CN117528512A - Communication authentication method and related equipment - Google Patents


Info

Publication number
CN117528512A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210907581.1A
Other languages
Chinese (zh)
Inventor
刘玉冰
龙彪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210907581.1A
Publication of CN117528512A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
    • H04W 28/24 Negotiating SLA [Service Level Agreement]; Negotiating QoS [Quality of Service]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/08 Mobility data transfer
    • H04W 8/14 Mobility data transfer between corresponding nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Quality & Reliability (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the disclosure provide a communication authentication method and related equipment, relating to the field of communication technology. The communication authentication method comprises the following steps: if a PDU session third party authentication request sent by the 5G home gateway through the AMF network element is received, an NSWO authentication procedure is initiated through the interface between the SMF network element and the NSWOF network element, where the third party authentication request is used to request authentication of the authenticatable non-3GPP device behind the 5G home gateway; if authentication is successful, the QoS information subscribed to by the authenticatable non-3GPP device is acquired; and a PDU session third party authentication result is returned to the 5G home gateway through the AMF network element, where the third party authentication result includes the QoS information subscribed to by the authenticatable non-3GPP device, so that the 5G home gateway maps the data flow of the authenticatable non-3GPP device into a QoS flow of the PDU session of the 5G home gateway. The communication authentication method solves the problems that an authenticatable non-3GPP device behind a 5G home gateway cannot be authenticated and that differentiated services cannot be provided for it.

Description

Communication authentication method and related equipment
Technical Field
The present disclosure relates to the field of communication technologies, and in particular, to a communication authentication method, an SMF network element, an electronic device, and a computer readable storage medium.
Background
In the application scenario of fixed-mobile convergence, if an authenticatable non-3GPP device sits behind a 5G-RG (5G Residential Gateway, i.e. 5G home gateway), the 5G network can authenticate the 5G-RG but cannot authenticate the authenticatable non-3GPP device behind it, and cannot provide differentiated QoS (Quality of Service) for that device.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The embodiment of the disclosure provides a communication authentication method, an SMF network element, electronic equipment and a computer readable storage medium, which solve the problems that an authenticatable non-3GPP device after a 5G home gateway cannot be authenticated and differentiated services cannot be provided for the authenticatable non-3GPP device.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the present disclosure, there is provided a communication authentication method performed by an SMF network element, comprising: if a PDU session third party authentication request sent by the 5G home gateway through an AMF network element is received, initiating an NSWO authentication procedure through the interface between the SMF network element and an NSWOF network element, where the third party authentication request is used to request authentication of the authenticatable non-3GPP device behind the 5G home gateway; if authentication is successful, acquiring the QoS information subscribed to by the authenticatable non-3GPP device; and returning a PDU session third party authentication result to the 5G home gateway through the AMF network element, where the third party authentication result includes the QoS information subscribed to by the authenticatable non-3GPP device, so that the 5G home gateway maps the data flow of the authenticatable non-3GPP device into a QoS flow of the PDU session of the 5G home gateway.
In some embodiments of the present disclosure, the third party authentication request is used to request a decision on whether to authorize the authenticatable non-3GPP device to connect to the 5G home gateway and share a PDU session of the 5G home gateway, and the third party authentication request carries the identity of the authenticatable non-3GPP device.
In some embodiments of the present disclosure, the SMF network element supports a Swa interface with the NSWOF network element, and initiating an NSWO authentication procedure through the interface with the NSWOF network element includes: sending an NSWO authentication request to the NSWOF network element through the Swa interface, where the NSWO authentication request carries the identity of the authenticatable non-3GPP device, so that the NSWOF network element, the AUSF network element and the UDM network element authenticate the authenticatable non-3GPP device according to its identity and return an authentication result to the SMF network element.
In some embodiments of the present disclosure, acquiring the QoS information subscribed to by the authenticatable non-3GPP device if authentication is successful includes: if the authentication success message is received, acquiring the QoS information subscribed to by the authenticatable non-3GPP device from the UDM network element.
In some embodiments of the present disclosure, the QoS information subscribed to by the authenticatable non-3GPP device includes a flow identification for marking a data flow of the authenticatable non-3GPP device, and QoS flow mapping information related to the data flow of the authenticatable non-3GPP device.
In some embodiments of the present disclosure, after obtaining the QoS information of the authenticatable non-3GPP device subscription, the method further includes: and sending an N4 session modification request to a UPF network element, wherein the N4 session modification request carries the equipment identifier of the authenticatable non-3GPP equipment and the flow identifier of the data flow of the authenticatable non-3GPP equipment so that the UPF network element can identify the data flow related to the authenticatable non-3GPP equipment.
In some embodiments of the present disclosure, after returning a PDU session third party authentication result to the 5G home gateway through the AMF network element, the 5G home gateway sends an authentication success message to the authenticatable non-3GPP device, so that a security context is established between the authenticatable non-3GPP device and the 5G home gateway.
In some embodiments of the present disclosure, the mapping, by the 5G home gateway, the data flow of the authenticatable non-3GPP device into the QoS flow of the PDU session of the 5G home gateway includes: if the mapped QoS flow does not exist, the 5G home gateway initiates a PDU session related flow to establish a new QoS flow, and maps the data flow of the authenticatable non-3GPP equipment into the new QoS flow.
According to yet another aspect of the present disclosure, there is provided an SMF network element, comprising: an authentication request initiating module, configured to initiate an NSWO authentication procedure through the interface between the SMF network element and an NSWOF network element if a PDU session third party authentication request sent by the 5G home gateway through the AMF network element is received, where the third party authentication request is used to request authentication of an authenticatable non-3GPP device behind the 5G home gateway; a subscription information acquisition module, configured to acquire the QoS information subscribed to by the authenticatable non-3GPP device if authentication is successful; and an authentication result returning module, configured to return a PDU session third party authentication result to the 5G home gateway through the AMF network element, where the third party authentication result includes the QoS information subscribed to by the authenticatable non-3GPP device, so that the 5G home gateway maps the data flow of the authenticatable non-3GPP device into a QoS flow of the PDU session of the 5G home gateway.
In some embodiments of the present disclosure, the third party authentication request is used to request a decision on whether to authorize the authenticatable non-3GPP device to connect to the 5G home gateway and share a PDU session of the 5G home gateway, and the third party authentication request carries the identity of the authenticatable non-3GPP device.
In some embodiments of the present disclosure, the SMF network element supports a Swa interface with the NSWOF network element, and the authentication request initiating module is further configured to send an NSWO authentication request to the NSWOF network element through the Swa interface, where the NSWO authentication request carries the identity of the authenticatable non-3GPP device, so that the NSWOF network element, the AUSF network element and the UDM network element authenticate the authenticatable non-3GPP device according to its identity and return an authentication result to the SMF network element.
In some embodiments of the present disclosure, the subscription information acquisition module is further configured to acquire the QoS information subscribed to by the authenticatable non-3GPP device from the UDM network element if the authentication success message is received.
In some embodiments of the present disclosure, the QoS information subscribed to by the authenticatable non-3GPP device includes a flow identification for marking a data flow of the authenticatable non-3GPP device, and QoS flow mapping information related to the data flow of the authenticatable non-3GPP device.
In some embodiments of the disclosure, the SMF network element further includes a session modifying module configured to: and sending an N4 session modification request to a UPF network element, wherein the N4 session modification request carries the equipment identifier of the authenticatable non-3GPP equipment and the flow identifier of the data flow of the authenticatable non-3GPP equipment so that the UPF network element can identify the data flow related to the authenticatable non-3GPP equipment.
According to still another aspect of the present disclosure, there is provided an electronic apparatus including: one or more processors; and a storage configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the communication authentication method as described in the above embodiments.
According to still another aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the communication authentication method as described in the above embodiments.
According to the communication authentication method provided by the embodiment of the disclosure, because the SMF network element supports an interface with the NSWOF network element, once a PDU session third party authentication request sent by the 5G home gateway through the AMF network element is received, an NSWO authentication procedure for the authenticatable non-3GPP device can be initiated through that interface between the SMF network element and the NSWOF network element, the authenticatable non-3GPP device accessing behind the 5G home gateway is authenticated, and the authenticatable non-3GPP device can complete the authentication procedure with the 5GS without registering to the 5GS; and if authentication of the authenticatable non-3GPP device succeeds, the SMF network element can acquire the QoS information subscribed to by the authenticatable non-3GPP device and send a third party authentication result carrying that QoS information to the 5G home gateway through the AMF network element, so that the 5G home gateway maps the data flow of the authenticatable non-3GPP device into a QoS flow of the PDU session of the 5G home gateway according to the received information, thereby realizing differentiated QoS service.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure and do not constitute an undue limitation on the disclosure.
Fig. 1 illustrates a network architecture diagram of a communication system to which embodiments of the present disclosure are applicable;
Fig. 2 shows a flow chart of a communication authentication method of an embodiment of the present disclosure;
Fig. 3 illustrates an interaction diagram of a communication authentication method of an embodiment of the present disclosure;
Fig. 4 shows a schematic structural diagram of an SMF network element according to an embodiment of the present disclosure;
Fig. 5 shows a block diagram of an electronic device in an embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
It should be noted that, the embodiments of the present disclosure refer to ordinal terms such as "first," "second," etc. for distinguishing a plurality of objects, and are not used to define an order, a timing, a priority, or an importance of the plurality of objects, and the descriptions of "first," "second," and the like do not necessarily define that the objects are different.
In the application scenario of fixed-mobile convergence, if an authenticatable non-3GPP device sits behind the 5G-RG, the 5G network can only recognize and authenticate the 5G-RG; it cannot see the authenticatable non-3GPP device behind it and cannot provide differentiated QoS for that device. To better meet the requirements of different terminal devices in an industry scenario, such as a library management scenario, a higher QoS guarantee must be provided for the devices used by the library administrator, and an appropriate QoS guarantee for the devices of ordinary users. To solve the above problems, embodiments of the present disclosure provide a communication authentication method and related devices.
Fig. 1 shows a network architecture diagram of a communication system to which embodiments of the present disclosure are applicable. In Fig. 1, the network architecture includes a 5G-RG, an AUN3 device (Authenticable Non-3GPP device), an AMF (Access and Mobility Management Function) network element, an SMF (Session Management Function) network element, an NSWOF (Non-Seamless WLAN Offload Function) network element, an AUSF (Authentication Server Function) network element, a UDM (Unified Data Management) network element, a UPF (User Plane Function) network element, and a PCF (Policy Control Function) network element.
The AMF network element is mainly responsible for mobility management and access authentication/authorization, and also for delivering user policies. The SMF network element is mainly responsible for session management, Internet Protocol address allocation and management for terminal devices, selection and control of the user plane function endpoint, the interface to the policy control or charging function, downlink data notification, and so on. The AUSF network element is mainly responsible for security authentication of terminal devices. The UDM network element is mainly responsible for managing the subscription information of terminal devices, for example computing the authentication vector, deriving keys and de-concealing the user identifier during the authentication procedure. The UPF network element is used for packet routing and forwarding, QoS handling of user plane data, and so on. The PCF network element provides the unified policy framework that governs network behaviour and supplies policy rule information to the control plane function network elements (such as the AMF and SMF network elements).
An AUN3 device is an authenticatable non-3GPP device that accesses the network behind a 5G-RG, i.e. a terminal device that does not support NAS (Non-Access Stratum) signaling but can be authenticated when it accesses over non-3GPP access (3GPP: 3rd Generation Partnership Project). The SMF network element supports a Swa interface with the NSWOF network element; the Swa interface is used to connect an untrusted non-3GPP access network with the 3GPP AAA (Authentication, Authorization and Accounting) server and to carry the parameters related to access authentication, authorization and accounting. The SMF network element connects to the NSWOF network element through the Swa interface, the NSWOF network element connects to the AUSF network element through the N60 interface, and the AUSF network element connects to the UDM network element through the N13 interface.
In the embodiment of the disclosure, the SMF network element can initiate an NSWO (Non-Seamless WLAN Offload) authentication procedure for the AUN3 device through the supported Swa interface, so that the NSWOF network element, the AUSF network element and the UDM network element authenticate the AUN3 device and determine whether to authorize the AUN3 device to share the session of the 5G-RG; this solves the problem that the non-3GPP device behind the 5G home gateway cannot be authenticated once the gateway itself has been authenticated. If authentication succeeds, the 5G-RG can initiate a PDU session modification procedure (if the mapped QoS flow does not yet exist) and then map the data flow of the AUN3 device into a QoS flow of the PDU (Protocol Data Unit) session, so that differentiated services can be provided for the AUN3 device. It should be noted that if the mapped QoS flow already exists, the 5G-RG does not need to initiate the PDU session modification procedure, and the data flow of the AUN3 device can be mapped directly into the corresponding QoS flow.
Fig. 2 shows a flowchart of a communication authentication method according to an embodiment of the present disclosure. The communication authentication method provided by the embodiment of fig. 2 may be performed by an SMF network element. As shown in fig. 2, the communication authentication method specifically includes the following steps S201 to S203.
Step S201: if a PDU session third party authentication request sent by the 5G-RG through the AMF network element is received, initiate an NSWO authentication procedure through the interface with the NSWOF network element;
Step S202: if authentication is successful, acquire the QoS information subscribed to by the AUN3 device;
Step S203: return a PDU session third party authentication result to the 5G-RG through the AMF network element, where the third party authentication result includes the QoS information subscribed to by the AUN3 device, so that the 5G-RG maps the data flow of the AUN3 device into a QoS flow of the PDU session of the 5G-RG.
The third party authentication request carries the identity of the AUN3 device. The identity of the AUN3 device may be the SUCI (Subscription Concealed Identifier) of the AUN3 device, which can be used to authenticate the AUN3 device.
The third party authentication request is used to request authentication of the AUN3 device behind the 5G-RG and to request a decision on whether to authorize the AUN3 device to connect to the 5G-RG and share the PDU session of the 5G-RG. That is, after receiving the PDU session third party authentication request sent by the 5G-RG through the AMF network element, the SMF network element needs to authenticate the AUN3 device and needs to determine whether to authorize the AUN3 device to connect to the 5G-RG and share the PDU session established by the 5G-RG.
According to the communication authentication method provided by the embodiment of the disclosure, because the SMF network element supports an interface with the NSWOF network element, once a PDU session third party authentication request sent by the 5G-RG through the AMF network element is received, an NSWO authentication procedure for the AUN3 device can be initiated through that interface between the SMF network element and the NSWOF network element, the AUN3 device accessing behind the 5G-RG is authenticated, and the AUN3 device can complete the authentication procedure with the 5GS without registering to the 5GS; and if authentication of the AUN3 device succeeds, the SMF network element can acquire the QoS information subscribed to by the AUN3 device and send a third party authentication result carrying that QoS information to the 5G-RG through the AMF network element, so that the 5G-RG maps the data flow of the AUN3 device into a QoS flow of the PDU session of the 5G-RG according to the received information, thereby realizing differentiated QoS service.
Specific implementation modes of each method step of the communication authentication method are described in detail below.
In step S201, if a PDU session third party authentication request sent by the 5G-RG through the AMF network element is received, an NSWO authentication procedure is initiated through an interface with the NSWOF network element.
The 5G-RG registers with the 5GC using its own identity and establishes a corresponding PDU session; the AUN3 device behind the 5G-RG then requests to connect to the 5G-RG, for example by performing WiFi association with the 5G-RG. After receiving the connection request sent by the AUN3 device, the 5G-RG can send a PDU session third party authentication request to the SMF network element through the AMF network element. After receiving the PDU session third party authentication request, the SMF network element initiates the NSWO authentication procedure through the interface it supports with the NSWOF network element, in order to authenticate the AUN3 device behind the 5G-RG and at the same time request a decision on whether to authorize the AUN3 device to connect to the 5G-RG and share the PDU session established by the 5G-RG.
Wherein, the SMF network element supports the Swa interface with the NSWOF network element. The SMF network element is connected to the NSWOF network element through the Swa interface, and the NSWOF network element may be connected to the AUSF network element, i.e. the NSWOF network element may act as an AAA proxy between the SMF network element and the AUSF network element.
Further, initiating an NSWO authentication procedure through the interface with the NSWOF network element includes: sending an NSWO authentication request to the NSWOF network element through the Swa interface, where the NSWO authentication request carries the identity of the AUN3 device, so that the NSWOF network element, the AUSF network element and the UDM network element authenticate the AUN3 device according to its identity and return an authentication result to the SMF network element.
The SMF network element sends an NSWO authentication request carrying the identity of the AUN3 device to the NSWOF network element through the Swa interface. The identity of the AUN3 device may be the SUCI of the AUN3 device. The NSWO authentication request is used to authenticate the AUN3 device and to decide whether to authorize the AUN3 device to connect to the 5G-RG and share the PDU session established by the 5G-RG.
After receiving the NSWO authentication request sent by the SMF network element, the NSWOF network element forwards the NSWO authentication request to the AUSF network element, so that the AUSF network element and the UDM network element perform the authentication. Specifically, after receiving an NSWO authentication request carrying the SUCI of the AUN3 device, the AUSF network element sends the SUCI of the AUN3 device and the corresponding parameters to the UDM network element; the UDM network element de-conceals the SUCI of the AUN3 device to obtain the SUPI (Subscription Permanent Identifier) and selects the corresponding authentication method, and then sends the de-concealed SUPI to the AUSF network element for the subsequent authentication procedure.
In the embodiment of the disclosure, the SMF network element supports a Swa interface with the NSWOF network element, so that after receiving a PDU session third party authentication request sent by the 5G-RG, the SMF network element can directly initiate an NSWO authentication procedure for the AUN3 device and determine whether to authorize the AUN3 device to share the PDU session of the 5G-RG; in this way the AUN3 device can complete the authentication procedure with the 5GS without registering to the 5GS.
In step S202, if authentication is successful, the QoS information subscribed to by the AUN3 device is acquired.
Further, acquiring the QoS information subscribed to by the AUN3 device if authentication is successful includes: if the authentication success message is received, acquiring the QoS information subscribed to by the AUN3 device from the UDM network element. After the SMF network element receives the authentication success message, the QoS information subscribed to by the AUN3 device may be obtained from the UDM network element through the Nudm_SDM_Get message.
The QoS information subscribed to by the AUN3 device includes a flow identifier for marking the data flow of the AUN3 device and QoS flow mapping information related to that data flow. Specifically, the flow identifier for marking the data flow of the AUN3 device is the traffic identifier that marks the traffic of the AUN3 device, and the QoS flow mapping information indicates which QoS flow that traffic is mapped to. After receiving the QoS flow mapping information, the 5G-RG knows into which QoS flow of the PDU session the data flow of the AUN3 device is to be mapped and performs the corresponding operation.
Further, after obtaining the QoS information of the AUN3 device subscription, the communication authentication method may further include: and sending an N4 session modification request to the UPF network element, wherein the N4 session modification request carries the equipment identifier of the AUN3 device and the flow identifier of the data flow of the AUN3 device so that the UPF network element can identify the data flow related to the AUN3 device.
Specifically, after the SMF network element obtains QoS information signed by the AUN3 device, an N4 session modification procedure may be initiated, where the session modification procedure carries an equipment identifier of the AUN3 device and a flow identifier of a data flow of the AUN3 device, so that the UPF network element may identify a data flow related to the AUN3 device.
In the embodiment of the disclosure, after the SMF network element receives the successful authentication message, qoS information signed by AUN3 device can be obtained from the UDM network element through corresponding signaling, and the information is returned to the 5G-RG through a PDU session third party authentication result, so that the 5G-RG performs data flow mapping according to the received information; after the SMF network element acquires the QoS information signed by the AUN3 device, an N4 session modification flow carrying the related information of the AUN3 device can be initiated, so that the UPF network element can identify the related data flow of the AUN3 device.
In step S203, the AMF network element returns a PDU session third party authentication result to the 5G-RG, where the third party authentication result includes QoS information signed by the AUN3 device, so that the 5G-RG maps the data stream of the AUN3 device into the QoS stream of the PDU session of the 5G-RG.
After the SMF network element receives the authentication success message and acquires the QoS information signed by the AUN3 device, it may return the PDU session third party authentication result to the 5G-RG through the AMF network element. The PDU session third party authentication result returned to the 5G-RG includes the authentication success information and the QoS information signed by the AUN3 device.
After the 5G-RG receives the third party authentication result sent by the SMF network element through the AMF network element, an authentication success message can be sent to the AUN3 device, and then a security context is established between the AUN3 device and the 5G-RG so as to ensure the security of the air interface data flow.
In addition, the 5G-RG maps the data stream of the AUN3 device into the QoS stream of the PDU session of the 5G-RG, comprising: if the mapped QoS flow does not exist, the 5G-RG initiates a PDU session related flow to establish a new QoS flow, and maps the AUN3 device data flow into the new QoS flow.
If the 5G-RG determines that the mapped QoS flow does not exist, the 5G-RG may initiate a PDU session-related procedure, such as a PDU session modification procedure, based on the received information to establish a new QoS flow and map the traffic of the AUN3 device into the newly-built QoS flow. It should be noted that if the mapped QoS flow exists, the 5G-RG does not need to initiate the PDU session modification procedure, and the AUN3 device data flow may be mapped into the corresponding QoS flow.
In the embodiment of the disclosure, an SMF network element sends QoS information signed by AUN3 device to a 5G-RG through a PDU session third party authentication result; if the mapped QoS flow does not exist, the 5G-RG can initiate a PDU session modification flow according to the received information to establish a new QoS flow, and further map the AUN3 device data flow into the new QoS flow; if the mapped QoS flow exists, the 5G-RG does not need to initiate PDU session modification flow, and the AUN3 device data flow can be mapped into the corresponding QoS flow. Thus, differentiated services can be provided for AUN3 devices.
The following describes a communication authentication method provided in the embodiment of the present disclosure by way of specific examples.
Fig. 3 shows an interaction diagram of a communication authentication method of an embodiment of the present disclosure. As shown in fig. 3, the communication authentication method specifically includes:
in step S301, the 5G-RG registers with the 5GC by using its own identity and establishes a corresponding PDU session.
In step S302, the AUN3 device behind the 5G-RG requests to establish a connection with the 5G-RG, e.g., the AUN3 device performs WiFi association with the 5G-RG.
Step S303, the 5G-RG sends a PDU session third party authentication request to the SMF network element through the AMF network element to authenticate the AUN3 device, and at the same time requests a decision on whether to authorize the AUN3 device to connect to the 5G-RG and share the PDU session of the 5G-RG. The third party authentication request carries the SUCI of the AUN3 device.
Step S304, after the SMF network element receives the PDU session third party authentication request, the SMF network element initiates the NSWO authentication flow through the Swa interface it supports. The NSWO authentication flow carries the SUCI of the AUN3 device.
Specifically, after receiving the authentication request of the third party of the PDU session, the SMF network element sends an NSWO authentication request carrying the identity of the AUN3 device to the NSWOF network element through the Swa interface. Then, the NSWOF network element sends the NSWO authentication request to the AUSF network element, so that the AUSF network element and the UDM network element perform authentication. The specific authentication is realized in that after receiving an NSWO authentication request carrying the SUCI of the AUN3 device, the AUSF network element sends the SUCI of the AUN3 device and corresponding parameters to the UDM network element, the UDM network element decrypts the SUCI of the AUN3 device to generate SUPI and selects a corresponding authentication mode, and then the UDM network element sends the decrypted SUPI to the AUSF network element to carry out a subsequent authentication flow.
In step S305, after the SMF network element receives the authentication success message, the QoS information signed by the AUN3 device is obtained from the UDM network element through the Nudm_SDM_Get message.
The QoS information signed by the AUN3 device includes a flow identifier for marking a data flow of the AUN3 device, and QoS flow mapping information related to the data flow of the AUN3 device. Specifically, the flow identifier for marking the data flow of the AUN3 device refers to the traffic identifier for marking the traffic of the AUN3 device, and the QoS flow mapping information related to the data flow of the AUN3 device refers to information of which QoS flow the traffic is mapped to.
Step S306, the SMF network element returns PDU session third party authentication result to the 5G-RG through the AMF network element.
The third party authentication result includes QoS information signed by the AUN3 device, that is, the third party authentication result includes a flow identifier for marking a data flow of the AUN3 device and QoS flow mapping information related to the data flow of the AUN3 device.
Step S307, the 5G-RG sends authentication success information to the AUN3 device, and then a security context is established between the AUN3 device and the 5G-RG to ensure the security of the air interface data stream.
In step S308, the SMF network element initiates an N4 session modification procedure. The N4 session modification procedure carries the device identifier of the AUN3 device and the data flow identifier, so that the UPF network element can identify the data flow related to the AUN3 device.
In step S309, if the mapped QoS flow does not exist, the 5G-RG initiates PDU session modification procedure according to the received information to establish a new QoS flow, and maps the AUN3 device data flow into the newly established QoS flow.
It should be noted that, if the mapped QoS flow exists, the 5G-RG does not need to initiate the PDU session modification procedure, and may directly map the data flow of the AUN3 device into the corresponding QoS flow.
In addition, step S306 is used to control the transmission of the uplink data stream, step S308 is used to control the transmission of the downlink data stream, the execution sequence of step S306 and step S308 may be adjusted, and step S306 and step S308 may be executed after step S305 and before step S309. The execution order of step S307 may be adjusted, and may be performed after step S306 and before step S309.
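As an added example (not code from the patent), the exchange of steps S301 to S309 and the flow-mapping rule described earlier (map to an existing QoS flow, otherwise establish a new one through PDU session modification) modelled in Python. Everything in it is a constructed assumption: the network functions are in-memory objects, the SUCI-to-SUPI table stands in for ECIES de-concealment, an HMAC challenge-response stands in for the real AUSF/UDM authentication flow, the SUPI is used as the device identifier carried over N4, and the AMF and NSWOF relays are collapsed into direct calls.

```python
# Constructed model of the AUN3 authentication and QoS-mapping exchange (S301-S309).
# Network functions are in-memory objects; de-concealment and the challenge-response
# are toy stand-ins for ECIES and 5G-AKA, not the real procedures.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class QosInfo:
    flow_id: str   # traffic identifier marking the device's data flow
    qfi: int       # QoS flow of the 5G-RG's PDU session that the traffic maps to


class UDM:
    def __init__(self):
        # Constructed subscriber records: SUPI -> (long-term key, subscribed QoS).
        self.subscribers = {
            "imsi-460110000000001": (b"k-cam", QosInfo("tid-cam", 5)),
            "imsi-460110000000002": (b"k-tv", QosInfo("tid-tv", 9)),
        }
        # Toy SUCI -> SUPI table standing in for ECIES de-concealment.
        self.suci_table = {"suci-cam": "imsi-460110000000001", "suci-tv": "imsi-460110000000002"}

    def sdm_get(self, supi):  # stands in for the Nudm_SDM_Get request (S305)
        return self.subscribers[supi][1]


class AUSF:
    """Toy challenge-response, reached by the SMF via the NSWOF over Swa (S304)."""
    def __init__(self, udm):
        self.udm = udm

    def authenticate(self, suci, responder):
        supi = self.udm.suci_table.get(suci)     # UDM de-conceals SUCI to SUPI
        if supi is None:
            return None                          # unknown subscriber
        challenge = b"rand-constructed"          # fixed so the example is deterministic
        expected = hmac.new(self.udm.subscribers[supi][0], challenge, hashlib.sha256).digest()
        return supi if hmac.compare_digest(expected, responder(challenge)) else None


class AUN3Device:
    def __init__(self, suci, key):
        self.suci, self.key, self.security_context = suci, key, None

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class UPF:
    def __init__(self):
        self.flow_rules = set()   # (device id, flow id) pairs installed over N4

    def n4_session_modification(self, device_id, flow_id):
        self.flow_rules.add((device_id, flow_id))


class SMF:
    def __init__(self, ausf, udm, upf):
        self.ausf, self.udm, self.upf = ausf, udm, upf
        self.session_qfis = {}    # PDU session id -> QFIs established so far

    def third_party_auth(self, suci, responder):
        supi = self.ausf.authenticate(suci, responder)          # S304
        if supi is None:
            return {"success": False}
        qos = self.udm.sdm_get(supi)                            # S305
        self.upf.n4_session_modification(supi, qos.flow_id)     # S308, SUPI as device id (assumption)
        return {"success": True, "qos": qos}                    # S306, relayed to the 5G-RG via the AMF

    def pdu_session_modification(self, session_id, qfi):        # S309: establish a new QoS flow
        self.session_qfis[session_id].add(qfi)


class RG5G:
    def __init__(self, smf, session_id, qfis):
        self.smf, self.session_id, self.mappings = smf, session_id, {}
        smf.session_qfis[session_id] = set(qfis)   # S301: registered, PDU session established

    def attach(self, device):
        # S302/S303: the device associates and the 5G-RG asks the SMF to authenticate it
        result = self.smf.third_party_auth(device.suci, device.respond)
        if not result["success"]:
            return None                # not authorized to share the PDU session
        device.security_context = "established"                 # S307
        qos = result["qos"]
        if qos.qfi not in self.smf.session_qfis[self.session_id]:   # S309
            self.smf.pdu_session_modification(self.session_id, qos.qfi)
        self.mappings[qos.flow_id] = qos.qfi
        return qos.qfi


def run_example():
    udm = UDM()
    smf = SMF(AUSF(udm), udm, UPF())
    rg = RG5G(smf, session_id=1, qfis={1, 5})
    return {
        "cam_qfi": rg.attach(AUN3Device("suci-cam", b"k-cam")),      # QFI 5 already exists
        "tv_qfi": rg.attach(AUN3Device("suci-tv", b"k-tv")),         # QFI 9 is created first
        "bad_key_qfi": rg.attach(AUN3Device("suci-tv", b"other")),   # authentication fails
        "session_qfis": smf.session_qfis[1],
        "upf_rules": sorted(smf.upf.flow_rules),
        "mappings": rg.mappings,
    }
```

The three attachments in `run_example()` cover the cases the text distinguishes: the first device maps straight onto an existing QoS flow, the second triggers a PDU session modification because QFI 9 is not yet established, and a device that presents a valid SUCI but cannot answer the challenge with the subscribed key is never mapped and never reaches the UPF, which is the point of authenticating through the SMF before sharing the gateway's PDU session.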
According to the communication authentication method provided by the embodiment of the disclosure, after receiving the PDU session third party authentication request sent by the 5G-RG through the AMF network element, the SMF network element, which supports the Swa interface, can initiate the NSWO authentication flow of the AUN3 device; that is, the AUN3 device accessed behind the 5G-RG is authenticated through the Swa interface supported by the SMF network element, so that the AUN3 device can complete the authentication flow towards the 5GS without registering with the 5GS. If the authentication of the AUN3 device is successful, the SMF network element can acquire the QoS information signed by the AUN3 device, and the SMF network element can also send a third party authentication result carrying the QoS information signed by the AUN3 device to the 5G-RG through the AMF network element, so that the 5G-RG maps the AUN3 device data stream into the PDU session QoS stream of the 5G-RG according to the received information, thereby realizing differentiated QoS service.
Fig. 4 shows a schematic structural diagram of an SMF network element according to an embodiment of the present disclosure. As shown in fig. 4, the SMF network element 400 may include: an authentication request initiating module 401, a subscription information acquiring module 402 and an authentication result returning module 403.
The authentication request initiation module 401 is configured to: if a PDU session third party authentication request sent by the 5G-RG through the AMF network element is received, initiate an NSWO authentication flow through the interface between the SMF network element and the NSWOF network element. The third party authentication request is used for requesting authentication of the AUN3 device behind the 5G-RG. The subscription information acquisition module 402 is configured to: if the authentication is successful, obtain the QoS information signed by the AUN3 device. The authentication result return module 403 is configured to: return a PDU session third party authentication result to the 5G-RG through the AMF network element. The third party authentication result includes the QoS information signed by the AUN3 device, so that the 5G-RG maps the data flow of the AUN3 device into the QoS flow of the PDU session of the 5G-RG.
In some embodiments of the present disclosure, the third party authentication request is further for requesting a determination of whether to authorize the AUN3 device to connect to the 5G-RG and share the PDU session of the 5G-RG; and the identity of the AUN3 device is carried in the third party authentication request.
In some embodiments of the present disclosure, the SMF network element supports a Swa interface with the NSWOF network element. Wherein the authentication request initiation module 401 is further configured to: and sending an NSWO authentication request to the NSWOF network element through the Swa interface, wherein the NSWO authentication request carries the identity of the AUN3 device, so that the NSWOF network element, the AUSF network element and the UDM network element authenticate the AUN3 device according to the identity of the AUN3 device, and returning an authentication result to the SMF network element.
In some embodiments of the present disclosure, the subscription information acquisition module 402 is further configured to: and if the authentication success message is received, acquiring QoS information signed by the AUN3 device from the UDM network element.
In some embodiments of the present disclosure, the QoS information subscribed to the AUN3 device includes a flow identification for marking the data flow of the AUN3 device, and QoS flow mapping information associated with the data flow of the AUN3 device.
In some embodiments of the present disclosure, the SMF network element 400 shown in fig. 4 further includes a session modifying module 404 configured to: and sending an N4 session modification request to the UPF network element. The N4 session modification request carries the device identifier of the AUN3 device and the flow identifier of the data flow of the AUN3 device, so that the UPF network element identifies the data flow related to the AUN3 device.
Fig. 5 shows a block diagram of an electronic device in an embodiment of the disclosure. An electronic device 500 according to such an embodiment of the invention is described below with reference to fig. 5. The electronic device 500 shown in fig. 5 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 5, the electronic device 500 is embodied in the form of a general purpose computing device. The components of electronic device 500 may include, but are not limited to: the at least one processing unit 510, the at least one memory unit 520, a bus 530 connecting the different system components (including the memory unit 520 and the processing unit 510), and a display unit 540.
The storage unit stores program code that is executable by the processing unit 510 such that the processing unit 510 performs steps according to various exemplary embodiments of the present invention described in the above "exemplary method" section of the present specification. Specifically, when the electronic device 510 provided in the embodiment of the present disclosure is an SMF network element, the following steps in the foregoing embodiment may be performed: step S201, if a PDU session third party authentication request sent by the 5G-RG through the AMF network element is received, initiating an NSWO authentication flow through the interface with the NSWOF network element; step S202, if authentication is successful, obtaining the QoS information signed by the AUN3 device; step S203, returning the PDU session third party authentication result to the 5G-RG through the AMF network element, wherein the third party authentication result comprises the QoS information signed by the AUN3 device, so that the 5G-RG maps the data flow of the AUN3 device into the QoS flow of the PDU session of the 5G-RG.
The storage unit 520 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 5201 and/or cache memory unit 5202, and may further include Read Only Memory (ROM) 5203.
The storage unit 520 may also include a program/utility 5204 having a set (at least one) of program modules 5205, such program modules 5205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 530 may be one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 500 may also communicate with one or more external devices 570 (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 500, and/or with any device (e.g., router, modem, etc.) that enables the electronic device 500 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 550. Also, electronic device 500 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 560. As shown, network adapter 560 communicates with other modules of electronic device 500 over bus 530. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 500, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
A program product for implementing the above-described method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a terminal device such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's computing device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (11)

1. A method of communication authentication, the method being performed by a session management function, SMF, network element, comprising:
if a protocol data unit PDU session third party authentication request sent by a 5G home gateway through an access and mobility management function AMF network element is received, initiating a non-seamless WLAN offload NSWO authentication flow through an interface between the SMF network element and a non-seamless WLAN offload function NSWOF network element, wherein the third party authentication request is used for requesting authentication of an authenticatable non-3GPP device after the 5G home gateway;
if the authentication is successful, acquiring the QoS information signed by the authenticatable non-3GPP equipment;
and returning a PDU session third party authentication result to the 5G home gateway through the AMF network element, wherein the third party authentication result comprises QoS information signed by the authenticatable non-3GPP equipment, so that the 5G home gateway maps the data stream of the authenticatable non-3GPP equipment into the QoS stream of the PDU session of the 5G home gateway.
2. The method of claim 1, wherein the third party authentication request is for requesting a determination of whether to authorize the authenticatable non-3GPP device to connect to the 5G home gateway and share a PDU session of the 5G home gateway; and carrying the identity of the authenticatable non-3GPP equipment in the third party authentication request.
3. The method of claim 2, wherein the SMF network element supports a Swa interface with the NSWOF network element;
wherein initiating an NSWO authentication procedure through the interface between the SMF network element and the NSWOF network element includes:
and sending an NSWO authentication request to the NSWOF network element through the Swa interface, wherein the NSWO authentication request carries the identity of the authenticatable non-3GPP equipment, so that the NSWOF network element, the authentication service function AUSF network element and the unified data management function UDM network element authenticate the authenticatable non-3GPP equipment according to the identity of the authenticatable non-3GPP equipment, and returning an authentication result to the SMF network element.
4. The method of claim 3, wherein the obtaining QoS information for the authenticatable non-3GPP device subscription if authentication is successful comprises:
and if the authentication success message is received, acquiring QoS information signed by the authenticatable non-3GPP equipment from the UDM network element.
5. The method of claim 1, wherein the QoS information subscribed to by the authenticatable non-3GPP device includes a flow identification for marking data flows of the authenticatable non-3GPP device, and QoS flow mapping information associated with the data flows of the authenticatable non-3GPP device.
6. The method of claim 5, wherein after obtaining QoS information for the authenticatable non-3GPP device subscription, the method further comprises:
and sending an N4 session modification request to a user plane function UPF network element, wherein the N4 session modification request carries the equipment identifier of the authenticatable non-3GPP equipment and the flow identifier of the data flow of the authenticatable non-3GPP equipment so that the UPF network element can identify the data flow related to the authenticatable non-3GPP equipment.
7. The method of claim 1, wherein after returning a PDU session third party authentication result to the 5G home gateway through the AMF network element, the 5G home gateway sends an authentication success message to the authenticatable non-3GPP device to cause a security context to be established between the authenticatable non-3GPP device and the 5G home gateway.
8. The method of claim 5, wherein the mapping of the data flow of the authenticatable non-3GPP device by the 5G home gateway into the QoS flow of the PDU session of the 5G home gateway comprises:
if the mapped QoS flow does not exist, the 5G home gateway initiates a PDU session related flow to establish a new QoS flow, and maps the data flow of the authenticatable non-3GPP equipment into the new QoS flow.
9. An SMF network element, comprising:
an authentication request initiating module, configured to initiate an NSWO authentication procedure through an interface between the authentication request initiating module and an NSWOF network element if a PDU session third party authentication request sent by the 5G home gateway through the AMF network element is received, where the third party authentication request is used to request authentication of an authenticatable non-3GPP device after the 5G home gateway;
the subscription information acquisition module is used for acquiring QoS information signed by the authenticatable non-3GPP equipment if authentication is successful;
and the authentication result returning module is used for returning a PDU session third party authentication result to the 5G home gateway through the AMF network element, wherein the third party authentication result comprises QoS information signed by the authenticatable non-3GPP equipment so that the 5G home gateway maps the data stream of the authenticatable non-3GPP equipment into the QoS stream of the PDU session of the 5G home gateway.
10. An electronic device, comprising:
one or more processors;
storage means configured to store one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1 to 8.
11. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the method according to any one of claims 1 to 8.
CN202210907581.1A 2022-07-29 2022-07-29 Communication authentication method and related equipment Pending CN117528512A (en)


Publications (1)

Publication Number Publication Date
CN117528512A true CN117528512A (en) 2024-02-06

Family

ID=89740606



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination