WO2009152676A1 - AAA server, P-GW, PCRF, method and system for obtaining the identifier of a user equipment - Google Patents

AAA server, P-GW, PCRF, method and system for obtaining the identifier of a user equipment

Info

Publication number
WO2009152676A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
authentication
identifier
authorization
real
Prior art date
Application number
PCT/CN2008/073647
Other languages
English (en)
Chinese (zh)
Inventor
霍玉臻
宗在峰
刘俊羿
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2009152676A1

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 74/00 Wireless channel access, e.g. scheduled or random access
    • H04W 74/002 Transmission of channel access control information
    • H04W 74/006 Transmission of channel access control information in the downlink, i.e. towards the terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/26 Network addressing or numbering for mobility support

Definitions

  • AAA server, P-GW, PCRF, and acquisition of a user equipment identifier
  • The present invention relates to the field of communications, and in particular to an authentication, authorization and charging (AAA) server, a packet data network gateway, a policy and charging control function entity, and a method and system for acquiring a user equipment identifier.
  • 3GPP 3rd Generation Partnership Project
  • The 3GPP working group is currently working on the Evolved Packet Core (EPC), an evolution of the core network system.
  • EPC Evolved Packet Core
  • The EPC system supports access from non-3GPP radio access networks and can provide user equipment (UE) with higher transmission rates and shorter transmission delays.
  • UE User Equipment
  • WiMAX Worldwide Interoperability for Microwave Access
  • This enables a mobile UE to obtain consistent service access in different radio access network environments by using the different characteristics of the two networks.
  • FIG. 1 is a structural diagram of a non-3GPP radio access network accessing a Home Public Land Mobile Network (HPLMN) through a Visited Public Land Mobile Network (VPLMN) according to the related art.
  • HPLMN Home Public Land Mobile Network
  • VPLMN Visited Public Land Mobile Network
  • The network architecture includes the following network elements: a Packet Data Network Gateway (P-GW), located in the 3GPP network and used by the UE to access the Packet Data Network (PDN).
  • P-GW Packet Data Network Gateway
  • The Home Subscriber Server (HSS) is located in the 3GPP network and permanently stores the subscription data and security data of the UE.
  • An Evolved Packet Data Gateway (ePDG) is also used.
  • PCRF Policy and Charging Rules Function
  • hPCRF home policy and charging rules function
  • vPCRF visited policy and charging rules function
  • MAG Mobile Access Gateway
  • FA Foreign Agent
  • The system also includes a 3GPP Authentication, Authorization and Accounting Server (3GPP AAA Server for short) and an AAA Proxy.
  • For a trusted non-3GPP access network, there is a trust relationship between the 3GPP network and the non-3GPP access network, and the non-3GPP access network can access the P-GW directly through the S2a or S2c interface.
  • If the UE does not support the mobile IP protocol, or supports the mobile IPv4 protocol, the UE first accesses the non-3GPP access system and then accesses the P-GW through the S2a interface; if the UE supports the dual-stack mobile IP protocol, the UE accesses the P-GW directly through the S2c interface.
  • Currently, for a UE that accesses the EPC system through a non-3GPP access network, the access authentication protocol is the Extensible Authentication Protocol (EAP).
  • EAP Extensible Authentication Protocol
  • The EAP protocol requires the UE to use its real Network Access Identifier (NAI) in the access authentication process; the real NAI is encapsulated and encrypted in the EAP payload, so that only the AAA server and the UE know the real NAI of the UE.
  • NAI Network Access Identifier
  • For other network elements, the real NAI of the UE is invisible, and a pseudo-random NAI is used in the message packets.
  • However, both the P-GW and the PCRF need to know the unique identifier of the UE (such as the International Mobile Subscriber Identity (IMSI), or the real identity of the UE in the form of an IMSI-based NAI) in order to identify the UE and complete subsequent services.
  • IMSI International Mobile Subscriber Identity
  • FIG. 2 shows a method for acquiring a UE identifier in the mobile IPv4 mode according to the related art, where the S2a interface supports the mobile IPv4 protocol; as shown in FIG. 2, the flow starts from step 201 and includes:
  • Step 202: mobile IP agent advertisement;
  • Step 203: mobile IP registration request;
  • Step 204: gateway session establishment process;
  • Step 205: mobile IP registration request;
  • Step 206: mobile IP authentication and authorization;
  • Step 207: P-GW address update;
  • Step 208: P-GW session establishment process;
  • Step 209: mobile IP registration response;
  • Step 210: gateway session policy provisioning process;
  • Step 211: mobile IP registration response.
  • In this flow, the UE initiates a mobile IP registration request to the non-3GPP access network, the non-3GPP access network forwards the mobile IP registration request to the FA/P-GW, and the FA/P-GW can obtain the identifier used to identify the UE from the mobile IP registration request.
  • Mode 2, as shown in the corresponding figure, includes the following steps:
  • Step 301: access authentication and authorization;
  • Step 301a: access accept message;
  • Step 302: layer 3 access trigger;
  • Step 303: gateway session establishment procedure;
  • Step 304: mobile IP binding update request;
  • Step 305: mobile IP authentication and authorization;
  • Step 306: P-GW address update;
  • Step 307: P-GW session establishment process;
  • Step 308: mobile IP binding update response;
  • Step 309: gateway session policy provisioning process;
  • Step 310: layer 3 access ends.
  • FIG. 4 shows the flow of a method for acquiring a UE identifier in the dual-stack mobile IPv6 mode according to the related art, where the S2c interface supports the dual-stack mobile IP protocol; as shown in FIG. 4, the flow includes:
  • Step 401: access authentication and authorization;
  • Step 402: layer 3 access;
  • Step 403: gateway session establishment process;
  • Step 404: security association establishment;
  • Step 405: authentication and authorization;
  • Step 406: mobile IP binding update request;
  • Step 407: IP Connectivity Access Network (IP-CAN) session establishment process;
  • Step 408: mobile IP binding update response.
  • In the above flows, the eNB sends a unique identifier to the P-GW to identify the UE. At present, because of a new requirement on the UE, the UE is required to transmit its own real identity to the network over the air interface; that is, the NAI in the mobile IP registration request message initiated by the UE must be an IMSI-based NAI.
  • However, for a traditional non-3GPP UE such as a WiMAX UE, the UE identifier carried in the mobile IP registration request is a pseudo identifier rather than the real identifier; that is, in the mobile IP registration request of step 203, the UE carries its pseudo-identity.
  • Similarly, the UE is required to send the UE identifier to the P-GW during establishment of the security association with the P-GW, but the traditional non-3GPP UE still does not want to send its real identity directly. Therefore, a traditional non-3GPP UE must meet this requirement before it can access the EPC, otherwise it cannot be used normally, which limits the scope of application of the interoperability technology between non-3GPP and EPC systems.
  • Furthermore, since the non-3GPP network and the P-GW cannot distinguish whether the UE identifier sent by the UE is the real identifier of the UE, if the identifier sent by the UE is simply treated as the real UE identifier, the UE may be misidentified and the service may fail. In addition, the non-3GPP MAG did not need the real UE identity to identify the UE in the original system, so according to local policy it may not send the real identity of the UE to the P-GW.
  • However, the real identity of the UE is used by network elements in the 3GPP network (for example, the P-GW and the PCRF) to identify the UE. Requiring the UE to send its real identity to the network side, and requiring network elements that cannot verify the real identity of the UE (such as the P-GW and the PCRF) to accept the received identity as the real identity by default, restricts non-3GPP UEs from directly accessing the EPC network.
  • The present invention has been made in view of the problem that the non-3GPP network in the related art cannot distinguish whether the UE identity transmitted by the UE is the real identity of the UE.
  • The main object of the present invention is to provide an improved solution for obtaining a user equipment identity, which solves at least one of the above problems in the related art.
  • According to an embodiment of the present invention, a method for acquiring a user equipment identifier is provided, and the method is based on the mobile IPv4 protocol.
  • The method includes: the authentication, authorization and charging server and the user equipment perform access authentication and authorization, and the authentication, authorization and charging server sends an access accept message to the foreign agent of the non-3GPP access network, carrying the real identity of the user equipment in the access accept message; in the authentication process between the authentication, authorization and charging server and the packet data network gateway, when the authentication, authorization and charging server verifies that the user equipment identifier is a pseudo user equipment identifier, it sends the real identity of the user equipment to the packet data network gateway.
  • According to another embodiment of the present invention, a method for obtaining a user equipment identity is provided, the method being based on the mobile IPv4 protocol.
  • The method includes: the authentication, authorization and charging server and the user equipment perform access authentication and authorization, and the authentication, authorization and charging server sends an access accept message to the foreign agent of the non-3GPP access network, where the access accept message carries the real identifier of the user equipment.
  • According to another embodiment of the present invention, a method for obtaining a user equipment identity is provided, the method being based on the mobile IPv6 protocol.
  • The method includes: in the authentication process between the authentication, authorization and charging server and the packet data network gateway, when the authentication, authorization and charging server verifies that the user equipment identifier is a pseudo user equipment identifier, it sends the real identity of the user equipment to the packet data network gateway.
  • According to another embodiment of the present invention, a method for obtaining a user equipment identity is provided, the method being based on the dual-stack mobile IP protocol.
  • The method includes: the authentication, authorization and charging server and the user equipment perform access authentication and authorization, and the authentication, authorization and charging server sends an access accept message to the non-3GPP access network, where the access accept message carries the real identity of the user equipment; in the authentication process between the authentication, authorization and charging server and the packet data network gateway, when the authentication, authorization and charging server verifies that the user equipment identifier is a pseudo user equipment identifier, it sends the real identity of the user equipment to the packet data network gateway.
  • According to another embodiment of the present invention, an authentication, authorization and charging server is provided.
  • The authentication, authorization and charging server is configured to perform access authentication and authorization with the user equipment, obtain the real identity of the user equipment, and send an access accept message to the non-3GPP access network, where the access accept message carries the real identity of the user equipment.
  • According to another embodiment of the present invention, a packet data network gateway is provided.
  • The packet data network gateway according to the present invention is configured to send a request message to the authentication, authorization and charging server during its authentication process with that server, carrying in the request message the user equipment identifier that the packet data network gateway received from the user equipment, so that the authentication, authorization and charging server can verify whether the user equipment identifier is the real identifier of the user equipment; and to receive the real identity of the user equipment sent by the authentication, authorization and charging server when that verification fails (that is, when the identifier is a pseudo identifier).
  • According to another embodiment of the present invention, a policy and charging control function entity is provided. The policy and charging control function entity is configured to receive a session establishment message sent by the non-3GPP access network, where the session establishment message carries the real identity of the user equipment, which the non-3GPP access network obtained from the authentication, authorization and charging server; and to obtain the real identity of the user equipment from the received session establishment message.
  • According to another embodiment of the present invention, a system for acquiring a user equipment identifier is provided. The system includes an authentication, authorization and charging server, a non-3GPP access network, a packet data network gateway, and a policy and charging control function entity, where: the authentication, authorization and charging server is configured to perform access authentication and authorization with the user equipment, obtain the real identity of the user equipment, and send an access accept message to the non-3GPP access network carrying the real identity of the user equipment; the non-3GPP access network is configured to receive the access accept message sent by the authentication, authorization and charging server and obtain the real identifier of the user equipment; the packet data network gateway is configured to send a request message to the authentication, authorization and charging server during its authentication process with that server, carrying in the request message the user equipment identifier it received from the user equipment, so that the authentication, authorization and charging server can verify whether the user equipment identifier is the real identifier of the user equipment;
  • and the policy and charging control function entity is configured to receive a session establishment message sent by the non-3GPP access network, where the session establishment message carries the real identity of the user equipment, which the non-3GPP access network obtained from the authentication, authorization and charging server, and to obtain the real identifier of the user equipment from the received session establishment message.
  • With these embodiments, the relevant network elements of the non-3GPP access network and the 3GPP system authenticate with the authentication, authorization and charging server and obtain the real identifier of the UE from it. This solves the problem in the related art that the non-3GPP network cannot distinguish whether the identity transmitted by the terminal is the true identity of the UE, and ensures that the non-3GPP terminal can directly access the EPC network.
  • FIG. 1 is a network architecture diagram of a non-3GPP access network and a 3GPP EPC network according to the related art;
  • FIG. 2 is a flowchart of a method for acquiring a user equipment identifier in the mobile IPv4 mode according to the related art;
  • FIG. 4 is a flowchart of a method for acquiring a user equipment identifier in the dual-stack mobile IPv6 mode according to the related art;
  • FIG. 5 is a flowchart of a method for acquiring a user equipment identifier according to the related art;
  • FIG. 6 is a flowchart of the detailed process of acquiring a user equipment identifier according to Embodiment 1 of the method of the present invention;
  • FIG. 7 is a flowchart of the detailed process of acquiring a user equipment identifier according to Embodiment 3 of the method of the present invention;
  • FIG. 8 is a flowchart of a method for acquiring a user equipment identifier according to Embodiment 4 of the method of the present invention;
  • FIG. 9 is a flowchart of the detailed process of acquiring a user equipment identifier according to Embodiment 4 of the method of the present invention;
  • FIG. 10 is a structural block diagram of a system for acquiring a user equipment identifier according to an embodiment of the system of the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS: The present invention provides an improved scheme for acquiring a user equipment identity, in view of the fact that the non-3GPP network in the related art cannot distinguish whether the UE identity sent by the UE is the real identity of the UE.
  • In this scheme, the relevant network elements of the non-3GPP access network and the 3GPP system authenticate with the authentication, authorization and charging server, and the real identity of the UE can be obtained from that server.
  • A method for acquiring a UE identifier according to an embodiment of the present invention includes the following steps (step S502 to step S504):
  • Step S502: the AAA server performs access authentication and authorization with the UE, and the AAA server sends an access accept message to the foreign agent of the non-3GPP access network, carrying the real identifier of the UE in the access accept message; the foreign agent receives the access accept message, obtains the real identity of the UE, sends session establishment information to the PCRF, and carries the real identity of the UE in the session establishment information; the PCRF receives the session establishment information and acquires the real identity of the UE.
  • Step S504: in the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identifier is a pseudo UE identifier, the AAA server sends the real identifier of the UE to the P-GW.
  • The P-GW then sends a session establishment request to the PCRF and carries the real identity of the UE in the session establishment request.
  • The PCRF receives the session establishment request, and sends the policy information of the UE to the P-GW according to the real identity of the UE.
  • The authentication process between the AAA server and the P-GW includes: the AAA server receives an access request from the P-GW, where the access request carries the UE identifier that the P-GW received from the UE.
  • In this way, the relevant network elements of the non-3GPP access network and the 3GPP system authenticate with the AAA server and obtain the real identifier of the UE from it, which ensures that non-3GPP UEs can directly access the EPC network.
  • Step S601: the non-3GPP UE initiates access to the access network and performs UE access authentication and authorization; Step S601a: after the access authentication and authorization flow is completed, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the authenticator of the non-3GPP access network. The message carries the real identity of the user equipment. Because the FA is located in the authenticator during access authentication and authorization, the FA obtains the real identity of the UE at the same time.
  • Step S602: the FA located in the non-3GPP access network sends a mobile IP agent advertisement to the UE.
  • Step S603: after receiving the agent advertisement, the UE sends a mobile IP registration request to the non-3GPP access network (that is, the access request mentioned above). The mobile IP registration request carries a UE identifier, which may be a pseudo UE identifier or the real identifier of the UE; a traditional non-3GPP UE may use the pseudo UE identifier.
  • Step S604: the non-3GPP access network and the PCRF interact to complete the gateway session establishment process; in this process, the non-3GPP access network sends the real UE identifier obtained in step S601a to the PCRF to identify the UE.
  • Step S605: the FA located in the non-3GPP network forwards the UE-initiated mobile IP registration request to the P-GW, thereby forwarding the UE identifier from the UE to the P-GW.
  • Step S606: after receiving the mobile IP registration request, the P-GW interacts with the AAA server to perform mobile IP authentication and authorization. Since the P-GW cannot identify whether the UE identifier from the UE is the real identity of the UE, during the mobile IP authentication and authorization process the P-GW sends a request message to the AAA server, where the request message carries the user equipment identifier received from the UE.
  • Step S606a: the AAA server receives the request message, obtains the UE identifier from the UE, and determines whether the UE identifier acquired by the P-GW is the real identifier of the UE.
  • Step S606b: if the UE identifier acquired by the P-GW is a pseudo UE identifier, after the mobile IP authentication and authorization process is completed, the AAA server sends an AAA protocol access accept message to the P-GW, where the message carries the real identity of the UE; if the UE identifier acquired by the P-GW is the real identity of the UE, the AAA server may send the real identity of the UE to the P-GW, or may not send it.
  • Step S607: the P-GW interacts with the AAA server to perform the P-GW address update.
  • Step S608: the P-GW uses the real UE identifier obtained in step S606b to interact with the PCRF, completes the IP-CAN (IP Connectivity Access Network) session establishment process, and acquires the policy of the UE.
  • Step S609: the P-GW sends a mobile IP registration response message to the FA to complete the mobile IP registration process.
  • Step S610: the non-3GPP access network and the PCRF interact to complete the gateway session policy provisioning process.
  • Step S611: the FA forwards the mobile IP registration response message to the UE, completing the mobile IP registration.
  • In this way, both the FA and the P-GW obtain the correct identity of the UE from the AAA server by authenticating with it and can identify the UE, which ensures that the non-3GPP UE can directly access the EPC network.
  • Method Embodiment 2
  • According to an embodiment of the present invention, a method for acquiring a user equipment identifier is provided, and the method is based on the mobile IPv4 protocol.
  • The method includes: the AAA server and the UE perform access authentication and authorization, and the AAA server sends an access accept message to the foreign agent of the non-3GPP access network, where the access accept message carries the real identity of the UE.
  • The foreign agent receives the access accept message, obtains the real identity of the UE, sends session establishment information to the PCRF, and carries the real identity of the UE in the session establishment information; the PCRF receives the session establishment information and obtains the real identity of the UE. Then the AAA server and the P-GW perform authentication, and if the AAA server verifies that the UE identity is a pseudo UE identity, it sends the real identity of the UE to the P-GW. Then the P-GW sends a session establishment request to the PCRF, carrying the real identity of the UE in the session establishment request.
  • The PCRF receives the session establishment request, and sends the policy information of the UE to the P-GW according to the real identity of the UE.
  • The authentication process between the AAA server and the P-GW specifically includes: the AAA server receives an access request from the P-GW, where the access request carries the UE identifier sent by the P-GW.
  • In this way, the relevant network elements of the non-3GPP access network and the 3GPP system authenticate with the AAA server and obtain the real identifier of the UE from it, which ensures that non-3GPP UEs can directly access the EPC network.
  • Method Embodiment 3: according to an embodiment of the present invention, a method for acquiring a user equipment identifier is provided.
  • The method is based on the mobile IPv6 protocol and includes the following steps: in the authentication process between the AAA server and the P-GW, when the AAA server verifies that the UE identity is a pseudo UE identity, the AAA server sends the real identity of the UE to the P-GW.
  • The P-GW sends a session establishment request to the PCRF, and carries the real identity of the UE in the session establishment request.
  • The PCRF receives the session establishment request, and sends the policy information of the UE to the P-GW according to the real identity of the UE.
  • FIG. 7 is a detailed processing flowchart of the method for obtaining an identifier in the mobile IPv6 mode according to the third method embodiment of the present invention. As shown in FIG. 7, the method includes the following steps (step S701 to step S710):
  • Step S701: the non-3GPP UE initiates access to the access network and performs UE access authentication and authorization; Step S701a: after the access authentication and authorization flow is completed, the AAA server sends an AAA protocol access accept message (that is, the access accept message described above) to the MAG of the non-3GPP access network, where the message carries the real identity of the UE.
  • Next, the UE initiates a layer 3 access trigger process; a UE that does not support mobile IP can trigger layer 3 access through the Dynamic Host Configuration Protocol (DHCP) process.
  • Step S703: the non-3GPP access network and the PCRF interact to complete the gateway session establishment process; in this process, the non-3GPP access network sends the real UE identifier obtained in step S701a to the PCRF to identify the UE.
  • Step S704: the MAG located in the non-3GPP network sends a proxy binding update request to the P-GW; according to local policy, the MAG may not carry the real UE identifier of the UE in the proxy binding update request.
  • The P-GW then interacts with the AAA server to perform mobile IP authentication and authorization. Since the P-GW cannot identify whether the UE identifier from the UE is the real identity of the UE, during the mobile IP authentication and authorization process the P-GW sends a request message to the AAA server, where the request message carries the UE identifier from the UE.
  • Step S705a: the AAA server receives the request message, obtains the UE identifier, and determines whether the UE identifier acquired by the P-GW is the real identifier of the UE.
  • Step S705b: if the UE identifier acquired by the P-GW is a pseudo UE identifier, after the mobile IP authentication and authorization process is completed, the AAA server sends an AAA protocol access accept message to the P-GW, where the message carries the real identity of the UE; if the UE identifier acquired by the P-GW is the real identity of the UE, the AAA server may send the real identity of the UE to the P-GW, or may not send it.
  • Step S706: the P-GW interacts with the AAA server to update the P-GW address.
  • Step S707: the P-GW uses the real UE identifier obtained in step S705b to interact with the PCRF, completes the IP-CAN session establishment process, and acquires the policy of the UE; Step S708: the P-GW sends a proxy binding update response message to the MAG to complete the proxy mobile IP registration procedure; Step S709: the non-3GPP access network and the PCRF interact to complete the gateway session policy provisioning process; Step S710: layer 3 access with the non-3GPP access network is completed.
  • In this embodiment, the non-3GPP UE accesses the EPC network through the non-3GPP access network over the S2a interface, where the protocol on the S2a interface is proxy mobile IPv6. Through the authentication and authorization flow between the P-GW and the AAA server, a P-GW that does not obtain the real identity of the UE from the MAG can still obtain the real identity of the UE from the AAA server and use it to identify the UE.
  • Method Embodiment 4 provides a method for obtaining a user equipment identifier according to an embodiment of the present invention, which is based on a dual-stack mobile IP protocol, and FIG.
  • Step S802 the AAA server performs access authentication and 4 MANN rights, and the AAA server sends an access accept message to the non-3GPP access network, and carries the real identity of the UE in the access accept message.
  • the non-3GPP access network receives the access accept message, obtains the real identity of the UE, sends the session establishment information to the PCRF, and carries the real identity of the UE in the session establishment information; the PCRF receives the session establishment information, and acquires the UE's Real identity.
  • Step S804 In the process of authenticating the AAA server and the P-GW, if the AAA server verifies that the UE identifier is a pseudo UE identifier, the AAA server sends the real identifier of the UE to the P-GW.
  • the AAA server and the P-GW authentication process specifically include: The AAA server receives the establishment of the security association request from the P-GW, where the establishment of the security association request carries the UE identity sent by the UE received by the P-GW.
  • the method further includes: the P-GW sends a session establishment request to the PCRF, and carries the real identity of the UE in the session establishment request; the PCRF receives the session establishment request, and sends the policy information of the UE to the UE according to the real identity of the UE. P-GW.
  • the relevant network elements of the non-3GPP access network and of the 3GPP system each authenticate with the AAA server and obtain the real identifier of the UE from it, which ensures that non-3GPP UEs can directly access the EPC network.
  • Step S901: the non-3GPP UE initiates access to the non-3GPP access network and performs UE access authentication and authorization; Step S901a: after access authentication and authorization are completed, the AAA server sends an AAA protocol access accept message to the non-3GPP access network, carrying the real identity of the UE.
  • Step S902: the UE initiates the layer 3 access procedure in the non-3GPP access network and obtains a local IP address; Step S903: the non-3GPP access network and the PCRF interact to complete the gateway session establishment process, during which the non-3GPP access network sends the real UE identifier obtained in step S901a to the PCRF to identify the UE.
  • Step S904: the UE establishes a security association with the P-GW. During security association establishment the UE sends a security association request to the P-GW, which carries a user equipment identifier; this identifier may be a pseudo UE identifier or the real identifier of the UE (a traditional UE, for example, sends a pseudo UE identifier).
  • Step S905: during security association establishment, the P-GW interacts with the AAA server to perform authentication and authorization. Since the P-GW cannot tell whether the UE identity received from the UE is the real identity of the UE, during the mobile IP authentication and authorization process the P-GW sends a request message to the AAA server carrying the UE identifier received from the UE.
  • Step S905a: the AAA server receives the request message, obtains the UE identifier that the P-GW received from the UE, and verifies whether it is the real identity of the UE; Step S905b: if the UE identity acquired by the P-GW is a pseudo UE identity, then after the mobile IP authentication and authorization process is completed the AAA server sends an AAA protocol accept message to the P-GW carrying the real identity of the UE; if the UE identity acquired by the P-GW is already the real identity of the UE, the AAA server may, according to policy, either send the real identity of the UE to the P-GW or not.
  • Step S906: the UE initiates the mobile IP binding process and sends a mobile IP binding update request to the P-GW.
  • Step S907: the P-GW uses the real identity of the UE obtained in step S905b to complete the IP-CAN session establishment process with the PCRF and obtains the policy of the UE.
  • Step S908: the P-GW sends a mobile IP binding update response message to the UE to complete the mobile IP binding process.
  • the non-3GPP UE accesses the EPC network through the non-3GPP access network over the S2c interface, the protocol on the S2c interface is Dual-Stack Mobile IPv6, and the non-3GPP access network and the P-GW can obtain the real identity of the UE through the AAA server.
  • an authentication, authorization and accounting server (AAA server) is further provided, configured to perform access authentication and authorization with the UE, obtain the real identity of the UE, and send an access accept message to the non-3GPP access network carrying the real identity of the UE; the AAA server is further configured to verify the UE identity sent by the P-GW and, when that UE identity is not the real identity of the UE, to send the real identity of the UE to the P-GW.
  • a packet data network gateway (P-GW) is further provided, configured to send a request message to the AAA server during the authentication process with the AAA server, the request message carrying the UE identifier that the P-GW received from the UE, so that the AAA server can verify whether that UE identifier is the real identifier of the UE; and configured to receive the real identity of the UE sent by the AAA server when that verification fails, that is, when the identifier is a pseudo UE identifier.
  • the third embodiment of the present invention provides a policy and charging rules function entity (PCRF) for receiving a session establishment message sent by a non-3GPP access network, where the session establishment message carries the real identity of the UE.
  • FIG. 10 is a structural block diagram of a system for acquiring a user equipment identifier according to an embodiment of the present invention. As shown in FIG. 10, the system includes an authentication, authorization and accounting server (AAA server) 10, a non-3GPP access network 20, a packet data network gateway (P-GW) 30 and a policy and charging rules function entity (PCRF) 40.
  • At least one of the AAA server 10, the P-GW 30, and the PCRF 40 used in the embodiment of the system can be implemented by using the corresponding device provided in the above device embodiment.
  • the above various components are specifically described below.
  • the AAA server 10 is configured to perform access authentication and authorization with the UE, obtain the real identity of the UE, send an access accept message to the non-3GPP access network 20, and carry the real identity of the UE in the access accept message;
  • the AAA server 10 is further configured to verify the UE identity sent by the P-GW 30, and to send the real identity of the UE to the P-GW 30 if that UE identity is not the real identity of the UE;
  • the non-3GPP access network 20 is connected to the AAA server 10 and the PCRF 40 for receiving the access accept message sent by the AAA server 10 and acquiring the real identity of the UE.
  • the P-GW 30 is connected to the AAA server 10 and the PCRF 40, and is configured to send a request message to the AAA server 10 during the authentication process with the AAA server 10, carrying in the request message the UE identifier received by the P-GW 30 from the UE, so that the AAA server can verify whether that UE identity is the real identity of the UE; and to receive the real identity of the UE sent by the AAA server 10 in case that verification fails;
  • the P-GW 30 is further configured to send a session establishment request to the PCRF 40, and carry the true identity of the UE in the session establishment request.
  • the PCRF 40 is connected to the non-3GPP access network 20 and the P-GW 30, and is configured to receive the session setup message sent by the non-3GPP access network 20, which carries the real identity of the UE obtained by the non-3GPP access network, and to obtain the real identity of the UE from that message; in addition, the PCRF 40 is further configured to receive the session establishment request sent by the P-GW 30 and, according to the real identity of the UE carried in that session establishment request, send the policy information of the UE to the P-GW 30.
  • the relevant network elements of the non-3GPP access network and of the 3GPP system each authenticate with the authentication, authorization and accounting server at different stages of the UE's network access process, and obtain the real identity of the UE from that server, which ensures that the non-3GPP UE can directly access the EPC network.
  • with the method and/or system for acquiring the user equipment identifier provided by the present invention, the FA located in the non-3GPP access network and the P-GW located in the 3GPP network interact with the AAA server in the authentication and authorization processes at different stages of network access, and the AAA server delivers the real identity of the UE to the relevant network element. This not only ensures that the network-side elements accurately obtain the real UE identifier, but also removes the restriction that the UE must transmit its real identifier, so that traditional non-3GPP UEs can directly access the 3GPP EPC network.
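The flow of steps S901 to S908 above, as an added Python model that is not part of the patent or of any ZTE code: it shows why the P-GW must defer to the AAA server (it cannot tell a pseudonym from a permanent identity) and the check a practitioner would want on the AAA side, namely that only pseudonyms the AAA itself issued resolve to a subscriber, so a guessed or replayed pseudonym is rejected rather than mapped to someone else's real identity. Message and field names (AccessAccept, verify_for_pgw, the realm string and the constructed IMSI) are assumptions for illustration, not 3GPP AVP names; the identity-type convention follows RFC 4187, where the first character of the EAP-AKA NAI username distinguishes a permanent identity ('0') from a pseudonym ('2').

```python
from dataclasses import dataclass
from typing import Optional
import secrets

# Assumed realm for the constructed identities (3GPP-style NAI
# "<IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org").
REALM = "nai.epc.mnc001.mcc001.3gppnetwork.org"
# EAP-AKA convention (RFC 4187, 4.1.1.7): the first character of the NAI
# username marks the identity type; only the two kinds used here are modelled.
PERMANENT, PSEUDONYM = "0", "2"

def identity_type(nai: str) -> str:
    """Classify an NAI by its leading character; anything else is 'unknown'."""
    first = nai.split("@", 1)[0][:1]
    return {PERMANENT: "permanent", PSEUDONYM: "pseudonym"}.get(first, "unknown")

@dataclass
class AccessAccept:
    """Assumed shape of the AAA accept message of steps S901a and S905b."""
    accepted: bool
    real_identity: Optional[str] = None   # set only when the AAA releases it
    reason: str = ""

class AAAServer:
    def __init__(self, subscribers, release_real_on_permanent=False):
        self.subscribers = set(subscribers)  # permanent NAIs, "0<IMSI>@realm"
        self.pseudonyms = {}                 # pseudonym NAI -> permanent NAI
        # Step S905b operator policy: echo the real identity even when the
        # P-GW already presented it.
        self.release_real_on_permanent = release_real_on_permanent

    def resolve(self, nai: str) -> Optional[str]:
        """Map an identifier to its permanent identity, or None if it is not
        ours.  Only pseudonyms this AAA issued resolve, so a guessed or replayed
        pseudonym cannot be turned into another subscriber's real identity."""
        kind = identity_type(nai)
        if kind == "permanent":
            return nai if nai in self.subscribers else None
        return self.pseudonyms.get(nai) if kind == "pseudonym" else None

    def access_auth(self, nai: str):
        """Steps S901/S901a (EAP-AKA key exchange elided): returns the accept
        message for the access network, carrying the real identity, and the
        fresh pseudonym the UE will present from now on."""
        real = self.resolve(nai)
        if real is None:
            return AccessAccept(False, reason="unknown identity"), None
        pseudonym = f"{PSEUDONYM}{secrets.token_hex(8)}@{REALM}"
        self.pseudonyms[pseudonym] = real    # bind the pseudonym to the subscriber
        return AccessAccept(True, real_identity=real), pseudonym

    def verify_for_pgw(self, nai: str) -> AccessAccept:
        """Steps S905a/S905b: the P-GW relays whatever the UE sent; the AAA says
        whether it was real and, if it was a pseudonym, supplies the real one."""
        real = self.resolve(nai)
        if real is None:
            return AccessAccept(False, reason="identifier not bound to a subscriber")
        if nai == real and not self.release_real_on_permanent:
            return AccessAccept(True)        # P-GW already holds the real identity
        return AccessAccept(True, real_identity=real)

class PCRF:
    def __init__(self, policies):
        self.policies = policies             # permanent NAI -> policy name

    def ip_can_session(self, real_identity: str) -> str:
        """Step S907: policy is looked up on the real identity, never a pseudonym."""
        return self.policies.get(real_identity, "default")

class PGW:
    def __init__(self, aaa: AAAServer, pcrf: PCRF):
        self.aaa, self.pcrf, self.ue_identity = aaa, pcrf, None

    def establish_sa(self, ue_nai: str) -> str:
        """Steps S904-S905b: the P-GW cannot tell a pseudonym from a real
        identity, so it forwards ue_nai unchanged and trusts the AAA's answer."""
        reply = self.aaa.verify_for_pgw(ue_nai)
        if not reply.accepted:
            raise PermissionError(reply.reason)
        self.ue_identity = reply.real_identity or ue_nai
        return self.ue_identity

    def binding_update(self) -> str:
        """Steps S906-S908: IP-CAN session with the PCRF keyed on the real identity."""
        return self.pcrf.ip_can_session(self.ue_identity)

def run_flow():
    """Constructed run: a legacy UE that shows the P-GW only a pseudonym."""
    imsi_nai = f"{PERMANENT}001010123456789@{REALM}"
    aaa, pcrf = AAAServer([imsi_nai]), PCRF({imsi_nai: "gold"})
    accept, pseudonym = aaa.access_auth(imsi_nai)   # S901: access network learns real id
    pgw = PGW(aaa, pcrf)
    resolved = pgw.establish_sa(pseudonym)          # S905b: P-GW learns it from the AAA
    policy = pgw.binding_update()                   # S907: PCRF keyed on the real id
    try:                                            # a forged pseudonym never resolves
        PGW(aaa, pcrf).establish_sa(f"{PSEUDONYM}deadbeef@{REALM}")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return accept.real_identity, resolved, policy, forged_rejected
```

Calling run_flow() walks one subscriber through the sequence: the access network learns the real identity at S901a, the P-GW learns it only from the AAA at S905b, and the PCRF is keyed on the real identity at S907. The same run shows an identifier the AAA never issued being rejected instead of resolved, which is the property the AAA-side pseudonym table must guarantee. The release_real_on_permanent switch models the policy choice the text leaves open in step S905b.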

Abstract

The invention relates to a method for obtaining the identifier of a user equipment, comprising the following operations: an AAA server performs authentication and authorization with a UE, and the AAA server sends an access accept message containing the real identifier of the UE to an FA of a non-3GPP access network. During the authentication process between the AAA server and the P-GW, if the AAA server determines that the identifier of the UE is a pseudo-identifier, the AAA server sends the real identifier of the UE to the P-GW. The invention also comprises an AAA server, a P-GW, a PCRF and a system for obtaining the identifier of the user equipment. The invention is advantageous in that it ensures that a non-3GPP UE can directly access the EPC network.
PCT/CN2008/073647 2008-06-17 2008-12-22 AAA server, P-GW, PCRF, and method and system for obtaining the identifier of a user equipment WO2009152676A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810128801.0 2008-06-17
CN2008101288010A CN101459904B (zh) 2008-06-17 2008-06-17 AAA server, P-GW, PCRF, and method and system for obtaining a user equipment identifier

Publications (1)

Publication Number Publication Date
WO2009152676A1 true WO2009152676A1 (fr) 2009-12-23

Family

ID=40770471

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073647 WO2009152676A1 (fr) 2008-06-17 2008-12-22 AAA server, P-GW, PCRF, and method and system for obtaining the identifier of a user equipment

Country Status (2)

Country Link
CN (1) CN101459904B (fr)
WO (1) WO2009152676A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103781048A (zh) * 2012-10-19 2014-05-07 电信科学技术研究院 Addressing method and device for a policy and charging control entity

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945449B (zh) * 2009-07-10 2015-06-03 中兴通讯股份有限公司 Method and apparatus for handover of a terminal to a home base station
CN101998444B (zh) * 2009-08-14 2014-02-05 中国电信股份有限公司 Proxy Mobile IPv4 processing method and system
CN102413452B (zh) * 2010-09-20 2016-08-03 中兴通讯股份有限公司 Method and system for obtaining a user identifier
CN105553923A (zh) * 2014-11-04 2016-05-04 中兴通讯股份有限公司 Method and network-side device for obtaining a user identifier
CA2985663C (fr) * 2015-05-12 2020-04-14 Telefonaktiebolaget Lm Ericsson (Publ) Method and nodes for managing access to EPC services via a non-3GPP network
CN108848112B (zh) * 2015-09-22 2019-07-12 华为技术有限公司 Access method, device and system for user equipment (UE)
EP3151599A1 (fr) * 2015-09-30 2017-04-05 Apple Inc. Handling of cellular network access authentication failure via WLAN
CN109768947A (zh) * 2017-11-09 2019-05-17 中国移动通信有限公司研究院 User identity authentication method, apparatus and medium
US11736484B2 (en) * 2017-12-28 2023-08-22 Paxgrid Cdn Inc. System for authenticating and authorizing access to and accounting for wireless access vehicular environment consumption by client devices
CN115396866A (zh) * 2019-06-04 2022-11-25 华为技术有限公司 Method, apparatus and system for sending terminal policy

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007071275A1 (fr) * 2005-12-22 2007-06-28 Telefonaktiebolaget L.M. Ericsson Subscriber authentication in mobile communication networks using unlicensed access networks
CN101159679A (zh) * 2004-01-14 2008-04-09 华为技术有限公司 Method for a packet data gateway in a wireless local area network to obtain a user identity

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2236471T3 (es) * 2002-06-04 2005-07-16 Alcatel A method, a network access server, an authentication-authorization-accounting server and a computer program product for proxying user authentication-authorization-accounting messages via a network access server
CN100370767C (zh) * 2003-09-30 2008-02-20 华为技术有限公司 Method for managing mobile users' use of wireless local area network services
CN100355251C (zh) * 2003-11-10 2007-12-12 华为技术有限公司 Method for sending data using an updated temporary user identity
CN100411335C (zh) * 2004-01-14 2008-08-13 华为技术有限公司 Method for a packet data gateway in a wireless local area network to obtain a user identity
CN101159625B (zh) * 2007-11-07 2011-04-20 中兴通讯股份有限公司 System and method for implementing lawful (police) interception in a WiMAX network


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3GPP 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Architecture Enhancements for non-3GPP accesses", 3GPP TS 23.402 V1.5.1,, November 2007 (2007-11-01) *
"ZTE. Informing UE permanent ID to FA/PDN GW", CHANGE REQUEST S2-084587, 27 June 2008 (2008-06-27), pages - 084587 *

Also Published As

Publication number Publication date
CN101459904A (zh) 2009-06-17
CN101459904B (zh) 2010-12-29

Legal Events

Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 08874680; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 08874680; Country of ref document: EP; Kind code of ref document: A1)