CN114630311A - Data network re-authentication method, device, equipment and readable storage medium - Google Patents

Info

Publication number: CN114630311A
Application number: CN202011460759.XA
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 陈旭, 王丹, 王珂
Assignees (original and current): China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Prior art keywords: authentication, terminal, data network, network, message

Classifications

    • H04W 8/18 (H04 Electric communication technique; H04W Wireless communication networks; H04W 8/00 Network data management): Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; transfer of user or subscriber data
    • H04W 12/06 (H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity): Authentication
Abstract

The embodiments of the application provide a data network re-authentication method, apparatus, device and readable storage medium. The method comprises: receiving a first message indicating that an authentication server requires data network re-authentication of a terminal; determining the access management network element of the terminal from the user's session management context; and sending a second message for the data network re-authentication to the terminal through that access management network element. The embodiments adapt to a change of the UE's access network and allow the UE to complete re-authentication while residing in either core network (EPC or 5GC).

Description

Data network re-authentication method, device, equipment and readable storage medium
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a data network re-authentication method, a device, equipment and a readable storage medium.
Background
A fifth generation mobile communication technology (5G) operator provides proprietary, differentiated and quality-guaranteed private network services to vertical-industry customers through the network slicing and Non-Public Network (NPN) features defined for 5G networks.
A vertical-industry customer deploys a registration server in the Data Network (DN), an application server that provides application service to registered users, and an authentication server that performs data network authentication of the user. As shown in fig. 1, the DN-AAA server sits in the external data network and performs secondary authentication of a 5G subscriber using the data service.
Differences between 5G and fourth generation mobile communication technology (4G) data network authentication: given the differences between 5G and 4G in security requirements, session management and algorithm flexibility, 5G changes the data network authentication feature in several ways: (1) algorithm: Password Authentication Protocol (PAP) / Challenge Handshake Authentication Protocol (CHAP) is replaced by the Extensible Authentication Protocol (EAP); (2) authentication procedure: a single submission of user name and password is replaced by multiple exchanges, and the DN-AAA server may itself initiate requests; (3) protection of the authentication information: encryption of the information element (IE) is replaced by application-layer security; (4) timing: authentication during the attach procedure when the default bearer is established is replaced by authentication when the Protocol Data Unit (PDU) session is established; (5) re-authentication is supported, i.e. authentication can be run again after the PDU session has been established.
The basic re-authentication flow is: (1) the DN-AAA server decides to re-authenticate the user and sends a re-authentication request to the Session Management Function (SMF), or the SMF decides to initiate re-authentication itself according to its own conditions; (2) the SMF instructs the terminal to authenticate again; (3) the DN-AAA server sends the authentication result to the terminal through the SMF; (4) the SMF receives the authentication result and performs the follow-up processing (for example, on authentication failure, releasing the related PDU session).
Because of network coverage, a user who attached in 5G may later move to 4G. The standard does not define what happens when, after the user has moved into 4G, the 5G session management network element receives a re-authentication request from the DN-AAA, or itself decides to re-authenticate the user.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method, an apparatus, a device and a readable storage medium for data network re-authentication, which solve the problem of how to perform data network re-authentication when the terminal has moved between the 4G and 5G networks.
In a first aspect, a method for re-authenticating a data network is provided, which is performed by a first network element, and includes:
receiving a first message indicating that an authentication server requires data network re-authentication for a terminal;
determining an access management network element of the terminal according to the session management context of the user;
and issuing a second message aiming at the data network re-authentication to the terminal through an access management network element.
Optionally, the determining, according to the session management context of the user, an access management network element of the terminal includes:
determining the mobile network system in which the terminal is located according to the access network type and/or the radio access technology type in the session management context;
and determining the identifier/address of the access management network element that provides mobility management for the terminal according to the identifier/address of the serving node of that mobile network system.
Optionally, the method further comprises:
determining an authentication mode of re-authentication according to the subscription data of the terminal, the interface protocol of the mobile network system where the terminal is located and the authentication server and the first message;
and determining the second message according to the mobile network system of the terminal and the authentication mode.
Optionally, the second message instructs the terminal to report authentication information corresponding to the data network, where the authentication information includes: a terminal identification of the data network authentication and/or verification information of the data network authentication.
Optionally, the method further comprises:
receiving a re-authentication result of the data network of the terminal sent by an authentication server, wherein the re-authentication result comprises: authentication is successful or failed;
and sending the re-authentication result to the terminal.
Optionally, the method further comprises:
and if the re-authentication result is authentication failure, sending a third message to the terminal, wherein the third message instructs the terminal to release the session or to release the packet data network (PDN) connection, the third message carries a cause value and a timer, and the cause value indicates data network authentication failure.
Optionally, the method further comprises:
when a Protocol Data Unit (PDU) session or PDN connection is established, checking the mapping relation between a Data Network Name (DNN) of the terminal and an Access Point Name (APN);
when DNN is authorized, data network authentication is not initiated for PDN connection related to the mapped APN, and PDN connection establishment is allowed;
when APN is authorized, data network authentication is not initiated for the mapped DNN related PDU session, and PDU session establishment is allowed.
In a second aspect, a data network re-authentication method is provided, which is executed by a terminal and includes:
receiving a second message for re-authentication of the data network of the terminal, which is issued by a first network element through an access management network element, wherein the second message indicates the terminal to report authentication information corresponding to the data network, and the authentication information includes: the terminal identification of the data network authentication and/or the verification information of the data network authentication;
reporting the authentication information to an authentication server according to the second message;
receiving a re-authentication result sent by the authentication server, wherein the re-authentication result comprises: authentication is successful or authentication fails.
Optionally, the verification information is used to perform data network authentication on a DNN of the terminal, or perform data network authentication on an APN having a mapping relationship with the DNN.
Optionally, the method further comprises:
and if the re-authentication result is authentication failure, receiving a third message, wherein the third message indicates the terminal to release the session or PDN connection, the third message carries a reason value and a timer, and the reason value indicates data network authentication failure.
Optionally, the method further comprises:
and releasing all PDU sessions associated with the DNN corresponding to the session or all PDN connections associated with the APN corresponding to the PDN connection.
Optionally, if the terminal receives the third message from a fifth generation mobile communication technology (5G) network, then according to the cause value and the timer it does not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires; and, through the mapping between DNN and APN, after the terminal moves into a fourth generation mobile communication technology (4G) network it does not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires;
if the terminal receives the third message from the 4G network, then according to the cause value and the timer it does not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires; and, through the mapping between DNN and APN, after the terminal moves into the 5G network it does not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires.
In a third aspect, a data network re-authentication method is provided, which is executed by an authentication server, and includes:
when a data network re-authentication request needs to be initiated for a terminal, selecting the converged SMF that provides session management service for the Data Network Name (DNN) of the terminal;
sending a data network re-authentication request for the terminal to the converged SMF;
receiving, from the converged SMF, the authentication information corresponding to the data network reported by the terminal;
re-authenticating the terminal for the data network according to the authentication information to obtain a re-authentication result, wherein the re-authentication result comprises: authentication successful or authentication failed;
and sending the re-authentication result for the terminal to the converged SMF.
Optionally, the method further comprises:
querying the address of the home Unified Data Management (UDM) of the terminal through the Network Repository Function (NRF);
and, according to the home UDM address, querying the home UDM for the SMF that provides session management service for the DNN of the terminal.
Optionally, the method further comprises:
pre-storing authentication information corresponding to the terminal and the data network, wherein the authentication information is used for carrying out data network authentication on DNN of the terminal or carrying out data network authentication on APN mapped by the DNN; the authentication information includes: a terminal identification of the data network authentication and/or verification information of the data network authentication.
In a fourth aspect, a data network re-authentication apparatus is provided, which is applied to a first network element, and includes:
a first receiving module, configured to receive a first message, where the first message indicates that an authentication server requires data network re-authentication for a terminal;
a first determining module, configured to determine an access management network element of the terminal according to a session management context of a user;
and the first sending module is used for sending a second message aiming at the data network re-authentication to the terminal through the access management network element.
In a fifth aspect, a data network re-authentication apparatus is provided, which is applied to a terminal, and includes:
a third receiving module, configured to receive a second message, which is issued by a first network element through an access management network element and is directed to re-authentication of a data network of the terminal, where the second message indicates the terminal to report authentication information corresponding to the data network, and the authentication information includes: the terminal identification of the data network authentication and/or the verification information of the data network authentication;
the fourth sending module is used for reporting the authentication information to an authentication server according to the second message;
a fourth receiving module, configured to receive a re-authentication result sent by the authentication server, where the re-authentication result includes: authentication is successful or authentication fails.
In a sixth aspect, a data network re-authentication apparatus is provided, which is applied to an authentication server, and includes:
a selection module, configured to select, when a data network re-authentication request needs to be initiated for the terminal, the converged SMF that provides session management service for the DNN of the terminal;
a fifth sending module, configured to send a data network re-authentication request for the terminal to the converged SMF;
a sixth receiving module, configured to receive, from the converged SMF, the authentication information corresponding to the data network reported by the terminal;
a re-authentication module, configured to re-authenticate the terminal for the data network according to the authentication information to obtain a re-authentication result, wherein the re-authentication result comprises: authentication successful or authentication failed;
a sixth sending module, configured to send the re-authentication result for the terminal to the converged SMF.
In a seventh aspect, a terminal is provided, including: a processor, a memory and a program stored on the memory and executable on the processor, which program, when executed by the processor, carries out the steps of the method according to the second aspect.
In an eighth aspect, a network side device is provided, which includes: a processor, a memory and a program stored on the memory and executable on the processor, which program, when executed by the processor, performs the steps of the method according to the first or third aspect.
A ninth aspect provides a readable storage medium having a program stored thereon, which when executed by a processor implements steps comprising a method as described in the first or second or third aspect.
In the embodiment of the application, the change of the access network of the UE can be adapted, and the UE is supported to reside in different core networks (EPC or 5GC) to complete re-authentication.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic diagram of 5G network interworking with a data network;
FIG. 2 is a flowchart illustrating a data network re-authentication method according to an embodiment of the present invention;
FIG. 3 is a second flowchart of a data network re-authentication method according to an embodiment of the present application;
fig. 4 is a third flowchart of a data network re-authentication method in the embodiment of the present application;
FIG. 5 is a fourth flowchart illustrating a data network re-authentication method according to an embodiment of the present invention;
FIG. 6 is a fifth flowchart of a data network re-authentication method in an embodiment of the present application;
fig. 7 is a sixth flowchart of a data network re-authentication method in an embodiment of the present application;
fig. 8 is one of the structural diagrams of the data network re-authentication apparatus in the embodiment of the present application;
fig. 9 is a second block diagram of the data network re-authentication apparatus according to the embodiment of the present application;
fig. 10 is a third block diagram of a data network re-authentication apparatus according to an embodiment of the present invention;
fig. 11 is a structural diagram of a terminal in the embodiment of the present application;
fig. 12 is a block diagram of an authentication server in the embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "comprises," "comprising," or any other variation thereof, in the description and claims of this application, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Furthermore, the use of "and/or" in the specification and claims means that at least one of the connected objects, such as a and/or B, means that three cases, a alone, B alone, and both a and B, exist.
In the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
It is noted that the techniques described in the embodiments of the present application are not limited to Long Term Evolution (LTE)/LTE-Advanced (LTE-a) systems, but may also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency Division Multiple Access (SC-FDMA), and other systems. The terms "system" and "network" in the embodiments of the present application are often used interchangeably, and the described techniques can be used for both the above-mentioned systems and radio technologies, as well as for other systems and radio technologies. However, the following description describes a New Radio (NR) system for purposes of example, and NR terminology is used in much of the description below, although the techniques may also be applied to applications other than NR system applications, such as 6th Generation (6G) communication systems.
Referring to fig. 2, the method may be executed by a first network element (also called a converged network element). The first network element supports the service flows and processing logic of both fourth generation (4G) and fifth generation (5G) mobile communication technology and supports interworking between the 4G and 5G networks; an example is a converged Session Management Function (SMF) of the 5G network that also has the capability of the PDN Gateway control plane (PGW-C) of the 4G core network. When a 5G user attaches and establishes a session in 5G and then moves to the 4G network, the session management entity is not replaced, so service continuity is maintained; likewise, when a 4G user attaches and establishes a session in 4G and then moves to the 5G network, the session management entity is not replaced. The method comprises step 201, step 202 and step 203.
Step 201: receiving a first message indicating that an authentication server requires data network re-authentication for a terminal;
In this embodiment, a unified interface can be used between the first network element and the authentication server: it carries both 4G and 5G authentication information and does not distinguish the user's access mode. The first network element may record the data network authentication state of the UE per Data Network Name (DNN) / Access Point Name (APN).
Step 202: determining an access management network element of the terminal according to the session management context of the user;
Optionally, the mobile network system in which the terminal is located (for example, whether it is 5G or 4G) is determined from the access network type and/or the radio access technology type in the session management context, and the identifier/address of the access management network element that provides mobility management for the terminal is determined from the identifier/address of the serving node of the network in which the terminal is located.
For example, access network types include the Next Generation Radio Access Network (NG-RAN) and the Evolved Universal Terrestrial Radio Access Network (E-UTRAN); radio access technology (RAT) types include New Radio (NR) and Evolved Universal Terrestrial Radio Access (EUTRA).
It can be understood that two identifiers/addresses may be present, one active and the other inactive, and the active one is selected. Equivalently, the identifier/address of the Access and Mobility Management Function (AMF) of the 5G core network is selected when the access network is a 5G network, and the identifier/address of the Mobility Management Entity (MME) of the 4G core network is selected when it is a 4G network.
TABLE 1 Enumeration AccessType

Enumeration value    Description
"3GPP_ACCESS"        3GPP access
"NON_3GPP_ACCESS"    Non-3GPP access

TABLE 2 Enumeration RatType

(The body of Table 2 is an image on the source page, Figure BDA0002831565760000091, and its values are not reproduced here; the RAT types named in the text are NR and EUTRA.)
Step 203: and issuing a second message aiming at the data network re-authentication to the terminal through an access management network element.
In an embodiment of the present application, the method further includes: determining an authentication mode of re-authentication according to the subscription data of the terminal, the interface protocol of the mobile network system where the terminal is located and the authentication server and the first message; and determining the second message according to the mobile network system of the terminal and the authentication mode.
Optionally, the second message instructs the terminal to report authentication information corresponding to the data network, where the authentication information includes: a terminal identification of the data network authentication and/or verification information of the data network authentication.
Optionally, the data network is indicated by a DNN or APN. Or may be indicated by an identifier corresponding to a session established by the user in the Data Network or a Packet Data Network (PDN) connection.
For example, a Protocol Data Unit (PDU) session ID may be associated with a DNN requested when a session is established in a 5G network. The PDN connection ID may be associated to an APN requested at PDN connection setup by the 4G network.
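The following is an added example (not code from the patent, from China Mobile, or from any 3GPP implementation) of how a converged SMF could carry out steps 201 to 203: pick 5G or 4G from the RAT type in the session context, resolve the AMF or MME from it, choose the authentication mode from the subscription, the interface protocol towards the DN-AAA and the first message, and build the second message keyed by PDU session ID + DNN or PDN connection + APN. The field names, the message layout, and the rule used to pick the authentication method (the method must be permitted by both subscription and interface, and a method named by the DN-AAA wins if permitted) are assumptions of this example; the page only says these inputs are used.

```python
"""Converged SMF (SMF+PGW-C) side of data network re-authentication.

Added example modelling steps 201-203. Field names, the message layout and
the method-selection rule are assumptions of this example, not the patent's
or 3GPP's definitions.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

RAT_NR, RAT_EUTRA = "NR", "EUTRA"          # RAT types named on the page


@dataclass
class SessionContext:
    """Session management context the converged SMF keeps for one UE session.
    Both a 5GC node (AMF) and an EPC node (MME) may be recorded after an
    inter-system move; the RAT type says which one currently serves the UE."""
    supi: str
    dnn: str                   # data network name used in 5GC
    apn: str                   # APN the DNN maps to in EPC
    pdu_session_id: int        # 5GC identifier of the session
    pdn_connection_id: int     # EPC identifier of the mapped PDN connection
    rat_type: str
    amf_addr: Optional[str] = None
    mme_addr: Optional[str] = None


def mobile_system(ctx: SessionContext) -> str:
    """Step 202, first part: 5G or 4G, decided from the RAT type in the context."""
    if ctx.rat_type == RAT_NR:
        return "5G"
    if ctx.rat_type == RAT_EUTRA:
        return "4G"
    raise ValueError(f"unsupported RAT type {ctx.rat_type!r}")


def resolve_access_management_node(ctx: SessionContext) -> Tuple[str, str]:
    """Step 202, second part: (kind, address) of the node doing mobility
    management: the AMF in 5G, the MME in 4G. A stale address for the other
    system is ignored even though it is still present in the context."""
    if mobile_system(ctx) == "5G":
        if not ctx.amf_addr:
            raise LookupError("UE is in 5G but no AMF is recorded")
        return "AMF", ctx.amf_addr
    if not ctx.mme_addr:
        raise LookupError("UE is in 4G but no MME is recorded")
    return "MME", ctx.mme_addr


def select_auth_method(subscribed: Set[str], interface_methods: Set[str],
                       requested: Optional[str]) -> str:
    """Assumed rule for the authentication mode: it must be permitted by the
    UE's subscription data and by the interface protocol towards the DN-AAA;
    a method named by the DN-AAA in the first message is used if permitted.
    Disagreement raises instead of silently downgrading to a weaker method."""
    allowed = subscribed & interface_methods
    if not allowed:
        raise PermissionError("no authentication method acceptable to both sides")
    if requested is not None:
        if requested not in allowed:
            raise PermissionError(f"requested method {requested!r} not permitted")
        return requested
    for method in ("EAP", "CHAP", "PAP"):    # prefer EAP when nothing is requested
        if method in allowed:
            return method
    return sorted(allowed)[0]


def build_second_message(ctx: SessionContext, method: str) -> dict:
    """Step 203: the message relayed to the UE via the AMF or MME. It identifies
    the data network by PDU session ID + DNN in 5G, or by PDN connection +
    APN in 4G, and instructs the UE to report its DN identity and credential."""
    node_kind, node_addr = resolve_access_management_node(ctx)
    msg = {"type": "DN_REAUTH", "method": method, "via": node_kind,
           "via_addr": node_addr, "report": ["dn_user_id", "dn_credential"]}
    if mobile_system(ctx) == "5G":
        msg.update(system="5G", pdu_session_id=ctx.pdu_session_id, dnn=ctx.dnn)
    else:
        msg.update(system="4G", pdn_connection_id=ctx.pdn_connection_id, apn=ctx.apn)
    return msg


def handle_first_message(ctx: SessionContext, first_msg: dict,
                         subscribed: Set[str], interface_methods: Set[str]) -> dict:
    """Steps 201-203 end to end: first message in, second message out."""
    if first_msg.get("type") != "DN_REAUTH_REQUEST" or first_msg.get("supi") != ctx.supi:
        raise ValueError("first message does not match this session context")
    method = select_auth_method(subscribed, interface_methods, first_msg.get("method"))
    return build_second_message(ctx, method)
```

The point worth keeping from this sketch is that the routing decision is driven by the RAT type in the context, not by which address happens to be present: after a 5G to 4G move both the AMF and the MME address can still be in the context, and sending the second message to the stale one would silently strand the re-authentication.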
In an embodiment of the present application, the method further includes: receiving a re-authentication result of the data network of the terminal sent by an authentication server, wherein the re-authentication result comprises: authentication is successful or failed; and sending the re-authentication result to the terminal.
In an embodiment of the present application, the method further includes:
and if the re-authentication result is authentication failure, sending a third message to the terminal, wherein the third message indicates the terminal to release the session or PDN connection, the third message carries a reason value and a timer, and the reason value indicates data network authentication failure.
In this embodiment, after re-authentication fails, the first network element (for example, the converged SMF) instructs the UE to release the PDU sessions related to the DNN, or the PDN connections, itself. This avoids the situation in which, if the release were initiated from the network side, several first network elements (converged SMFs), each managing a different PDU session/PDN connection of the UE's DNN, would all initiate session or PDN connection release for the UE at the same time.
In an embodiment of the present application, the method further includes:
when a PDU session or PDN connection is established, checking the mapping relation between the DNN and the APN of the terminal;
when DNN is authorized, data network authentication is not initiated for PDN connection related to the mapped APN, and PDN connection establishment is allowed;
when APN is authorized, data network authentication is not initiated for the mapped DNN related PDU session, and PDU session establishment is allowed.
In this embodiment, the first network element (converged SMF) may associate the DNN/APN authentication result, and the PDU session/PDN connection for which the DN is authorized is established without authentication.
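An added example (not the patent's or any vendor's code) of the association described above on the converged SMF: the authentication result is recorded once per UE and data network, keyed by the DNN, so a PDN connection for the mapped APN or a PDU session for the mapped DNN is established without a new DN authentication, and a failed re-authentication revokes both names together and yields the third message with cause value and timer. The one-to-one mapping table, the cause value string and the timer length are assumptions.

```python
"""Converged SMF: sharing the data network authorization across DNN and APN.

Added example, not the patent's code. Mapping table, cause value and timer
length are assumptions.
"""
from typing import Dict, Set, Tuple

DN_AUTH_FAILED = "DN_AUTH_FAILED"   # assumed cause value carried in the third message


class DnAuthorizationRegistry:
    def __init__(self, dnn_to_apn: Dict[str, str], backoff_seconds: int = 300):
        self._dnn_to_apn = dict(dnn_to_apn)
        self._apn_to_dnn = {apn: dnn for dnn, apn in dnn_to_apn.items()}
        if len(self._apn_to_dnn) != len(self._dnn_to_apn):
            raise ValueError("DNN<->APN mapping must be one-to-one")
        self._backoff = backoff_seconds
        self._authorized: Set[Tuple[str, str]] = set()      # (supi, dnn)

    def canonical_dnn(self, name: str, system: str) -> str:
        """Map the DNN (5G) or APN (4G) of a request to the DNN it is associated with."""
        if system == "5G" and name in self._dnn_to_apn:
            return name
        if system == "4G" and name in self._apn_to_dnn:
            return self._apn_to_dnn[name]
        raise KeyError(f"no DNN/APN mapping for {name!r} in {system}")

    def needs_dn_authentication(self, supi: str, name: str, system: str) -> bool:
        """Called when a PDU session (5G) or PDN connection (4G) is being
        established. False when the DNN, or the APN it maps to, is authorized."""
        return (supi, self.canonical_dnn(name, system)) not in self._authorized

    def record_result(self, supi: str, name: str, system: str, success: bool) -> None:
        key = (supi, self.canonical_dnn(name, system))
        if success:
            self._authorized.add(key)
        else:
            self._authorized.discard(key)   # failure revokes the DNN and its APN together

    def third_message(self, supi: str, name: str, system: str) -> dict:
        """Built after a failed re-authentication: tells the UE to release the
        session/PDN connection itself, with cause value and timer, so that
        several converged SMFs do not all initiate the release for the same DNN."""
        self.record_result(supi, name, system, success=False)
        msg = {"type": "DN_RELEASE", "cause": DN_AUTH_FAILED,
               "timer": self._backoff, "system": system}
        msg["dnn" if system == "5G" else "apn"] = name
        return msg
```

The registry is keyed by UE as well as by DNN: authorization obtained by one subscriber must never let another subscriber's PDN connection to the mapped APN skip authentication, which is why the lookup in `needs_dn_authentication` includes the SUPI.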
In the embodiment of the application, the change of the access network of the UE can be adapted, and the UE is supported to reside in different core networks (EPC or 5GC) to complete re-authentication.
Referring to fig. 3, an embodiment of the present application provides a data network re-authentication method, where an execution subject of the method may be a terminal, and the method includes the specific steps of: step 301-step 303.
Step 301: receiving a second message for re-authentication of the data network of the terminal, which is issued by a first network element through an access management network element, wherein the second message indicates the terminal to report authentication information corresponding to the data network, and the authentication information includes: the terminal identification of the data network authentication and/or the verification information of the data network authentication;
step 302: reporting the authentication information to an authentication server according to the second message;
step 303: receiving a re-authentication result sent by the authentication server, wherein the re-authentication result comprises: authentication is successful or authentication fails.
In this embodiment of the present application, the verification information is used to perform data network authentication on a DNN of the terminal, or perform data network authentication on an APN having a mapping relationship with the DNN.
In an embodiment of the present application, the method further includes:
and if the re-authentication result is authentication failure, receiving a third message, wherein the third message indicates the terminal to release the session or PDN connection, the third message carries a reason value and a timer, and the reason value indicates data network authentication failure.
In an embodiment of the present application, the method further includes:
and releasing all PDU sessions associated with the DNN corresponding to the session or all PDN connections associated with the APN corresponding to the PDN connection.
In this embodiment, if the terminal receives the third message from 5G, then according to the cause value and the timer it does not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires; and, through the mapping between DNN and APN, after the terminal moves into 4G it does not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires.
If the terminal receives the third message from 4G, then according to the cause value and the timer it does not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires; and, through the mapping between DNN and APN, after the terminal moves into 5G it does not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires.
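An added example (not the patent's code) of the terminal-side behaviour described above: on a release whose cause value is data network authentication failure, the UE drops every PDU session of that DNN (in 5G) or every PDN connection of that APN (in 4G), starts the timer, and until it expires refuses to request the DNN in 5G and, through the DNN-APN mapping, the APN in 4G, whichever system it has moved into. The message fields, the cause value and the mapping are assumptions; the clock is injected so the timer can be exercised without waiting.

```python
"""UE side: third message handling and cross-system back-off.

Added example, not the patent's code. Cause value, message fields and the
DNN<->APN mapping are assumptions.
"""
import time
from typing import Callable, Dict, Set, Tuple

DN_AUTH_FAILED = "DN_AUTH_FAILED"


class UeDataNetworkState:
    def __init__(self, dnn_to_apn: Dict[str, str],
                 now: Callable[[], float] = time.monotonic):
        self._dnn_to_apn = dict(dnn_to_apn)
        self._apn_to_dnn = {apn: dnn for dnn, apn in dnn_to_apn.items()}
        self._now = now
        self._blocked_until: Dict[str, float] = {}          # keyed by DNN
        self._sessions: Dict[int, Tuple[str, str]] = {}     # id -> (system, dnn)

    def _dnn_of(self, name: str, system: str) -> str:
        if system == "5G" and name in self._dnn_to_apn:
            return name
        if system == "4G" and name in self._apn_to_dnn:
            return self._apn_to_dnn[name]
        raise KeyError(f"unknown {'DNN' if system == '5G' else 'APN'} {name!r}")

    def may_request(self, name: str, system: str) -> bool:
        """True if a PDU session (5G) / PDN connection (4G) request for this
        DNN/APN is allowed now; an expired timer is cleared on the way."""
        dnn = self._dnn_of(name, system)
        until = self._blocked_until.get(dnn)
        if until is None:
            return True
        if self._now() >= until:
            del self._blocked_until[dnn]
            return True
        return False

    def establish(self, session_id: int, name: str, system: str) -> bool:
        """Record an established session; refused while the DN is backed off."""
        if not self.may_request(name, system):
            return False
        self._sessions[session_id] = (system, self._dnn_of(name, system))
        return True

    def handle_third_message(self, msg: dict) -> Set[int]:
        """Release all sessions of the named DNN/APN in the system the message
        came from, start the timer, and return the released session ids.
        Any other cause is not a DN authentication failure and is rejected here."""
        if msg.get("type") != "DN_RELEASE" or msg.get("cause") != DN_AUTH_FAILED:
            raise ValueError("not a data network authentication failure release")
        system = msg["system"]
        name = msg["dnn"] if system == "5G" else msg["apn"]
        dnn = self._dnn_of(name, system)
        released = {sid for sid, (sys_, d) in self._sessions.items()
                    if sys_ == system and d == dnn}
        for sid in released:
            del self._sessions[sid]
        self._blocked_until[dnn] = self._now() + float(msg["timer"])
        return released
```

Keying the back-off by the canonical DNN rather than by the literal name received is what makes the timer survive the move between systems: the 4G request for the APN and the 5G request for the DNN both resolve to the same entry.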
In the embodiment of the application, the change of the access network of the UE can be adapted, and the UE is supported to reside in different core networks (EPC or 5GC) to complete the re-authentication.
Referring to fig. 4, an embodiment of the present application provides a data network re-authentication method, where the execution subject of the method may be an authentication server, and the method includes steps 401 to 405:
Step 401: when a data network re-authentication request needs to be initiated for a terminal, selecting a converged SMF that provides session management service for the DNN of the terminal;
Step 402: sending a data network re-authentication request for the terminal to the converged SMF;
Step 403: receiving, from the converged SMF, the authentication information corresponding to the data network reported by the terminal;
Step 404: re-authenticating the data network of the terminal according to the authentication information to obtain a re-authentication result, where the re-authentication result includes: authentication successful or authentication failed;
Step 405: sending the re-authentication result for the terminal to the converged SMF.
In an embodiment of the present application, the method further includes: querying the home Unified Data Management (UDM) address of the terminal through the Network Repository Function (NRF); and, according to the home UDM address, querying the home UDM for the SMF that provides session management service for the DNN of the terminal.
In an embodiment of the present application, the method further includes: pre-storing authentication information corresponding to the terminal and the data network, where the authentication information is used to perform data network authentication on the DNN of the terminal or on the APN (access point name) mapped from the DNN; the authentication information includes: a terminal identifier for data network authentication and/or verification information for data network authentication.
In this embodiment of the application, a change of the UE's access network is accommodated, and the UE is supported in completing re-authentication while residing in different core networks (EPC or 5GC).
The following describes embodiments of the present application in conjunction with scenario 1, scenario 2, and scenario 3.
Scenario 1: the DN-AAA (authentication server) initiates re-authentication, the converged SMF directs the user to re-authenticate in 5G, and the re-authentication succeeds.
Referring to fig. 5, the UE configures one set of authentication information for a DNN/APN pair with a mapping relationship (handover allowed), and the DN-AAA may maintain one set of authentication information for the same UE. This simplifies the UE and DN-AAA implementations, since authentication information is maintained per user rather than per access network.
In the embodiment of the application, the UE and the DN-AAA configure a set of authentication information.
Specifically, the UE configures one set of authentication information for the DNN/APN pair with a mapping relationship (handover allowed), without distinguishing whether the user accesses from 4G or 5G. A user can configure one set of verification information for a DNN subscribed in 5G; the user uses this set of verification information for data network authentication of the DNN corresponding to the data application, and the same set is also used for data network authentication of the data application corresponding to the 4G APN mapped from the DNN.
Step 1: the UE attaches to 4G, initiates a PDN connection establishment procedure, and completes data network authentication of APN1 in the 4G network.
After attaching to 4G, the UE reports its network authentication capability. The converged SMF acquires the user subscription and determines that APN1 requires authentication. The converged SMF acquires the verification information for APN1 from the UE and initiates an authentication request to the authentication server. The DN-AAA authenticates according to the stored authentication information of the UE and, after the verification passes, allows the user to establish the PDN connection for APN1. The converged SMF records the APN1 authentication result/authorization status of the UE (success); an APN that has not been authenticated is recorded as unauthorized. The DN-AAA records the converged SMF address that initiated the authentication request, records the user identifier (which may also include session information), and records the authentication result/authorization status of the UE (success).
Step 2: the UE moves into 5G;
The PDN connection established in 4G is handed over to 5G, and the converged SMF learns that the UE has moved into 5G. The UE subsequently initiates a new PDU session establishment request for DNN1 to the SMF in the 5G network. The converged SMF checks that DNN1 of the UE has a mapping relationship with APN1 and that APN1 is authorized, so it does not initiate data network authentication, allows the PDU session to be established, and executes the subsequent session establishment procedure.
Step 3: the DN-AAA decides to initiate re-authentication for the UE;
The DN-AAA decides to re-authenticate and selects an SMF that provides session management service for the DNN of the UE.
Mode 1: according to the converged SMF address saved during data network authentication. (The user needs to perform data network authentication when establishing a PDU session for a DNN for the first time; in this process the authentication server records the authentication identifier of the UE, the authentication result (whether authenticated and authorized), and the address of the converged SMF that initiated the authentication request.)
Mode 2: the DN-AAA queries the home UDM address of the user through the NRF, and then queries the home UDM for the SMFs that provide session management service for that DNN of the user; if several are found, one SMF is selected.
Step 4: the DN-AAA sends a re-authentication request to the converged SMF, carrying the UE identifier;
Step 5: the converged SMF determines the access management network element of the UE, namely the AMF in the 5G network, according to the session management context of the UE;
Step 6: the converged SMF selects a re-authentication mode according to the subscription data of the terminal, the interface protocol with the authentication server, and the received re-authentication request;
The converged SMF checks that the user is in the 5G network and decides to adopt the authentication mode of the 5G network.
Step 7: the converged SMF sends re-authentication information to the UE through the AMF, instructing the UE to report the authentication information for data network authentication;
The converged SMF receives the re-authentication request, checks that the user is in 5G, and decides to adopt the EAP authentication mode. It addresses the AMF according to the user identifier and delivers an EAP authentication message to the UE through the AMF.
Step 8: the re-authentication message exchange is executed;
The UE receives the EAP authentication message, interacts with the DN-AAA, and completes the re-authentication. The DN-AAA issues the re-authentication result.
Step 9: the DN-AAA sends the re-authentication result (success) to the converged SMF;
Step 10: the converged SMF records that the UE has successfully re-authenticated for DNN1, and authorizes the UE to establish a session for DNN1 or a PDN connection for the APN1 mapped from DNN1;
Step 11: the converged SMF sends the re-authentication result to the UE through the AMF.
Scenario 2: the DN-AAA initiates re-authentication, the converged SMF directs the user to re-authenticate in 4G, and the re-authentication succeeds.
Referring to fig. 6, the UE configures one set of authentication information for a DNN/APN pair with a mapping relationship (handover allowed), and the DN-AAA may maintain one set of authentication information for the same UE.
Step 1: the UE attaches to 5G, initiates a PDN connection establishment procedure, and completes data network authentication of DNN1 in the 5G network.
After attaching to 5G, the UE reports its network authentication capability. The converged SMF acquires the user subscription and determines that DNN2 requires authentication. The converged SMF acquires the verification information for DNN2 from the UE and initiates an authentication request to the DN-AAA. The DN-AAA authenticates according to the stored authentication information of the UE and, after the verification passes, allows the user to establish the DNN2 session. The converged SMF records the DNN2 authentication result/authorization status of the UE (success); a DNN that has not been authenticated is recorded as unauthorized. The authentication server records the converged SMF address that initiated the authentication request, records the user identifier (which may also include session information), and records the authentication result/authorization status of the UE (success).
Step 2: the UE moves into 4G;
The UE moves into the 4G network, the PDU session established in 5G is handed over to 4G, and the converged SMF learns that the UE has moved into 4G. The UE subsequently initiates a new PDN connection establishment request for APN2 to the PGW-C combined with the SMF in the 4G network. The converged SMF checks that DNN2 of the UE has a mapping relationship with APN2 and that APN2 is authorized, so it does not initiate data network authentication, allows the PDN connection to be established, and executes the subsequent connection establishment procedure.
Step 3: the DN-AAA decides to initiate re-authentication for the UE;
The DN-AAA decides to re-authenticate and selects an SMF according to the SMF address stored at the last authentication.
Mode 1: according to the converged SMF address stored during data network authentication. (The user needs to perform data network authentication when establishing a PDU session for a DNN for the first time; in this process the DN-AAA records the authentication identifier of the UE, the authentication result (whether authenticated and authorized), and the address of the converged SMF that initiated the authentication request.)
Mode 2: the DN-AAA queries the home UDM address of the user through the NRF, and then queries the home UDM for the SMFs that provide session management service for that DNN of the user; if several are found, one SMF is selected.
Step 4: the DN-AAA sends a re-authentication request to the converged SMF, carrying the UE identifier;
Step 5: the converged SMF determines the access management network element of the UE, namely the MME in the 4G network, according to the session management context of the UE;
Step 6: the converged SMF selects a re-authentication mode according to the subscription data of the terminal, the interface protocol with the authentication server, and the received re-authentication request;
The converged SMF checks that the user is in the 4G network and decides to adopt the authentication mode of the 4G network.
Step 7: the converged SMF sends re-authentication information to the UE through the MME, instructing the UE to report the authentication information for data network authentication;
Step 8: the re-authentication message exchange is executed;
Step 9: the DN-AAA sends the re-authentication result (success) to the converged SMF;
Step 10: the converged SMF records that the UE has successfully re-authenticated for APN1, and authorizes the UE to establish a PDN connection for APN1 or a session for the DNN1 mapped from APN1;
Step 11: the converged SMF sends the re-authentication result to the UE through the MME.
Scenario 3: the DN-AAA initiates re-authentication, the converged SMF directs the user to re-authenticate in 5G, and the re-authentication fails.
Referring to fig. 7, the UE configures one set of authentication information for a DNN/APN pair with a mapping relationship (handover allowed), and the DN-AAA may maintain one set of authentication information for the same UE.
Step 1: the UE attaches to the 4G network, initiates a PDN connection establishment procedure, and completes data network authentication of APN1 in the 4G network.
Step 2: the UE moves into 5G;
Step 3: the DN-AAA decides to initiate re-authentication for the UE;
Step 4: the DN-AAA sends a re-authentication request to the converged SMF, carrying the UE identifier;
Step 5: the converged SMF determines the access management network element of the UE, namely the AMF in the 5G network, according to the session management context of the UE;
Step 6: the converged SMF selects a re-authentication mode according to the subscription data of the terminal, the interface protocol with the authentication server, and the received re-authentication request;
Step 7: the converged SMF sends re-authentication information to the UE through the AMF, instructing the UE to report the authentication information for data network authentication;
Step 8: the re-authentication message exchange is executed;
Step 9: the DN-AAA sends the re-authentication result (failure) to the converged SMF;
Step 10: the converged SMF records that the UE failed to re-authenticate for DNN1. It cancels the authorization for the UE to establish a session for DNN1 or a PDN connection for the APN1 mapped from DNN1, releases the session corresponding to DNN1 and the PDN connection corresponding to APN1, and suppresses subsequent session establishment by the UE for DNN1 or PDN connection establishment for the APN1 mapped from DNN1;
Step 11: the converged SMF sends a session release command to the UE through the AMF; the session release command carries the re-authentication failure, the cause value and the timer.
Step 12: the UE locally releases the PDU session corresponding to DNN1 and the PDN connection corresponding to APN1 according to the cause value; according to the cause value and the timer, the UE does not initiate a session establishment request for DNN1 before the timer expires, nor does it initiate PDN connection establishment for the APN1 mapped from DNN1.
Referring to fig. 8, an embodiment of the present application provides a data network re-authentication apparatus, which is applied to a first network element, where the apparatus 800 includes:
a first receiving module 801, configured to receive a first message, where the first message indicates that the authentication server requires data network re-authentication for the terminal;
a first determining module 802, configured to determine an access management network element of the terminal according to a session management context of a user;
a first sending module 803, configured to send a second message for re-authentication of the data network to the terminal through the access management network element.
In an embodiment of the present application, the first determining module 802 is further configured to: determine the mobile network system in which the terminal is located according to the access network type and/or the radio access technology type in the session management context (for example, whether the mobile network system in which the terminal is located is 5G or 4G); and determine the identifier/address of the access management network element that provides mobility management for the terminal according to the identifier/address of the serving node of the mobile network system in which the terminal is located.
In an embodiment of the present application, the apparatus 800 further includes: a second determining module, configured to determine an authentication mode for re-authentication according to the subscription data of the terminal, an interface protocol between a mobile network system in which the terminal is located and an authentication server, and the first message; and determining the second message according to the mobile network system of the terminal and the authentication mode.
In this embodiment of the present application, the second message indicates the terminal to report authentication information corresponding to the data network, where the authentication information includes: a terminal identification of the data network authentication and/or verification information of the data network authentication.
In an embodiment of the present application, the apparatus 800 further includes:
a second receiving module, configured to receive a re-authentication result of the data network of the terminal sent by an authentication server, where the re-authentication result includes: authentication is successful or failed;
and the second sending module is used for sending the re-authentication result to the terminal.
In an embodiment of the present application, the apparatus 800 further includes:
a third sending module, configured to send a third message to the terminal if the re-authentication result is authentication failure, where the third message indicates that the terminal is to release a session or a PDN connection, the third message carries a cause value and a timer, and the cause value indicates data network authentication failure.
In an embodiment of the present application, the apparatus 800 further includes: a processing module, configured to check the mapping relationship between the DNN and the APN (access point name) of the terminal when a PDU session or PDN connection is established; when the DNN is authorized, data network authentication is not initiated for the PDN connection related to the mapped APN, and PDN connection establishment is allowed; when the APN is authorized, data network authentication is not initiated for the PDU session related to the mapped DNN, and PDU session establishment is allowed.
The device provided in the embodiment of the present application can implement each process implemented by the method embodiment shown in fig. 2, and achieve the same technical effect, and for avoiding repetition, details are not described here again.
Referring to fig. 9, an embodiment of the present application provides a data network re-authentication apparatus, which is applied to a terminal, where the apparatus 900 includes:
a third receiving module 901, configured to receive a second message, which is issued by a first network element through an access management network element and is directed to re-authentication of a data network of the terminal, where the second message indicates that the terminal reports authentication information corresponding to the data network, and the authentication information includes: the terminal identification of the data network authentication and/or the verification information of the data network authentication;
a fourth sending module 902, configured to report the authentication information to an authentication server according to the second message;
a fourth receiving module 903, configured to receive a re-authentication result sent by the authentication server, where the re-authentication result includes: authentication is successful or authentication fails.
In this embodiment of the present application, the verification information is used to perform data network authentication on a DNN of the terminal, or perform data network authentication on an APN having a mapping relationship with the DNN.
In an embodiment of the present application, the apparatus 900 further includes:
a fifth receiving module, configured to receive a third message if the re-authentication result is authentication failure, where the third message indicates that the terminal is to release a session or a PDN connection, the third message carries a cause value and a timer, and the cause value indicates data network authentication failure.
In an embodiment of the present application, the apparatus 900 further includes:
a releasing module, configured to release all PDU sessions associated with the DNN corresponding to the session or release all PDN connections associated with the APN corresponding to the PDN connection.
In an embodiment of the present application, the apparatus 900 further includes:
a processing module, configured to: if the terminal receives the third message from the 5G network, then according to the cause value and the timer, not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires, and, through the mapping relationship between the DNN and the APN, after the terminal moves into the 4G network, not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires;
if the terminal receives the third message from the 4G network, then according to the cause value and the timer, not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires, and, through the mapping relationship between the DNN and the APN, after the terminal moves into the 5G network, not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires.
The device provided in the embodiment of the present application can implement each process implemented by the method embodiment shown in fig. 3, and achieve the same technical effect, and for avoiding repetition, details are not described here again.
Referring to fig. 10, an embodiment of the present application provides a data network re-authentication apparatus, which is applied to an authentication server, where the apparatus 1000 includes:
a selecting module 1001, configured to select a converged SMF that provides session management service for a DNN of a terminal when a data network re-authentication request needs to be initiated for the terminal;
a fifth sending module 1002, configured to send a data network re-authentication request for the terminal to the converged SMF;
a sixth receiving module 1003, configured to receive, from the converged SMF, the authentication information corresponding to the data network reported by the terminal;
a re-authentication module 1004, configured to re-authenticate the data network of the terminal according to the authentication information to obtain a re-authentication result, where the re-authentication result includes: authentication is successful or failed;
a sixth sending module 1005, configured to send the re-authentication result for the terminal to the converged SMF.
In the embodiment of the present application, the apparatus 1000 further includes:
a query module, configured to query the home UDM address of the terminal through the NRF, and, according to the home UDM address, to query the home UDM for the SMF that provides session management service for the DNN of the terminal.
In the embodiment of the present application, the apparatus 1000 further includes:
a storage module, configured to pre-store authentication information corresponding to the terminal and the data network, where the authentication information is used to perform data network authentication on the DNN of the terminal or on the APN mapped from the DNN; the authentication information includes: a terminal identifier for data network authentication and/or verification information for data network authentication.
The device provided in the embodiment of the present application can implement each process implemented by the method embodiment shown in fig. 4, and achieve the same technical effect, and for avoiding repetition, details are not described here again.
Fig. 11 is a schematic hardware structure diagram of a terminal for implementing the embodiment of the present application.
The terminal 1100 includes, but is not limited to: a radio frequency unit 1101, a network module 1102, an audio output unit 1103, an input unit 1104, a sensor 1105, a display unit 1106, a user input unit 1107, an interface unit 1108, a memory 1109, a processor 1110, and the like.
Those skilled in the art will appreciate that terminal 1100 can also include a power supply (e.g., a battery) for powering the various components, which can be logically coupled to processor 1110 via a power management system so that charging, discharging, and power consumption are managed through the power management system. The terminal structure shown in fig. 11 does not constitute a limitation of the terminal; the terminal may include more or fewer components than those shown, combine some components, or have a different arrangement of components, and this is not described again.
It should be understood that in the embodiment of the present application, the input Unit 1104 may include a Graphics Processing Unit (GPU) 11041 and a microphone 11042, and the Graphics processor 11041 processes image data of still pictures or video obtained by an image capturing device (such as a camera) in a video capturing mode or an image capturing mode. The display unit 1106 may include a display panel 11061, and the display panel 11061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 1107 includes a touch panel 11071 and other input devices 11072. A touch panel 11071, also called a touch screen. The touch panel 11071 may include two portions of a touch detection device and a touch controller. Other input devices 11072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, and a joystick, which are not described in detail herein.
In this embodiment, the radio frequency unit 1101 receives downlink data from a network device and forwards it to the processor 1110 for processing; in addition, it sends uplink data to the network side equipment. In general, the radio frequency unit 1101 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like.
The memory 1109 may be used for storing software programs or instructions as well as various data. The memory 1109 may mainly include a program or instruction storage area and a data storage area, where the program or instruction storage area may store an operating system, an application program or instruction required for at least one function (such as a sound playing function or an image playing function), and the like. In addition, the memory 1109 may include a high-speed random access memory and may also include a non-volatile memory, such as a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable Programmable ROM (EPROM), an Electrically Erasable Programmable ROM (EEPROM), a flash memory, at least one magnetic disk storage device, a flash memory device, or another non-volatile solid-state storage device.
Processor 1110 may include one or more processing units; alternatively, processor 1110 may integrate an application processor that primarily handles operating systems, user interfaces, and applications or instructions, etc. and a modem processor that primarily handles wireless communications, such as a baseband processor. It will be appreciated that the modem processor described above may not be integrated into processor 1110.
The terminal provided in the embodiment of the present application can implement each process implemented by the method embodiment shown in fig. 3, and achieve the same technical effect, and for avoiding repetition, details are not described here again.
The embodiment of the application also provides network side equipment. As shown in fig. 12, the network-side device 1200 includes: antenna 1201, radio frequency device 1202, baseband device 1203. Antenna 1201 is connected to radio frequency device 1202. In the uplink direction, the rf device 1202 receives information through the antenna 1201 and sends the received information to the baseband device 1203 for processing. In the downlink direction, the baseband device 1203 processes information to be transmitted and transmits the processed information to the radio frequency device 1202, and the radio frequency device 1202 processes the received information and transmits the processed information through the antenna 1201.
The above baseband processing means may be located in the baseband apparatus 1203, and the method performed by the network side device in the above embodiment may be implemented in the baseband apparatus 1203, where the baseband apparatus 1203 includes a processor 1204 and a memory 1205.
The baseband apparatus 1203 may include, for example, at least one baseband board, on which a plurality of chips are disposed, as shown in fig. 12, where one of the chips is, for example, a processor 1204, and is connected to the memory 1205 to call up a program in the memory 1205 to execute the network device operations shown in the foregoing method embodiments.
The baseband apparatus 1203 may further include a network interface 1206 for exchanging information with the radio frequency apparatus 1202, such as a Common Public Radio Interface (CPRI).
Specifically, the network side device of the embodiment of the present invention further includes: the instructions or programs stored in the memory 1205 and executable on the processor 1204 are called by the processor 1204 to execute the methods executed by the modules shown in fig. 3 or fig. 4, and achieve the same technical effects, which are not described herein in detail to avoid repetition.
The network side device provided in the embodiment of the present application can implement each process implemented by the method embodiment shown in fig. 3 or fig. 4, and achieve the same technical effect, and is not described here again to avoid repetition.
An embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of the method embodiments shown in fig. 2, fig. 3, or fig. 4, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The processor is the processor in the terminal described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and so on.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable hard disk, a compact disk, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. In addition, the ASIC may be carried in a core network interface device. Of course, the processor and the storage medium may also reside as discrete components in a core network interface device.
Those skilled in the art will recognize that in one or more of the examples described above, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above embodiments further describe in detail the objects, technical solutions and advantages of the present application; it should be understood that the above embodiments are only examples of the present application and are not intended to limit its scope, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present application should be included in the scope of the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (21)

1. A data network re-authentication method performed by a first network element, comprising:
receiving a first message indicating that an authentication server requires data network re-authentication for a terminal;
determining an access management network element of the terminal according to the session management context of the user;
and issuing a second message aiming at the data network re-authentication to the terminal through an access management network element.
2. The method of claim 1, wherein determining the access management network element of the terminal according to the session management context of the user comprises:
determining the mobile network system in which the terminal is located according to the access network type and/or the radio access technology type in the session management context;
and determining the identifier/address of the access management network element providing mobility management for the terminal according to the identifier/address of the serving node of the mobile network system in which the terminal is located.
3. The method of claim 1, further comprising:
determining an authentication mode for the re-authentication according to the subscription data of the terminal, the interface protocol between the mobile network system in which the terminal is located and the authentication server, and the first message;
and determining the second message according to the mobile network system of the terminal and the authentication mode.
4. The method of claim 1, wherein the second message instructs the terminal to report authentication information corresponding to the data network, and the authentication information comprises: a terminal identification for the data network authentication and/or verification information for the data network authentication.
5. The method of claim 1, further comprising:
receiving a re-authentication result of the data network of the terminal sent by an authentication server, wherein the re-authentication result comprises: authentication is successful or failed;
and sending the re-authentication result to the terminal.
6. The method of claim 5, further comprising:
if the re-authentication result is authentication failure, sending a third message to the terminal, wherein the third message instructs the terminal to release the session or release the packet data network (PDN) connection, the third message carries a cause value and a timer, and the cause value indicates data network authentication failure.
7. The method of claim 1, further comprising:
when a Protocol Data Unit (PDU) session or a PDN connection is established, checking the mapping relation between the Data Network Name (DNN) of the terminal and the Access Point Name (APN);
when the DNN is authorized, not initiating data network authentication for the PDN connection related to the mapped APN, and allowing the PDN connection to be established;
when the APN is authorized, not initiating data network authentication for the PDU session related to the mapped DNN, and allowing the PDU session to be established.
8. A data network re-authentication method performed by a terminal, comprising:
receiving a second message for re-authentication of the data network of the terminal, issued by a first network element through an access management network element, wherein the second message instructs the terminal to report authentication information corresponding to the data network, and the authentication information includes: a terminal identification for the data network authentication and/or verification information for the data network authentication;
reporting the authentication information to an authentication server according to the second message;
receiving a re-authentication result sent by the authentication server, wherein the re-authentication result comprises: authentication success or authentication failure.
9. The method of claim 8, wherein the verification information is used for data network authentication of a DNN of the terminal or data network authentication of an APN having a mapping relationship with the DNN.
10. The method of claim 8, further comprising:
if the re-authentication result is authentication failure, receiving a third message, wherein the third message instructs the terminal to release the session or the PDN connection, the third message carries a cause value and a timer, and the cause value indicates data network authentication failure.
11. The method of claim 10, further comprising:
releasing all PDU sessions associated with the DNN corresponding to the session, or all PDN connections associated with the APN corresponding to the PDN connection.
12. The method of claim 10, wherein:
if the terminal receives the third message from a fifth generation mobile communication technology (5G) network, then according to the cause value and the timer, the terminal does not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires; and, through the mapping relation between the DNN and the APN, after the terminal moves into a fourth generation mobile communication technology (4G) network, it does not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires;
if the terminal receives the third message from the 4G network, then according to the cause value and the timer, the terminal does not initiate a PDN connection establishment request for the APN corresponding to the PDN connection before the timer expires; and, through the mapping relation between the DNN and the APN, after the terminal moves into the 5G network, it does not initiate a PDU session establishment request for the DNN corresponding to the session before the timer expires.
13. A data network re-authentication method performed by an authentication server, comprising:
when a data network re-authentication request needs to be initiated for a terminal, selecting a converged SMF providing session management service for the DNN of the terminal;
sending a data network re-authentication request for the terminal to the converged SMF;
receiving, from the converged SMF, the authentication information corresponding to the data network reported by the terminal;
re-authenticating the data network of the terminal according to the authentication information to obtain a re-authentication result, wherein the re-authentication result comprises: authentication success or authentication failure;
and sending the re-authentication result for the terminal to the converged SMF.
14. The method of claim 13, further comprising:
querying the address of the home Unified Data Management (UDM) of the terminal through a Network Repository Function (NRF);
and according to the home UDM address, querying the home UDM for the SMF providing session management service for the DNN of the terminal.
15. The method of claim 13, further comprising:
pre-storing authentication information corresponding to the terminal and the data network, wherein the authentication information is used for performing data network authentication on the DNN of the terminal or on the APN mapped to the DNN; the authentication information includes: a terminal identification for the data network authentication and/or verification information for the data network authentication.
16. A data network re-authentication apparatus, applied to a first network element, comprising:
a first receiving module, configured to receive a first message, wherein the first message indicates that an authentication server requires data network re-authentication for the terminal;
a first determining module, configured to determine an access management network element of the terminal according to the session management context of the user;
and a first sending module, configured to send a second message for the data network re-authentication to the terminal through the access management network element.
17. A data network re-authentication apparatus, applied to a terminal, comprising:
a third receiving module, configured to receive a second message for re-authentication of the data network of the terminal, issued by a first network element through an access management network element, wherein the second message instructs the terminal to report authentication information corresponding to the data network, and the authentication information includes: a terminal identification for the data network authentication and/or verification information for the data network authentication;
a fourth sending module, configured to report the authentication information to an authentication server according to the second message;
and a fourth receiving module, configured to receive a re-authentication result sent by the authentication server, wherein the re-authentication result includes: authentication success or authentication failure.
18. A data network re-authentication apparatus, applied to an authentication server, comprising:
a selection module, configured to select, when a data network re-authentication request needs to be initiated for a terminal, a converged SMF providing session management service for the DNN of the terminal;
a fifth sending module, configured to send a data network re-authentication request for the terminal to the converged SMF;
a sixth receiving module, configured to receive, from the converged SMF, the authentication information corresponding to the data network reported by the terminal;
a re-authentication module, configured to re-authenticate the data network of the terminal according to the authentication information to obtain a re-authentication result, wherein the re-authentication result comprises: authentication success or authentication failure;
and a sixth sending module, configured to send the re-authentication result for the terminal to the converged SMF.
19. A terminal, comprising: a processor, a memory, and a program stored on the memory and executable on the processor, the program implementing the steps of the method according to any one of claims 8 to 12 when executed by the processor.
20. A network-side device, comprising: a processor, a memory and a program stored on the memory and executable on the processor, the program implementing the steps of the method according to any one of claims 1 to 7 or the steps of the method according to any one of claims 13 to 15 when executed by the processor.
21. A readable storage medium having stored thereon a program which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 15.
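As an added illustration, and not code from the patent or its applicants, the following Python simulation walks through the flow in claims 1, 2, 5, 6, 8, 12, 13 and 15: the authentication server verifies reported credentials against pre-stored ones, the converged SMF derives AMF versus MME from the RAT type in the session context and relays the result, and on failure the terminal honours the cause value and timer for both the DNN and its mapped APN so that a 4G/5G move does not bypass the backoff. The DNN/APN mapping, cause value name, timer length, identifiers and credentials are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed DNN <-> APN mapping; the patent's claims 7 and 12 rely on such a mapping
DNN_TO_APN = {"enterprise.dnn": "enterprise.apn"}
APN_TO_DNN = {apn: dnn for dnn, apn in DNN_TO_APN.items()}
CAUSE_DN_AUTH_FAILED = "DN_AUTH_FAILED"   # hypothetical name for the claimed cause value
BACKOFF_SECONDS = 300                     # constructed timer value carried in the third message

@dataclass
class Terminal:
    ue_id: str
    credentials: dict                                   # constructed {dnn: verification info}
    blocked_until: dict = field(default_factory=dict)   # (kind, name) -> expiry time (claim 12)
    def report_auth_info(self, dnn):
        # claim 8: the terminal reports its DN identity and verification info
        return {"id": self.ue_id, "verify": self.credentials.get(dnn)}
    def on_release(self, system, name, cause, timer, now):
        # claim 12: block the released DNN/APN and its mapped counterpart until the timer expires
        if cause != CAUSE_DN_AUTH_FAILED:
            return
        kind, mapped = ("DNN", DNN_TO_APN) if system == "5G" else ("APN", APN_TO_DNN)
        self.blocked_until[(kind, name)] = now + timer
        if name in mapped:
            other = "APN" if kind == "DNN" else "DNN"
            self.blocked_until[(other, mapped[name])] = now + timer
    def may_establish(self, kind, name, now):
        return now >= self.blocked_until.get((kind, name), 0)

class AuthServer:
    def __init__(self, stored):                # claim 15: pre-stored (ue_id, dnn) -> (id, verify)
        self.stored = stored
    def verify(self, ue_id, dnn, info):        # claim 13: compare reported with stored info
        expected = self.stored.get((ue_id, dnn))
        return "success" if expected == (info["id"], info["verify"]) else "failure"

class ConvergedSMF:
    def __init__(self, contexts):              # ue_id -> session management context
        self.contexts = contexts
    def access_mgmt_node(self, ue_id):
        # claim 2: derive the mobile system from the RAT type, then the AMF/MME address
        ctx = self.contexts[ue_id]
        system = "5G" if ctx["rat_type"] == "NR" else "4G"
        return system, ctx["serving_node"]
    def reauthenticate(self, ue_id, dnn, terminal, auth_server, now):
        # claims 1, 5, 6: relay the request via AMF/MME, forward the result, and on
        # failure send the release (third message) with cause value and timer
        system, node = self.access_mgmt_node(ue_id)
        info = terminal.report_auth_info(dnn)
        result = auth_server.verify(ue_id, dnn, info)
        if result == "failure":
            name = dnn if system == "5G" else DNN_TO_APN[dnn]
            terminal.on_release(system, name, CAUSE_DN_AUTH_FAILED, BACKOFF_SECONDS, now)
        return system, node, result

def run_scenario(now=0):
    # constructed scenario: UE on 5G holds a stale credential, so re-authentication fails
    ue = Terminal("imsi-0001", {"enterprise.dnn": "old-secret"})
    srv = AuthServer({("imsi-0001", "enterprise.dnn"): ("imsi-0001", "new-secret")})
    smf = ConvergedSMF({"imsi-0001": {"rat_type": "NR", "serving_node": "amf-1"}})
    system, node, result = smf.reauthenticate("imsi-0001", "enterprise.dnn", ue, srv, now)
    return {"system": system, "node": node, "result": result,
            "pdu_blocked": not ue.may_establish("DNN", "enterprise.dnn", now + 10),
            "pdn_blocked_on_4g": not ue.may_establish("APN", "enterprise.apn", now + 10),
            "pdu_ok_after_timer": ue.may_establish("DNN", "enterprise.dnn", now + BACKOFF_SECONDS)}
```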
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011460759.XA CN114630311A (en) 2020-12-11 2020-12-11 Data network re-authentication method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN114630311A true CN114630311A (en) 2022-06-14

Family

ID=81895906

Country Status (1)

Country Link
CN (1) CN114630311A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200186526A1 (en) * 2017-08-16 2020-06-11 Huawei Technologies Co., Ltd. Secure access method, device, and system
CN111328112A (en) * 2018-12-14 2020-06-23 华为技术有限公司 Method, device and system for isolating security context
US20200267223A1 (en) * 2019-02-14 2020-08-20 Samsung Electronics Co., Ltd. Method and apparatus for supporting reauthentication of dn authorized pdu session and managing pdu session according to change of dn authorization data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI等: ""Correction to initial EAP Authentication with an external AAA server"", 3GPP TSG-SA WG3 MEETING #98,S3-200274, 6 March 2020 (2020-03-06), pages 11 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116669042A (en) * 2023-07-26 2023-08-29 中国电信股份有限公司 Re-authentication method and device for voice wireless local area network and communication equipment
CN116669042B (en) * 2023-07-26 2023-11-14 中国电信股份有限公司 Re-authentication method and device for voice wireless local area network and communication equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination