WO2009082910A1 - Method and device for network configuration to user terminal - Google Patents


Info

Publication number: WO2009082910A1
Authority: WIPO (PCT)
Prior art keywords: user terminal, configuration, server, address, network
Application number: PCT/CN2008/073466
Other languages: French (fr), Chinese (zh)
Inventor: Chuan Li
Original Assignee: Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play


Abstract

A method for network configuration of a user terminal is disclosed; the user terminal is used in a Worldwide Interoperability for Microwave Access network. The method includes: acquiring an IP address of a configuration server, and establishing a Transport Layer Security (TLS) tunnel between the user terminal and the configuration server based on the IP address (101); and acquiring configuration data through the established TLS tunnel, and configuring parameters of the user terminal based on the acquired configuration data (102).

Description

Method and device for network configuration of a user terminal. This application claims priority to Chinese patent application No. 200710301584.6, filed with the Chinese Patent Office on December 25, 2007 and entitled "Method and device for network configuration of a user terminal", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications, and in particular to a method and device for performing network configuration on a user terminal in a Worldwide Interoperability for Microwave Access (WiMAX) network.
Background
In the prior art, when a user terminal accesses a WiMAX network, the user terminal must be network-configured so that it can operate normally. At present, most products on the market use the framework proposed by the Open Mobile Terminal Alliance (OMA) to perform network configuration on the user terminal.
Network configuration of a user terminal using the OMA framework can be divided into two processes: an initial configuration process and a reconfiguration process. During initial configuration, the Authentication, Authorization and Accounting (AAA) server notifies the Open Mobile Terminal Alliance Data Management (OMA DM) server that a user terminal has entered the network, and the OMA DM server initiates the network configuration process for that user terminal. During reconfiguration, the AAA server provides the user terminal's related information to the OMA DM server, and the OMA DM server initiates network configuration of the user terminal according to that information.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problems. In an actual network architecture, the AAA server and the OMA DM server belong to different subnets (the AAA server is a device of the service processing domain; the OMA DM server is a device of the operation and maintenance domain). The two devices are networked separately, and for them to communicate across the two isolated subnets the deployment of the devices has to be taken into account, which makes deployment of the AAA server and the OMA DM server difficult. Moreover, in commercial networking, for security reasons the Access Service Network Gateway (ASN-GW) needs to be connected to a firewall or to a device with a Network Address Translation (NAT) function, and the AAA server is connected to the outbound interface of the firewall or NAT device. A firewall or NAT device only allows request messages actively initiated by devices on the inner side of the ASN-GW (the user terminal side) to pass, and can receive response messages sent by devices on the outer side of the ASN-GW (the OMA DM server side) that match those requests; it does not, however, allow request messages actively initiated by outer-side (OMA DM server side) devices to pass. Therefore, during the initial configuration and reconfiguration of the user terminal described above, the configuration file that the OMA DM server actively sends to the user terminal cannot pass through the firewall or NAT device, and the network configuration of the user terminal by the OMA DM server fails.
Summary of the invention
Embodiments of the present invention provide a method and device for performing network configuration on a user terminal, which solve the problem that, in current WiMAX networks, the configuration server cannot perform network configuration on the user terminal when a firewall or a device with a NAT function is present.
One embodiment of the present invention that solves the above technical problem is:
A method for performing network configuration on a user terminal, applied in a Worldwide Interoperability for Microwave Access network, comprising the following steps:
obtaining the IP address of a configuration server, and establishing a Transport Layer Security (TLS) tunnel between the user terminal and the configuration server according to the IP address; and obtaining configuration data through the established TLS tunnel, and configuring parameters of the user terminal according to the obtained configuration data.
Another embodiment of the present invention that solves the above technical problem is:
A user terminal, which accesses a Worldwide Interoperability for Microwave Access network, comprising:
an obtaining unit, configured to obtain the IP address of a configuration server;
a tunnel creation unit, configured to establish a TLS tunnel between the user terminal and the configuration server according to the IP address; and
a configuration unit, configured to obtain configuration data through the established TLS tunnel and to configure parameters of the user terminal according to the obtained configuration data.
A further embodiment of the present invention that solves the above technical problem is:
A configuration server, connected to a Worldwide Interoperability for Microwave Access network, comprising:
a tunnel creation unit, configured to establish a TLS tunnel between a user terminal and the configuration server;
a configuration data sending unit, configured to send configuration data to the user terminal through the TLS tunnel.
In the method and device for network configuration of a user terminal provided by the embodiments of the present invention, the user terminal actively initiates establishment of a TLS tunnel to the configuration server according to the IP address of the configuration server, and obtains the configuration data through that tunnel. This overcomes the prior-art problem that, when a firewall or a NAT device is present, configuration data actively sent by the configuration server cannot pass through the firewall or NAT device and the configuration server therefore cannot configure the user terminal, and it secures the communication between the user terminal and the configuration device. Because the TLS tunnel is initiated by the user terminal towards the configuration server, the AAA server no longer needs to notify the configuration server that a user terminal has entered the network, so the network layout between the AAA server and the configuration server need not be considered during networking; this makes networking more flexible and reduces the cost of building and maintaining the network.
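The firewall/NAT behaviour described in the background, and the user-terminal-initiated tunnel the summary relies on, as an added Python model that is not part of the patent text: a stateful filter that records flows opened from the inner (MS/SS) side and admits a packet from the outer (OMA DM server) side only when it answers one of those flows. The endpoint addresses, ports and side labels are constructed sample values.

```python
# Added model (not from the patent): the stateful firewall / NAT the background
# describes. Requests cross only from the inner (MS/SS) side to the outer
# (OMA DM server) side; a packet from the outer side is admitted only when it
# matches a flow the inner side already opened. Endpoints are constructed.
from dataclasses import dataclass

INNER = "inner"   # ASN-GW inside: user terminal (MS/SS) side
OUTER = "outer"   # ASN-GW outside: OMA DM server side


@dataclass(frozen=True)
class Packet:
    src: str          # "host:port" of the sender
    dst: str          # "host:port" of the receiver
    side: str         # INNER or OUTER, where the packet comes from
    initial: bool     # True if this packet opens a new flow (a request)


class StatefulFilter:
    """Firewall/NAT that permits inner-initiated flows and their replies only."""

    def __init__(self):
        self.flows = set()          # (inner endpoint, outer endpoint) pairs

    def admit(self, pkt: Packet) -> bool:
        if pkt.side == INNER:
            if pkt.initial:
                self.flows.add((pkt.src, pkt.dst))   # record the new flow
                return True
            return (pkt.src, pkt.dst) in self.flows  # later inner packets of a flow
        # outer side: accepted only as the answer to a recorded inner flow
        return not pkt.initial and (pkt.dst, pkt.src) in self.flows


MS = "192.168.1.10:50000"   # constructed user terminal endpoint (inner)
DM = "10.0.0.5:443"         # constructed OMA DM server endpoint (outer)


def server_push(fw: StatefulFilter) -> bool:
    """Prior art: the OMA DM server tries to open a session to the MS/SS."""
    return fw.admit(Packet(DM, MS, OUTER, initial=True))


def client_pull(fw: StatefulFilter) -> tuple:
    """Embodiment: the MS/SS opens the TLS tunnel; the server answers inside it.
    Returns (ClientHello admitted, ServerHello admitted, stray push admitted)."""
    hello = fw.admit(Packet(MS, DM, INNER, initial=True))
    server_hello = fw.admit(Packet(DM, MS, OUTER, initial=False))
    # a server packet towards a terminal that never opened a flow is dropped
    stray = fw.admit(Packet(DM, "192.168.1.11:50000", OUTER, initial=False))
    return hello, server_hello, stray


if __name__ == "__main__":
    print("server push admitted:", server_push(StatefulFilter()))   # False
    print("client pull:", client_pull(StatefulFilter()))             # (True, True, False)
```

The model only tracks which side opened a flow, which is the property the patent's argument depends on: the server-initiated push is dropped before any TLS handshake can start, while the same server's packets are admitted once they answer a flow the MS/SS opened.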
Brief description of the drawings
FIG. 1 is a flowchart of a method for performing network configuration on a user terminal according to an embodiment of the present invention;
FIG. 2 is a sequence diagram of the initial configuration of a user terminal using the method shown in FIG. 1, according to an embodiment of the present invention;
FIG. 3 is a sequence diagram of establishing a TLS tunnel between the MS/SS and the OMA DM server in the method for performing network configuration on a user terminal according to an embodiment of the present invention;
FIG. 4 is a sequence diagram of the OMA DM server performing network configuration on the MS/SS in the method shown in FIG. 2;
FIG. 5 is a sequence diagram of the reconfiguration of a user terminal using the method shown in FIG. 1, according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a user terminal and a configuration server according to an embodiment of the present invention.
Detailed description
To solve the prior-art problem that, when a firewall or a NAT device is present, configuration data sent by the configuration server cannot pass through the firewall or NAT device so that the configuration server cannot perform network configuration on the user terminal, an embodiment of the present invention provides a method for performing network configuration on a user terminal. The present invention is described in detail below with reference to the drawings and embodiments.
In this embodiment, the method for performing network configuration on a user terminal is applied in a WiMAX network, the user terminal is a Mobile Station (MS)/Subscriber Station (SS), and the configuration server is an OMA DM server. As shown in FIG. 1, the method includes the following steps:
Step 101: obtain the IP address of the OMA DM server, and establish a Transport Layer Security (TLS) tunnel between the MS/SS and the OMA DM server according to that IP address;
Step 102: obtain configuration data through the established TLS tunnel, and configure the parameters of the MS/SS according to the obtained configuration data.
In an actual network, the situations in which step 101 performs network configuration for the MS/SS fall into two kinds: one is the initial configuration of the MS/SS when it enters the network for the first time; the other is updating the network configuration of an MS/SS that has already accessed the network, that is, reconfiguring the MS/SS. They are described separately below:
In the first case, as shown in FIG. 2, the steps of initially configuring the MS/SS using the method for performing network configuration on a user terminal provided by the embodiment of the present invention include:
Step 201: the MS/SS and the BS negotiate air interface parameters, so that the MS/SS and the BS can communicate normally;
Step 202: the AAA server authenticates the identity of the MS/SS;
AAA服务器对 MS/SS 进行身份认证的过程中, 首先, 由 ASN-GW向 MS/SS 发送请求用户终端身份消息; 为了使 AAA服务器能够主动判断出 MS/SS是否需要进行网络配置,所述 MS/SS接收到请求用户终端身份消息后, 向 AAA服务器返回携带其身份标识的身份信息, 其中, 所述用户终端的身份 标识包括: 服务类型、 用户名和用户终端所属的域, 在本实施例中, 所述用 户终端的身份标识格式为: {服务类型}用户名 @用户终端所属的域,在 MS/SS 第一次接入网络时, MS/SS发现自身缺少网络配置的数据, 所以将其身份标 识中的服务类型字段设置成需要进行网络配置, 在 MS/SS因为网络出现异常 而丟失了其网络配置数据时, 所述 MS/SS也可以将其身份标识中的服务类型 字段设置成需要进行网络配置; AAA服务器收到 MS/SS身份信息以后, 釆用 扩展认证协议 -传输层安全 ( Extensible Authentication Protocol - Transport Layer Security , 简称: EAP-TLS ) , 或者扩展认证协议-隧道传输层安全 ( Extensible Authentication Protocol - Tunneled Transport Layer Security, 简称: EAP-TTLS )协议对所述 MS/SS的身份进行认证。  In the process of authenticating the MS/SS by the AAA server, first, the ASN-GW sends a requesting user terminal identity message to the MS/SS; in order to enable the AAA server to actively determine whether the MS/SS needs network configuration, the MS After receiving the requesting user terminal identity message, the SS returns the identity information carrying the identity of the user terminal to the AAA server, where the identity of the user terminal includes: the service type, the user name, and the domain to which the user terminal belongs, in this embodiment. The identity format of the user terminal is: {service type} user name@domain to which the user terminal belongs. When the MS/SS first accesses the network, the MS/SS finds that it lacks data of the network configuration, so it is The service type field in the identity is set to require network configuration. When the MS/SS loses its network configuration data due to an abnormality in the network, the MS/SS may also set the service type field in its identity to be needed. 
Perform network configuration; After receiving the MS/SS identity information, the AAA server uses the extended authentication protocol - Transport Layer Security (Ext Ensible Authentication Protocol - Transport Layer Security (EAP-TLS), or the Extensible Authentication Protocol - Tunneled Transport Layer Security (EAP-TTLS) protocol for the identity of the MS/SS Certification.
步骤 203 , AAA服务器对 MS/SS认证成功以后, AAA服务器可以根据 所述 MS/SS身份标识中的服务类型字段判断该 MS/SS需要进行网络配置, 当 然, AAA服务器也可以自己决定所述 MS/SS是否需要进行网络配置; 所述 AAA服务器对 MS/SS发送认证成功消息时,在所述认证成功消息中携带了命 令 ASN-GW对 MS/SS启动预配置的消息;  Step 203: After the AAA server successfully authenticates the MS/SS, the AAA server may determine, according to the service type field in the MS/SS identity, that the MS/SS needs to perform network configuration. Of course, the AAA server may also determine the MS by itself. Whether the SS needs to perform network configuration; when the AAA server sends an authentication success message to the MS/SS, the authentication success message carries a command ASN-GW to start a pre-configured message to the MS/SS;
本实施例中, 所述认证成功消息携带命令 ASN-GW对所述 MS/SS开启 hotline功能的消息, 其中, 所述 hotline功能的作用是: 使 ASN-GW禁止用户 终端除了网络配置过程的其他业务数据通过;  In this embodiment, the authentication success message carries a message that the ASN-GW is enabled to enable the hotline function on the MS/SS, where the function of the hotline function is: causing the ASN-GW to prohibit the user terminal from other than the network configuration process. Business data is passed;
为了能够使 MS/SS获取 OMADM服务器的 IP地址,从而根据所述 IP地 址主动向 OMA DM服务器发起建立 TLS隧道的过程, AAA服务器可以将其 上预先配置的 OMA DM服务器的 IP地址, 通过认证成功消息发送给所述 MS/SS; In order to enable the MS/SS to obtain the IP address of the OMA DM server, and then initiate the process of establishing a TLS tunnel to the OMA DM server according to the IP address, the AAA server can successfully authenticate the IP address of the pre-configured OMA DM server. a message is sent to the MS/SS;
为了能够使所述 MS/SS能够在以后的网络运行过程中, 定时更新其网络 配置, 所述 AAA服务器也可以为 MS/SS设置更新 MS/SS网络配置的时间, 该更新 MS/SS网络配置的时间可以由网络管理员手动设置, 例如: 2小时、 1 天或者 1个月等, 具体的更新 MS/SS网络配置的时间可以根据实际网络运行 需要而定, 所述 AAA服务器将该更新 MS/SS网络配置的时间通过认证成功 消息发送给 MS/SS。  In order to enable the MS/SS to periodically update its network configuration during future network operations, the AAA server may also set the time for updating the MS/SS network configuration for the MS/SS, the update MS/SS network configuration. The time can be manually set by the network administrator, for example: 2 hours, 1 day or 1 month, etc. The specific update time of the MS/SS network configuration can be determined according to the actual network operation needs, and the AAA server will update the MS. The time of the /SS network configuration is sent to the MS/SS through the authentication success message.
Step 204: When the authentication success message sent by the AAA server to the MS/SS passes through the ASN-GW, the ASN-GW finds that the message carries the command to start the hotline function; the ASN-GW enables the hotline function for the MS/SS and at the same time establishes a pre-configuration service flow for the MS/SS;
Step 205: After receiving the authentication success message, the MS/SS requests an IP address from the Dynamic Host Configuration Protocol (DHCP) server over the pre-configuration service flow that the ASN-GW established for it;
While the MS/SS requests an IP address from the DHCP server, so that the MS/SS can obtain the IP address of the OMA DM server and use it to initiate the establishment of a TLS tunnel to the OMA DM server, the DHCP server may add the OMA DM server IP address pre-configured on it to the Option field of a DHCP message and deliver it to the MS/SS in that message; the ASN-GW may likewise, while forwarding the DHCP message, add the OMA DM server IP address it has stored in advance to the Option field of the DHCP message and so deliver the OMA DM server IP address to the MS/SS;
Also while the MS/SS requests an IP address from the DHCP server, the DHCP server or the ASN-GW may set the time for updating the MS/SS network configuration, add it to the Option field of the DHCP message and deliver it to the MS/SS in that message.
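As an added illustration (not part of the patent text), the following Go program shows one concrete way the DHCP server or ASN-GW could carry the OMA DM server address and the reconfiguration update time in the DHCP Option field, and how the MS/SS should parse it defensively. It assumes DHCP option 43 (vendor-specific information, RFC 2132) as the carrier and two hypothetical sub-option codes of its own choosing, since the patent fixes no encoding.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// RFC 2132 option codes: 43 carries vendor-specific data as a nested code/length/value
// list, 0 is padding and 255 ends a list. The two sub-option codes inside 43 are an
// assumption of this example: the patent fixes no encoding for address or update time.
const (
	optPad            = 0
	optVendorSpecific = 43
	optEnd            = 255
	subDMServerIP     = 1 // 4-byte IPv4 address of the OMA DM server
	subUpdateInterval = 2 // 4-byte big-endian interval in seconds between reconfigurations
)

type ProvisioningHint struct { // what the DHCP server or the ASN-GW adds for the MS/SS
	DMServer       net.IP
	UpdateInterval time.Duration // zero when the sub-option is absent
}

// Encode serialises the hint as option 43 followed by the end option.
func (h ProvisioningHint) Encode() ([]byte, error) {
	ip4 := h.DMServer.To4()
	if ip4 == nil {
		return nil, errors.New("OMA DM server address must be IPv4")
	}
	inner := append([]byte{subDMServerIP, 4}, ip4...)
	if secs := h.UpdateInterval / time.Second; secs > 0 {
		if secs > 0xFFFFFFFF {
			return nil, errors.New("update interval does not fit in 32 bits")
		}
		inner = append(inner, subUpdateInterval, 4, byte(secs>>24), byte(secs>>16), byte(secs>>8), byte(secs))
	}
	out := append([]byte{optVendorSpecific, byte(len(inner))}, inner...)
	return append(out, optEnd), nil
}

// parseTLVs walks a code/length/value list, honouring pad and end codes and
// refusing any length byte that points past the end of the buffer.
func parseTLVs(b []byte) (map[byte][]byte, error) {
	opts := map[byte][]byte{}
	for i := 0; i < len(b); {
		code := b[i]
		if code == optPad {
			i++
			continue
		}
		if code == optEnd {
			return opts, nil
		}
		if i+1 >= len(b) {
			return nil, fmt.Errorf("option %d: missing length byte", code)
		}
		n := int(b[i+1])
		if i+2+n > len(b) {
			return nil, fmt.Errorf("option %d: length %d runs past the packet", code, n)
		}
		opts[code] = b[i+2 : i+2+n]
		i += 2 + n
	}
	return opts, nil
}

// Decode extracts the hint from a DHCP options area. Every field length is
// checked, so a truncated or malformed packet is rejected instead of handing
// the MS/SS a bogus server address or update time to act on.
func Decode(options []byte) (ProvisioningHint, error) {
	var h ProvisioningHint
	outer, err := parseTLVs(options)
	if err != nil {
		return h, err
	}
	vendor, ok := outer[optVendorSpecific]
	if !ok {
		return h, errors.New("no vendor-specific option present")
	}
	sub, err := parseTLVs(vendor)
	if err != nil {
		return h, err
	}
	ip, ok := sub[subDMServerIP]
	if !ok || len(ip) != 4 {
		return h, errors.New("OMA DM server sub-option missing or malformed")
	}
	h.DMServer = net.IPv4(ip[0], ip[1], ip[2], ip[3])
	if iv, ok := sub[subUpdateInterval]; ok {
		if len(iv) != 4 {
			return h, errors.New("update interval sub-option malformed")
		}
		h.UpdateInterval = time.Duration(binary.BigEndian.Uint32(iv)) * time.Second
	}
	return h, nil
}
```

The same UpdateInterval is what the terminal's timer later counts down before it initiates the reconfiguration tunnel on its own.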
Step 206: After the MS/SS obtains the IP address allocated to it by the DHCP server, the ASN-GW reports the charging record of the pre-configuration service flow to the AAA server.
To make the charging fairer, in this embodiment the charging record records the pre-configuration data traffic separately from the user terminal's own data traffic. The pre-configuration data traffic is the traffic exchanged between the MS/SS and the OMA DM server; the ASN-GW can decide whether a packet belongs to it by checking whether the IP header of the packet contains the IP address of the OMA DM server. The user terminal's data traffic is all traffic other than the pre-configuration traffic. Because the pre-configuration traffic is not generated by the MS/SS's own use of the network, the ASN network operator that owns the ASN-GW can charge it to the CSN network operator that owns the AAA server.
Step 207: Using the IP address of the OMA DM server, the MS/SS initiates the establishment of a TLS tunnel to the OMA DM server;
Establishing the TLS tunnel between the MS/SS and the OMA DM server mainly consists of:
the process in which the MS/SS, using the IP address of the OMA DM server, and the OMA DM server authenticate each other's identity.
As shown in Figure 3, the specific steps are:
Step 301: The MS/SS sends a ClientHello message to the OMA DM server, indicating the start of the TLS handshake. The ClientHello asks the OMA DM server to negotiate the TLS security services; it consists of fields such as the version number, a random number, the session ID, the cipher suites and the compression methods;
Step 302: After receiving the ClientHello, the OMA DM server sends a ServerHello message to the MS/SS. The ServerHello has the same composition as the ClientHello; normally the ClientHello proposes values for each field and the OMA DM server returns its final choice to the MS/SS in the ServerHello;
Step 303: The OMA DM server sends its own digital certificate, together with a trusted CA certificate, to the MS/SS in a Certificate message;
Step 304: If the RSA public key is too long to fit in the Certificate message of step 303, the OMA DM server additionally distributes the RSA public key to the MS/SS in a ServerKeyExchange message;
Step 305: The OMA DM server sends a ServerRequest (server request) message asking the MS/SS for its digital certificate;
Step 306: The OMA DM server sends a ServerHelloDone message notifying the MS/SS that the server has completed its part of the negotiation. The ServerHelloDone message itself carries no information; the MS/SS proceeds with the subsequent message exchange only after it has received this message;
Step 307: The MS/SS uses the CA certificate to verify whether the digital certificate of the OMA DM server is valid, that is, whether the OMA DM server is legitimate; for an OMA DM server that passes this check, the MS/SS computes the TLS key with the RSA algorithm;
Step 308: The MS/SS sends its own digital certificate, together with a trusted CA certificate, to the OMA DM server in a Certificate message;
Step 309: If the RSA public key is too long to fit in the Certificate message of step 308, the MS/SS additionally distributes the RSA public key to the OMA DM server in a ClientKeyExchange message;
Step 310: The MS/SS sends a ChangeCipherSpec message to the OMA DM server, activating the negotiated TLS options on the OMA DM server side; these options include the TLS session key, the validity of the cipher suite, and so on;
Step 311: The MS/SS sends a Finished message to the OMA DM server to check whether the TLS options activated in step 310 are valid;
Step 312: The OMA DM server uses the CA certificate to verify whether the digital certificate of the MS/SS is valid, that is, whether the MS/SS is legitimate; for an MS/SS that passes this check, the server computes the TLS key with the RSA algorithm;
Step 313: The OMA DM server sends a ChangeCipherSpec message, activating the negotiated TLS options on the MS/SS side;
Step 314: The OMA DM server sends a Finished message to the MS/SS to check whether the TLS options activated in step 313 are valid.
Through the steps shown in Figure 3, a TLS tunnel can be established between the MS/SS and the OMA DM server.
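To make the mutual authentication of steps 301 to 314 concrete, here is an added Go example (not code from the patent or from Huawei) that issues a CA, a server and a client certificate in memory and runs a mutually authenticated TLS handshake between a stand-in MS/SS and OMA DM server over loopback TCP; it also exercises the rejection of step 312 when the MS/SS presents a certificate the CA did not sign. The certificate names, the test CA and the loopback transport are assumptions of the example, and Go's TLS stack negotiates the protocol version itself, so the ChangeCipherSpec messages of the figure may be replaced by their TLS 1.3 equivalents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var nextSerial int64 // demo-only serial source; a real CA uses random serials
// issueCert generates an Ed25519 key and an X.509 certificate for cn. When isCA
// is set it is self-signed (the trusted CA of steps 303 and 308), else parent
// signs it. Key generation and signing cannot fail here, so the demo panics.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunProvisioningHandshake issues CA, OMA DM server and MS/SS certificates, then
// runs the mutually authenticated handshake of steps 301-314 over loopback TCP.
// With trustedClient false the MS/SS presents a self-signed certificate, which
// the server must reject in step 312. It returns the server CN the MS/SS saw.
func RunProvisioningHandshake(trustedClient bool) (serverCN string, err error) {
	ca, caKey := issueCert("wimax-test-ca", true, nil, nil)                // hypothetical CA
	srvCert, srvKey := issueCert("omadm.example", false, ca, caKey)        // hypothetical server name
	cliCert, cliKey := issueCert("ms-ss-0001", !trustedClient, ca, caKey) // hypothetical MS/SS name
	pool := x509.NewCertPool() // the trusted CA certificate both sides rely on
	pool.AddCert(ca)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // step 305: demand the MS/SS certificate
		ClientCAs:    pool,                           // step 312: check it against the CA
		MinVersion:   tls.VersionTLS12,
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
		RootCAs:      pool,            // step 307: check the server certificate against the CA
		ServerName:   "omadm.example", // and that it was issued for this server, not just any server
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback stands in for the WiMAX data path
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			err = tls.Server(raw, serverCfg).Handshake() // fails at step 312 for an untrusted MS/SS
		}
		srvDone <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	cliConn := tls.Client(raw, clientCfg)
	if err := cliConn.Handshake(); err != nil { // step 301: the MS/SS starts the handshake
		return "", fmt.Errorf("handshake failed on the MS/SS side: %w", err)
	}
	if err := <-srvDone; err != nil {
		return "", fmt.Errorf("OMA DM server rejected the MS/SS: %w", err)
	}
	return cliConn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Note that RootCAs alone is not enough on the terminal side: ServerName pins the tunnel to the expected OMA DM server, so a valid certificate for some other host issued by the same CA is still refused.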
Step 208: The OMA DM server transmits the network configuration data to the MS/SS over the TLS tunnel established in step 207. As shown in Figure 4, this includes:
Step 401: The OMA DM server sends a bootstrap configuration file to the MS/SS, which contains the address of the OMA DM server and the management object tree. The management object tree contains the manageable attributes defined in the OMA protocol, managed in a tree structure.
Step 402: After receiving the bootstrap configuration file, the MS/SS reports to the OMA DM server the identity information of the user running on the MS/SS and of the MS/SS itself;
Step 403: The OMA DM server judges from the identity information reported by the MS/SS that the MS/SS is legitimate, sends its own identity information to the MS/SS, and performs network configuration on the MS/SS; the network configuration includes instructing the MS/SS to read, write, replace or create node attributes and similar operations;
Step 404: After the MS/SS has verified that the OMA DM server is legitimate, it executes the server's network configuration instructions and returns the execution result to the OMA DM server.
Step 209: After the OMA DM server has finished configuring the MS/SS, the MS/SS initiates re-entry into the network using the network configuration data the OMA DM server sent it.
In this embodiment, during the initial configuration of the MS/SS, the MS/SS sends its identity while authenticating to the AAA server, so the AAA server can determine from that identity whether the MS/SS needs network configuration and automatically start the pre-configuration process for an MS/SS that does; compared with the prior art, the WiMAX network operates more autonomously and flexibly. Because the TLS tunnel is initiated by the MS/SS using the IP address of the OMA DM server, the OMA DM server can still configure the MS/SS over the TLS tunnel when a firewall or a device with NAT function is present in the WiMAX network. Moreover, the OMA DM server communicates directly over the TLS tunnel with the MS/SS that needs configuration, so the network layout between the AAA server and the configuration server need not be considered when planning the network, which makes networking more flexible and reduces its cost. Because the configuration data between the MS/SS and the OMA DM server is carried over the TLS tunnel, the communication between them is secured. The authentication procedure used in this embodiment is the same as the existing authentication procedure of the WiMAX network, which reduces network maintenance effort, and the pre-configuration data traffic is counted separately, which makes the charging method of the WiMAX network more reasonable.
In the second case, shown in Figure 5, reconfiguring the MS/SS with the method for network configuration of a user terminal provided by this embodiment of the invention includes the following steps:
Step 501: Determine whether the MS/SS needs to update its network configuration;
In this embodiment, not only may the OMA DM server determine whether the MS/SS needs to update its network configuration; the MS/SS may also determine this itself from the user terminal network configuration update time sent to it by the AAA server, the DHCP server or the ASN-GW.
Because the MS/SS can decide from the update time whether it needs to update its network configuration, it knows directly when to do so (when the update time expires). Compared with having the OMA DM server determine whether the MS/SS needs to update its configuration, this saves the OMA DM server the step of sending the MS/SS a request-to-update message and so saves network resources.
Step 502: When it is determined that the MS/SS needs to update its network configuration, the MS/SS initiates the establishment of a TLS tunnel to the OMA DM server using the IP address of the OMA DM server; the detailed tunnel establishment process is as shown in Figure 3 and is not repeated here;
Step 503: The OMA DM server delivers configuration data to the MS/SS over the TLS tunnel; the process by which the OMA DM server updates the MS/SS network configuration over the TLS tunnel is as shown in Figure 4 and is not repeated here.
In the method for network configuration of a user terminal provided by this embodiment of the invention, when the user terminal is configured, the user terminal initiates the establishment of a Transport Layer Security tunnel to the configuration server using the IP address of the configuration server, and the configuration server performs the network configuration of the user terminal over that tunnel. This overcomes the problem in the prior art that, when a firewall or a device with NAT function is present, the configuration data sent by the configuration server cannot pass through it and the configuration server therefore cannot configure the user terminal, and it secures the communication between the user terminal and the configuration device. Because the tunnel is initiated by the user terminal toward the configuration server, the AAA server no longer needs to notify the configuration server that a user terminal has entered the network, so the network layout between the AAA server and the configuration server need not be considered when planning the network; this makes networking more flexible and reduces the cost of building and maintaining the network.
To solve the prior-art problem that, when a firewall or a device with NAT function is present, the configuration data sent by the configuration server cannot pass through it and the configuration server therefore cannot configure the user terminal, embodiments of the invention provide a user terminal and a configuration server. The invention is described in detail below with reference to the drawings and embodiments. In this embodiment, the user terminal is an MS/SS, the configuration server is an OMA DM server, and the configuration server configures the user terminal through a WiMAX network.
As shown in Figure 6, the MS/SS includes:
an obtaining unit 601, for obtaining the IP address of the OMA DM server; the IP address may be obtained from the authentication success message sent by the AAA server, or, when the MS/SS requests an IP address from the DHCP server, from the OMA DM server IP address information that the DHCP server or the ASN-GW adds to the Option field of the DHCP message.
So that the network configuration can be updated periodically after the MS/SS has entered the network, that is, reconfigured, the obtaining unit 601 is also used to obtain the time for updating the user terminal's network configuration; this time may be obtained from the authentication success message sent by the AAA server, or, when the MS/SS requests an IP address from the DHCP server, from the update time information that the DHCP server or the ASN-GW adds to the Option field of the DHCP message.
Through the timing unit 602, the MS/SS can detect whether it needs to update its network configuration and so start the update in good time. Compared with having the OMA DM server send a request-to-update message to the MS/SS, which then starts the update only after receiving that request, this saves network resources and speeds up the update of the MS/SS network configuration.
a tunnel creation unit 603, for establishing a TLS tunnel between the MS/SS and the OMA DM server using the IP address;
While establishing the TLS tunnel, the tunnel creation unit 603 may perform identity authentication with the OMA DM server through the authentication unit 604 and so establish the tunnel; the detailed establishment process is the method shown in Figure 3 and is not repeated here;
During reconfiguration of the MS/SS, the timing unit 602 times the update interval received by the obtaining unit 601, and when the timer expires the tunnel creation unit 603 starts the TLS tunnel establishment process.
a configuration unit 605, for obtaining configuration data over the established Transport Layer Security tunnel and configuring the parameters of the user terminal according to the obtained configuration data; the detailed configuration process is as shown in Figure 4 and is not repeated here.
As shown in Figure 6, the OMA DM server includes:
a tunnel creation unit 606, for establishing a TLS tunnel between the MS/SS and the OMA DM server; while establishing the tunnel, the tunnel creation unit 606 may perform identity authentication with the MS/SS through the authentication unit 607 and so establish the tunnel; the detailed establishment process is the method shown in Figure 3 and is not repeated here;
a configuration data sending unit 608, for sending configuration data to the MS/SS over the TLS tunnel; the detailed configuration process is as shown in Figure 4 and is not repeated here.
Because the user terminal and the configuration server provided by this embodiment of the invention use a method in which the user terminal initiates a Transport Layer Security tunnel to the configuration server using the IP address of the configuration server and the configuration data is transmitted over that tunnel, they overcome the prior-art problem that, when a firewall or a device with NAT function is present, the configuration data sent by the configuration server cannot pass through it and the configuration server therefore cannot configure the user terminal, and they secure the communication between the user terminal and the configuration device. Because the tunnel is initiated by the user terminal toward the configuration server, the AAA server no longer needs to notify the configuration server that a user terminal has entered the network, so the network layout between the AAA server and the configuration server need not be considered when planning the network; this makes networking more flexible and reduces the cost of building and maintaining the network.
The method and device for network configuration of a user terminal provided by the invention can be applied in a WiMAX network to configure an MS/SS through the framework provided by OMA.
A person of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
The above are only specific implementations of the embodiments of the invention, but the scope of protection of the embodiments of the invention is not limited to them; any change or substitution that a person skilled in the art makes within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. Therefore, the scope of protection of the embodiments of the invention shall be that of the claims.

Claims

1. A method for network configuration of a user terminal, characterized in that it is applied in a Worldwide Interoperability for Microwave Access network and includes the following steps:
obtaining an IP address of a configuration server, and establishing a Transport Layer Security protocol tunnel between the user terminal and the configuration server according to the IP address;
obtaining configuration data over the established Transport Layer Security protocol tunnel, and configuring parameters of the user terminal according to the obtained configuration data.
2. The method for network configuration of a user terminal according to claim 1, characterized in that obtaining the IP address of the configuration server includes:
obtaining the IP address of the configuration server from an Authentication, Authorization and Accounting protocol server.
3. The method for network configuration of a user terminal according to claim 2, characterized in that obtaining the IP address of the configuration server from the Authentication, Authorization and Accounting protocol server includes:
the Authentication, Authorization and Accounting protocol server sending the IP address of the configuration server to the user terminal in an identity authentication success message.
4. The method for network configuration of a user terminal according to claim 1, characterized in that obtaining the IP address of the configuration server includes:
obtaining the IP address of the configuration server from a Dynamic Host Configuration Protocol server, the Dynamic Host Configuration Protocol server being pre-configured with the IP address of the configuration server; or
obtaining the IP address of the configuration server from an Access Service Network gateway, the Access Service Network gateway being pre-configured with the IP address of the configuration server.
5. The method for network configuration of a user terminal according to claim 4, characterized in that obtaining the IP address of the configuration server from the Dynamic Host Configuration Protocol server includes: the user terminal obtaining the IP address of the configuration server from the Dynamic Host Configuration Protocol server during the process in which the user terminal requests an IP address from the Dynamic Host Configuration Protocol server;
and obtaining the IP address of the configuration server from the Access Service Network gateway includes: the user terminal obtaining the IP address of the configuration server from the Access Service Network gateway during the process in which the user terminal requests an IP address from the Dynamic Host Configuration Protocol server.
6. The method for network configuration of a user terminal according to claim 4, characterized in that obtaining the IP address of the configuration server from the Dynamic Host Configuration Protocol server includes: the user terminal obtaining the IP address of the configuration server from the Option field of a Dynamic Host Configuration Protocol message sent by the Dynamic Host Configuration Protocol server;
and obtaining the IP address of the configuration server from the Access Service Network gateway includes: the user terminal obtaining the IP address of the configuration server from the Option field of a Dynamic Host Configuration Protocol message forwarded by the Access Service Network gateway.
7. The method for network configuration of a user terminal according to claim 1, characterized in that, before establishing the Transport Layer Security protocol tunnel between the user terminal and the configuration server according to the IP address, the method further includes: determining, according to an identity of the user terminal, whether to perform network configuration on the user terminal.
8. The method for network configuration of a user terminal according to claim 7, characterized in that the identity of the user terminal includes: a service type, a user name and the domain to which the user terminal belongs;
and determining, according to the identity of the user terminal, whether to perform network configuration on the user terminal includes: determining, according to the service type field of the identity of the user terminal, whether to perform network configuration on the user terminal.
9、 根据权利要求 1所述的对用户终端进行网络配置的方法, 其特征在于, 所述根据所述 IP地址建立用户终端和配置服务器之间的安全传输层协议隧道之 前还包括:  The method for performing network configuration on a user terminal according to claim 1, wherein before the establishing a secure transport layer protocol tunnel between the user terminal and the configuration server according to the IP address, the method further comprises:
获取更新用户终端网络配置的时间。  Get the time to update the user terminal network configuration.
10、 根据权利要求 9所述的对用户终端进行网络配置的方法, 其特征在于, 所述获取更新用户终端网络配置的时间包括:  The method for performing network configuration on a user terminal according to claim 9, wherein the obtaining the time for updating the network configuration of the user terminal comprises:
从验证、 授权、 计费协议服务器获取所述更新用户终端网络配置的时间。  The time for updating the network configuration of the user terminal is obtained from the authentication, authorization, and accounting protocol server.
11、根据权利要求 10所述的对用户终端进行网络配置的方法,其特征在于, 所述从验证、 授权、 计费协议服务器获取所述更新用户终端网络配置的时间包 括: 验证、 授权、 计费协议服务器将更新用户终端网络配置的时间通过身份认 证成功消息发送给用户终端。 The method for performing network configuration on a user terminal according to claim 10, wherein the time for obtaining the updated user terminal network configuration from the verification, authorization, and accounting protocol server comprises: The authentication, authorization, and accounting protocol server sends the time when the user terminal network configuration is updated to the user terminal through the identity authentication success message.
12. The method for performing network configuration on a user terminal according to claim 9, wherein the obtaining the time for updating the network configuration of the user terminal includes:
obtaining the time for updating the network configuration of the user terminal from a dynamic host configuration protocol server, where the dynamic host configuration protocol server is pre-configured with the time for updating the network configuration of the user terminal; or
obtaining the time for updating the network configuration of the user terminal from an access service network gateway, where the access service network gateway is pre-configured with the time for updating the network configuration of the user terminal.
13. The method for performing network configuration on a user terminal according to claim 12, wherein the obtaining the time for updating the network configuration of the user terminal from the dynamic host configuration protocol server includes: in the process of the user terminal requesting an IP address from the dynamic host configuration protocol server, obtaining the time for updating the network configuration of the user terminal from the dynamic host configuration protocol server; and
the obtaining the time for updating the network configuration of the user terminal from the access service network gateway includes: in the process of the user terminal requesting an IP address from the dynamic host configuration protocol server, obtaining the time for updating the network configuration of the user terminal from the access service network gateway.
14. The method for performing network configuration on a user terminal according to claim 12, wherein the obtaining the time for updating the network configuration of the user terminal from the dynamic host configuration protocol server includes: the user terminal obtaining the time for updating the network configuration of the user terminal from the Option field of a dynamic host configuration protocol message sent by the dynamic host configuration protocol server; and
the obtaining the time for updating the network configuration of the user terminal from the access service network gateway includes: the user terminal obtaining the time for updating the network configuration of the user terminal from the Option field of a dynamic host configuration protocol message transmitted by the access service network gateway.
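As an added example, not part of the patent, the following parser extracts the update time that claims 13 and 14 place in the DHCP Option field. The patent does not specify an option code or encoding, so this example assumes option code 224 (DHCP private-use range) carrying a 4-byte big-endian UNIX time; because DHCP options reach the terminal unauthenticated, the parser rejects a malformed length rather than reading past the buffer.

```python
import struct

# Assumed for this example (the patent names only "the Option field"): code 224 from the
# DHCP private-use range carries a 4-byte unsigned big-endian UNIX time. Placeholders only.
CONFIG_UPDATE_TIME_OPTION = 224
DHCP_PAD, DHCP_END = 0, 255


def parse_dhcp_options(options: bytes) -> dict:
    """Parse an RFC 2132 option area into {code: value bytes}.

    PAD (0) is skipped, END (255) stops parsing, repeated codes are concatenated
    (RFC 3396). A length running past the buffer raises ValueError: DHCP is
    unauthenticated, so a malformed packet is rejected, not read out of bounds.
    """
    parsed = {}
    i, n = 0, len(options)
    while i < n:
        code = options[i]
        if code == DHCP_PAD:
            i += 1
            continue
        if code == DHCP_END:
            break
        if i + 1 >= n:
            raise ValueError("option %d is missing its length byte" % code)
        length = options[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise ValueError("option %d length %d exceeds packet" % (code, length))
        parsed[code] = parsed.get(code, b"") + options[start:end]
        i = end
    return parsed


def config_update_time(options: bytes):
    """Return the configuration update time as UNIX seconds, or None if absent."""
    raw = parse_dhcp_options(options).get(CONFIG_UPDATE_TIME_OPTION)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("update-time option has length %d, expected 4" % len(raw))
    return struct.unpack("!I", raw)[0]


# Constructed DHCPACK option area: message type (53) = ACK, server identifier (54),
# the assumed update-time option, then END.
SAMPLE_OPTIONS = (bytes([53, 1, 5]) + bytes([54, 4, 192, 0, 2, 1])
                  + bytes([CONFIG_UPDATE_TIME_OPTION, 4]) + struct.pack("!I", 1230000000)
                  + bytes([DHCP_END]))
# Constructed malformed packet: the option claims 4 bytes but only 2 follow.
TRUNCATED_OPTIONS = bytes([CONFIG_UPDATE_TIME_OPTION, 4, 0x49, 0x50])
```

The same parser applies whether the message comes directly from the DHCP server (claim 14, first part) or is transmitted by the access service network gateway (second part), since the Option field format is identical.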
15. The method for performing network configuration on a user terminal according to any one of claims 9 to 14, further including:
the user terminal establishing the secure transport layer protocol tunnel between the user terminal and the configuration server according to the time for updating the network configuration of the user terminal.
16. The method for performing network configuration on a user terminal according to any one of claims 1 to 14, wherein the establishing the secure transport layer protocol tunnel between the user terminal and the configuration server according to the IP address includes:
the user terminal and the configuration server performing mutual identity authentication according to the IP address.
17. The method for performing network configuration on a user terminal according to any one of claims 1 to 14, wherein before the configuring the parameters of the user terminal according to the acquired configuration data, the method further includes: establishing a pre-configuration service flow for the user terminal, and reporting the charging record of the pre-configuration service flow to the authentication, authorization, and accounting protocol server, where the pre-configuration data traffic is the data traffic transmitted between the user terminal and the configuration server.
18. A user terminal, wherein the user terminal accesses a Worldwide Interoperability for Microwave Access (WiMAX) network, the user terminal including:
an obtaining unit, configured to obtain the IP address of the configuration server;
a tunnel creation unit, configured to establish a secure transport layer protocol tunnel between the user terminal and the configuration server according to the IP address; and
a configuration unit, configured to obtain configuration data through the established secure transport layer protocol tunnel and to configure the parameters of the user terminal according to the obtained configuration data.
19. The user terminal according to claim 18, wherein
the obtaining unit is further configured to obtain the time for updating the network configuration of the user terminal; and
the tunnel creation unit initiates tunnel creation according to the time for updating the network configuration of the user terminal obtained by the obtaining unit.
20. The user terminal according to claim 18, further including:
a timing unit, configured to control the tunnel creation unit to establish the secure transport layer protocol tunnel between the user terminal and the configuration server.
21. The user terminal according to claim 18, wherein the tunnel creation unit includes: an authentication unit, configured to perform identity authentication with the configuration server according to the IP address.
22. A configuration server, wherein the configuration server is connected to a Worldwide Interoperability for Microwave Access (WiMAX) network, the configuration server including:
a tunnel creation unit, configured to establish a secure transport layer protocol tunnel between the user terminal and the configuration server; and
a configuration data sending unit, configured to send configuration data to the user terminal through the secure transport layer protocol tunnel.
23. The configuration server according to claim 22, wherein the tunnel creation unit includes: an authentication unit, configured to perform identity authentication with the user terminal.
PCT/CN2008/073466 2007-12-25 2008-12-11 Method and device for network configuration to user terminal WO2009082910A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007103015846A CN101197721B (en) 2007-12-25 2007-12-25 Method and device for network configuration of subscriber terminal
CN200710301584.6 2007-12-25

Publications (1)

Publication Number Publication Date
WO2009082910A1 true WO2009082910A1 (en) 2009-07-09

Family

ID=39547885

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073466 WO2009082910A1 (en) 2007-12-25 2008-12-11 Method and device for network configuration to user terminal

Country Status (2)

Country Link
CN (1) CN101197721B (en)
WO (1) WO2009082910A1 (en)

Also Published As

Publication number Publication date
CN101197721A (en) 2008-06-11
CN101197721B (en) 2010-07-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08866380

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08866380

Country of ref document: EP

Kind code of ref document: A1