CN114945172A - Network access method and system, communication network, electronic device and storage medium - Google Patents


Publication number: CN114945172A
Authority: CN (China)
Prior art keywords: gateway, network element, authentication, user temporary, access
Legal status: Pending
Application number: CN202210667138.1A
Other languages: Chinese (zh)
Inventors: 沈骁, 钮颖彬, 邵震, 黄国瑾
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/12 Setup of transport tunnels

Abstract

The present disclosure relates to a network access method and system, a communication network, an electronic device, and a storage medium. The network access method comprises the following steps: after the gateway is started, performing gateway authentication; after the gateway passes the authentication, the gateway acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element; in the case where the device is attached to the gateway, the gateway assigns a user temporary number to the device so that the device performs terminal authentication using the user temporary number to the wired access gateway function network element. The method and the system can perform differentiated control and management on different devices under the access gateway.

Description

Network access method and system, communication network, electronic device and storage medium
Technical Field
The present disclosure relates to the field of wireless communications, and in particular, to a network access method and system, a communication network, an electronic device, and a storage medium.
Background
3GPP Release 15/16 defines three schemes for non-3GPP access to the 5GC: untrusted access, trusted access and wired access. In wired access, a gateway holding a 5G SIM card (e.g., a 5G-RG) is connected to the 5GC (5G core network) over a wireline. In this scheme the gateway is treated as a single subscriber, and the 5GC performs access control on the gateway alone.
Disclosure of Invention
The inventor finds out through research that in the related technology, under wired access, the core network can identify only the 5G-RG itself; it cannot identify the non-5G devices behind the 5G-RG, such as ordinary WiFi access devices and devices without a 5G SIM card.
In view of at least one of the above technical problems, the present disclosure provides a network access method and system, a communication network, an electronic device, and a storage medium, which can perform differentiated control and management of different devices under an access gateway.
According to an aspect of the present disclosure, there is provided a network access method, including:
after the gateway is started, performing gateway authentication;
after the gateway passes the authentication, the gateway acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element;
in the case where the device is attached to the gateway, the gateway assigns a user temporary number to the device so that the device performs terminal authentication using the user temporary number to the wired access gateway function network element.
In some embodiments of the disclosure, said in case that the device is attached to the gateway, the gateway assigning the user temporary number to the device comprises:
in the case where a plurality of devices are attached to the gateway, the gateway assigns different user temporary numbers to different devices;
and establishing a corresponding relation between the physical address of the device and the temporary number of the user.
According to another aspect of the present disclosure, there is provided a network access method, including:
when the gateway is started and the gateway passes the authentication, the unified data management network element allocates a plurality of user temporary numbers to the gateway, so that when the device is attached to the gateway, the gateway allocates the user temporary numbers to the device, and the device adopts the user temporary numbers to the wired access gateway function network element for terminal authentication.
According to another aspect of the present disclosure, there is provided a network access method, including:
a wired access gateway function network element receives a terminal authentication request sent by a device and based on a user temporary number, wherein the user temporary number is allocated to the device by a gateway when the device is attached to the gateway, the gateway performs gateway authentication after it is started, and after the gateway passes the authentication it acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element;
and the wired access gateway functional network element performs terminal authentication on the device based on the user temporary number.
In some embodiments of the present disclosure, the network access method further includes:
after the gateway authentication is passed, the wired access gateway function network element receives a gateway authentication result sent by the unified data management network element through the authentication server function network element and the access and mobile management function network element, wherein the gateway authentication result comprises a plurality of user temporary numbers distributed to the gateway by the unified data management network element, and the authentication server function network element stores the gateway authentication result;
and the wired access gateway function network element stores the binding relationship between the gateway number and the user temporary number.
In some embodiments of the present disclosure, the performing, by the wired access gateway function network element, terminal authentication on a device based on a user temporary number includes:
the method comprises the steps that a wired access gateway function network element inquires the binding relation between a gateway number and a user temporary number and determines the gateway number corresponding to the user temporary number;
the method comprises the steps that a wired access gateway function network element sends an authentication request to an access and mobility management function network element, wherein the authentication request comprises a user temporary number and a corresponding gateway number, so that the access and mobility management function network element inquires a gateway authentication result of a gateway corresponding to the gateway number;
and the wired access gateway function network element receives a terminal authentication result returned by the access and mobility management function network element, wherein the access and mobility management function network element returns the terminal authentication result under the condition that the gateway authentication result of the gateway corresponding to the gateway number is successful, and the terminal authentication result comprises the user temporary number.
In some embodiments of the present disclosure, the network access method further includes:
and after the terminal authentication is successful, the wired access gateway function network element and the device establish an Internet security protocol tunnel.
According to another aspect of the present disclosure, there is provided a gateway comprising:
the gateway authentication module is configured to perform gateway authentication after the gateway is started;
the temporary number management module is configured to acquire a plurality of user temporary numbers distributed to the gateway by the unified data management network element after the gateway passes the authentication; and under the condition that the device is attached to the gateway, allocating a user temporary number to the device so that the device adopts the user temporary number to a wired access gateway function network element for terminal authentication.
In some embodiments of the present disclosure, a temporary number management module configured to assign different user temporary numbers to different devices in a case where a plurality of devices are attached to a gateway; and establishing a corresponding relation between the physical address of the device and the temporary number of the user.
According to another aspect of the present disclosure, there is provided a unified data management network element, including:
the temporary number distribution module is configured to distribute a plurality of user temporary numbers to the gateway under the conditions that the gateway is powered on and the gateway passes authentication, so that the gateway distributes the user temporary numbers to the device under the condition that the device is attached to the gateway, and the device adopts the user temporary numbers to a wired access gateway function network element for terminal authentication.
According to another aspect of the present disclosure, there is provided a wired access gateway function network element, including:
an authentication request receiving module configured to receive a terminal authentication request based on a user temporary number transmitted by a device, wherein the user temporary number is allocated to the device by a gateway when the device is attached to the gateway, the gateway performs gateway authentication after it is started, and after the gateway passes the authentication it acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element;
a terminal authentication module configured to perform terminal authentication on the device based on the user temporary number.
In some embodiments of the disclosure, the wired access gateway function network element further includes:
the gateway authentication result receiving module is configured to receive a gateway authentication result sent by the unified data management network element through the authentication server function network element and the access and mobility management function network element after the gateway authentication is passed, wherein the gateway authentication result comprises a plurality of user temporary numbers distributed to the gateway by the unified data management network element, and the authentication server function network element stores the gateway authentication result;
and the binding relation storage module is configured to store the binding relation between the gateway number and the user temporary number.
In some embodiments of the present disclosure, the terminal authentication module is configured to query a binding relationship between a gateway number and a user temporary number, and determine a gateway number corresponding to the user temporary number; sending an authentication request to an access and mobility management function network element, wherein the authentication request comprises a user temporary number and a corresponding gateway number so that the access and mobility management function network element can inquire a gateway authentication result of a gateway corresponding to the gateway number; and receiving a terminal authentication result returned by the access and mobility management function network element, wherein the access and mobility management function network element returns the terminal authentication result under the condition that the gateway authentication result of the gateway corresponding to the gateway number is successful, and the terminal authentication result comprises the user temporary number.
In some embodiments of the disclosure, the wired access gateway function network element further includes:
and the tunnel establishing module is configured to establish an Internet security protocol tunnel between the wired access gateway function network element and the device after the terminal authentication is successful.
According to another aspect of the present disclosure, there is provided an electronic device including:
a memory to store instructions;
a processor configured to execute the instructions to cause the electronic device to perform operations to implement the network access method according to any of the embodiments.
According to another aspect of the present disclosure, there is provided a communication network comprising a unified data management network element as described in any of the above embodiments and a wired access gateway function network element as described in any of the above embodiments.
According to another aspect of the present disclosure, there is provided a network access system comprising a gateway as in any one of the above embodiments and a communication network as in any one of the above embodiments.
According to another aspect of the present disclosure, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores computer instructions, which when executed by a processor, implement the network access method according to any one of the above embodiments.
The method and the system can perform differentiated control and management on different devices under the access gateway.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of some embodiments of a network access method of the present disclosure.
Fig. 2 is a schematic diagram of another embodiment of a network access method according to the present disclosure.
Fig. 3 is a schematic diagram of some further embodiments of the network access method of the present disclosure.
Fig. 4 is a schematic diagram of further embodiments of the network access method of the present disclosure.
Figure 5 is a schematic diagram of some embodiments of gateways of the present disclosure.
Fig. 6 is a schematic diagram of some embodiments of a unified data management network element according to the present disclosure.
Fig. 7 is a schematic diagram of some embodiments of a wired access gateway function network element according to the present disclosure.
Fig. 8 is a schematic structural diagram of some embodiments of an electronic device of the present disclosure.
Fig. 9 is a schematic structural diagram of some embodiments of the network access system of the present disclosure.
Fig. 10 is a schematic structural diagram of another embodiment of a network access system according to the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the embodiments described are only some embodiments of the present disclosure, rather than all embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, network access methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the authorization specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be discussed further in subsequent figures.
The inventor finds out through research that in the related art the core network cannot identify non-5G devices such as an ordinary WiFi access device behind a 5G RG (residential gateway) or a device without a 5G SIM card, and therefore cannot perform differentiated QoS (Quality of Service) control; for example, a library's RG cannot give a manager a high QoS guarantee and a visitor a low QoS guarantee.
In view of at least one of the above technical problems, the present disclosure provides a network access method and system, a communication network, an electronic device, and a storage medium, and the present disclosure is described below by specific embodiments.
Fig. 1 is a schematic diagram of some embodiments of a network access method of the present disclosure. Preferably, this embodiment may be performed by the disclosed gateway or the disclosed network access system. The network access method may include at least one of steps 11 to 13, wherein:
Step 11: after the gateway is started, performing gateway authentication.
In some embodiments of the present disclosure, the gateway may be a 5G-RG.
In some embodiments of the present disclosure, the gateway authentication may be ordinary EAP (Extensible Authentication Protocol) authentication of the gateway.
Step 12: after the gateway passes the authentication, the gateway acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element.
Step 13: when a device is attached to the gateway, the gateway allocates a user temporary number to the device so that the device uses the user temporary number for terminal authentication with the wired access gateway function network element.
In some embodiments of the present disclosure, the device may be a non-wireless-wide-area-network device such as an ordinary WiFi access device or a device without a wireless wide area network SIM card, where the wireless wide area network may be a carrier wireless communication network such as 5G or 6G.
In some embodiments of the present disclosure, step 13 may comprise: in the case where a plurality of devices are attached to the gateway, the gateway assigns different user temporary numbers to different devices; and establishing a corresponding relation between the physical address of the device and the temporary number of the user.
In some embodiments of the present disclosure, the device physical address may be the Media Access Control (MAC) address of the device.
In the embodiment of the present disclosure, after the gateway passes the authentication, the gateway obtains a plurality of temporary user numbers allocated to the gateway by the unified data management network element; when the device accesses 5G-RG (gateway), the gateway allocates user temporary numbers to the device, simultaneously saves the relation between the physical address of the device and the user temporary numbers, and can allocate different user temporary numbers to a plurality of devices respectively; the user temporary number may then be made available to the device for subsequent session flow.
The method provided by the embodiment of the disclosure can bind the gateway and the users, thereby realizing differentiated policy control for each user under the gateway.
The above embodiments of the present disclosure can identify non-5G devices behind a 5G RG, such as an ordinary WiFi access device, that is, devices without a 5G SIM card.
Fig. 2 is a schematic diagram of another embodiment of a network access method according to the present disclosure. Preferably, this embodiment can be executed by the disclosed UDM (Unified Data Management function network element) or the disclosed network access system. The network access method may comprise at least step 20, wherein:
Step 20: when the gateway is started and has passed authentication, the unified data management network element allocates a plurality of user temporary numbers to the gateway, so that the gateway allocates a user temporary number to a device when the device is attached to the gateway, and the device uses the user temporary number for terminal authentication with the wired access gateway function network element.
Fig. 3 is a schematic diagram of some further embodiments of the network access method of the present disclosure. Preferably, this embodiment may be implemented by the wired access gateway function network element (W-AGF) or the network access system of the present disclosure. The network access method may include at least one of steps 31 to 32, wherein:
Step 31: a wired access gateway function network element receives a terminal authentication request based on a user temporary number sent by a device, wherein the user temporary number is allocated to the device by the gateway when the device is attached to the gateway, the gateway performs gateway authentication after it is started, and after the gateway passes the authentication it acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element.
Step 32: the wired access gateway function network element performs terminal authentication on the device based on the user temporary number.
In some embodiments of the present disclosure, the network access method may further include: after the gateway authentication is passed, the wired access gateway function network element receives a gateway authentication result sent by the unified data management network element through the authentication server function network element and the access and mobile management function network element, wherein the gateway authentication result comprises a plurality of user temporary numbers distributed to the gateway by the unified data management network element, and the authentication server function network element stores the gateway authentication result; and the wired access gateway function network element stores the binding relationship between the gateway number and the user temporary number.
In some embodiments of the present disclosure, step 32 in the embodiment of fig. 3 may include at least one of steps 321-323, wherein:
in step 321, the wired access gateway function network element queries the binding relationship between the gateway number and the user temporary number, and determines the gateway number corresponding to the user temporary number.
In some embodiments of the present disclosure, the gateway number may be a gateway identification.
In some embodiments of the present disclosure, the gateway number may be an IMSI (International Mobile Subscriber Identity) of the gateway.
Step 322, the wired access gateway function network element sends an authentication request to the access and mobility management function network element, where the authentication request includes the user temporary number and the corresponding gateway number, so that the access and mobility management function network element queries the gateway authentication result of the gateway corresponding to the gateway number.
Step 323, the wired access gateway function network element receives a terminal authentication result returned by the access and mobility management function network element, wherein the access and mobility management function network element returns a terminal authentication result under the condition that the gateway authentication result of the gateway corresponding to the gateway number is successful, and the terminal authentication result includes the user temporary number.
In some embodiments of the present disclosure, the network access method may further include: and after the terminal authentication is successful, the wired access gateway functional network element and the device establish an Internet security protocol tunnel.
Fig. 4 is a schematic diagram of further embodiments of the network access method of the present disclosure. Preferably, this embodiment may be performed by the network access system of the present disclosure. The network access method may include at least one of steps 401 to 421, wherein:
Steps 401 to 404: after the 5G-RG is powered on, ordinary EAP authentication is performed through the W-AGF to the AMF (Access and Mobility Management Function network element). In step 401 a W-CP (wired access control protocol) EAP connection is established between the 5G-RG and the W-AGF; in step 402 the 5G-RG sends an EAP authentication request to the W-AGF in a W-CP message; in step 403 the W-AGF forwards the EAP authentication request to the AMF in an N2 message; in step 404 the AUSF (Authentication Server Function network element) acquires the EAP authentication vector from the AMF through an AAA (Authentication, Authorization, Accounting) message.
Steps 405 to 406: after the authentication is passed, the UDM returns to the AMF, via the AUSF, several user temporary numbers assigned to the 5G-RG. In step 405 the UDM allocates a plurality of user temporary numbers to the 5G-RG and sends them to the AUSF; in step 406 the AUSF sends an EAP authentication result (for example, an authentication success message) carrying the user temporary numbers assigned to the 5G-RG to the AMF in an AAA message.
In step 407, the AMF stores the authentication result of the 5G-RG.
In step 408, the AMF returns the authentication result to the W-AGF through the N2 message, and carries a plurality of user temporary numbers assigned to the 5G-RG.
Step 409: the W-AGF stores the binding relationship between the RG and the user temporary numbers.
Step 410: the W-AGF informs the 5G-RG of successful authentication through a W-CP message carrying the temporary numbers.
Step 411, 5G-RG stores the temporary number. This completes the RG authentication procedure.
In step 412, the Device attaches to the 5G-RG via the 802.1X protocol.
Step 413, the 5G-RG allocates a user temporary number to the Device, and binds the Device MAC address with the user temporary number.
In step 414, the Device carries the temporary number to the W-AGF for EAP authentication.
Step 415: the W-AGF queries the binding relationship between the RG and the user temporary numbers.
Step 416: the W-AGF carries the temporary number together with the RG number (temporary number@RG number) to the AMF for authentication.
Steps 417 to 419: in step 417 the AMF queries the authentication result previously stored for the RG;
in step 418 the AMF returns the authentication result to the W-AGF in an N2 message, where the authentication result includes the user temporary number;
in step 419 the W-AGF returns the authentication result to the Device in an IKE (Internet Key Exchange) message, and the W-AGF and the Device establish an IPsec (Internet Protocol Security) tunnel.
Steps 420 to 421: the user plane data of the Device is transmitted to the W-AGF through the IPsec tunnel and then to the UPF (User Plane Function network element) over the N3 interface.
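To make the flow of steps 401 to 421 concrete, the following is an added Python model written for this page; it is not code from the patent or from China Telecom. It keeps the roles the description names (the UDM allocating a pool of user temporary numbers after gateway authentication, the AMF storing the gateway authentication result, the W-AGF holding the gateway-number to temporary-number binding, and the 5G-RG binding a device MAC address to a temporary number) and treats the EAP, W-CP, N2 and IKE messages as plain function calls. The IMSI, the MAC addresses, the `TMP...` number format, the class and function names and the tunnel identifiers are all constructed for the example. It goes a little beyond the text in showing the rejection cases such a W-AGF needs to handle: a temporary number the UDM never issued, a gateway whose authentication failed, and a gateway whose pool is exhausted.

```python
# Added illustration of the temporary-number access flow (steps 401-421).
# Not the patent's code; entity names follow the description, the sample
# IMSI, MAC addresses, number format and tunnel ids are constructed.
from typing import Dict, List, Optional


class UDM:
    """Allocates a pool of user temporary numbers per gateway subscription (step 405)."""

    def __init__(self, subscriptions: Dict[str, int]):
        self.subscriptions = subscriptions  # gateway number (IMSI) -> pool size
        self._next = 1000                   # constructed counter for unique numbers

    def authenticate_gateway(self, gateway_number: str) -> Optional[List[str]]:
        # Stand-in for the EAP exchange of steps 401-404: an unsubscribed IMSI fails.
        size = self.subscriptions.get(gateway_number)
        if size is None:
            return None
        pool = [f"TMP{self._next + i}" for i in range(size)]
        self._next += size
        return pool


class AMF:
    """Stores the gateway result (step 407) and answers device checks (steps 417-418)."""

    def __init__(self):
        self.gateway_results: Dict[str, List[str]] = {}

    def store_gateway_result(self, gateway_number: str, pool: List[str]) -> None:
        self.gateway_results[gateway_number] = pool

    def authenticate_device(self, temp_number: str, gateway_number: str) -> Optional[str]:
        # Accept only if the named gateway authenticated successfully AND the
        # temporary number was part of the pool issued to that gateway.
        pool = self.gateway_results.get(gateway_number)
        if pool is None or temp_number not in pool:
            return None
        return temp_number  # the terminal authentication result carries the number


class WAGF:
    """Keeps the gateway-number <-> temporary-number binding (step 409)."""

    def __init__(self, amf: AMF):
        self.amf = amf
        self.binding: Dict[str, str] = {}  # temporary number -> gateway number
        self.tunnels: Dict[str, str] = {}  # temporary number -> IPsec tunnel id

    def on_gateway_authenticated(self, gateway_number: str, pool: List[str]) -> None:
        for n in pool:
            self.binding[n] = gateway_number

    def authenticate_device(self, temp_number: str) -> dict:
        # Steps 414-419: look up the owning gateway, ask the AMF, open a tunnel.
        gateway_number = self.binding.get(temp_number)
        if gateway_number is None:
            return {"success": False, "reason": "temporary number not bound to any gateway"}
        if self.amf.authenticate_device(temp_number, gateway_number) is None:
            return {"success": False, "reason": "gateway authentication result not successful"}
        tunnel = f"ipsec-{temp_number}"  # constructed tunnel identifier
        self.tunnels[temp_number] = tunnel
        return {"success": True, "temp_number": temp_number,
                "gateway": gateway_number, "tunnel": tunnel}


class RG:
    """5G-RG: holds its pool (step 411) and binds MAC -> temporary number (step 413)."""

    def __init__(self, gateway_number: str):
        self.gateway_number = gateway_number
        self.free: List[str] = []
        self.mac_binding: Dict[str, str] = {}

    def attach_device(self, mac: str) -> Optional[str]:
        if mac in self.mac_binding:  # a re-attaching device keeps its number
            return self.mac_binding[mac]
        if not self.free:            # pool exhausted: the device cannot be admitted
            return None
        temp_number = self.free.pop(0)
        self.mac_binding[mac] = temp_number
        return temp_number


def gateway_authentication(rg: RG, udm: UDM, amf: AMF, wagf: WAGF) -> bool:
    """Steps 401-411 collapsed into one call; returns True on success."""
    pool = udm.authenticate_gateway(rg.gateway_number)
    if pool is None:
        return False
    amf.store_gateway_result(rg.gateway_number, pool)
    wagf.on_gateway_authenticated(rg.gateway_number, pool)
    rg.free = list(pool)
    return True


def device_access(rg: RG, wagf: WAGF, mac: str) -> dict:
    """Steps 412-419: attach, receive a number, authenticate with it at the W-AGF."""
    temp_number = rg.attach_device(mac)
    if temp_number is None:
        return {"success": False, "reason": "gateway has no free temporary number"}
    return wagf.authenticate_device(temp_number)


def demo() -> dict:
    # Constructed sample: one gateway subscribed for two temporary numbers,
    # three devices attaching, plus a number the UDM never issued.
    udm, amf = UDM({"460001234567890": 2}), AMF()
    wagf, rg = WAGF(amf), RG("460001234567890")
    gw_ok = gateway_authentication(rg, udm, amf, wagf)
    macs = ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03")
    devices = [device_access(rg, wagf, mac) for mac in macs]
    rogue = wagf.authenticate_device("TMP9999")
    return {"gateway_ok": gw_ok, "devices": devices, "rogue": rogue,
            "mac_binding": rg.mac_binding}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two lookups that matter for access control are both present: the W-AGF refuses any temporary number absent from its binding table before it ever contacts the AMF, and the AMF checks the number against the pool recorded for the gateway whose authentication succeeded, so a number cannot be used under a gateway other than the one it was issued to.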
The above embodiments of the present disclosure provide a method for associating a Device and an RG, so as to implement differentiated control and management functions for a terminal accessing a gateway. The above embodiments of the present disclosure may be used as a reference scheme for a future 6G fully-connected network architecture.
The embodiment of the invention can realize the differentiated policy control of each access user under the gateway by the mobile core network.
In the above embodiment of the present disclosure, the device and the 5G gateway may be bound by assigning the user temporary number to the device, so that each device can be separately identified by the core network, and thus, a single device may be subjected to targeted differential control.
In practical applications, many scenarios require differentiated policy control for individual users. For example, with a library RG according to the embodiment of the present disclosure, a manager can be given a high QoS guarantee and a visitor a low QoS guarantee; likewise, with a home gateway RG according to the embodiment, family members can be given a high QoS guarantee and visitors a low QoS guarantee. The embodiment of the disclosure can therefore better meet customers' requirements.
Figure 5 is a schematic diagram of some embodiments of gateways of the present disclosure. As shown in fig. 5, the gateway of the present disclosure may include a gateway authentication module 51 and a temporary number management module 52, where:
and a gateway authentication module 51 configured to perform gateway authentication after the gateway is powered on.
The temporary number management module 52 is configured to obtain a plurality of user temporary numbers allocated to the gateway by the unified data management network element after the gateway passes authentication; and under the condition that the device is attached to the gateway, allocating a user temporary number to the device so that the device adopts the user temporary number to a wired access gateway function network element for terminal authentication.
In some embodiments of the present disclosure, the temporary number management module 52 may be configured to assign different user temporary numbers to different devices in the case where multiple devices are attached to the gateway; and establishing a corresponding relation between the physical address of the device and the temporary number of the user.
The terminal temporary number management module newly added to the 5G-RG in the above embodiment of the present disclosure is configured to store the user temporary numbers sent by the 5GC and to allocate them to terminals.
Fig. 6 is a schematic diagram of some embodiments of a unified data management network element according to the present disclosure. As shown in fig. 6, the unified data management network element 60 of the present disclosure may include a temporary number assignment module 61, where:
The temporary number allocation module 61 is configured to allocate a plurality of user temporary numbers to the gateway once the gateway is powered on and has passed authentication, so that when a device is attached to the gateway, the gateway allocates a user temporary number to the device and the device uses that number to perform terminal authentication with the wired access gateway function network element.
In some embodiments of the present disclosure, the temporary number allocation module 61 is configured to allocate the plurality of user temporary numbers to the gateway according to the user subscription information once the gateway is powered on and has passed authentication.
The unified data management network element of the embodiment of the present disclosure thus adds a temporary number allocation module that, when the gateway is powered on and passes authentication, allocates a certain number of temporary user numbers to the successfully authenticated 5G-RG according to the user subscription information.
Fig. 7 is a schematic diagram of some embodiments of a wired access gateway function network element according to the present disclosure. As shown in fig. 7, the wired access gateway function network element of the present disclosure may include an authentication request receiving module 71 and a terminal authentication module 72, where:
The authentication request receiving module 71 is configured to receive a terminal authentication request, based on a user temporary number, sent by a device, where the user temporary number was allocated to the device by the gateway when the device attached to the gateway; the gateway performs gateway authentication after it is powered on and, after passing authentication, obtains the plurality of user temporary numbers allocated to it by the unified data management network element.
The terminal authentication module 72 is configured to perform terminal authentication of the device based on the user temporary number.
In some embodiments of the present disclosure, as shown in fig. 7, the wired access gateway function network element may further include a gateway authentication result receiving module 73 and a binding relationship storing module 74, where:
The gateway authentication result receiving module 73 is configured to receive, after the gateway authentication passes, the gateway authentication result sent by the unified data management network element via the authentication server function network element and the access and mobility management function network element; the gateway authentication result includes the plurality of user temporary numbers allocated to the gateway by the unified data management network element, and the authentication server function network element stores the gateway authentication result.
The binding relation storage module 74 is configured to store the binding relation between the gateway number and the user temporary numbers.
In some embodiments of the present disclosure, the terminal authentication module 72 may be configured to query the binding relation between gateway numbers and user temporary numbers and determine the gateway number corresponding to the user temporary number; to send an authentication request comprising the user temporary number and the corresponding gateway number to the access and mobility management function network element, so that it can look up the gateway authentication result of the gateway with that gateway number; and to receive the terminal authentication result returned by the access and mobility management function network element, which returns the terminal authentication result when the gateway authentication result of that gateway is successful, the terminal authentication result including the user temporary number.
In some embodiments of the present disclosure, as shown in fig. 7, the wired access gateway function network element may further include a tunnel establishment module 75, where:
The tunnel establishment module 75 is configured to establish an Internet security protocol (IPSec) tunnel between the wired access gateway function network element and the device after terminal authentication succeeds.
In the embodiment of the present disclosure, a Device user data management module is newly added to the W-AGF to store the binding relation between user temporary numbers and the 5G-RG, and a Device user plane module is newly added to the W-AGF to establish the IPSec tunnel with the Device, receive user plane data from the IPSec tunnel, and forward it to the UPF.
Fig. 8 is a schematic structural diagram of some embodiments of an electronic device of the present disclosure. As shown in fig. 8, the electronic device includes a memory 81 and a processor 82.
The memory 81 stores instructions, and the processor 82, coupled to the memory 81, is configured to execute, based on the instructions stored in the memory, the network access method of any of the above embodiments (for example, any of the embodiments of fig. 1 to 4).
In some embodiments of the present disclosure, the electronic device of the present disclosure may be implemented as a gateway of the present disclosure in the case where the processor 82 performs the network access method of the embodiment of fig. 1.
In some embodiments of the present disclosure, in a case where the processor 82 executes the network access method of the embodiment of fig. 2, the electronic device of the present disclosure may be implemented as a gateway virtual number management network element of the present disclosure.
In some embodiments of the present disclosure, in a case where the processor 82 executes the network access method of the embodiment of fig. 3, the electronic device of the present disclosure may be implemented as a unified data management network element of the present disclosure.
As shown in fig. 8, the electronic device further comprises a communication interface 83 for exchanging information with other devices, and a bus 84 over which the processor 82, the communication interface 83 and the memory 81 communicate with each other.
The memory 81 may include high-speed RAM and may further include non-volatile memory (e.g., at least one disk). The memory 81 may also be a memory array, and may be partitioned into blocks that are combined into virtual volumes according to certain rules.
Further, the processor 82 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present disclosure.
Fig. 9 is a schematic structural diagram of some embodiments of the network access system of the present disclosure. As shown in fig. 9, the network access system of the present disclosure may include a gateway 100 and a communication network 200, wherein:
The gateway 100 is configured to perform gateway authentication after it is powered on; after passing authentication, to obtain the plurality of user temporary numbers allocated to it by the communication network 200; and, when a device is attached to the gateway, to allocate a user temporary number to the device so that the device uses that number to perform terminal authentication with the wired access gateway function network element.
In some embodiments of the present disclosure, the gateway 100 may be implemented as a gateway as described in any of the embodiments above (e.g., the embodiment of fig. 5).
The communication network 200 is configured to allocate a plurality of user temporary numbers to the gateway once the gateway is powered on and has passed authentication, so that when a device is attached to the gateway, the gateway allocates a user temporary number to the device and the device uses that number to perform terminal authentication with the wired access gateway function network element.
In some embodiments of the present disclosure, the communication network 200 may be implemented as a core network.
Fig. 10 is a schematic structural diagram of another embodiment of a network access system according to the present disclosure. Fig. 10 also presents a schematic structural view of some embodiments of the communication network of the present disclosure. Fig. 4 also shows a schematic structural diagram of some further embodiments of the network access system and the communication network according to the present disclosure.
As shown in fig. 4 and 10, a communication network of the present disclosure (e.g., the communication network 200 in the embodiment of fig. 9) may include a wired access gateway function network element (W-AGF) 210, an access and mobility management function network element (AMF) 220, an authentication server function network element (AUSF) 230, a unified data management network element (UDM) 240, and a user plane function network element (UPF) 250, where:
The gateway 100 adds a terminal temporary number management module, configured to store the user temporary numbers issued by the 5GC and allocate them to terminals.
In some embodiments of the present disclosure, the gateway 100 may be implemented as a gateway as described in any of the above embodiments (e.g., the embodiment of fig. 7).
The wired access gateway function network element 210 adds a Device user data management module to the W-AGF, which stores the binding relation between user temporary numbers and the 5G-RG, and a Device user plane module, which establishes an IPSec tunnel with the Device, receives user plane data from the IPSec tunnel, and forwards it to the user plane function network element 250.
In some embodiments of the present disclosure, the wired access gateway function network element 210 may be implemented as the wired access gateway function network element described in any of the above embodiments (e.g., the embodiment of fig. 7).
In some embodiments of the present disclosure, the Device of the embodiment of fig. 9 may be implemented as a plurality of devices, such as Device1, Device2, and Device 3.
The unified data management network element 240 adds a temporary number allocation module that allocates a certain number of temporary user numbers to a successfully authenticated 5G-RG according to the user subscription information.
In some embodiments of the present disclosure, the unified data management network element 240 may be implemented as the unified data management network element described in any of the above embodiments (e.g., the embodiment of fig. 6).
The access and mobility management function network element 220 adds an RG user authentication module that authenticates identities in the format 'user temporary number @ 5G-RG number'.
In some embodiments of the present disclosure, in the process of executing the network access method of the present disclosure, each component of the network access system of the present disclosure may specifically be configured to:
and 5G-RG is used for carrying out normal EAP authentication from W-AGF to AMF after starting up.
And the UDM is used for returning a plurality of temporary user numbers allocated to the 5G-RG to the AMF through the AUSF after the authentication is passed.
AMF, for saving 5G-RG authentication result, returning authentication result to W-AGF through N2 message, carrying several temporary user numbers allocated to the 5G-RG,
W-AGF for storing the binding relation between RG and temporary number, W-AGF informs 5G-RG of successful authentication through W-CP message and carries temporary number,
5G-RG for storing temporary numbers. So far, the RG authentication procedure is completed.
And the Device is used for attaching the 5G-RG through the 802.1x protocol, and allocating a temporary number to the Device, and the Device carries the temporary number to the W-AGF for EAP authentication.
The W-AGF is used for inquiring the binding relationship, carrying the temporary number @ RG number to the AMF for authentication, inquiring the authentication result of the previous 5G-RG by the AMF, and returning the authentication result to the W-AGF; and establishing an IPSec tunnel between the W-AGF and the Device, transmitting the user plane data of the Device to the W-AGF through the IPSEC tunnel, and transmitting the user plane data to the UPF through the N3 interface.
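The following Python simulation carries the module descriptions above (gateway, UDM, W-AGF, AMF) and the two-phase procedure just listed through in code. It is an added example written for this page, not code from the patent or from China Telecom. It collapses the AUSF hop, the EAP/802.1X exchanges, the N2 and W-CP messages and the IPSec tunnel into direct method calls, and the temporary-number format "T<RG number>-<nn>", the RG number "RG001", the RG secret and the subscription quota are all constructed sample values.

```python
# Added illustrative simulation of the 5G-RG / Device temporary-number flow.
# Not the patent's or China Telecom's implementation; network elements are
# in-process objects and the AUSF, EAP/802.1X, N2/W-CP and IPSec steps are
# collapsed into method calls. All identifiers and data are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UDM:
    """Unified data management: RG subscriptions (constructed sample data).
    Maps an RG number to (RG secret, number of temporary numbers subscribed)."""
    subscriptions: Dict[str, Tuple[str, int]]

    def authenticate_rg(self, rg_number: str, secret: str) -> Optional[List[str]]:
        """Gateway authentication; on success allocate the subscribed quota."""
        entry = self.subscriptions.get(rg_number)
        if entry is None or entry[0] != secret:
            return None
        quota = entry[1]
        return [f"T{rg_number}-{i:02d}" for i in range(quota)]   # assumed format


@dataclass
class AMF:
    """Access and mobility management: keeps the RG authentication result and
    authenticates device identities of the form 'temp_number@rg_number'."""
    udm: UDM
    rg_results: Dict[str, List[str]] = field(default_factory=dict)

    def rg_authenticate(self, rg_number: str, secret: str) -> Optional[List[str]]:
        numbers = self.udm.authenticate_rg(rg_number, secret)
        if numbers is not None:
            # Only successful results are recorded, so a later failed attempt
            # cannot knock out devices authenticated under an earlier success.
            self.rg_results[rg_number] = list(numbers)
        return numbers

    def device_authenticate(self, identity: str) -> Optional[str]:
        temp_number, sep, rg_number = identity.partition("@")
        if not sep or not temp_number or not rg_number:
            return None                      # malformed identity
        allocated = self.rg_results.get(rg_number)
        if allocated is None or temp_number not in allocated:
            return None                      # RG not authenticated, or number not its own
        return temp_number                   # terminal authentication result


@dataclass
class WAGF:
    """Wireline access gateway function: binding table and device auth front end."""
    amf: AMF
    binding: Dict[str, str] = field(default_factory=dict)   # temp number -> RG number

    def rg_authenticate(self, rg_number: str, secret: str) -> Optional[List[str]]:
        numbers = self.amf.rg_authenticate(rg_number, secret)
        for number in numbers or []:
            self.binding[number] = rg_number                 # store RG <-> number binding
        return numbers

    def device_authenticate(self, temp_number: str) -> Optional[str]:
        rg_number = self.binding.get(temp_number)
        if rg_number is None:
            return None                      # unbound number: rejected before reaching the AMF
        return self.amf.device_authenticate(f"{temp_number}@{rg_number}")


@dataclass
class RG5G:
    """5G residential gateway with the terminal temporary number management module."""
    rg_number: str
    secret: str
    free_numbers: List[str] = field(default_factory=list)
    mac_to_number: Dict[str, str] = field(default_factory=dict)  # physical address -> number

    def power_on(self, wagf: WAGF) -> bool:
        numbers = wagf.rg_authenticate(self.rg_number, self.secret)
        self.free_numbers = list(numbers or [])
        return numbers is not None

    def attach_device(self, mac: str, wagf: WAGF) -> Optional[str]:
        """Device attach: hand out (or reuse) a temporary number, then authenticate."""
        number = self.mac_to_number.get(mac)
        if number is None:
            if not self.free_numbers:
                return None                  # subscribed quota exhausted
            number = self.free_numbers.pop(0)
            self.mac_to_number[mac] = number
        return wagf.device_authenticate(number)


def build_demo() -> Tuple[RG5G, WAGF]:
    """Wire up one RG entitled to two temporary numbers (constructed data)."""
    udm = UDM({"RG001": ("rg001-secret", 2)})
    wagf = WAGF(AMF(udm))
    return RG5G("RG001", "rg001-secret"), wagf


if __name__ == "__main__":
    rg, wagf = build_demo()
    print("RG authenticated:", rg.power_on(wagf))
    print("device 1:", rg.attach_device("aa:bb:cc:00:00:01", wagf))
    print("device 2:", rg.attach_device("aa:bb:cc:00:00:02", wagf))
    print("device 3:", rg.attach_device("aa:bb:cc:00:00:03", wagf))   # quota exhausted
    print("unbound number:", wagf.device_authenticate("TRG001-99"))
```

Two checks in the example are worth noting from a defender's view. The W-AGF rejects a temporary number that is not in its binding table before anything reaches the AMF, so unknown numbers cost the core network nothing; and the AMF independently verifies that the number belongs to the set it allocated to the named RG, so a correct-looking "number@RG" identity cannot borrow another gateway's authentication result. The quota check in the gateway is the point where a subscription-derived limit on attached devices is enforced.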
The present disclosure provides a system architecture through which a mobile core network can perform differentiated control and management of the different devices under an access gateway.
The above embodiments of the present disclosure provide a Device and RG association system that implements differentiated control and management of the terminals accessing a gateway, and can serve as a reference scheme for a future 6G fully-connected network architecture.
The embodiment of the present disclosure thus enables the mobile core network to apply differentiated policy control to each access user under the gateway.
The patent provides a Device and RG association scheme that realizes differentiated control and management functions for the terminals of the access gateway.
According to another aspect of the present disclosure, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores computer instructions, which when executed by a processor, implement the network access method according to any of the embodiments described above (e.g., any of the embodiments of fig. 1-4).
The above embodiments of the present disclosure provide a way for the core network to allocate a user temporary number to a device through the gateway and to bind the device (apparatus) to the gateway, so that the core network can identify a single device under the gateway and apply individual policy control to it.
It will be appreciated by those skilled in the art that embodiments of the present disclosure may be provided as a network access method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of network access methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The electronic device, gateway virtual number management network element, unified data management network element, authentication result sending module 91, number authentication module 92, number synchronization module 93, number assignment module 94, number management unit 85, number synchronization unit 84, correspondence establishment unit 83, number application receiving unit 81, number assignment unit 82, session establishment procedure initiation module 76, gateway authentication module 75, correspondence establishment module 74, number application module 71, number reception module 72, and authentication request initiation module 73 described above may be implemented as a general purpose processor, a Programmable Logic Controller (PLC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or any suitable combination thereof.
Thus far, the present disclosure has been described in detail. Some details well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware to implement the above embodiments, where the program may be stored in a non-transitory computer readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic or optical disk, and the like.
The description of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (18)

1. A network access method, comprising:
after the gateway is started, performing gateway authentication;
after the gateway passes the authentication, the gateway acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element;
in the case where the device is attached to the gateway, the gateway assigns a user temporary number to the device so that the device performs terminal authentication using the user temporary number to the wired access gateway function network element.
2. The network access method of claim 1, wherein the gateway assigning the user temporary number to the device in the case that the device is attached to the gateway comprises:
in the case where a plurality of devices are attached to the gateway, the gateway assigns different user temporary numbers to different devices;
and establishing a corresponding relation between the physical address of the device and the temporary number of the user.
3. A network access method, comprising:
when the gateway is started and the gateway passes the authentication, the unified data management network element allocates a plurality of user temporary numbers to the gateway, so that when the device is attached to the gateway, the gateway allocates the user temporary numbers to the device, and the device adopts the user temporary numbers to the wired access gateway function network element for terminal authentication.
4. A network access method, comprising:
a wired access gateway function network element receives a terminal authentication request which is sent by a device and is based on a user temporary number, wherein the user temporary number is allocated to the device by a gateway under the condition that the device is attached to the gateway; after the gateway is started, performing gateway authentication; after the gateway passes the authentication, the gateway acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element;
and the wired access gateway functional network element performs terminal authentication on the device based on the user temporary number.
5. The network access method of claim 4, further comprising:
after the gateway authentication is passed, the wired access gateway function network element receives a gateway authentication result sent by the unified data management network element through the authentication server function network element and the access and mobility management function network element, wherein the gateway authentication result comprises a plurality of user temporary numbers distributed to the gateway by the unified data management network element, and the authentication server function network element stores the gateway authentication result;
and the wired access gateway function network element stores the binding relationship between the gateway number and the user temporary number.
6. The network access method of claim 5, wherein the performing, by the wired access gateway function network element, terminal authentication of the device based on the user temporary number comprises:
the wired access gateway function network element queries the binding relation between the gateway number and the user temporary number and determines the gateway number corresponding to the user temporary number;
the wired access gateway function network element sends an authentication request to the access and mobility management function network element, wherein the authentication request comprises the user temporary number and the corresponding gateway number, so that the access and mobility management function network element queries the gateway authentication result of the gateway corresponding to the gateway number;
and the wired access gateway function network element receives a terminal authentication result returned by the access and mobility management function network element, wherein the access and mobility management function network element returns the terminal authentication result under the condition that the gateway authentication result of the gateway corresponding to the gateway number is successful, and the terminal authentication result comprises the user temporary number.
7. The network access method of claim 6, further comprising:
and after the terminal authentication is successful, the wired access gateway functional network element and the device establish an Internet security protocol tunnel.
8. A gateway, comprising:
the gateway authentication module is configured to perform gateway authentication after the gateway is started;
the temporary number management module is configured to acquire a plurality of user temporary numbers distributed to the gateway by the unified data management network element after the gateway passes the authentication; and under the condition that the device is attached to the gateway, allocating a user temporary number to the device so that the device adopts the user temporary number to a wired access gateway function network element for terminal authentication.
9. The gateway of claim 8, wherein:
a temporary number management module configured to assign different user temporary numbers to different devices in a case where a plurality of devices are attached to the gateway; and establishing a corresponding relation between the physical address of the device and the temporary number of the user.
10. A unified data management network element, comprising:
the temporary number distribution module is configured to distribute a plurality of user temporary numbers to the gateway under the condition that the gateway is powered on and the gateway passes authentication, so that the gateway distributes the user temporary numbers to the device under the condition that the device is attached to the gateway, and the device adopts the user temporary numbers to a wired access gateway function network element for terminal authentication.
11. A wired access gateway function network element, comprising:
an authentication request receiving module configured to receive a terminal authentication request based on a user temporary number transmitted by a device, wherein the user temporary number is allocated to the device by a gateway in the case that the device is attached to the gateway; after the gateway is started, performing gateway authentication; after the gateway passes the authentication, the gateway acquires a plurality of user temporary numbers distributed to the gateway by the unified data management network element;
a terminal authentication module configured to perform terminal authentication on the device based on the user temporary number.
12. The wired access gateway function network element of claim 11, further comprising:
the gateway authentication result receiving module is configured to receive a gateway authentication result sent by the unified data management network element through the authentication server function network element and the access and mobility management function network element after the gateway authentication is passed, wherein the gateway authentication result comprises a plurality of user temporary numbers allocated to the gateway by the unified data management network element, and the authentication server function network element stores the gateway authentication result;
and the binding relation storage module is configured to store the binding relation between the gateway number and the user temporary number.
13. The wired access gateway function network element of claim 12, wherein:
the terminal authentication module is configured to inquire the binding relationship between the gateway number and the user temporary number and determine the gateway number corresponding to the user temporary number; sending an authentication request to an access and mobility management function network element, wherein the authentication request comprises a user temporary number and a corresponding gateway number so that the access and mobility management function network element can inquire a gateway authentication result of a gateway corresponding to the gateway number; and receiving a terminal authentication result returned by the access and mobility management function network element, wherein the access and mobility management function network element returns the terminal authentication result under the condition that the gateway authentication result of the gateway corresponding to the gateway number is successful, and the terminal authentication result comprises the user temporary number.
14. The wired access gateway function network element of claim 13, further comprising:
and the tunnel establishing module is configured to establish an Internet security protocol tunnel between the wired access gateway function network element and the device after the terminal authentication is successful.
15. An electronic device, comprising:
a memory to store instructions;
a processor configured to execute the instructions to cause the electronic device to perform operations to implement the network access method of any of claims 1-7.
16. A communication network comprising a unified data management network element according to claim 10 and a wired access gateway function network element according to any of claims 11-14.
17. A network access system comprising a gateway as claimed in claim 8 or 9 and a communications network as claimed in claim 16.
18. A computer readable storage medium, wherein the computer readable storage medium stores computer instructions which, when executed by a processor, implement the network access method of any one of claims 1-7.
CN202210667138.1A 2022-06-14 2022-06-14 Network access method and system, communication network, electronic device and storage medium Pending CN114945172A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210667138.1A CN114945172A (en) 2022-06-14 2022-06-14 Network access method and system, communication network, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN114945172A true CN114945172A (en) 2022-08-26

Family

ID=82909516

Country Status (1)

Country Link
CN (1) CN114945172A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020201207A1 (en) * 2019-04-02 2020-10-08 Telefonaktiebolaget Lm Ericsson (Publ) System information for wireline access
US20210076301A1 (en) * 2018-05-22 2021-03-11 Huawei Technologies Co., Ltd. Network access method, related apparatus, and system
CN113055879A (en) * 2019-12-10 2021-06-29 华为技术有限公司 User identification access method and communication device
WO2022087947A1 (en) * 2020-10-29 2022-05-05 Lenovo (Beijing) Limited Correlating a user equipment and an access and mobility management function

Similar Documents

Publication Publication Date Title
CN110800331B (en) Network verification method, related equipment and system
RU2719447C1 (en) Method of configuring key, method of determining security policy and device
CN110214459B (en) Service processing method and device
WO2018202284A1 (en) Authorizing access to user data
CN109756896B (en) Information processing method, network equipment and computer readable storage medium
CN106656547B (en) Method and device for updating network configuration of household electrical appliance
CN111654862B (en) Registration method and device of terminal equipment
US11422786B2 (en) Method for interoperating between bundle download process and eSIM profile download process by SSP terminal
US11265244B2 (en) Data transmission method, PNF SDN controller, VNF SDN controller, and data transmission system
CN110944319B (en) 5G communication identity verification method, equipment and storage medium
CN111132305B (en) Method for 5G user terminal to access 5G network, user terminal equipment and medium
CN106101078B (en) A kind of IP multimedia subsystem, terminal and service implementation method
WO2018076922A1 (en) System and method for enabling mobile terminal of single imsi multiple msisdn to be concurrently online
CN108024241A (en) Terminal accessing authentication method, system and authentication server
CN109729515B (en) Method for realizing machine-card binding, user identification card and Internet of things terminal
CN112398800A (en) Data processing method and device
CN114945172A (en) Network access method and system, communication network, electronic device and storage medium
CN107046568B (en) Authentication method and device
US20200314630A1 (en) Physical address-based communication method, mobile terminal and communication database
CN102282800A (en) Terminal authentication method and apparatus
WO2019047714A1 (en) Temporary user credential generation method, user card, terminal, and network device
US11818572B2 (en) Multiple authenticated identities for a single wireless association
CN110062440B (en) WLAN connection control method, electronic device and storage medium
WO2022270228A1 (en) Device and method for providing communication service for accessing ip network, and program therefor
WO2021026927A1 (en) Communication method and related devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination