CN1674497A - Authentication method for WLAN terminal access to a mobile network - Google Patents

Publication number
CN1674497A
Authority
CN
China
Prior art keywords
access
wlan terminal
service unit
authentication
certificate
Legal status
Pending
Application number
CNA2004100309100A
Other languages
Chinese (zh)
Inventor
李志明
姚忠辉
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H04W12/06 Authentication (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W12/72 Subscriber identity (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/60 Context-dependent security > H04W12/69 Identity-dependent)
    • H04W84/12 WLAN [Wireless Local Area Networks] (H04W84/00 Network topologies > H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] > H04W84/10 Small scale networks; Flat hierarchical networks)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses an authentication method for a WLAN terminal accessing a mobile network. The method comprises the following steps: the WLAN terminal sends, through the AP, an access request containing the WLAN terminal's public key certificate to an authentication and authorization service unit; the authentication and authorization service unit uses the WLAN terminal's public key certificate to obtain the terminal's mobile subscriber identity in the mobile network, and uses that identity to obtain the current WLAN terminal's WLAN access profile from the mobile network's home authentication service unit; from this profile the authentication and authorization service unit judges whether the current WLAN terminal passes access authentication.

Description

Authentication method for WLAN terminal access to a mobile network
Technical field
The present invention relates to wireless device access technology, and in particular to an authentication method for a wireless local area network (WLAN) terminal accessing a mobile network.
Background technology
A WLAN is mainly used to carry Internet Protocol (IP) packet data. Wireless access for user terminals is generally provided by an access point (AP); the IP packets are then forwarded through a network controller and connecting equipment.
WLAN covers several different technologies. A widely used standard at present is IEEE 802.11b of the Institute of Electrical and Electronics Engineers (IEEE), which operates in the 2.4 GHz band with a maximum data rate of 11 Mbps. IEEE 802.11g and Bluetooth also use this band, and 802.11g reaches a maximum data rate of 54 Mbps. Newer technologies such as IEEE 802.11a and the ETSI BRAN HiperLAN2 of the European Telecommunications Standards Institute (ETSI) use the 5 GHz band, also with a maximum rate of 54 Mbps.
With the rise and development of WLAN technology, interworking between WLAN and the various wireless mobile communication networks, such as GSM, Code Division Multiple Access (CDMA), Wideband CDMA (WCDMA), Time Division Synchronous CDMA (TD-SCDMA) and CDMA2000, has become a focus of current research. For WLAN terminal access to 3GPP/3GPP2 networks, the standards bodies of the Third Generation Partnership Project (3GPP) and the Third Generation Partnership Project 2 (3GPP2) are carrying out related work.
3GPP has decided to realize WLAN-3GPP access interworking with the Extensible Authentication Protocol - Subscriber Identity Module (EAP-SIM) or Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA) mechanisms. For WLAN-3GPP2 access interworking, the choice between EAP-AKA, Extensible Authentication Protocol - Cellular Authentication and Voice Encryption (EAP-CAVE) and similar mechanisms has not yet been made.
All of the above methods realize WLAN-3GPP/3GPP2 interworking on the basis of the existing 3GPP/3GPP2 access authentication mechanisms. In China, a WLAN security access standard has now been formulated, namely the access authentication mechanism based on the WLAN Authentication and Privacy Infrastructure (WAPI).
WAPI consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). WAI performs the authentication function and WPI provides encryption over the air interface. WAPI uses public key cryptography for client identity authentication: the authentication service unit (ASU) issues a public key certificate to each user. The format of the public key certificate used in the public key authentication process is shown in Table 1:
    Version number of the public key certificate
    Serial number of the certificate
    Signature algorithm used by the certificate issuer
    Certificate issuer name
    Certificate issuer's public key information
    Validity period of the certificate
    Certificate holder name
    Certificate holder's public key information
    Certificate type
    Reserved field
    Certificate issuer's signature over the certificate
Table 1: format of the public key certificate
In Table 1, the serial number is a unique number that the ASU assigns to each public key certificate it issues. The signature algorithm field specifies the algorithm used by the issuer, comprising the algorithm name, the signature length and the public key length used by the signer. The issuer name identifies the issuer and the certificate holder name identifies the holder. The certificate type indicates the holder's device type, namely STA, AP or ASU. The issuer's signature is produced by the issuer signing all the preceding fields of the certificate.
The prior-art WLAN access authentication procedure of a WLAN terminal using the WAI mechanism is shown in Fig. 1 and comprises:
Step 101: the AP sends an authentication activation message to the WLAN terminal, here a wireless station (STA).
Step 102: after receiving the authentication activation message, the STA sends its public key certificate to the AP in an access authentication request message.
Step 103: after receiving the access authentication request message from the STA, the AP extracts the terminal's certificate, encapsulates it together with the AP's own public key certificate and the AP's signature in a certificate authentication request message, and sends this to the ASU.
Step 104: after receiving the certificate authentication request message, the ASU verifies the AP's signature and the validity of the AP's certificate. If either is incorrect, the authentication process fails; if both are correct, the ASU further verifies the STA's public key certificate.
Step 105: the ASU forms a certificate authentication response message from the authentication result and the ASU's signature and sends it to the AP.
Step 106: the AP verifies the signature on the certificate authentication response returned by the ASU, obtains the authentication result for the requesting STA and applies access control accordingly: if the STA was authenticated successfully the AP allows it to access, otherwise the AP refuses. The AP forwards the certificate authentication response to the requesting STA; the STA verifies the ASU's signature, reads the authentication result and decides from it whether to access through this AP: on success the STA may access this AP and step 107 follows, otherwise the STA does not access through this AP.
Step 107: if authentication succeeded, the STA and the AP perform key negotiation to obtain the key used for air-interface encryption.
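As an added illustration that is not part of the patent text, the following Python simulation carries the Table 1 certificate format and the Fig. 1 exchange (steps 101 to 106) end to end, with the ASU, the AP and the STA each checking exactly what the steps above assign to them. The issuer name, holder names and timestamps are constructed, and textbook RSA over fixed Mersenne primes stands in for the signature algorithm named in the certificate so that the example runs with the standard library alone; it is a demonstration device, not a usable signature scheme. The demo adds two failure cases the text implies but does not spell out: an expired STA certificate, and a certificate issued by a different ASU that reuses the legitimate issuer's name.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
E = 65537                                                # RSA public exponent

def make_keypair(a, b):
    """Toy RSA keypair from the Mersenne primes 2^a-1 and 2^b-1; a, b are drawn from the known
    Mersenne exponents 89, 107, 127, 521, 607, 1279, 2203, 2281, so no prime search is needed."""
    p, q = (1 << a) - 1, (1 << b) - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data): return pow(_digest(data), priv[1], priv[0])             # priv = (n, d)
def verify(pub, data, sig): return pow(sig, pub[1], pub[0]) == _digest(data)  # pub = (n, e)

@dataclass
class WapiCertificate:
    """The eleven fields of Table 1, in order."""
    version: int
    serial: int
    sig_alg: str
    issuer: str
    issuer_pub: tuple
    not_before: int
    not_after: int
    holder: str
    holder_pub: tuple
    cert_type: str                                       # "STA", "AP" or "ASU"
    reserved: str = ""
    signature: int = 0

    def tbs(self):                                       # bytes the issuer signs: all fields but the signature
        return json.dumps({k: v for k, v in asdict(self).items() if k != "signature"}, sort_keys=True).encode()

def _request_body(ap_cert, sta_cert):                    # bytes the AP signs (step 103)
    return json.dumps([asdict(ap_cert), asdict(sta_cert)], sort_keys=True).encode()

def _response_body(resp):                                # bytes the ASU signs (step 105)
    return json.dumps({k: v for k, v in resp.items() if k != "asu_sig"}, sort_keys=True).encode()

class ASU:
    def __init__(self, name, exponents=(127, 521)):
        self.name, self.next_serial, self.revoked, (self.pub, self._priv) = name, 1, set(), make_keypair(*exponents)

    def issue(self, holder, holder_pub, cert_type, now, lifetime=365 * 86400):
        cert = WapiCertificate(1, self.next_serial, "toy-rsa-sha256", self.name, self.pub,
                               now, now + lifetime, holder, holder_pub, cert_type)
        cert.signature = sign(self._priv, cert.tbs())
        self.next_serial += 1
        return cert

    def cert_valid(self, cert, expected_type, now):
        """Issued by this ASU, of the expected type, in date, not revoked, issuer signature intact."""
        return (cert.issuer == self.name and cert.issuer_pub == self.pub
                and cert.cert_type == expected_type
                and cert.not_before <= now <= cert.not_after
                and cert.serial not in self.revoked
                and verify(self.pub, cert.tbs(), cert.signature))

    def certificate_auth(self, req, now):
        """Steps 104-105. The AP certificate is validated before its public key is used to check
        the AP signature; otherwise any key the sender chose would be accepted."""
        ap_cert, sta_cert = req["ap_cert"], req["sta_cert"]
        ok = (self.cert_valid(ap_cert, "AP", now)
              and verify(ap_cert.holder_pub, _request_body(ap_cert, sta_cert), req["ap_sig"])
              and self.cert_valid(sta_cert, "STA", now))
        resp = {"result": ok, "sta_serial": sta_cert.serial, "ap_serial": ap_cert.serial, "time": now}
        resp["asu_sig"] = sign(self._priv, _response_body(resp))
        return resp

def ap_access_authentication(ap_cert, ap_priv, asu, sta_cert, now):
    """Steps 103 and 106, AP side; returns (AP admits the STA, response forwarded to the STA). The ASU
    key comes from the AP's own certificate; a response with a bad ASU signature is discarded, not failed."""
    req = {"ap_cert": ap_cert, "sta_cert": sta_cert,
           "ap_sig": sign(ap_priv, _request_body(ap_cert, sta_cert))}
    resp = asu.certificate_auth(req, now)
    if not verify(ap_cert.issuer_pub, _response_body(resp), resp["asu_sig"]):
        return False, None
    return resp["result"], resp

def sta_accepts(sta_cert, resp):
    """Step 106, STA side: ASU signature first, then the result, and that it is about this STA."""
    return (resp is not None and verify(sta_cert.issuer_pub, _response_body(resp), resp["asu_sig"])
            and resp["result"] and resp["sta_serial"] == sta_cert.serial)

def run_wai(sta_cert, ap_cert, ap_priv, asu, now):
    """Steps 101-106 end to end; returns (STA accepted the result, AP admitted the STA)."""
    admitted, resp = ap_access_authentication(ap_cert, ap_priv, asu, sta_cert, now)
    return sta_accepts(sta_cert, resp), admitted

def demo(now=1_700_000_000):
    """Constructed scenario: a good STA, an expired one, and one certified by an impostor ASU."""
    asu = ASU("asu.example")                             # hypothetical issuer name
    ap_pub, ap_priv = make_keypair(107, 607)
    ap_cert = asu.issue("ap-01", ap_pub, "AP", now)
    sta_pub, _ = make_keypair(89, 1279)
    good = asu.issue("460001234567890", sta_pub, "STA", now)
    expired = asu.issue("460009876543210", sta_pub, "STA", now - 2 * 365 * 86400)
    rogue = ASU("asu.example", (2203, 2281)).issue("460001234567890", sta_pub, "STA", now)
    return {name: run_wai(cert, ap_cert, ap_priv, asu, now)
            for name, cert in [("good", good), ("expired", expired), ("rogue", rogue)]}
```

Two points in the procedure are easy to get wrong and the simulation keeps them in the order the steps require: the ASU establishes that the AP's certificate is valid before it uses the public key inside that certificate to check the AP's signature, and both the AP and the STA verify the ASU's signature on the response before reading the result, discarding a message with a bad signature rather than treating it as a failure. Note also that in the exchange as the page describes it the STA signs nothing and its certificate is public data, so proof that the STA holds the matching private key has to come from the key negotiation of step 107, which the simulation does not model.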
When the WLAN terminal is a subscriber of a 3GPP/3GPP2 network and wishes to access 3GPP/3GPP2 network services through the WLAN, for example to receive short messages (SMS) or multimedia messages (MMS) over the WLAN, and the WLAN must use WAI authentication, there is at present no solution for access authentication of the WLAN terminal to the mobile network based on the WAPI mechanism.
Summary of the invention
In view of this, the main objective of the present invention is to provide an authentication method for WLAN terminal access to a mobile network, so that a WLAN terminal can perform access authentication to the mobile network under the WAPI mechanism.
The authentication method for WLAN terminal access to a mobile network provided by the invention comprises:
a) the WLAN terminal sends, through the AP, an access request containing the WLAN terminal's public key certificate to an authentication and authorization service unit;
b) the authentication and authorization service unit obtains, from the WLAN terminal public key certificate in the received access request, the current WLAN terminal's mobile subscriber identity in the mobile network;
c) the authentication and authorization service unit uses the obtained mobile subscriber identity to obtain the current WLAN terminal's WLAN access profile from the mobile network's home authentication service unit;
d) the authentication and authorization service unit judges from the obtained WLAN access profile whether the current WLAN terminal passes access authentication; if so, it sends access authentication success information to the current WLAN terminal through the AP, otherwise it sends access authentication failure information to the current WLAN terminal through the AP.
In this method the public key certificate of the WLAN terminal corresponds one-to-one with the WLAN terminal's mobile subscriber identity in the mobile network.
In this method the certificate holder name in the WLAN terminal's public key certificate may be the WLAN terminal's mobile subscriber identity in the mobile network.
Alternatively, this method pre-configures a correspondence between certificate holder names and mobile subscriber identities; step b) then comprises: the authentication and authorization service unit extracts the certificate holder name from the current WLAN terminal's public key certificate and obtains the WLAN terminal's mobile subscriber identity in the mobile network from the correspondence between certificate holder names and mobile subscriber identities.
Before step a) this method may further comprise: the AP sends an authentication activation message to the WLAN terminal.
Step a) of this method specifically comprises: a1) the WLAN terminal sends an access authentication request message containing its own public key certificate to the AP;
a2) the AP sends the current WLAN terminal's public key certificate from the received access authentication request message, together with the AP's own public key certificate and the AP's signature, in a certificate authentication request message to the mobile network's authentication and authorization service unit;
Between steps a) and b) the method further comprises: b1) the authentication and authorization service unit judges whether the AP signature and the AP public key certificate in the received certificate authentication request message are valid; if so, step b2) follows, otherwise access authentication failure information is sent to the current WLAN terminal through the AP;
b2) the authentication and authorization service unit judges whether the WLAN terminal public key certificate in the access request is valid; if so, step b) follows, otherwise access authentication failure information is sent to the current WLAN terminal through the AP;
In step d), sending access authentication success information to the current WLAN terminal through the AP specifically comprises: the authentication and authorization service unit sends to the AP a certificate authentication response message containing the authentication success information and the unit's own signature;
the AP verifies whether the authentication and authorization service unit's signature in the received certificate authentication response message is correct; if it is wrong the AP discards the message; if it is correct the AP sends the information from the certificate authentication response message to the current WLAN terminal in an access authentication response message;
the current WLAN terminal verifies whether the ASU signature in the received access authentication response message is correct; if it is wrong the terminal discards the message; if it is correct and the message indicates authentication success, the terminal prepares to access the mobile network through this AP;
In steps b1), b2) and d), sending access authentication failure information to the current WLAN terminal through the AP specifically comprises: the authentication and authorization service unit sends to the AP a certificate authentication response message containing the authentication failure information and the unit's own signature;
the AP verifies whether the authentication and authorization service unit's signature in the received certificate authentication response message is correct; if it is wrong the AP discards the message; if it is correct the AP sends the information from the certificate authentication response message to the current WLAN terminal in an access authentication response message;
the current WLAN terminal verifies whether the ASU signature in the received access authentication response message is correct; if it is wrong the terminal discards the message; if it is correct and the message indicates authentication failure, the terminal abandons access to the mobile network through this AP.
Step c) of this method specifically comprises: c1) the authentication and authorization service unit sends a subscriber profile request message containing the current WLAN terminal's mobile subscriber identity to the mobile network's home authentication service unit;
c2) the home authentication service unit looks up the WLAN access profile corresponding to the mobile subscriber identity in the subscriber profile request message; if it is found, the home authentication service unit returns the WLAN access profile information to the authentication and authorization service unit in a subscriber profile request response message, otherwise it returns a subscriber profile request response message whose access profile contains failure information;
In step d), the authentication and authorization service unit judging from the obtained WLAN access profile whether the current WLAN terminal passes access authentication specifically comprises: the unit analyses the returned subscriber profile request response message; if the access profile information in the response allows this WLAN client to access the mobile network, mobile network access authentication passes; if the response contains lookup failure information, or the access profile information in the response refuses this WLAN client access to the mobile network, mobile network access authentication fails.
If in step c2) the home authentication service unit finds the WLAN access profile, the WLAN access profile information comprises at least authorization information and charging information.
If in step d) the current WLAN terminal passes access authentication, the method further comprises the authentication and authorization service unit registering the current WLAN terminal with the home authentication service unit.
The authentication and authorization service unit of this method comprises the ASU and the mobile network's AAA server.
When the ASU and the mobile network's AAA server in the authentication and authorization service unit are deployed independently of each other:
step a) is that the WLAN terminal sends the access request through the AP to the ASU;
step b) is that the ASU obtains the mobile subscriber identity from the public key certificate;
between steps b) and c) the method further comprises: the ASU sends an access request message containing the mobile subscriber identity to the AAA server;
step c) is that the AAA server obtains the current WLAN terminal's WLAN access profile from the home authentication service unit according to the mobile subscriber identity in the received access request message;
step d) is that the AAA server judges from the obtained WLAN access profile whether the current WLAN terminal passes access authentication; if so, the AAA server sends access authentication success information to the ASU in an access request response message and the ASU sends it to the current WLAN terminal through the AP; otherwise, the AAA server sends access authentication failure information to the ASU in an access request response message and the ASU sends it to the current WLAN terminal through the AP.
The home authentication service unit of this method is an HLR, an HSS or an H-AAA.
The mobile subscriber identity of this method is an IMSI, an MSISDN, a MIN or an MDN.
It can be seen from the above scheme that the authentication method for WLAN terminal access to a mobile network provided by the invention uses the WAPI mechanism for the WLAN terminal's access authentication to the mobile network: the authentication and authorization service unit obtains the WLAN terminal's mobile subscriber identity and uses it to obtain the WLAN access profile from the mobile network's home authentication service unit, thereby realizing access authentication of the WLAN terminal to the mobile network. Because it makes full use of existing technical standards, the scheme is simpler and more general. With the invention a mobile network operator can use the WAPI authentication and encryption mechanism of the WLAN to perform access control of WLAN users, so that WLAN users can conveniently access mobile network services through the WLAN.
Description of drawings
Fig. 1 is a schematic diagram of the prior-art access authentication procedure of a WLAN terminal to a WLAN using the WAI mechanism;
Fig. 2 is a schematic diagram of the authentication procedure for WLAN terminal access to a mobile network in a preferred embodiment of the invention;
Fig. 3 is a schematic diagram of the authentication procedure for WLAN terminal access to a mobile network in another preferred embodiment of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and specific embodiments.
The premise of the invention is that the WLAN access authentication of the WLAN terminal uses the WAI mechanism. In this case the ASU issues a public key digital certificate to each WLAN client and the WLAN terminal identifies itself with its public key certificate. After passing WAI authentication the WLAN terminal can access the Internet or other private networks, and when accessing the WLAN the terminal encrypts the air interface with the WPI mechanism to protect the security of WLAN communications.
In mobile networks such as 3GPP/3GPP2, the mobile subscriber identifies itself with an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber ISDN Number (MSISDN), a Mobile Identification Number (MIN) or a Mobile Directory Number (MDN), and the 3GPP/3GPP2 network performs access authentication of the subscriber with the Authentication and Key Agreement (AKA) or CAVE mechanism. The home authentication service unit in the 3GPP/3GPP2 network, such as the Home Location Register (HLR), the Home Subscriber Server (HSS) or the home Authentication, Authorization and Accounting server (Home AAA), stores the subscriber's subscription information, which comprises at least the mobile subscriber identity, the subscriber's service number and the subscriber's service attribute parameters. The mobile subscriber identity is the IMSI, MSISDN, MIN or MDN. The service attribute parameters comprise voice service, supplementary service, packet-switched domain service, location service, multimedia message (MMS), short message (SMS) and streaming media parameters, among others.
The scheme of the invention for WLAN terminal access to a mobile network is as follows: the WLAN terminal sends, through the AP, an access request containing the WLAN terminal's public key certificate to the authentication and authorization service unit formed jointly by the ASU and the AAA server; the authentication and authorization service unit obtains the WLAN terminal's mobile subscriber identity in the mobile network from the WLAN terminal's public key certificate, then uses the mobile subscriber identity to obtain the current WLAN terminal's WLAN access profile from the mobile network's home authentication service unit; the authentication and authorization service unit then judges from the obtained WLAN access profile whether the current WLAN terminal passes access authentication; if so, it sends access authentication success information to the current WLAN terminal through the AP, otherwise it sends access authentication failure information to the current WLAN terminal through the AP.
The specific flow of the embodiment of the invention is shown in Fig. 2.
Step 201: the AP sends an authentication activation message to the WLAN terminal, here a STA.
Step 202: after receiving the authentication activation message, the STA sends its public key certificate to the AP in an access authentication request message.
Step 203: after receiving the access authentication request message from the STA, the AP extracts the STA's public key certificate, encapsulates it together with the AP's own public key certificate and the AP's signature in a certificate authentication request message, and sends this to the ASU.
Step 204: after receiving the certificate authentication request message, the ASU verifies the AP's signature and the validity of the AP's public key certificate. If either is incorrect, access authentication fails and step 209 follows; if both are correct, the ASU further verifies the STA's public key certificate: if the STA's certificate verifies successfully, step 205 follows, otherwise access authentication fails and step 209 follows.
Step 205: the ASU obtains the STA's mobile subscriber identity, i.e. its IMSI or MSISDN, from the STA's public key certificate and sends an access request message containing the STA's mobile subscriber identity to the 3GPP/3GPP2 AAA server.
Step 206: after receiving the access request message, the AAA server obtains this user's WLAN access profile from the HLR/HSS/H-AAA of the 3GPP/3GPP2 network according to the mobile subscriber identity in the message.
According to existing standards, the procedure by which the AAA server obtains the WLAN access profile information from the HLR/HSS/H-AAA specifically comprises:
206a) the AAA sends a subscriber profile request message to the HLR/HSS/H-AAA, containing the mobile subscriber identity of the requesting STA.
206b) the HLR/HSS/H-AAA looks up the requesting STA's profile according to the mobile subscriber identity; if found, it sends the STA's WLAN access profile, containing authorization information, charging information and the like, to the AAA in a subscriber profile request response message; if not found, it sends a WLAN access profile containing failure information to the AAA in a subscriber profile request response message.
206c) after receiving the subscriber profile request response message, the AAA returns an acknowledgement message to the HLR/HSS/H-AAA.
Step 207: the AAA server judges from the content of the subscriber profile request response message obtained from the HLR/HSS/H-AAA whether this STA is allowed to access the 3GPP/3GPP2 network. If it is allowed, the AAA server sends an access request response message containing a success access indication to the ASU, indicating that the STA is allowed to access the 3GPP/3GPP2 network; if the content of the subscriber profile request response message is a failure, the AAA server sends an access request response message containing a failure access indication to the ASU, indicating that the STA is not allowed to access the 3GPP/3GPP2 network.
Step 208: after receiving the access request response message from the AAA server, the ASU examines its content: if the access request response contains a success access indication, access authentication succeeds and step 209 follows; if it contains a failure access indication, access authentication fails and step 209 follows.
Step 209: if access authentication succeeded, the ASU forms a certificate authentication response message from the authentication success information and the ASU's signature and sends it to the AP, then step 210 follows; if access authentication failed, the ASU forms a certificate authentication response message from the authentication failure information and the ASU's signature and sends it to the AP, then step 210 follows.
Step 210: the AP verifies whether the signature on the certificate authentication response message returned by the ASU is correct. If it is wrong, the AP discards the message; if it is correct, the AP examines the authentication result contained in the response: if it is success, the AP allows the STA to access and returns the information from the certificate authentication response message to the STA in an access authentication response message; if it is failure, the AP refuses the STA's access and likewise returns the information from the certificate authentication response message to the STA in an access authentication response message.
After receiving the access authentication response message, the STA verifies whether the ASU's signature in the access authentication response message is correct. If it is wrong, the STA discards the message; if it is correct, the STA examines the authentication result in the message: if it is success, the STA prepares to access the 3GPP/3GPP2 network through this AP; otherwise the STA does not access through this AP, and the process ends.
If the access authentication procedure succeeded, the STA and the AP perform key negotiation, and after the key used for air-interface encryption has been obtained, the AAA server is notified and registers the STA with the HLR/HSS/H-AAA.
According to existing standards, the procedure by which the AAA server registers the STA with the HLR/HSS/H-AAA specifically comprises:
1a) the AAA sends a WLAN registration message to the HLR/HSS/H-AAA, containing the STA's mobile subscriber identity and the address of the AAA.
1b) the HLR/HSS/H-AAA stores the AAA address corresponding to this mobile subscriber identity and returns a WLAN terminal registration acknowledgement message to the AAA, containing the STA's mobile subscriber identity.
Alternatively, the AAA server may register the STA with the HLR/HSS/H-AAA directly in step 207, once it has determined from the content of the subscriber profile request response message obtained from the HLR/HSS/H-AAA that the STA is allowed to access the 3GPP/3GPP2 network.
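The following Python simulation is an added example, not part of the patent, of the mobile-network side of the embodiment: the mapping of step 205 from certificate holder name to mobile subscriber identity (in both variants the summary allows, the holder name being the identity itself or a pre-configured table), the subscriber profile request and response of steps 206a and 206b, the decision of step 207 with registration done directly in step 207 as the preceding paragraph permits, and the result the ASU obtains in step 208. It takes as input the holder name of a certificate that has already passed the checks of step 204; the home server contents, the AAA address, the holder names and the subscription records are constructed for the example.

```python
import re

# IMSI, MSISDN, MIN and MDN are all digit strings of at most 15 digits (assumed lower bound of 6).
SUBSCRIBER_ID = re.compile(r"[0-9]{6,15}")

class WlanAccessProfile:
    """WLAN access profile as returned in step 206b: at least authorization and charging information."""
    def __init__(self, authorized, charging, services=()):
        self.authorized, self.charging, self.services = authorized, charging, tuple(services)

class HomeServer:
    """HLR / HSS / H-AAA stand-in: holds subscription information and WLAN registrations."""
    def __init__(self, profiles):
        self.profiles, self.registrations = dict(profiles), {}

    def subscriber_profile_request(self, msg):
        """Step 206b: look up the profile by mobile subscriber identity; failure information if absent."""
        profile = self.profiles.get(msg["subscriber_id"])
        if profile is None:
            return {"subscriber_id": msg["subscriber_id"], "result": "failure"}
        return {"subscriber_id": msg["subscriber_id"], "result": "success", "profile": profile}

    def wlan_registration(self, msg):
        """Steps 1a-1b: store which AAA serves this subscriber and acknowledge with the identity."""
        self.registrations[msg["subscriber_id"]] = msg["aaa_address"]
        return {"subscriber_id": msg["subscriber_id"], "ack": True}

class AAAServer:
    def __init__(self, address, home):
        self.address, self.home = address, home

    def access_request(self, msg):
        """Steps 206-207; registration is done directly in step 207 once access is allowed."""
        subscriber_id = msg["subscriber_id"]
        resp = self.home.subscriber_profile_request({"subscriber_id": subscriber_id})
        # step 206c, the acknowledgement back to the home server, carries nothing worth modelling
        allowed = resp["result"] == "success" and resp["profile"].authorized
        if allowed:
            self.home.wlan_registration({"subscriber_id": subscriber_id, "aaa_address": self.address})
        return {"subscriber_id": subscriber_id, "access": "success" if allowed else "failure"}

class ASU:
    """Steps 205 and 208: map the certificate holder name to a subscriber identity and ask the AAA."""
    def __init__(self, aaa, holder_to_subscriber=None):
        self.aaa, self.holder_to_subscriber = aaa, dict(holder_to_subscriber or {})

    def resolve_identity(self, holder_name):
        """Pre-configured correspondence first; otherwise the holder name itself if it is an identity."""
        if holder_name in self.holder_to_subscriber:
            return self.holder_to_subscriber[holder_name]
        return holder_name if SUBSCRIBER_ID.fullmatch(holder_name) else None

    def authenticate(self, verified_holder_name):
        """Input is the holder name of a certificate that already passed step 204; output is step 208's result."""
        subscriber_id = self.resolve_identity(verified_holder_name)
        if subscriber_id is None:
            return "failure"            # no identity in the mobile network, so nothing to ask the home server
        return self.aaa.access_request({"subscriber_id": subscriber_id})["access"]

def demo():
    """Constructed data: two subscriptions, one mapping entry, five holder names."""
    home = HomeServer({"460001234567890": WlanAccessProfile(True, "postpaid", ("sms", "mms")),
                       "460005555555555": WlanAccessProfile(False, "suspended")})
    aaa = AAAServer("aaa1.example", home)                          # hypothetical AAA address
    asu = ASU(aaa, {"alice@wlan.example": "460001234567890"})     # hypothetical holder name
    holders = ["460001234567890", "alice@wlan.example", "460005555555555",
               "460000000000000", "bob@wlan.example"]
    return {h: asu.authenticate(h) for h in holders}, dict(home.registrations)
```

The identity handed to the home server comes only from the verified certificate, or from the operator's own correspondence table keyed by it, never from anything the STA sends in the clear; that is what the certificate check of step 204 buys. The three failure causes the demo exercises (no correspondence for the holder name, no subscription for the identity, and a profile that refuses access) all collapse into the single failure indication that step 209 signs and returns, so the distinction stays inside the operator network.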
ASU is in the different entities with aaa server in the above-described embodiments, and when the actual deployment network, ASU and AAA may be same entity, such as: the ASU functional module is set in AAA.Be called and differentiate the authorization service unit in order to narrate the set that makes things convenient among the present invention ASU and aaa server, ASU and aaa server can be as described above independently of one another in differentiating the authorization service unit, also can constitute an entity jointly, in this case, corresponding WLAN terminal use access procedure is referring to shown in Figure 3.
Step 301: The AP sends an authentication activation message to the WLAN terminal, here exemplified by the STA.
Step 302: On receiving the authentication activation message, the STA sends its public key certificate to the AP in an access authentication request message.
Step 303: On receiving the access authentication request message from the STA, the AP extracts the STA's public key certificate, encapsulates it together with the AP's own public key certificate and the AP's signature in a certificate authentication request message, and sends that message to the authentication and authorization service unit.
Step 304: On receiving the certificate authentication request message, the authentication and authorization service unit verifies the AP's signature and the validity of the AP's public key certificate. If either is incorrect, access authentication fails and the procedure goes to step 307. If both are correct, the authentication and authorization service unit further verifies the STA's public key certificate; if that verification succeeds, the procedure goes to step 305, otherwise access authentication fails and the procedure goes to step 307.
Step 305: The authentication and authorization service unit obtains the mobile subscriber identity of the STA from the STA's public key certificate, and obtains the WLAN access profile of this subscriber from the HLR/HSS/H-AAA.
According to the existing standard, the process by which the authentication and authorization service unit obtains the WLAN access profile from the HLR/HSS/H-AAA specifically comprises:
305a) The authentication and authorization service unit sends a subscriber profile request message to the HLR/HSS/H-AAA; the message carries the mobile subscriber identity of the requesting STA.
305b) The HLR/HSS/H-AAA looks up the profile of the requesting STA by the subscriber identity. If it is found, the HLR/HSS/H-AAA returns the STA's WLAN access profile, which includes authorization information, charging information and the like, to the authentication and authorization service unit in a subscriber profile request response message; if it is not found, the HLR/HSS/H-AAA returns a WLAN access profile carrying failure information in the subscriber profile request response message instead.
305c) On receiving the subscriber profile request response message, the authentication and authorization service unit returns an acknowledgement message to the HLR/HSS/H-AAA.
Step 306: The authentication and authorization service unit determines, from the content of the subscriber profile request response message obtained from the HLR/HSS/H-AAA, whether the STA is allowed to access the 3GPP/3GPP2 network. If so, access authentication succeeds and the procedure goes to step 307; otherwise access authentication fails and the procedure goes to step 307.
Step 307: If access authentication succeeded, the authentication and authorization service unit builds a certificate authentication response message from the authentication success information and the ASU's signature, sends it to the AP, and the procedure goes to step 308. If access authentication failed, the authentication and authorization service unit builds a certificate authentication response message from the authentication failure information and the ASU's signature, sends it to the AP, and the procedure goes to step 308.
Step 308: The AP verifies the ASU's signature in the certificate authentication response message. If it is wrong, the AP discards the message. If it is correct, the AP checks the authentication result carried in the response: if it is success, the AP allows the STA to access and returns the contents of the certificate authentication response message to the STA in an access authentication response message; if it is failure, the AP refuses access to the STA and likewise returns the contents of the certificate authentication response message to the STA in an access authentication response message.
On receiving the access authentication response message, the STA verifies the ASU's signature in it. If it is wrong, the STA discards the message. If it is correct, the STA checks the authentication result in the message: if it is success, the STA prepares to access the 3GPP/3GPP2 network through this AP; otherwise the STA does not access through this AP, and the procedure ends.
If the access authentication procedure succeeds, the STA and the AP carry out key agreement. Once the encryption key for the air interface has been obtained, the authentication and authorization service unit is notified, and it registers the STA with the HLR/HSS/H-AAA.
According to the existing standard, the process by which the authentication and authorization service unit registers the STA with the HLR/HSS/H-AAA specifically comprises:
2a) The authentication and authorization service unit sends a WLAN registration message to the HLR/HSS/H-AAA; the message carries the mobile subscriber identity of the STA and the address of the authentication and authorization service unit.
2b) The HLR/HSS/H-AAA stores the address of the authentication and authorization service unit against that subscriber identity and returns a WLAN terminal registration acknowledgement message to the authentication and authorization service unit; this message carries the mobile subscriber identity of the STA.
Alternatively, the authentication and authorization service unit may register the STA with the HLR/HSS/H-AAA directly in step 306, immediately after it has determined, from the content of the subscriber profile request response message obtained from the HLR/HSS/H-AAA, that the STA is allowed to access the 3GPP/3GPP2 network.
Preferably, the public key certificate of the WLAN terminal corresponds one-to-one with the mobile subscriber identity of that WLAN terminal in the mobile network. In step 205 and step 305 of the two embodiments above, the mobile subscriber identity of the STA can be obtained in two ways. In the first scheme, the certificate holder name in the STA's public key certificate is set to be the subscriber's mobile subscriber identity in the mobile network, so that the ASU can simply extract the certificate holder name from the STA's public key certificate and use it as the subscriber's mobile network identity.
In the second scheme, a directory server is configured that stores the correspondence between each subscriber's certificate holder name and mobile subscriber identity. This directory server can be located in the ASU or in the AAA server, or configured separately. The ASU first extracts the certificate holder name from the STA's public key certificate and then looks up the corresponding mobile subscriber identity through the directory server.
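The exchange of steps 301 to 308, the registration of steps 2a/2b, and the two holder-name-to-subscriber-identity schemes just described, as an added worked example in Go against the standard library. It is not part of the patent or of any Huawei implementation. Everything the page leaves open is an assumption of this example: the PKI (one Ed25519 CA issuing both the AP and STA certificates, with the certificate holder name taken to be the X.509 subject common name), the message layouts, the bytes the AP signature covers (STA certificate followed by AP certificate), the ASU address `asu.example.net`, and the HLR/HSS/H-AAA, which is reduced to two in-memory tables. The key agreement that follows a successful authentication is not described on the page and is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Message layouts are this example's assumption; the page names the messages but does not fix their encoding.
type CertAuthRequest struct{ STACert, APCert, APSig []byte }             // step 303, AP -> ASU
type CertAuthResponse struct{ Success bool; IMSI string; ASUSig []byte } // step 307, ASU -> AP, relayed to the STA in 308

func (r CertAuthResponse) signedBytes() []byte { return []byte(fmt.Sprintf("%t|%s", r.Success, r.IMSI)) }
func apSignedBytes(staCert, apCert []byte) []byte  { return append(append([]byte{}, staCert...), apCert...) } // assumed coverage

// ASU, with the HLR/HSS/H-AAA reduced to two tables: profiles keyed by IMSI (true = WLAN access authorized)
// and the WLAN registrations of steps 2a/2b (IMSI -> address of the unit that registered the terminal).
type ASU struct {
	addr       string
	key        ed25519.PrivateKey
	roots      *x509.CertPool
	directory  map[string]string // scheme 2: holder name -> IMSI; nil selects scheme 1 (holder name is the IMSI)
	profiles   map[string]bool
	registered map[string]string
}

// issueCert signs a certificate for pub; a nil parent yields a self-signed CA (constructed PKI, not the page's).
func issueCert(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, tmpl.KeyUsage = tmpl, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// verifyCert checks that a DER certificate chains to the trusted CA and is inside its validity period; it
// returns the certificate's Ed25519 public key (nil for any other key type) and its certificate holder name.
func (asu *ASU) verifyCert(der []byte) (ed25519.PublicKey, string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, "", err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: asu.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, _ := cert.PublicKey.(ed25519.PublicKey)
	return pub, cert.Subject.CommonName, err
}

// Steps 304-307 as seen by the ASU. The deferred signature covers every outcome, failures included, so the
// AP and the STA can tell a genuine rejection from a forged or corrupted one.
func (asu *ASU) HandleCertAuthRequest(req CertAuthRequest) (resp CertAuthResponse) {
	defer func() { resp.ASUSig = ed25519.Sign(asu.key, resp.signedBytes()) }()
	apPub, _, err := asu.verifyCert(req.APCert) // step 304: AP certificate validity, then the AP signature
	if err != nil || len(apPub) != ed25519.PublicKeySize || !ed25519.Verify(apPub, apSignedBytes(req.STACert, req.APCert), req.APSig) {
		return CertAuthResponse{}
	}
	_, holder, err := asu.verifyCert(req.STACert)  // step 304: STA certificate validity
	imsi, ok := holder, err == nil && holder != "" // step 305, scheme 1: the holder name is the IMSI
	if ok && asu.directory != nil {
		imsi, ok = asu.directory[holder] // step 305, scheme 2: directory server lookup
	}
	if !ok || !asu.profiles[imsi] { // steps 305a-c and 306: no profile, or the profile denies WLAN access
		return CertAuthResponse{}
	}
	asu.registered[imsi] = asu.addr // steps 2a/2b, done straight after the decision as the page permits
	return CertAuthResponse{Success: true, IMSI: imsi}
}

// Step 308 at the AP, and the STA's own check on the relayed message: a bad ASU signature means the message
// is dropped (ok=false), which is not the same as an authentic failure response (ok=true, admitted=false).
func CheckASUResponse(asuPub ed25519.PublicKey, resp CertAuthResponse) (admitted, ok bool) {
	if !ed25519.Verify(asuPub, resp.signedBytes(), resp.ASUSig) {
		return false, false
	}
	return resp.Success, true
}

// Scenario runs one complete access attempt for a STA whose certificate holder name is holder and reports
// whether it was admitted and the address the HLR now holds for the subscriber ("" if never registered).
func Scenario(holder string, directory map[string]string, profiles map[string]bool) (admitted bool, registeredAt string) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issueCert("WLAN CA", caPub, nil, caKey)
	asuPub, asuKey, _ := ed25519.GenerateKey(rand.Reader)
	asu := &ASU{addr: "asu.example.net", key: asuKey, roots: x509.NewCertPool(), directory: directory, profiles: profiles, registered: map[string]string{}}
	asu.roots.AddCert(ca)
	apPub, apKey, _ := ed25519.GenerateKey(rand.Reader)
	apCert := issueCert("ap-01", apPub, ca, caKey)
	staPub, _, _ := ed25519.GenerateKey(rand.Reader)
	staCert := issueCert(holder, staPub, ca, caKey) // step 302: the STA's own public key certificate
	req := CertAuthRequest{staCert.Raw, apCert.Raw, ed25519.Sign(apKey, apSignedBytes(staCert.Raw, apCert.Raw))} // step 303
	resp := asu.HandleCertAuthRequest(req)
	admitted, ok := CheckASUResponse(asuPub, resp)
	if !ok {
		return false, "" // dropped at the AP, nothing is relayed to the STA
	}
	return admitted, asu.registered[resp.IMSI]
}

func main() {
	fmt.Println(Scenario("460001234567890", nil, map[string]bool{"460001234567890": true}))
	fmt.Println(Scenario("alice", map[string]string{"alice": "460001234567890"}, map[string]bool{"460001234567890": true}))
}
```

The first call in `main` exercises scheme 1 (the holder name is the IMSI) and ends with the subscriber registered at the ASU address; the second exercises scheme 2 through the constructed directory. The point worth noting for an implementer is the split in `CheckASUResponse`: the page has both the AP and the STA discard a response whose ASU signature fails rather than treat it as a rejection, and because the ASU signs failure responses too, an AP that rewrites an authentic failure into a success cannot produce a signature that verifies.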
The solution of the present invention is applicable to access to mobile networks such as 3GPP and 3GPP2.
The above are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (13)

1. An authentication method for WLAN terminal access to a mobile network, characterized by comprising:
a) the WLAN terminal sending, through an AP, an access request carrying the WLAN terminal's public key certificate to an authentication and authorization service unit;
b) the authentication and authorization service unit obtaining, from the WLAN terminal public key certificate in the received access request, the mobile subscriber identity of the current WLAN terminal in the mobile network;
c) the authentication and authorization service unit obtaining, by means of the mobile subscriber identity so obtained, the WLAN access profile of the current WLAN terminal from a home authentication service unit of the mobile network;
d) the authentication and authorization service unit judging, from the obtained WLAN access profile, whether the current WLAN terminal passes access authentication; if so, sending access authentication success information to the current WLAN terminal through the AP, otherwise sending access authentication failure information to the current WLAN terminal through the AP.
2. The method according to claim 1, characterized in that the public key certificate of the WLAN terminal corresponds one-to-one with the mobile subscriber identity of that WLAN terminal in the mobile network.
3. The method according to claim 2, characterized in that the certificate holder name in the public key certificate of the WLAN terminal is the mobile subscriber identity of that WLAN terminal in the mobile network.
4. The method according to claim 2, characterized in that a correspondence between the certificate holder name of the public key certificate and the mobile subscriber identity is set in advance, and step b) specifically comprises: the authentication and authorization service unit extracting the certificate holder name from the public key certificate of the current WLAN terminal and obtaining the mobile subscriber identity of the WLAN terminal in the mobile network from the correspondence between certificate holder names and mobile subscriber identities.
5. The method according to claim 1, characterized in that, before step a), the method further comprises: the AP sending an authentication activation message to the WLAN terminal.
6. The method according to claim 1, characterized in that step a) specifically comprises: a1) the WLAN terminal sending an access authentication request message carrying its own public key certificate to the AP;
a2) the AP sending the current WLAN terminal's public key certificate from the received access authentication request message, together with the AP's own public key certificate and the AP's signature, to the authentication and authorization service unit of the mobile network in a certificate authentication request message;
between step a) and step b) the method further comprises: b1) the authentication and authorization service unit judging whether the AP signature and the AP public key certificate in the received certificate authentication request message are valid; if so, going to step b2), otherwise sending access authentication failure information to the current WLAN terminal through the AP;
b2) the authentication and authorization service unit judging whether the WLAN terminal public key certificate in the access request is valid; if so, going to step b), otherwise sending access authentication failure information to the current WLAN terminal through the AP;
the authentication and authorization service unit sending access authentication success information to the current WLAN terminal through the AP in step d) specifically comprises: the authentication and authorization service unit sending to the AP a certificate authentication response message carrying the authentication success information and the signature of the authentication and authorization service unit itself;
the AP verifying whether the signature of the authentication and authorization service unit in the received certificate authentication response message is correct; if wrong, discarding the certificate authentication response message; if correct, the AP sending the contents of the certificate authentication response message to the current WLAN terminal in an access authentication response message;
the current WLAN terminal verifying whether the ASU signature in the received access authentication response message is correct; if wrong, discarding the access authentication response message; if correct, determining that the access authentication response message carries authentication success information and preparing to access the mobile network through this AP;
the authentication and authorization service unit sending access authentication failure information to the current WLAN terminal through the AP in steps b1), b2) and d) specifically comprises: the authentication and authorization service unit sending to the AP a certificate authentication response message carrying the authentication failure information and the signature of the authentication and authorization service unit itself;
the AP verifying whether the signature of the authentication and authorization service unit in the received certificate authentication response message is correct; if wrong, discarding the certificate authentication response message; if correct, the AP sending the contents of the certificate authentication response message to the current WLAN terminal in an access authentication response message;
the current WLAN terminal verifying whether the ASU signature in the received access authentication response message is correct; if wrong, discarding the access authentication response message; if correct, determining that the access authentication response message carries authentication failure information and abandoning access to the mobile network through this AP.
7. The method according to claim 1, characterized in that step c) specifically comprises: c1) the authentication and authorization service unit sending a subscriber profile request message carrying the mobile subscriber identity of the current WLAN terminal to the home authentication service unit of the mobile network;
c2) the home authentication service unit looking up the WLAN access profile corresponding to the mobile subscriber identity in the subscriber profile request message; if found, returning the found WLAN access profile information to the authentication and authorization service unit in a subscriber profile request response message, otherwise returning an access profile carrying failure information to the authentication and authorization service unit in a subscriber profile request response message;
and the process in step d) in which the authentication and authorization service unit judges from the obtained WLAN access profile whether the current WLAN terminal passes access authentication specifically comprises: the authentication and authorization service unit analysing the returned subscriber profile request response message; if the access profile information in the response message allows the WLAN terminal to access the mobile network, mobile network access authentication passes; if the response message carries lookup failure information, or the access profile information in the response message refuses the WLAN terminal access to the mobile network, mobile network access authentication fails.
8. The method according to claim 7, characterized in that, if the home authentication service unit finds the WLAN access profile in step c2), the WLAN access profile information comprises at least authorization information and charging information.
9. The method according to claim 1, characterized in that, if the current WLAN terminal passes access authentication in step d), the method further comprises: the authentication and authorization service unit registering the current WLAN terminal with the home authentication service unit.
10. The method according to claim 1, characterized in that the authentication and authorization service unit comprises an ASU and an AAA server of the mobile network.
11. The method according to claim 10, characterized in that, when the ASU and the AAA server of the mobile network in the authentication and authorization service unit are provided independently of each other:
step a) is the WLAN terminal sending the access request to the ASU through the AP;
step b) is the ASU obtaining the mobile subscriber identity from the public key certificate;
between step b) and step c) the method further comprises: the ASU sending an access request message carrying the mobile subscriber identity to the AAA server;
step c) is the AAA server obtaining the WLAN access profile of the current WLAN terminal from the home authentication service unit by means of the mobile subscriber identity in the received access request message;
step d) is the AAA server judging from the obtained WLAN access profile whether the current WLAN terminal passes access authentication; if so, the AAA server sending access authentication success information to the ASU in an access request response message, and the ASU sending the access authentication success information to the current WLAN terminal through the AP; otherwise the AAA server sending access authentication failure information to the ASU in an access request response message, and the ASU sending the access authentication failure information to the current WLAN terminal through the AP.
12. The method according to claim 1, characterized in that the home authentication service unit is an HLR, an HSS or an H-AAA.
13. The method according to claim 1, characterized in that the mobile subscriber identity is an IMSI, an MSISDN, an MIN or an MDN.
CNA2004100309100A 2004-03-26 2004-03-26 Certification method for WLAN terminal switching in mobile network Pending CN1674497A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2004100309100A CN1674497A (en) 2004-03-26 2004-03-26 Certification method for WLAN terminal switching in mobile network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2004100309100A CN1674497A (en) 2004-03-26 2004-03-26 Certification method for WLAN terminal switching in mobile network

Publications (1)

Publication Number Publication Date
CN1674497A true CN1674497A (en) 2005-09-28

Family

ID=35046785

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2004100309100A Pending CN1674497A (en) 2004-03-26 2004-03-26 Certification method for WLAN terminal switching in mobile network

Country Status (1)

Country Link
CN (1) CN1674497A (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008080351A1 (en) * 2006-12-29 2008-07-10 China Iwncomm Co., Ltd. Wireless local network operation method based on wapi
CN100454876C (en) * 2007-02-06 2009-01-21 西安西电捷通无线网络通信有限公司 Method for applying for certificate in wireless LAN WAPI safety mechanism
CN100456725C (en) * 2007-03-15 2009-01-28 北京安拓思科技有限责任公司 Network system and method for obtaining the public key certificate for WAPI
WO2009106003A1 (en) * 2008-02-29 2009-09-03 西安西电捷通无线网络通信有限公司 An apparatus and a method for implementing access authentication of mobile phone in wireless local area network
CN101754203A (en) * 2009-12-25 2010-06-23 宇龙计算机通信科技(深圳)有限公司 Method, device and network system for obtaining WAPI certificate
CN101800984A (en) * 2010-01-14 2010-08-11 宇龙计算机通信科技(深圳)有限公司 Method and server terminal for obtaining WAPI certification and WAPI authentication system
WO2010102493A1 (en) * 2009-03-11 2010-09-16 西安西电捷通无线网络通信股份有限公司 Method for providing special access process to different terminals in wlan
CN101841525A (en) * 2010-03-02 2010-09-22 中国联合网络通信集团有限公司 Secure access method, system and client
CN1805441B (en) * 2005-11-23 2011-01-05 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
CN101527908B (en) * 2009-04-08 2011-04-20 中兴通讯股份有限公司 Method for pre-identifying wireless local area network terminal and wireless local area network system
CN102421097A (en) * 2010-09-27 2012-04-18 中国移动通信集团公司 User authorization method, device and system
CN102420799A (en) * 2010-09-27 2012-04-18 中国移动通信集团公司 User authentication method, device and system
US8195935B2 (en) 2006-09-23 2012-06-05 China Iwncomm Co., Ltd. Systems, methods and computer-accessible media for acquiring and authenticating public key certificate status
CN102893669A (en) * 2012-07-02 2013-01-23 华为技术有限公司 Method, device and system of accessing mobile network
US8417951B2 (en) 2008-05-09 2013-04-09 China Iwncomm Co., Ltd. Roaming authentication method based on WAPI
US8516133B2 (en) 2008-02-07 2013-08-20 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for mobile device credentialing
CN103379494A (en) * 2012-04-26 2013-10-30 丛林网络公司 Non-mobile authentication for mobile network gateway connectivity
WO2013174190A1 (en) * 2012-05-23 2013-11-28 中兴通讯股份有限公司 Routing selection method and functional network element
CN104349295A (en) * 2013-07-31 2015-02-11 中国电信股份有限公司 WAPI (WLAN authentication and privacy infrastructure) charging method, system and access controller
CN105981345A (en) * 2013-09-27 2016-09-28 瑞典爱立信有限公司 Lawful interception in a wi-fi / packet core network access
CN103379494B (en) * 2012-04-26 2016-11-30 丛林网络公司 The non-moving certification that mobile network gateway connects
WO2017035781A1 (en) * 2015-09-01 2017-03-09 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices of authenticating non-sim mobile terminals accessing a wireless communication network
CN107005927A (en) * 2015-09-22 2017-08-01 华为技术有限公司 Cut-in method, equipment and the system of user equipment (UE)
CN107360124A (en) * 2016-05-10 2017-11-17 普天信息技术有限公司 Access authentication method and device, WAP and user terminal
US10693770B2 (en) 2013-09-30 2020-06-23 Juniper Networks, Inc. Service chaining within computer networks
CN111669756A (en) * 2020-07-24 2020-09-15 广西电网有限责任公司 System and method for transmitting access network information in WAPI network

Cited By (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805441B (en) * 2005-11-23 2011-01-05 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
US8195935B2 (en) 2006-09-23 2012-06-05 China Iwncomm Co., Ltd. Systems, methods and computer-accessible media for acquiring and authenticating public key certificate status
WO2008080351A1 (en) * 2006-12-29 2008-07-10 China Iwncomm Co., Ltd. Wireless local network operation method based on wapi
CN100454876C (en) * 2007-02-06 2009-01-21 西安西电捷通无线网络通信有限公司 Method for applying for certificate in wireless LAN WAPI safety mechanism
CN100456725C (en) * 2007-03-15 2009-01-28 北京安拓思科技有限责任公司 Network system and method for obtaining the public key certificate for WAPI
US8516133B2 (en) 2008-02-07 2013-08-20 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for mobile device credentialing
WO2009106003A1 (en) * 2008-02-29 2009-09-03 西安西电捷通无线网络通信有限公司 An apparatus and a method for implementing access authentication of mobile phone in wireless local area network
US8417951B2 (en) 2008-05-09 2013-04-09 China Iwncomm Co., Ltd. Roaming authentication method based on WAPI
WO2010102493A1 (en) * 2009-03-11 2010-09-16 西安西电捷通无线网络通信股份有限公司 Method for providing special access process to different terminals in wlan
CN101527908B (en) * 2009-04-08 2011-04-20 中兴通讯股份有限公司 Method for pre-identifying wireless local area network terminal and wireless local area network system
CN101754203B (en) * 2009-12-25 2014-04-09 宇龙计算机通信科技(深圳)有限公司 Method, device and network system for obtaining WAPI certificate
CN101754203A (en) * 2009-12-25 2010-06-23 宇龙计算机通信科技(深圳)有限公司 Method, device and network system for obtaining WAPI certificate
CN101800984A (en) * 2010-01-14 2010-08-11 宇龙计算机通信科技(深圳)有限公司 Method and server terminal for obtaining WAPI certification and WAPI authentication system
CN101841525A (en) * 2010-03-02 2010-09-22 中国联合网络通信集团有限公司 Secure access method, system and client
CN102421097A (en) * 2010-09-27 2012-04-18 中国移动通信集团公司 User authorization method, device and system
CN102420799A (en) * 2010-09-27 2012-04-18 中国移动通信集团公司 User authentication method, device and system
CN102420799B (en) * 2010-09-27 2015-03-11 中国移动通信集团公司 User authentication method, device and system
CN102421097B (en) * 2010-09-27 2015-12-09 中国移动通信集团公司 A kind of user authen method, Apparatus and system
CN103379494B (en) * 2012-04-26 2016-11-30 丛林网络公司 The non-moving certification that mobile network gateway connects
CN103379494A (en) * 2012-04-26 2013-10-30 丛林网络公司 Non-mobile authentication for mobile network gateway connectivity
US9264898B2 (en) 2012-04-26 2016-02-16 Juniper Networks, Inc. Non-mobile authentication for mobile network gateway connectivity
US10021566B2 (en) 2012-04-26 2018-07-10 Juniper Networks, Inc. Non-mobile authentication for mobile network gateway connectivity
WO2013174190A1 (en) * 2012-05-23 2013-11-28 中兴通讯股份有限公司 Routing selection method and functional network element
CN103428800A (en) * 2012-05-23 2013-12-04 中兴通讯股份有限公司 Route selection method and functional network element
WO2014005267A1 (en) * 2012-07-02 2014-01-09 华为技术有限公司 Method, apparatus, and system for accessing mobile network
CN102893669A (en) * 2012-07-02 2013-01-23 华为技术有限公司 Method, device and system of accessing mobile network
CN102893669B (en) * 2012-07-02 2016-05-25 华为技术有限公司 The method of access to mobile network, Apparatus and system
CN104349295A (en) * 2013-07-31 2015-02-11 中国电信股份有限公司 WAPI (WLAN authentication and privacy infrastructure) charging method, system and access controller
CN104349295B (en) * 2013-07-31 2018-02-16 中国电信股份有限公司 WAPI charging methods, system and access controller
CN105981345A (en) * 2013-09-27 2016-09-28 瑞典爱立信有限公司 Lawful interception in a wi-fi / packet core network access
CN105981345B (en) * 2013-09-27 2019-06-18 瑞典爱立信有限公司 The Lawful intercept of WI-FI/ packet-based core networks access
US10693770B2 (en) 2013-09-30 2020-06-23 Juniper Networks, Inc. Service chaining within computer networks
WO2017035781A1 (en) * 2015-09-01 2017-03-09 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices of authenticating non-sim mobile terminals accessing a wireless communication network
EP3345416A4 (en) * 2015-09-01 2019-03-06 Telefonaktiebolaget LM Ericsson (PUBL) Methods and devices of authenticating non-sim mobile terminals accessing a wireless communication network
US10582382B2 (en) 2015-09-01 2020-03-03 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices of authenticating non-SIM mobile terminals accessing a wireless communication network
CN107005927A (en) * 2015-09-22 2017-08-01 华为技术有限公司 Cut-in method, equipment and the system of user equipment (UE)
CN107005927B (en) * 2015-09-22 2022-05-31 华为技术有限公司 Access method, device and system of User Equipment (UE)
CN107360124A (en) * 2016-05-10 2017-11-17 普天信息技术有限公司 Access authentication method and device, WAP and user terminal
CN111669756A (en) * 2020-07-24 2020-09-15 广西电网有限责任公司 System and method for transmitting access network information in WAPI network
CN111669756B (en) * 2020-07-24 2023-07-04 广西电网有限责任公司 System and method for transmitting access network information in WAPI network

Similar Documents

Publication Publication Date Title
CN1674497A (en) Certification method for WLAN terminal switching in mobile network
CN1310476C (en) Method for building session connection to wireless local network user
US9392435B2 (en) Method, system and apparatus for accessing a visited network
CN1689369A (en) Method and system for establishing a connection via an access network
CN1265607C (en) Method for building up service tunnel in wireless local area network
AU2007232622B2 (en) System and method for optimizing authentication procedure during inter access system handovers
CN1274181C (en) Method for managing local terminal equipment accessing network
CN1298194C (en) Radio LAN security access method based on roaming key exchange authentication protocal
CN1645960A (en) Interactive method for re-selecting operating network to wireless local network
CN1549526A (en) Method for realizing radio local area network authentication
CN1848994A (en) Method for realizing right discrimination of microwave cut-in global interoperating system
CN1842000A (en) Method for realizing access authentication of WLAN
CN1283062C (en) Cut-in identification realizing method for wireless local network
CN1259811A (en) Method and device used for secret in communication system
CN1762129A (en) Service in wlan inter-working, address management system, and method
CN1610319A (en) Analytic switch-in processing method for selecting business in radio local area network
CN1809072A (en) Network architecture of backward compatible authentication, authorization and accounting system and implementation method
CN1889781A (en) Identification method for multi-mode terminal roaming among heterogenous inserting technology networks
CN1859335A (en) Radio local network connecting gateway strategy loading method in radio local network
CN1756428A (en) Method for carrying out authentication for terminal user identification module in IP multimedia subsystem
CN1277368C (en) Interactive method for reselecting operation network for radio local net user terminal
CN1695132A (en) Terminal authentication system, terminal authentication method, and terminal authentication server
CN1901486A (en) Tunnel establishing method and system in radio local area net
CN1848823A (en) System and method for intercommunicating with mobile network short message based on IP switch-in network
CN1691582A (en) Method for implementing compatibility between WAPI protocol and 802.1X protocol

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20050928