is pushed to the private network user so that the private network user configures a user state for it, where the state can be activation, rejection, suspension, logout and the like. Finally, the access control information is established based on the user identification of the private network subscriber and the user state configured by the private network user.
The embodiment provides a private network access control method which synchronizes the user identification of a private network subscriber from the core network through the northbound interface; pushes the user identifier of the private network subscriber to the private network user so that the private network user configures a user state for the pushed user identifier; and establishes the access control information based on the user identification of the private network subscriber and the user state configured by the private network user. The screening of valid users and the configuration of user states can be carried out from the private network subscription information recorded in the operator connection management platform, which completes the setting of the private network user access rule and enhances the autonomy and flexibility of private network access control.
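The synchronisation steps S301 to S303 and the decision of S201/S202 above, modelled together as an added Python example (not code from the patent): constructed sample subscriber records stand in for what the northbound interface returns, and treating only the "active" state as the allowed state is an assumption, since the page names suspension and logout without saying how they are matched.

```python
from dataclasses import dataclass, field
from enum import Enum


class UserState(Enum):
    """States a private network user can assign (the four named on the page)."""
    ACTIVE = "active"            # the allowed state
    REJECTED = "rejected"        # the refused state
    SUSPENDED = "suspended"
    LOGGED_OUT = "logout"


# Assumption: only ACTIVE counts as an allowed state; any other configured
# state is treated as a refused state when the request is matched.
ALLOWED_STATES = {UserState.ACTIVE}

# Constructed sample of what S301 would pull over the northbound interface.
# IMSIs use the test PLMN 001-01; they identify no real subscriber.
CORE_SUBSCRIBERS = [
    {"imsi": "001010000000001", "msisdn": "+10000000001", "dnn": "factory.pn", "s_nssai": "1-000001"},
    {"imsi": "001010000000002", "msisdn": "+10000000002", "dnn": "factory.pn", "s_nssai": "1-000001"},
    {"imsi": "001010000000003", "msisdn": "+10000000003", "dnn": "factory.pn", "s_nssai": "1-000001"},
]


@dataclass
class AccessControlDevice:
    """The device placed between the private network base station and the core AMF."""
    subscribers: dict = field(default_factory=dict)        # IMSI -> subscription record (local database)
    states: dict = field(default_factory=dict)             # IMSI -> UserState set by the private network user
    forwarded_to_amf: list = field(default_factory=list)   # registration signaling passed through (S211)

    def sync_from_core(self, records):
        """S301: synchronise private network subscribers into the local database."""
        for rec in records:
            self.subscribers[rec["imsi"]] = rec
        return sorted(self.subscribers)

    def pending_identifiers(self):
        """S302: identifiers pushed to the private network user that still lack a state."""
        return [imsi for imsi in sorted(self.subscribers) if imsi not in self.states]

    def configure_state(self, imsi, state):
        """S303: the private network user assigns a state. Unknown IMSIs are refused so
        the access control information only ever names identities the core issued."""
        if imsi not in self.subscribers:
            raise KeyError(f"{imsi} is not a synchronised private network subscriber")
        self.states[imsi] = state

    def handle_access_request(self, request):
        """S201/S202: decide on a registration request forwarded by the base station.
        Returns 'forwarded' (S211) or 'access_failure' (S212)."""
        state = self.states.get(request["imsi"])
        # Not recorded, or recorded with an allowed state: hand the signaling to the
        # core network AMF, which runs the normal registration flow (blacklist semantics:
        # an unknown terminal is not blocked here, only by the core network itself).
        if state is None or state in ALLOWED_STATES:
            self.forwarded_to_amf.append(request)
            return "forwarded"
        # Recorded with a refused state: answer the terminal directly; the core
        # network never sees this registration attempt.
        return "access_failure"


def demo():
    """Walk S301-S303, then decide four requests under S201/S202."""
    dev = AccessControlDevice()
    dev.sync_from_core(CORE_SUBSCRIBERS)
    pending = dev.pending_identifiers()
    dev.configure_state("001010000000001", UserState.ACTIVE)
    dev.configure_state("001010000000002", UserState.REJECTED)
    # ...003 is left unconfigured; ...999 was never a private network subscriber.
    decisions = {
        imsi: dev.handle_access_request({"imsi": imsi, "dnn": "factory.pn"})
        for imsi in ("001010000000001", "001010000000002",
                     "001010000000003", "001019999999999")
    }
    return pending, decisions, len(dev.forwarded_to_amf)


if __name__ == "__main__":
    print(demo())
```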
Example 4
The fourth embodiment of the application also provides a private network access control device to implement the foregoing method. Fig. 8 is a schematic structural diagram of a private network access control device according to the fourth embodiment of the present application; as shown in Fig. 8, the device includes:
a request receiving module 41, configured to receive an access request of an access user forwarded by a base station;
an identity verification module 42, configured to verify the access user based on access control information configured by the private network user; wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module, and access control information input by the private network user through an interactive interface;
and an access processing module 43, configured to perform access processing or refusal processing according to the matching situation of the access user and the access control information.
It should be noted that the illustrated device shows the case in which the examples of this embodiment are combined; in practical application the configuration is chosen according to the specific scenario, but at least the request receiving module 41, the identity verification module 42 and the access processing module 43 should be retained.
In one example, the access control information includes a user identification and a user status, and the access processing module 43 is specifically configured to:
if the access user is not recorded in the access control information, or the access user is recorded in the access control information and the corresponding user state is an allowed state, executing access processing;
and if the access user is recorded in the access control information and the corresponding user state is a refused state, executing refusing processing.
The matching of the access control rule can be completed through the user identification and the user state, if the user is the user needing to perform access control, the isolation is completed directly through the access control rule similar to a blacklist mechanism, and the data processing capacity of the core network element is reduced.
An example, the performing access processing, comprising:
and the access and mobile management function module is used for transmitting the access request to the core network, so that the core network executes an access flow based on the access request.
Through the setting of AMF and this device, the isolation of private network side and big net side access control information has been accomplished.
An example, the performing a refusal process, comprising:
and returning an access failure message to the access user.
By setting the blacklist mechanism, for the user needing to reject access, the user is isolated before entering the core network to carry out the registration process, so that the data processing capacity of the core network is reduced.
In one example, the apparatus further comprises:
a user synchronization unit 44, configured to synchronize, via the northbound interface, the user identifiers of private network subscribers from the core network;
an identifier pushing unit 45, configured to push the user identifiers of the private network subscribers to the private network user, so that the private network user configures a user state for each pushed identifier;
an information establishing unit 46, configured to establish the access control information from the user identifiers of the private network subscribers and the user states configured by the private network user.
Valid users can be screened and user states configured from the private network subscription records held in the operator's connection management platform, which completes the setting of the private network user access rules and enhances the autonomy and flexibility of private network access control.
The embodiment provides a private network access control device comprising: a request receiving module for receiving an access request of an access user forwarded by the base station; an identity verification module for verifying the access user based on the access control information configured by the private network user, wherein the access control information includes at least one of access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module and access control information input by the private network user through an interactive interface; and an access processing module for executing access processing or refusal processing according to the matching condition between the access user and the access control information. Through the northbound interface or the interactive interface the private network user can configure the access control information independently, and access or refusal processing is performed according to how the access user matches that information, which enhances the autonomy and flexibility of private network access control.
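The following is an added example that is not part of the patent text: a small Python model of the three steps described above (synchronizing subscriber identifiers over the northbound interface, pushing them to the private network user for state configuration, and establishing the access control information) together with the allow/refuse matching rule of the access processing module. It assumes, beyond what the text states, that user identifiers are opaque strings readable by the device in the forwarded request, that the northbound interface can be modelled as a plain list, and that the two outcomes are named FORWARD_TO_AMF (access processing) and REJECT (refusal processing). All identifiers and requests below are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Set


class UserState(Enum):
    ALLOWED = "allowed"
    REFUSED = "refused"


class Decision(Enum):
    FORWARD_TO_AMF = "forward_to_amf"   # access processing: pass the request through to the core network
    REJECT = "reject"                   # refusal processing: return an access failure message


@dataclass
class AccessControlInfo:
    """Access control information: user identifier -> user state.

    Entries come from the two sources named in the text: identifiers synchronised
    over the northbound interface and then given a state by the private network
    user, and entries typed in directly through the interactive interface.
    """
    entries: Dict[str, UserState] = field(default_factory=dict)
    pending: Set[str] = field(default_factory=set)   # synced and pushed, but no state configured yet

    def sync_from_core(self, subscriber_ids: Iterable[str]) -> List[str]:
        """Northbound sync (modelled as a plain list, an assumption of this example).
        Identifiers not yet known are marked pending, i.e. pushed to the private
        network user; the newly pushed identifiers are returned."""
        pushed = []
        for uid in subscriber_ids:
            if uid not in self.entries and uid not in self.pending:
                self.pending.add(uid)
                pushed.append(uid)
        return pushed

    def configure(self, uid: str, state: UserState) -> None:
        """The private network user sets a state, either for a pushed identifier or
        for one entered via the interactive interface. Only then does the identifier
        become an access control entry."""
        self.pending.discard(uid)
        self.entries[uid] = state

    def decide(self, uid: str) -> Decision:
        """Matching rule from the text: not recorded, or recorded with an allowed
        state -> access processing; recorded with a refused state -> refusal
        processing. An identifier that was synced but never configured is not an
        entry, so it falls through to access processing; the default is allow,
        which is the blacklist semantics the text describes."""
        if self.entries.get(uid) is UserState.REFUSED:
            return Decision.REJECT
        return Decision.FORWARD_TO_AMF


def handle_access_request(acl: AccessControlInfo, request: dict) -> dict:
    """Request receiving -> identity verification -> access processing, as one call.
    The request is a constructed dict; the field name "user_id" is an assumption."""
    uid = request["user_id"]
    decision = acl.decide(uid)
    if decision is Decision.REJECT:
        return {"user_id": uid, "action": decision.value, "message": "access failure"}
    return {"user_id": uid, "action": decision.value, "next_hop": "AMF"}


def build_sample_acl() -> AccessControlInfo:
    """Constructed sample: three subscribers synced from the core, two of them
    configured, plus one entry typed in through the interactive interface."""
    acl = AccessControlInfo()
    acl.sync_from_core(["sub-001", "sub-002", "sub-003"])   # constructed identifiers
    acl.configure("sub-001", UserState.ALLOWED)
    acl.configure("sub-002", UserState.REFUSED)
    acl.configure("guest-777", UserState.REFUSED)          # entered via the interactive interface
    return acl


if __name__ == "__main__":
    sample = build_sample_acl()
    for uid in ("sub-001", "sub-002", "sub-003", "unknown-9", "guest-777"):
        print(handle_access_request(sample, {"user_id": uid}))
```

Note the edge case the model makes explicit: an identifier that has been synchronized and pushed but not yet configured ("sub-003") is forwarded to the AMF exactly like an unknown user, because the rule in the text only refuses identifiers that are recorded with a refused state. An operator who wants the private network to be closed rather than blacklist-based would have to configure every synchronized identifier before relying on this device.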
Example five
Fig. 9 is a schematic structural diagram of an electronic device provided in a fifth embodiment of the present application, as shown in fig. 9, where the electronic device includes:
a processor for executing the application program code to implement the method described herein. The processor may be a general purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the present application.
As shown in fig. 9, the device may further include a memory. The memory is used for storing the application program code that implements the scheme of the application, and the processor controls its execution. The memory may be, but is not limited to, read-only memory (ROM) or another type of static storage device that can store static information and instructions, random access memory (RAM) or another type of dynamic storage device that can store information and instructions, electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer.
As shown in fig. 9, the device further includes an API interface, through which it receives requests from the user's console interface of the control device and from the enterprise's own platform, for operations such as adding, deleting and querying the device's traffic-offload PDR (packet detection rule) rules.
As shown in fig. 9, the device further includes a communication module for data communication with the base station, the 5G core network and the enterprise local server.
As shown in fig. 9, the device further includes a power module for supplying power to the device.
Fig. 10 is a schematic structural diagram of another electronic device provided in the fifth embodiment of the present application. As shown in fig. 10, the electronic device includes a processor 291 and a memory 292; it may also include a communication interface 293 and a bus 294. The processor 291, the memory 292 and the communication interface 293 communicate with each other via the bus 294. The communication interface 293 may be used for information transfer. The processor 291 may call logic instructions in the memory 292 to perform the methods of the above embodiments.
Further, the logic instructions in memory 292 described above may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product.
The memory 292 is a computer readable storage medium, and may be used to store a software program, a computer executable program, and program instructions/modules corresponding to the methods in the embodiments of the present application. The processor 291 executes functional applications and data processing by running software programs, instructions and modules stored in the memory 292, i.e., implements the methods of the method embodiments described above.
Memory 292 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created according to the use of the terminal device, etc. Further, memory 292 may include high-speed random access memory, and may also include non-volatile memory.
Embodiments of the present application also provide a computer-readable storage medium having stored therein computer-executable instructions that, when executed by a processor, are configured to implement the method described in any of the embodiments.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.
Claims (10)
1. A private network access control method, used for private network user management configuration, wherein a device for private network user management configuration is arranged on the private network side between a 5G private network base station and a 5G core network AMF, the method comprising the following steps:
receiving an access request of an access user forwarded by a base station;
verifying the access user based on access control information configured by a private network user; wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module, and access control information input by the private network user through an interactive interface;
executing access processing or refusal processing according to the matching condition between the access user and the access control information;
wherein the access control information comprises a user identifier and a user state, and executing access processing or refusal processing according to the matching condition between the access user and the access control information comprises:
if the access user is not recorded in the access control information, or the access user is recorded in the access control information and the corresponding user state is an allowed state, transparently passing registration signaling to the core network AMF to perform a private network registration procedure;
and if the access user is recorded in the access control information and the corresponding user state is a refused state, transparently passing registration signaling to the core network AMF to perform a public network registration procedure.
2. The method according to claim 1, wherein the method further comprises:
synchronizing, via the northbound interface, a user identification of a private network subscriber from a core network;
pushing a user identifier of the private network subscriber to a private network user so that the private network user configures a user state for the pushed user identifier;
and establishing the access control information based on the user identification of the private network subscriber and the user state configured by the private network subscriber.
3. The method according to claim 1 or 2, wherein transparently passing registration signaling to the core network AMF to perform a private network registration procedure comprises:
transparently passing the access request through the access and mobility management function (AMF) module to the core network, so that the core network executes an access flow based on the access request.
4. The method according to any one of claims 1-3, wherein performing refusal processing comprises:
returning an access failure message to the access user.
5. A private network access control apparatus, arranged on the private network side between a 5G private network base station and a 5G core network AMF, comprising:
a request receiving module for receiving an access request of an access user forwarded by the base station;
an identity verification module for verifying the access user based on access control information configured by a private network user; wherein the access control information includes at least one of: access control information acquired through a northbound interface connected to the access and mobility management function (AMF) module, and access control information input by the private network user through an interactive interface;
an access processing module for executing access processing or refusal processing according to the matching condition between the access user and the access control information;
wherein the access control information comprises a user identifier and a user state, and the access processing module is specifically configured to:
if the access user is not recorded in the access control information, or the access user is recorded in the access control information and the corresponding user state is an allowed state, transparently pass registration signaling to the core network AMF to perform a private network registration procedure;
and if the access user is recorded in the access control information and the corresponding user state is a refused state, transparently pass registration signaling to the core network AMF to perform a public network registration procedure.
6. The apparatus of claim 5, wherein the apparatus further comprises:
the user synchronization unit is used for synchronizing the user identification of the private network subscriber from the core network through the northbound interface;
the identity pushing unit is used for pushing the user identification of the private network subscriber to the private network user so that the private network user configures a user state for the pushed user identification;
and the information establishing unit is used for establishing the access control information based on the user identification of the private network subscriber and the user state configured by the private network subscriber.
7. The apparatus according to claim 5 or 6, wherein performing access processing comprises:
transparently passing the access request through the access and mobility management function (AMF) module to the core network, so that the core network executes an access flow based on the access request.
8. The apparatus according to claim 5 or 6, wherein performing refusal processing comprises:
returning an access failure message to the access user.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-4.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111676897.6A CN114339837B (en) | 2021-12-31 | 2021-12-31 | Private network access control method and device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114339837A CN114339837A (en) | 2022-04-12 |
CN114339837B true CN114339837B (en) | 2023-12-22 |
Family
ID=81022155
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111676897.6A Active CN114339837B (en) | 2021-12-31 | 2021-12-31 | Private network access control method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114339837B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114938508B (en) * | 2022-05-31 | 2024-09-27 | 中国联合网络通信集团有限公司 | 5G private network control method and device, electronic equipment and storage medium |
CN115484602A (en) * | 2022-09-15 | 2022-12-16 | 中国联合网络通信集团有限公司 | Single-user-level policy control method, device, base station and medium |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102791044A (en) * | 2012-07-27 | 2012-11-21 | 上海顶竹通讯技术有限公司 | Interconnecting device between private-network switch and mobile core network and interconnecting method |
CN103237342A (en) * | 2013-04-28 | 2013-08-07 | 哈尔滨工业大学 | Cross identity registration method for co-group users of time division-long term evolution-based (TD-LTE-based) public network and cluster |
CN105636006A (en) * | 2015-12-24 | 2016-06-01 | 阳光凯讯(北京)科技有限公司 | 2G/3G core network interworking method and system in condition that terminal roams to 4G special network |
KR101669165B1 (en) * | 2015-07-07 | 2016-10-25 | 주식회사 케이티 | Method for providing private network service and mobility management entity for the same |
CN109561430A (en) * | 2017-09-26 | 2019-04-02 | 大唐移动通信设备有限公司 | A kind of implementation method and equipment of public network user access private network |
CN110832909A (en) * | 2017-07-26 | 2020-02-21 | 华为技术有限公司 | Network registration method, related equipment and system |
CN110944366A (en) * | 2014-09-30 | 2020-03-31 | 华为技术有限公司 | Private network switching method, private network type notification method and device |
CN112423301A (en) * | 2020-11-02 | 2021-02-26 | 中国联合网络通信集团有限公司 | Private network registration management method and AMF network element |
CN112583628A (en) * | 2019-09-30 | 2021-03-30 | 中兴通讯股份有限公司 | Method and system for calling core network capability |
KR20210088306A (en) * | 2020-01-06 | 2021-07-14 | 삼성전자주식회사 | Method and apparatus for controlling access of a ue in a non-public mobile communication network |
CN113438647A (en) * | 2020-03-05 | 2021-09-24 | 大唐移动通信设备有限公司 | Method for accessing public network user to private network, call service processing method and equipment |
WO2021232919A1 (en) * | 2020-05-22 | 2021-11-25 | 华为技术有限公司 | Network accessing method, apparatus, and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11316855B2 (en) * | 2019-05-14 | 2022-04-26 | Verizon Patent And Licensing Inc. | Systems and methods for private network authentication and management services |
- 2021-12-31 CN CN202111676897.6A patent/CN114339837B/en active Active
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102791044A (en) * | 2012-07-27 | 2012-11-21 | 上海顶竹通讯技术有限公司 | Interconnecting device between private-network switch and mobile core network and interconnecting method |
CN103237342A (en) * | 2013-04-28 | 2013-08-07 | 哈尔滨工业大学 | Cross identity registration method for co-group users of time division-long term evolution-based (TD-LTE-based) public network and cluster |
CN110944366A (en) * | 2014-09-30 | 2020-03-31 | 华为技术有限公司 | Private network switching method, private network type notification method and device |
KR101669165B1 (en) * | 2015-07-07 | 2016-10-25 | 주식회사 케이티 | Method for providing private network service and mobility management entity for the same |
CN105636006A (en) * | 2015-12-24 | 2016-06-01 | 阳光凯讯(北京)科技有限公司 | 2G/3G core network interworking method and system in condition that terminal roams to 4G special network |
CN110832909A (en) * | 2017-07-26 | 2020-02-21 | 华为技术有限公司 | Network registration method, related equipment and system |
WO2019062384A1 (en) * | 2017-09-26 | 2019-04-04 | 大唐移动通信设备有限公司 | Method and device for public network user accessing private network |
CN109561430A (en) * | 2017-09-26 | 2019-04-02 | 大唐移动通信设备有限公司 | A kind of implementation method and equipment of public network user access private network |
CN112583628A (en) * | 2019-09-30 | 2021-03-30 | 中兴通讯股份有限公司 | Method and system for calling core network capability |
KR20210088306A (en) * | 2020-01-06 | 2021-07-14 | 삼성전자주식회사 | Method and apparatus for controlling access of a ue in a non-public mobile communication network |
CN113438647A (en) * | 2020-03-05 | 2021-09-24 | 大唐移动通信设备有限公司 | Method for accessing public network user to private network, call service processing method and equipment |
WO2021232919A1 (en) * | 2020-05-22 | 2021-11-25 | 华为技术有限公司 | Network accessing method, apparatus, and system |
CN112423301A (en) * | 2020-11-02 | 2021-02-26 | 中国联合网络通信集团有限公司 | Private network registration management method and AMF network element |
Non-Patent Citations (5)
Title |
---|
"Approved_Report_v100_SA2_112". 3GPP tsg_sa\WG2_Arch. 2016, full text. * |
Design and research of highly reliable networking for the 5G private network core network; Wang Shan; Posts and Telecommunications Design Technology (邮电设计技术); full text * |
Nokia Siemens Networks, Nokia. S2-091113 "23.402 CR0616: PDN type checking in case of S2a and S2b and S2c". 3GPP tsg_sa\WG2_Arch. 2009, (TSGS2_71_Budapest), full text. * |
Optical; Stephen French; Springer Link; full text * |
Design of a miniaturized LTE-based core network for private networks; Shi Yuxuan; China Master's Theses Full-text Database (中国优秀硕士学位论文全文数据库); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114339837A (en) | 2022-04-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111865598B (en) | Identity verification method and related device for network function service | |
CN109315004B (en) | PDU type setting method and related entity | |
CN114339837B (en) | Private network access control method and device, electronic equipment and storage medium | |
CN110214459A (en) | The method and apparatus of business processing | |
EP3644556B1 (en) | Alias management method and device | |
CN110291837A (en) | Network registry and network slice selection system and method | |
CN110493184B (en) | Method and device for processing login page in client and electronic device | |
CN112997518B (en) | Security management in a disaggregated base station in a communication system | |
CN110049031B (en) | Interface security authentication method, server and authentication center server | |
EP3648512A1 (en) | Method for processing session in wireless communication, and terminal device | |
CN112637819A (en) | Service opening method and device in converged network | |
CN112262613B (en) | Method and apparatus for operating a network gateway service in a service-based telecommunications system | |
CN114302481A (en) | Slice selection method, MEP, application server, device and computer readable medium | |
CN109729139A (en) | Access request retransmission method, device, equipment and readable storage medium storing program for executing | |
RU2502225C2 (en) | Service processing method, communication system and corresponding devices | |
CN113541981B (en) | Member management method and system for network slice | |
CN107343285B (en) | Management equipment and equipment management method | |
RU2447613C2 (en) | Method for service processing, communication system and associated device | |
ES2342171T3 (en) | SYNCHRONIZATION OF DATABASE. | |
KR102358371B1 (en) | Platform system for controlling vertical service in mobile network and controlling method thereof | |
EP3316608A1 (en) | A communication network and a method for establishing non-access stratum connections in a communication network | |
KR20230017311A (en) | Method, apparatus and system for determining user plane security enforcement information | |
CN116249226B (en) | Method and device for accessing terminal to network and communication system | |
CN112153580A (en) | Method, equipment and system for setting MCPTT group | |
CN115103423B (en) | Service information determining method, device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||