CN116828467A - Authentication method, system, electronic equipment and storage medium for terminal network access - Google Patents


Info

Publication number
CN116828467A
Authority
CN
China
Prior art keywords
pdu session
subscription
parameter
network
terminal
Legal status
Pending
Application number
CN202310922418.7A
Other languages
Chinese (zh)
Inventor
张停
季新生
陶剑
王春晓
姜坤
杨梅樾
贲星
Current Assignee
Network Communication and Security Zijinshan Laboratory
Original Assignee
Network Communication and Security Zijinshan Laboratory
Application filed by Network Communication and Security Zijinshan Laboratory
Priority to CN202310922418.7A
Publication of CN116828467A


Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04W WIRELESS COMMUNICATION NETWORKS / H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity / H04W12/08 Access security
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04W WIRELESS COMMUNICATION NETWORKS / H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity / H04W12/06 Authentication
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04W WIRELESS COMMUNICATION NETWORKS / H04W8/00 Network data management / H04W8/26 Network addressing or numbering for mobility support

Abstract

The application discloses an authentication method, system, electronic device and storage medium for terminal network access, belonging to the technical field of mobile communications. The authentication method is applied to a session management network element of a core network and comprises the following steps: receiving a PDU session establishment request initiated by a terminal device, where the PDU session establishment request includes a PDU session request parameter; querying the PDU session subscription parameter corresponding to the terminal device, where the PDU session subscription parameter comprises a PDU session subscription address and a PDU session subscription type; judging whether the PDU session request parameter matches the PDU session subscription parameter; and if so, judging that the terminal device passes authentication and establishing the PDU session so that the terminal device can access the network through the PDU session. The application can prevent illegal users from accessing the network and improves the security of terminal network access, which is a technical problem that those skilled in the art need to solve.

Description

Authentication method, system, electronic equipment and storage medium for terminal network access
Technical Field
The present application relates to the field of mobile communications technologies, and in particular, to a method and system for authenticating terminal access to a network, an electronic device, and a storage medium.
Background
The 5G communication network is known for its high reliability, low latency, large capacity and high speed, and mainly supports three application scenarios: enhanced mobile broadband (eMBB), massive machine-type communication (mMTC) and ultra-reliable low-latency communication (URLLC). A 5G network can therefore support access by more mobile terminals and create a good communication environment for human-machine interaction and the Internet of Everything.
With the wide adoption of 5G networks, more and more users access them through mobile terminals, and access by massive numbers of users places higher security requirements on 5G network access, so 5G network security is receiving more and more attention. User equipment (UE) access to the 5G network and identity authentication are the first barrier for the security of the 5G communication network, and an important link in guaranteeing the security of the 5G communication chain.
Therefore, how to prevent illegal users from accessing the network and improve the security of terminal access is a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
The application aims to provide an authentication method, system, electronic device and storage medium for terminal network access, which can prevent illegal users from accessing the network and improve the security of terminal access.
In order to solve the above technical problem, the present application provides an authentication method for terminal network access, which is applied to a session management network element of a core network and includes:
receiving a PDU session establishment request initiated by a terminal device, where the PDU session establishment request includes a PDU session request parameter;
querying the PDU session subscription parameter corresponding to the terminal device, where the PDU session subscription parameter comprises a PDU session subscription address and a PDU session subscription type;
judging whether the PDU session request parameter matches the PDU session subscription parameter;
if so, judging that the terminal device passes authentication and establishing a PDU session so that the terminal device can access the network through the PDU session.
Optionally, before judging whether the PDU session request parameter matches the PDU session subscription parameter, the method further includes:
judging whether the PDU session request parameter comprises a PDU session request address and a PDU session request type;
if so, entering the step of judging whether the PDU session request parameter matches the PDU session subscription parameter;
if not, judging that the terminal device fails authentication.
Optionally, judging whether the PDU session request parameter matches the PDU session subscription parameter includes:
judging whether the PDU session request address is the same as the PDU session subscription address, obtaining a first judgment result;
judging whether the PDU session request type is the same as the PDU session subscription type, obtaining a second judgment result;
if the first judgment result and the second judgment result are both yes, judging that the PDU session request parameter matches the PDU session subscription parameter;
if the first judgment result and the second judgment result are not both yes, judging that the PDU session request parameter does not match the PDU session subscription parameter.
Optionally, establishing the PDU session includes:
determining a target PDU session type according to the PDU session request address and the PDU session subscription address;
and establishing the PDU session according to the PDU session subscription address and the target PDU session type.
Optionally, querying the PDU session subscription parameter corresponding to the terminal device includes:
obtaining a user identifier corresponding to the terminal device, and querying the PDU session subscription parameter according to the user identifier.
Optionally, querying the PDU session subscription parameter according to the user identifier includes:
initiating a subscription data retrieval procedure towards a unified data management function network element according to the user identifier, and obtaining the PDU session subscription parameter corresponding to the terminal device returned by the unified data management function network element.
Optionally, the PDU session subscription parameter further comprises an authentication flag field;
correspondingly, before judging whether the PDU session request parameter matches the PDU session subscription parameter, the method further includes:
judging whether the authentication flag field is a preset value;
if so, entering the step of judging whether the PDU session request parameter matches the PDU session subscription parameter;
if not, allowing the terminal device to access the network.
The application also provides an authentication system for terminal network access, which is applied to a session management network element of a core network and comprises:
a request receiving module, configured to receive a PDU session establishment request initiated by a terminal device, where the PDU session establishment request includes a PDU session request parameter;
a subscription information query module, configured to query the PDU session subscription parameter corresponding to the terminal device, where the PDU session subscription parameter comprises a PDU session subscription address and a PDU session subscription type;
a judging module, configured to judge whether the PDU session request parameter matches the PDU session subscription parameter and, if so, to judge that the terminal device passes authentication and establish a PDU session so that the terminal device can access the network through the PDU session.
The application also provides a storage medium storing a computer program which, when executed, implements the steps of the above authentication method for terminal network access.
The application also provides an electronic device comprising a memory and a processor, where the memory stores a computer program and the processor, when invoking the computer program in the memory, implements the steps of the above authentication method for terminal network access.
The application provides an authentication method for terminal network access, applied to a session management network element of a core network, comprising the following steps: receiving a PDU session establishment request initiated by a terminal device, where the PDU session establishment request includes a PDU session request parameter; querying the PDU session subscription parameter corresponding to the terminal device, where the PDU session subscription parameter comprises a PDU session subscription address and a PDU session subscription type; judging whether the PDU session request parameter matches the PDU session subscription parameter; and if so, judging that the terminal device passes authentication and establishing a PDU session so that the terminal device can access the network through the PDU session.
After receiving the PDU session establishment request initiated by the terminal device, the session management network element obtains the PDU session subscription parameter recorded when the terminal device subscribed. It compares the PDU session request parameter carried in the PDU session establishment request with that subscription parameter; if they match, the terminal device is deemed to pass authentication, and a PDU session is established so that the terminal device can access the network through it. By comparing the information in the PDU session establishment request with the information recorded at subscription, the application authenticates the terminal device, prevents illegal users from accessing the network, and improves the security of terminal network access. The application also provides an authentication system for terminal network access, a storage medium and an electronic device, which have the same beneficial effects and are not described again here.
Drawings
For a clearer description of the embodiments of the present application, the drawings required by the embodiments are briefly described below. It will be apparent that the drawings in the following description show only some embodiments of the present application, and that those skilled in the art may derive other drawings from them without inventive effort.
Fig. 1 is a flowchart of an authentication method for terminal network access according to an embodiment of the present application;
Fig. 2 is a system diagram of 5G terminal access authentication according to an embodiment of the present application;
Fig. 3 is an architecture diagram of a 5G core network authorised-IP-address access authentication system according to an embodiment of the present application;
Fig. 4 is a service logic diagram of a 5G terminal PDU access authentication system according to an embodiment of the present application;
Fig. 5 is a flowchart of the authentication performed by the SMF network element on 5G terminal access according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an authentication system for terminal network access according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are obviously only some, not all, of the embodiments of the present application. All other embodiments obtained by those skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the application.
Referring to Fig. 1, Fig. 1 is a flowchart of an authentication method for terminal network access according to an embodiment of the present application.
The specific steps may include:
S101: receiving a PDU session establishment request initiated by a terminal device;
This embodiment may be applied to a session management function (SMF) network element of a core network. The terminal device, i.e. the user equipment (UE), is the device that wants to access the core network, and the session management network element may receive the PDU session establishment request initiated by the terminal device through a 5G base station (gNB). Specifically, the terminal device may initiate a PDU (Protocol Data Unit) session establishment request to the access and mobility management function (AMF) network element through the 5G base station, and the PDU session establishment request received by the access and mobility management network element is forwarded to the session management network element.
The PDU session establishment request may include a PDU session request parameter. If the PDU session establishment request is initiated by a legal user through the terminal device, the PDU session request parameter may include a PDU session request type and a PDU session request address. The PDU session request type describes the type of PDU session the terminal device wants to establish, and the PDU session request address describes the IP address with which the PDU session is requested to be established.
S102: querying the PDU session subscription parameter corresponding to the terminal device;
Before this step, the terminal device may have performed a network access subscription. The PDU session parameters specified at subscription are the PDU session subscription parameters, which include a PDU session subscription type and a PDU session subscription address. The PDU session subscription parameters correspond one-to-one to the user identifiers of subscribers, so on the basis of this correspondence the PDU session subscription parameters can be queried according to the user identifier corresponding to the terminal device. For example, the embodiment may obtain the user identifier corresponding to the terminal device and query the PDU session subscription parameter according to that user identifier.
As a possible implementation, if no PDU session subscription parameter is found, or the PDU session subscription parameter does not include a PDU session subscription type and a PDU session subscription address, it may be determined that the terminal device fails authentication.
The PDU session subscription type may include IPv4, IPv6, etc. The PDU session subscription address is the address specified when the user subscribes, such as an IPv4 address or an IPv6 address, that is used when establishing the PDU session; during network access, the target PDU session type allowed for the current PDU session can be determined according to the PDU session subscription address in order to establish the PDU session.
S103: judging whether the PDU session request parameter matches the PDU session subscription parameter; if so, proceeding to step S104; if not, ending the procedure;
After obtaining the PDU session request parameter and the PDU session subscription parameter, the two are compared; if the PDU session request parameter is consistent with the PDU session subscription parameter recorded at subscription, the operations of S104 are performed. If the PDU session request parameter is inconsistent with the PDU session subscription parameter recorded at subscription, the procedure may be ended and it may be determined that the terminal device fails authentication.
S104: judging that the terminal device passes authentication, and establishing a PDU session so that the terminal device can access the network through the PDU session.
In this embodiment, after receiving the PDU session establishment request initiated by the terminal device, the session management network element obtains the PDU session subscription parameter recorded when the terminal device subscribed. It compares the PDU session request parameter carried in the PDU session establishment request with that subscription parameter; if they match, the terminal device is deemed to pass authentication, and a PDU session is established so that the terminal device can access the network through it. By comparing the information in the PDU session establishment request with the information recorded at subscription, this embodiment authenticates the terminal device, prevents illegal users from accessing the network, and improves the security of terminal network access.
As a further description of the embodiment of Fig. 1, before judging whether the PDU session request parameter matches the PDU session subscription parameter, the identity of the terminal device may be pre-screened as follows: judge whether the PDU session request parameter comprises a PDU session request address and a PDU session request type; if so, enter the step of judging whether the PDU session request parameter matches the PDU session subscription parameter; if not, judge that the terminal device fails authentication. In this way, PDU session establishment requests that carry no PDU session request address and PDU session request type can be rejected outright, which improves authentication efficiency and reduces the computation of the authentication operation.
Once the PDU session request parameter is known to contain a PDU session request address and a PDU session request type, whether it matches the PDU session subscription parameter can be judged as follows: judge whether the PDU session request address is the same as the PDU session subscription address, obtaining a first judgment result; judge whether the PDU session request type is the same as the PDU session subscription type, obtaining a second judgment result; if the first judgment result and the second judgment result are both yes, judge that the PDU session request parameter matches the PDU session subscription parameter; if they are not both yes, judge that the PDU session request parameter does not match the PDU session subscription parameter. In this way, access requests from terminal devices that have not subscribed can be filtered out, and the security of terminal network access is improved.
Specifically, this embodiment may establish the PDU session as follows: determine a target PDU session type according to the PDU session request address and the PDU session subscription address; and establish the PDU session according to the PDU session subscription address and the target PDU session type. In this way, the stability of PDU session establishment can be improved.
As a further description of the embodiment of Fig. 1, the PDU session subscription parameters fixed when the terminal device subscribed may be obtained as follows: query the user identifier corresponding to the terminal device, and initiate a subscription data retrieval procedure towards the unified data management (UDM) network element according to that user identifier to obtain the PDU session subscription parameters corresponding to the terminal device returned by the unified data management network element.
The PDU session subscription parameter may further include an authentication flag field CRAF (also called the strong authentication flag), so that before judging whether the PDU session request parameter matches the PDU session subscription parameter, it may further be judged whether the authentication flag field is a preset value (i.e. a value indicating that the flag is enabled); if so, enter the step of judging whether the PDU session request parameter matches the PDU session subscription parameter; if not, the terminal device may be allowed to access the network directly without performing the authentication procedure of S103 to S104 of the embodiment of Fig. 1.
The flow described in the above embodiment is explained below by way of an embodiment in practical application. To further improve the security of the 5G network, this embodiment provides an access authentication scheme that supports an authorised IP address for the 5G terminal, thereby preventing network hackers from tracking and stealing user data and guaranteeing the security of the 5G network.
Referring to Fig. 2, Fig. 2 is a system diagram of 5G terminal access authentication provided by an embodiment of the present application. Fig. 2 shows a terminal device, a 5G base station, an access and mobility management network element AMF, a session management network element SMF, a unified data management function network element UDM, a user plane function network element UPF, a unified data repository network element UDR (Unified Data Repository), and a 5GC network management system, i.e. the 5G core network operation and maintenance (OAM) system; normal network access parameters, the strong authentication flag and the subscribed static IP address may be transmitted between these network elements.
When the core network initially provisions the terminal device, the core network management system configures the terminal device's normal access parameters based on SUPI (Subscription Permanent Identifier) access authentication, and additionally needs to add the authentication flag field CRAF and a subscribed static IP address field (i.e. the PDU session subscription address). Since the terminal device needs to carry the authorised IP address provisioned at that time (i.e. the PDU session request address) when establishing the PDU session, and this IP address, like the SUPI, is unique across the whole network and can serve as an identifier of the user identity, the terminal device needs to support configuration of the PDU session request address. In specific scenarios such as user tracking and source tracing, when the terminal device accesses the network, the core network needs to check whether the PDU session request type carried by the terminal device is consistent with the PDU session type recorded at subscription (i.e. the PDU session subscription type). If the PDU session request type carried by the terminal device is not the PDU session type recorded at subscription, the terminal device is currently not authorised, user tracking and source tracing are not permitted, and access is refused.
Referring to Fig. 3, Fig. 3 is a schematic diagram of a 5G core network authorised-IP-address access authentication system according to an embodiment of the present application. In Fig. 3, NSSF represents the Network Slice Selection Function; NEF the Network Exposure Function; NRF the Network Repository Function; PCF the Policy Control Function; UDM the Unified Data Management network element; AF the Application Function; Nnssf, Nnef, Npcf, Nudm, Naf, Nnssaaf, Nausf, Namf, Nsmf and Nudr the service-based interfaces provided by NSSF, NEF, PCF, UDM, AF, NSSAAF, AUSF, AMF, SMF and UDR respectively; NSSAAF the Network Slice Specific Authentication and Authorization Function; AUSF the Authentication Server Function; AMF the Access and Mobility Management Function network element; SMF the Session Management Function network element; SCP the Service Communication Proxy; UDR the Unified Data Repository; N1, N2, N3, N4, N6 and N9 the respective interfaces of the PDU session; UE the 5G terminal device; (R)AN the (Radio) Access Network; UPF the User Plane Function network element; and DN the Data Network.
Referring to Fig. 4, Fig. 4 is a service logic diagram of a 5G terminal PDU access authentication system provided by an embodiment of the present application. The access network/terminal device initiates a PDU session establishment request (including the PDU session request type, PDU session request address, etc.) to the access and mobility management network element; the access and mobility management network element sends a PDU session creation request message (including the user identifier, PDU session ID, slice information, etc.) to the session management network element; and the session management network element retrieves session management subscription data (PDU session subscription type, PDU session subscription address, CRAF strong authentication flag, etc.) from the unified data management function network element in order to check the validity of the PDU session request type and PDU session request address. After the validity check passes, the session management network element returns a PDU session creation response message to the access and mobility management network element, enters the N4 session creation procedure, and the base station's N3 tunnel endpoint identifier is updated to the core network; for an IPv6 session within the core network, the session management network element may receive router solicitations and send router advertisements via N4 GTP (GPRS Tunnelling Protocol) packets.
Referring to fig. 5, fig. 5 is a flowchart of authentication of an access SMF network element of a 5G terminal according to an embodiment of the present application, and the specific process is as follows:
step 1) at the initial moment, a 5G terminal device initiates a PDU session establishment request through a base station;
if the PDU session establishment request is initiated by a legal user through the terminal equipment, the PDU session establishment request carries a PDU session request type, a PDU session request address and other PDU establishment parameters, wherein the PDU session request address is set as an authorized IP address of the network management system for number placement and is used as an identifier of the terminal equipment. If the PDU session establishment request is a request initiated by an illegal user through the terminal device, there may be a loss of parameters in the PDU session establishment request.
Step 2), the session management network element receives the PDU session creation request message transmitted by the access and mobility management network element, judges the current message as a PDU session creation request, stores the request information, and initiates a subscription data flow for obtaining the terminal equipment to the unified data management function network element to obtain PDU session subscription parameters for signing the terminal equipment, such as PDU session subscription type, PDU session subscription address, strong authentication identifier CRAF and other normal parameters.
Step 3), the session management network element judges whether the current user starts a strong authentication mark CRAF; and if the strong authentication flag CRAF is started, executing the subsequent PDU session request address authentication flow. If the strong authentication mark CRAF is not started, the authentication is directly judged to be successful, the step is transferred to the step 6), and the subsequent PDU session establishment flow is continued.
And 4) the session management network element judges whether the PDU session establishment request carries a PDU session request type and a PDU session request address, if so, the subsequent step is executed, and if not, the authentication fails, the access is refused. Judging whether the PDU session request parameter is the same as the PDU session subscription parameter (namely, the PDU session request type is the same as the PDU session subscription type, and the PDU session request address is the same as the PDU session subscription address); if the authentication is the same, executing the subsequent steps, and if the authentication is not the same, judging that the authentication fails.
Step 5), the session management network element determines a target PDU session type according to the PDU session request address and the PDU session subscription address, and instructs the user plane function network element to establish a PDU session using the target PDU session type and the PDU session subscription address.
During this process, the session management network element replies to the access and mobility management network element with a PDU session creation response message, and decides the PDU session type allowed for the current PDU session according to the PDU session request address and the PDU session subscription address.
After the PDU session is established successfully, authentication is judged successful and the network access flow continues. In the network access procedure, the session management network element may notify the user plane function network element UPF to establish a new N4 session for the PDU session. The base station updates its Tunnel Endpoint Identifier (TEID) information to the core network user plane function element. When the PDU session request type is IPv6, the IPv6 address prefix IPv6Prefix is delivered to the terminal device through a Router Advertisement (RA) message. The Router Advertisement (RA) message may be sent to the terminal device either actively by the session management network element or in response to a Router Solicitation (RS) message. The session management network element may start a timer after the new N4 session is established to wait for a Router Solicitation (RS) message from the terminal device, and send a Router Advertisement (RA) message to the user plane function network element over the N4-u tunnel once the Router Solicitation (RS) message is received or the timer expires. The user plane function network element strips the N4 tunnel GTP header according to the forwarding rule, encapsulates the N3 tunnel GTP header, and sends the message on to the terminal device.
In this embodiment, in specific scenarios such as user tracking and source tracing, the terminal device initiates a PDU connection establishment request to the core network carrying a PDU session request address, and the core network decides whether to allow the terminal device to access by comparing whether the PDU session subscription type is consistent with the PDU session request type. This prevents tracking and data theft by a "network hacker", further improves the communication security of the 5G network, and ensures a sound communication environment for users.
Specifically, the 5G core network OAM needs to add the CRAF strong authentication flag and the current user's authorized IP address (the subscription authorization address). The UDR needs to modify the session management data structure of its subscription data table so that, besides the normal parameters, it also stores the CRAF strong authentication flag and the current user's subscription authorization address, and it must store and support authentication of the 5G terminal's authorized IP address. The PDU session establishment request message on the N1 interface is modified by adding a custom field, the PDU session request address, representing the IP address carried by the UE when it accesses the network. When the UE initiates PDU session establishment it must carry the PDU session request address agreed at subscription; the SMF network element receives the PDU session creation request, obtains the session management subscription data, and then performs the IP network access authentication. Besides returning the normal parameters, the subscription data must also modify the data network configuration structure in the N10 interface to return the CRAF strong authentication flag and the current user's subscription authorization address. The specific changes are as follows:
5G core network OAM:
CRAF strong authentication flag: a boolean value, where true means strong authentication access is required and false means it is not. Current user authorized IP address (subscription authorization address): a custom type comprising whether an authorized address is configured (HasStaticIPAddress), the subscribed authorized IP address type (StaticIPAddressType) and the subscribed authorized address (StaticIPAddress).
1) Whether an authorized address is configured, HasStaticIPAddress: a boolean value, where true means an authorized address is configured and false means none is configured.
2) Subscribed authorized IP address type, StaticIPAddressType: an enumeration type, whose enumeration values 0, 1, 2 and 3 respectively represent IPv4, IPv6 and IPv4v6.
3) Subscribed authorized IP address value, StaticIPAddress: of type IP address, containing IPv4Addr, IPv6Addr and IPv6Prefix. If the subscribed authorized IP address type is IPv4, only the IPv4 address is filled in; if it is IPv6, only the IPv6 address is filled in; if it is IPv4v6, both the IPv4 and the IPv6 address must be filled in. When the IPv6 address is filled in, both the IPv6Addr and the IPv6Prefix fields must be filled in, where IPv6Addr is the complete IPv6 address and IPv6Prefix is the IPv6 address prefix.
N1 interface PDU session establishment request message: a new custom field, PDU session request address, is added, representing the IP address carried by the UE for access authentication.
The embodiment can add an optional element "PDU session request address" to the definition table of the PDU session establishment request type; the format of the element is TLV and its length is 5 to 21 octets.
The present embodiment may further provide Table 1, which adds the PDU session request address to the type definition table.
TABLE 1
This embodiment can also specify that the PDU session type value in octet 3 consists of 8 bits, where bits 4 to 8 are spare bits that shall be encoded as 0. The session request address information occupies octet 4 to octet 23: if the PDU session type indicates IPv4, octets 4 to 7 of the session request address information contain an IPv4 address; if the PDU session type indicates IPv6, octets 4 to 19 contain the full IPv6 address; if the PDU session type indicates IPv4v6, octets 4 to 19 contain the full IPv6 address and octets 20 to 23 contain the IPv4 address.
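As an added worked example (not code from the patent), the following Python encodes and strictly decodes the custom "PDU session request address" element using the octet layout just described: octet 1 is the element identifier, octet 2 the length of the remaining octets (5, 17 or 21, hence the 5 to 21 range), octet 3 the PDU session type, and octets 4 onward the address bytes. The identifier value 0xE0 is a placeholder, and the type codes in bits 1 to 3 of octet 3 (IPv4 = 1, IPv6 = 2, IPv4v6 = 3) are assumed to follow the PDU session type coding of 3GPP TS 24.501; the patent text does not fix either value. The decoder rejects any length that does not match the declared type, which is the check an SMF needs so that a malformed or truncated element cannot be mistaken for a valid address.

```python
"""Encoder/decoder for the custom N1 "PDU session request address" TLV element.

Added illustration of the layout described in the text; not the patent's code.
Assumptions: IEI 0xE0 is a placeholder, session type codes follow TS 24.501.
"""
import ipaddress
from typing import Optional, Tuple

IEI_PDU_SESSION_REQUEST_ADDRESS = 0xE0  # placeholder identifier, not from the patent

PDU_SESSION_TYPE_IPV4 = 0b001    # assumed coding (TS 24.501 PDU session type values)
PDU_SESSION_TYPE_IPV6 = 0b010
PDU_SESSION_TYPE_IPV4V6 = 0b011

# Length of octets 3..N per session type: 1 type octet + address bytes.
_EXPECTED_LENGTH = {
    PDU_SESSION_TYPE_IPV4: 1 + 4,        # 5
    PDU_SESSION_TYPE_IPV6: 1 + 16,       # 17
    PDU_SESSION_TYPE_IPV4V6: 1 + 16 + 4,  # 21
}


class MalformedElement(ValueError):
    """Raised when the element deviates from the specified layout."""


def encode_request_address(session_type: int,
                           ipv4: Optional[str] = None,
                           ipv6: Optional[str] = None) -> bytes:
    """Build the element: IEI, length, octet 3 (type, spare bits 4-8 = 0), address bytes."""
    body = bytes([session_type & 0x07])
    if session_type == PDU_SESSION_TYPE_IPV4:
        body += ipaddress.IPv4Address(ipv4).packed               # octets 4-7
    elif session_type == PDU_SESSION_TYPE_IPV6:
        body += ipaddress.IPv6Address(ipv6).packed               # octets 4-19
    elif session_type == PDU_SESSION_TYPE_IPV4V6:
        body += ipaddress.IPv6Address(ipv6).packed               # octets 4-19
        body += ipaddress.IPv4Address(ipv4).packed               # octets 20-23
    else:
        raise ValueError("unsupported PDU session type")
    return bytes([IEI_PDU_SESSION_REQUEST_ADDRESS, len(body)]) + body


def decode_request_address(element: bytes) -> Tuple[int, Optional[str], Optional[str]]:
    """Return (session_type, ipv4, ipv6); raise MalformedElement on any layout violation."""
    if len(element) < 3 or element[0] != IEI_PDU_SESSION_REQUEST_ADDRESS:
        raise MalformedElement("missing identifier or truncated element")
    length = element[1]
    if not 5 <= length <= 21 or len(element) != 2 + length:
        raise MalformedElement("length outside 5..21 or inconsistent with element size")
    session_type = element[2] & 0x07  # bits 4-8 are spare; the receiver ignores them
    if session_type not in _EXPECTED_LENGTH:
        raise MalformedElement("unknown PDU session type")
    if _EXPECTED_LENGTH[session_type] != length:
        raise MalformedElement("length does not match the PDU session type")
    addr = element[3:]
    if session_type == PDU_SESSION_TYPE_IPV4:
        return session_type, str(ipaddress.IPv4Address(addr)), None
    if session_type == PDU_SESSION_TYPE_IPV6:
        return session_type, None, str(ipaddress.IPv6Address(addr))
    return (session_type,
            str(ipaddress.IPv4Address(addr[16:20])),
            str(ipaddress.IPv6Address(addr[:16])))


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), round-tripped through the codec.
    elem = encode_request_address(PDU_SESSION_TYPE_IPV4V6, ipv4="192.0.2.7", ipv6="2001:db8::7")
    print(elem.hex(), decode_request_address(elem))
```

The decoder deliberately ties the length octet to the declared type instead of trusting either alone: an element that claims IPv4v6 but carries only 17 address octets, or that is cut short in transit, is refused before any address is extracted, so the later comparison against the subscription only ever sees a well-formed value.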
In this embodiment, an optional element, static IP address, may be added to the definition table of the Dnn configuration type, with data type IP address array and cardinality 1, 2, 3, …. The static IP address describes the subscribed IPv4 and/or IPv6 addresses. An optional strong authentication flag field may also be added to the same table, with data type boolean and cardinality 1, 2, 3, …. The strong authentication flag field describes whether IP identity authentication and authorization is required: true means it is required, false means it is not. If the strong authentication flag field is absent, the subscription data does not require IP authentication and authorization.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an authentication system for terminal access, which is provided by an embodiment of the present application, and the system may be applied to a session management network element of a core network, where the authentication system for terminal access includes:
a request receiving module 601, configured to receive a PDU session establishment request initiated by a terminal device; wherein the PDU session establishment request includes a PDU session request parameter;
a subscription information query module 602, configured to query PDU session subscription parameters corresponding to the terminal device; the PDU session subscription parameters comprise PDU session subscription addresses and PDU session subscription types;
a judging module 603, configured to judge whether the PDU session request parameter meets the PDU session subscription parameter;
and the network access module 604 is configured to determine that the terminal device passes authentication if the PDU session request parameter meets the PDU session subscription parameter, and establish a PDU session so that the terminal device accesses the network through the PDU session.
In this embodiment, after receiving a PDU session establishment request initiated by a terminal device, the session management network element obtains the PDU session subscription parameters recorded when the terminal device subscribed. The session management network element compares the PDU session request parameters carried in the PDU session establishment request with the PDU session subscription parameters; if the PDU session request parameters conform to the PDU session subscription parameters, the terminal device is deemed to have passed authentication, and a PDU session is established so that the terminal device can access the network through it. The embodiment authenticates the terminal device by comparing the information in the PDU session establishment request with the subscription information, preventing unauthorized users from accessing the network and improving the security of terminal network access.
Further, the system further comprises:
the pre-judging module is used for judging whether the PDU session request parameter comprises a PDU session request address and a PDU session request type; if yes, entering a workflow corresponding to a judging module 603; if not, judging that the terminal equipment does not pass the authentication.
Further, the process by which the judging module 603 determines whether the PDU session request parameter conforms to the PDU session subscription parameter includes: judging whether the PDU session request address is the same as the PDU session subscription address, obtaining a first judgment result; judging whether the PDU session request type is the same as the PDU session subscription type, obtaining a second judgment result; if both the first and the second judgment result are yes, judging that the PDU session request parameter conforms to the PDU session subscription parameter; and if the first and the second judgment result are not both yes, judging that the PDU session request parameter does not conform to the PDU session subscription parameter.
Further, the procedure of establishing the PDU session by the network access module 604 includes: determining a target PDU session type according to the PDU session request address and the PDU session subscription address; and establishing the PDU session according to the PDU session subscription address and the target PDU session type.
Further, the process of querying the PDU session subscription parameters corresponding to the terminal device by the subscription information querying module 602 includes: and acquiring a user identifier corresponding to the terminal equipment, and inquiring the PDU session subscription parameters according to the user identifier.
Further, the process of the subscription information query module 602 for querying the PDU session subscription parameters according to the user id includes: and initiating a subscription data acquisition process to a unified data management function network element according to the user identification to obtain PDU session subscription parameters corresponding to the terminal equipment returned by the unified data management function network element.
Further, the PDU session subscription parameter further comprises an authentication mark field;
correspondingly, the system further comprises:
the authentication mark judging module is used for judging whether the authentication mark field is a preset value or not; if yes, entering a workflow corresponding to a judging module 603; and if not, allowing the terminal equipment to access the network.
Since the embodiments of the system portion and the embodiments of the method portion correspond to each other, the embodiments of the system portion refer to the description of the embodiments of the method portion, which is not repeated herein.
The present application also provides a storage medium on which a computer program is stored which, when executed, performs the steps provided by the above embodiments. The storage medium may include a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The application also provides an electronic device, which can comprise a memory and a processor, wherein the memory stores a computer program, and the processor can realize the steps provided by the embodiment when calling the computer program in the memory. Of course the electronic device may also include various network interfaces, power supplies, etc.
In the description, each embodiment is described in a progressive manner, with each embodiment focusing on its differences from the others, so that the same or similar parts among the embodiments can be referred to one another. For the system disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively brief and the relevant points refer to the description of the method section. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the application can be made without departing from its principles, and these modifications and adaptations are intended to fall within the scope of the application as defined in the following claims.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. The authentication method for terminal network access is characterized by being applied to session management network elements of a core network, and comprises the following steps:
receiving a PDU session establishment request initiated by a terminal device; wherein the PDU session establishment request includes a PDU session request parameter;
inquiring PDU session subscription parameters corresponding to the terminal equipment; the PDU session subscription parameters comprise PDU session subscription addresses and PDU session subscription types;
judging whether the PDU session request parameter accords with the PDU session subscription parameter;
if yes, judging that the terminal device passes authentication, and establishing a PDU session so that the terminal device can access a network through the PDU session.
2. The authentication method for terminal access according to claim 1, further comprising, before determining whether the PDU session request parameter corresponds to the PDU session subscription parameter:
judging whether the PDU session request parameter comprises a PDU session request address and a PDU session request type;
if yes, a step of judging whether the PDU session request parameter accords with the PDU session subscription parameter is entered;
if not, judging that the terminal equipment does not pass the authentication.
3. The authentication method for terminal access according to claim 2, wherein determining whether the PDU session request parameter meets the PDU session subscription parameter comprises:
judging whether the PDU session request address is the same as the PDU session subscription address or not, and obtaining a first judgment result;
judging whether the PDU session request type is the same as the PDU session subscription type or not, and obtaining a second judgment result;
if the first judging result and the second judging result are both yes, judging that the PDU session request parameter accords with the PDU session subscription parameter;
and if the first judgment result and the second judgment result are not both yes, judging that the PDU session request parameter does not conform to the PDU session subscription parameter.
4. The authentication method for terminal access to network according to claim 2, wherein the establishing a PDU session comprises:
determining a target PDU session type according to the PDU session request address and the PDU session subscription address;
and establishing the PDU session according to the PDU session subscription address and the target PDU session type.
5. The authentication method for terminal access to the network according to claim 1, wherein the querying the PDU session subscription parameters corresponding to the terminal device includes:
and acquiring a user identifier corresponding to the terminal equipment, and inquiring the PDU session subscription parameters according to the user identifier.
6. The authentication method for terminal network access according to claim 5, wherein querying the PDU session subscription parameters according to the user identifier comprises:
and initiating a subscription data acquisition process to a unified data management function network element according to the user identification to obtain PDU session subscription parameters corresponding to the terminal equipment returned by the unified data management function network element.
7. The authentication method for terminal access according to any one of claims 1 to 6, wherein the PDU session subscription parameter further comprises an authentication flag field;
correspondingly, before judging whether the PDU session request parameter accords with the PDU session subscription parameter, the method further comprises:
judging whether the authentication mark field is a preset value or not;
if yes, a step of judging whether the PDU session request parameter accords with the PDU session subscription parameter is entered;
and if not, allowing the terminal equipment to access the network.
8. An authentication system for terminal access to a network, which is characterized by being applied to a session management network element of a core network, comprising:
a request receiving module, configured to receive a PDU session establishment request initiated by a terminal device; wherein the PDU session establishment request includes a PDU session request parameter;
the subscription information inquiry module is used for inquiring PDU session subscription parameters corresponding to the terminal equipment; the PDU session subscription parameters comprise PDU session subscription addresses and PDU session subscription types;
the judging module is used for judging whether the PDU session request parameter conforms to the PDU session subscription parameter; if yes, judging that the terminal device passes authentication, and establishing a PDU session so that the terminal device can access a network through the PDU session.
9. An electronic device comprising a memory and a processor, the memory having stored therein a computer program, the processor, when invoking the computer program in the memory, performing the steps of the authentication method for terminal network access according to any of claims 1 to 7.
10. A storage medium having stored therein computer-executable instructions which, when loaded and executed by a processor, perform the steps of the authentication method for terminal network access according to any of claims 1 to 7.
CN202310922418.7A 2023-07-26 2023-07-26 Authentication method, system, electronic equipment and storage medium for terminal network access Pending CN116828467A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310922418.7A CN116828467A (en) 2023-07-26 2023-07-26 Authentication method, system, electronic equipment and storage medium for terminal network access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310922418.7A CN116828467A (en) 2023-07-26 2023-07-26 Authentication method, system, electronic equipment and storage medium for terminal network access

Publications (1)

Publication Number Publication Date
CN116828467A true CN116828467A (en) 2023-09-29

Family

ID=88125868

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310922418.7A Pending CN116828467A (en) 2023-07-26 2023-07-26 Authentication method, system, electronic equipment and storage medium for terminal network access

Country Status (1)

Country Link
CN (1) CN116828467A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination