WO2012149783A1 - Method, device, and user equipment applicable in accessing mobile network - Google Patents

Publication number
WO2012149783A1
WO2012149783A1 PCT/CN2011/080377 CN2011080377W WO2012149783A1 WO 2012149783 A1 WO2012149783 A1 WO 2012149783A1 CN 2011080377 W CN2011080377 W CN 2011080377W WO 2012149783 A1 WO2012149783 A1 WO 2012149783A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
eap
authentication
response message
message
Application number
PCT/CN2011/080377
Other languages
French (fr)
Chinese (zh)
Inventor
王珊珊
郑磊斌
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201180001958.7A (CN102388639B)
Priority to PCT/CN2011/080377 (WO2012149783A1)
Publication of WO2012149783A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys

Definitions

  • Embodiments of the present invention relate to the field of communications technologies, and, more particularly, to a method and apparatus for accessing a mobile network, and to user equipment.

Background

  • The evolved mobile network can simultaneously support 3GPP (3rd Generation Partnership Project) access technology and non-3GPP access technologies, such as WiFi (Wireless Fidelity), WLAN (Wireless Local Area Networks), CDMA (Code Division Multiple Access), etc.
  • WLAN/WiFi can access the 3GPP network to use packet services in the trusted access mode.
  • The UE (User Equipment) supports basic WLAN/WiFi access and EAP access authentication, and EAP authentication is performed between the BRAS (Broadband Remote Access Server) of the WLAN/WiFi access network and the 3GPP AAA (Authentication, Authorization and Accounting) server.
  • The WLAN access network needs to support the GTP (General Packet Radio Service Tunnel Protocol) / PMIP (Proxy Mobile IP) tunnel, so that the WLAN access network can communicate directly with the PGW (Packet Data Network Gateway).
  • In the trusted access mode, the BRAS needs to be modified to support the various functions involved in the trusted access mode, such as the GTP/PMIP interface and the EAP function. However, it may not be possible to support these features by simply upgrading the BRAS, and the BRAS may even need to be replaced.

Summary of the invention

  • The embodiments of the present invention provide a method and apparatus for accessing a mobile network, and user equipment, which can reduce the modification of the access server, thereby facilitating access to the mobile network.
  • An apparatus for accessing a mobile network, including: a receiving module, configured to receive an EAP success response message from an authentication server; and a sending module, configured to send, to the access server, the EAP success response message and the Internet Protocol (IP) address assigned to the user equipment.
  • An apparatus for accessing a mobile network, including: a receiving module, configured to receive, after the EAP authentication of the user equipment succeeds, an EAP success response message from the gateway device and the IP address assigned to the user equipment; and a sending module, configured to send the EAP success response message to the user equipment, where the receiving module further receives an IP connection establishment request message sent by the user equipment after it receives the EAP success response message, and after the receiving module receives the IP connection establishment request message, the sending module sends an IP connection setup response message to the user equipment, where the IP connection setup response message carries the IP address, so that the user equipment accesses the mobile network according to the IP address.
  • A user equipment, including: a sending module, configured to send an EAP authentication message to an access server, to complete EAP authentication with the authentication server; and a receiving module, configured to receive an EAP success response message from the access server, where the sending module sends an IP connection establishment request message to the access server before the EAP authentication succeeds and, after the receiving module receives the EAP success response message, sends a new IP connection establishment request message to the access server to obtain an IP address configured by the gateway device for the user equipment, and the receiving module further receives an IP connection establishment response message from the access server, where the IP connection establishment response message carries the IP address.
  • A method for accessing a mobile network, including: receiving an EAP success response message from an authentication server; and sending the EAP success response message and an IP address assigned to the user equipment to the access server, so that the access server forwards the EAP success response message to the user equipment, and the user equipment, after obtaining the IP address from the access server, accesses the mobile network according to the IP address.
  • A method for accessing a mobile network, including: receiving an EAP success response message from a gateway device and an IP address assigned by the gateway device to the user equipment; sending the EAP success response message to the user equipment; receiving an IP connection establishment request message sent by the user equipment after it receives the EAP success response message; and, after receiving the IP connection establishment request message, sending an IP connection establishment response message to the user equipment, where the IP connection establishment response message carries the IP address, so that the user equipment accesses the mobile network according to the IP address.
  • A method for accessing a mobile network, including: sending an EAP authentication message to an access server, to complete EAP authentication of the user equipment with the authentication server; where an IP connection establishment request message is sent to the access server before the EAP authentication succeeds, and after an EAP success response message is received from the access server, a new IP connection establishment request message is sent to the access server to obtain an IP address configured by the gateway device for the user equipment; and receiving an IP connection establishment response message from the access server, where the IP connection establishment response message carries the IP address.
  • The embodiments of the present invention can use the foregoing apparatus for accessing the mobile network to send the EAP success response message returned by the authentication server to the access server together with the IP address allocated for the user equipment. Since the basic functions already supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.

Drawings

  • FIG. 1 is a schematic diagram of an architecture of a system in accordance with one embodiment of the present invention.
  • FIG. 2 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 3 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 4 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 5 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 6 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a user equipment according to an embodiment of the present invention.
  • FIG. 8 is a schematic flow diagram of a method for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 9 is a schematic flow diagram of a method for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 10 is a schematic flowchart of a method for accessing a mobile network according to an embodiment of the present invention.
  • FIG. 11 is a schematic flow chart of a process of accessing a mobile network according to an embodiment of the present invention.
  • FIG. 12 is a schematic flowchart of a process of accessing a mobile network according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram of a system architecture for accessing a mobile network, in accordance with one embodiment of the present invention.
  • FIG. 14 is a schematic diagram of a system architecture for accessing a mobile network, in accordance with one embodiment of the present invention.
  • The technical solution of the present invention can be applied to various communication systems, such as: Global System of Mobile Communication (GSM), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), General Packet Radio Service (GPRS), Long Term Evolution (LTE), LTE-Advanced, etc.
  • The embodiments of the present invention are described by using WLAN/WiFi access to a 3GPP SAE (System Architecture Evolution) network as an example, but the embodiments are not limited thereto, and are also applicable to scenarios in which other non-3GPP networks (e.g., CDMA) access the packet service of the 3GPP network.
  • The UE may also be referred to as a mobile terminal, a mobile user equipment, or the like.
  • The UE may be a mobile terminal, such as a mobile phone (or "cellular" phone) and a computer with a mobile terminal, for example, a portable, pocket-sized, handheld, computer-integrated or in-vehicle mobile device that is connected to the wireless device.
  • System 10 includes: UE 11, AP (Access Point) 12, access server 13, gateway device 14, and authentication server 15.
  • The UE 11 accesses the WLAN/WiFi through the AP 12, the AP 12 is connected to the access server 13, the access server 13 is connected to the gateway device 14, and the gateway device 14 is connected to the authentication server 15.
  • FIG. 2 is a schematic block diagram of an apparatus 100 for accessing a mobile network, in accordance with one embodiment of the present invention.
  • An example of the apparatus 100 of FIG. 2 is a gateway device 14 in the system of FIG. 1, for example, an AGW (Access Gateway) or a PGW, including: a receiving module 110 and a transmitting module 120.
  • The receiving module 110 receives an EAP (Extensible Authentication Protocol) success response message from the authentication server.
  • The sending module 120 sends the EAP success response message and the IP address assigned to the UE to the access server, so that the access server forwards the EAP success response message to the UE, and the UE, after obtaining the IP address from the access server, accesses the mobile network according to the IP address.
  • The foregoing authentication server may be a 3GPP AAA server/HSS (Home Subscriber Server), and the foregoing access server may be a BRAS in WLAN/WiFi, or an access server or gateway device capable of performing similar functions in other non-3GPP networks.
  • The embodiment of the present invention can use the gateway device to participate in the EAP authentication process for the user equipment, and use the gateway device to send the EAP success response message returned by the authentication server to the access server together with the IP address allocated for the user equipment. Since the basic functions already supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.
  • The receiving module 110, when performing the EAP authentication, receives from the access server the EAP authentication message sent by the UE, and the sending module 120 sends the EAP authentication message to the authentication server, so that the EAP authentication of the UE is completed between the UE and the authentication server, and after the EAP authentication of the user equipment by the authentication server succeeds, the receiving module 110 receives the EAP success response message from the authentication server.
  • The foregoing EAP authentication message may be an EAP authentication response message.
  • The UE may send a message for triggering EAP authentication to the BRAS.
  • The BRAS may send an EAP authentication request message to the UE.
  • The UE may send the foregoing EAP authentication response message to the BRAS.
  • the receiving module 110 receives the encapsulation from the access server at the first
  • The sending module 120 sends an EAP authentication message encapsulated in the first RADIUS/Diameter protocol packet to the authentication server, and sends an IP address and an EAP success response message encapsulated in the second RADIUS/Diameter protocol packet to the access server.
  • The UE accesses the packet service network through the above tunnelless mode, and the service experience is consistent with the 3GPP access technology.
  • The above-mentioned gateway device (for example, PGW or AGW) and the BRAS can communicate with each other through the RADIUS/Diameter protocol.
  • The gateway device may also encapsulate the IP address and the EAP success response message in a RADIUS/Diameter protocol packet and send the packet to the BRAS.
  • The gateway device participates in the EAP authentication process between the BRAS and the authentication server, and only the RADIUS/Diameter function already supported by the BRAS is used; the interface with the authentication server and the EAP message identification function do not need to be implemented on the BRAS, so the modification of the BRAS can be reduced, making it easier to access the mobile network.
  • FIG. 3 is a schematic block diagram of an apparatus 200 for accessing a mobile network, in accordance with one embodiment of the present invention.
  • An example of a device 200 is a gateway device 14, such as a PGW, in the system 10 of FIG. 1.
  • The receiving module 210 and the transmitting module 220 of FIG. 3 are similar to 110 and 120 of FIG. 2, and thus detailed descriptions are omitted as appropriate herein.
  • The apparatus 200 also includes an allocation module 230.
  • The allocation module 230 allocates an IP address to the UE according to the pre-configured access point name (APN) or the access point name included in the subscription data of the UE.
  • The receiving module 210 receives the subscription data of the UE from the authentication server while receiving the EAP success response message from the authentication server.
  • The gateway device may also be responsible for assigning an IP address to the UE.
  • The foregoing APN may be pre-configured by the network side or may be obtained from the subscription data of the UE.
  • The present invention is not limited thereto, and the APN may be acquired by other means.
  • The foregoing authentication server may send the EAP success response message, the subscription data, and the APN encapsulated in the RADIUS/Diameter protocol message to the PGW, so that the PGW allocates an IP address to the UE according to the APN.
  • The apparatus 200 further includes: a configuration module 240.
  • The configuration module 240 configures a VPN (Virtual Private Network) tunnel between the device 200 and the access server, to exchange data with the access server through the VPN tunnel.
  • After the IP address is assigned to the UE, the PGW can configure a VPN tunnel, for example, a GRE (Generic Routing Encapsulation) tunnel, between the PGW and the BRAS according to the IP address. Since the BRAS also supports the VPN tunnel function, the PGW and the BRAS can perform user plane data communication through the VPN tunnel. For example, the PGW selects the VPN tunnel according to the IP address of the UE to send downlink data to the BRAS. According to an embodiment of the present invention, when implementing access to a mobile network, it is only necessary to configure functions that the BRAS already supports, without adding new functions to the BRAS.
  • The embodiment of the present invention can use the gateway device to participate in the authentication process of the user equipment, and use the gateway device to send the success response message returned by the authentication server to the access server together with the IP address allocated for the user equipment.
  • The VPN tunnel function of the access server can be used to perform data communication on the user plane. Since only the basic functions supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.
  • FIG. 4 is a schematic block diagram of an apparatus 300 for accessing a mobile network, in accordance with one embodiment of the present invention.
  • An example of a device 300 is a gateway device 14, such as an AGW, in the system 10 of FIG. 1, including a receiving module 310 and a transmitting module 320.
  • The modules 310 and 320 of FIG. 4 are similar to 110 and 120 of FIG. 2, and thus detailed descriptions are omitted as appropriate herein.
  • The apparatus 300 further includes an acquisition module 330.
  • The acquisition module 330 obtains an IP address assigned to the UE from an independent packet data gateway (e.g., PGW) after the EAP success response message is received from the authentication server.
  • The acquisition module 330 acquires the IP address allocated for the UE from the packet data gateway according to an access point name included in the subscription data of the UE or a pre-configured access point name, where the receiving module 310 receives the subscription data of the UE from the authentication server while receiving the EAP success response message from the authentication server.
  • The AGW may carry the APN in the GTP/PMIP tunnel request message sent to the PGW, and the PGW allocates an IP address to the UE according to the APN, and carries the IP address allocated by the PGW to the UE in the GTP/PMIP tunnel response message returned to the AGW.
  • The above APN can be pre-configured by the network side.
  • The APN may also be obtained from the subscription data of the UE. The present invention is not limited thereto, and the above APN may be acquired by other means.
  • The authentication server can encapsulate the EAP success response message, the subscription data, and the APN in a RADIUS/Diameter protocol message and send it to the AGW.
  • The apparatus 300 further includes: a configuration module 340, an establishing module 360, and a binding module 350.
  • The configuration module 340 configures a VPN tunnel between the device 300 and the access server.
  • The establishing module 360 establishes a GTP/PMIP tunnel with the packet data gateway described above.
  • The binding module 350 binds the GTP/PMIP tunnel and the VPN tunnel, to exchange data between the access server and the packet data gateway through the bound GTP/PMIP tunnel and VPN tunnel.
  • After the acquisition module 330 obtains the IP address from the PGW, the AGW may configure, by the configuration module 340, the VPN tunnel (for example, a GRE tunnel) between the AGW and the BRAS according to the IP address, and may establish a GTP/PMIP tunnel with the PGW.
  • The AGW can establish a mapping relationship between the VPN tunnel and the GTP/PMIP tunnel to bind the VPN tunnel and the GTP/PMIP tunnel. Since the BRAS also supports the VPN tunnel function, the AGW and the BRAS can perform user plane data communication through the VPN tunnel. For example, after receiving the downlink data sent by the PGW from the GTP/PMIP tunnel, the AGW selects the VPN tunnel according to the mapping relationship between the VPN tunnel and the GTP/PMIP tunnel to send the downlink data to the BRAS. In addition, after receiving the uplink data sent by the BRAS from the VPN tunnel, the AGW selects the GTP tunnel to send uplink data to the PGW according to the mapping relationship between the VPN tunnel and the GTP/PMIP tunnel.
  • The embodiment of the present invention can use the gateway device to participate in the EAP authentication process for the user equipment, and use the gateway device to send the EAP success response message returned by the authentication server to the access server together with the IP address allocated for the user equipment.
  • FIG. 5 is a schematic block diagram of an apparatus 400 for accessing a mobile network, in accordance with one embodiment of the present invention.
  • An example of a device 400 is the access server 13, such as the BRAS, in the system 10 of FIG. 1.
  • The apparatus 400 includes: a receiving module 410 and a transmitting module 420.
  • The receiving module 410 receives an EAP success response message from the gateway device and an IP address assigned to the UE.
  • The sending module 420 sends the EAP success response message to the user equipment, where the receiving module 410 further receives an IP connection setup request message sent by the user equipment after it receives the EAP success response message, and after the receiving module 410 receives the IP connection setup request message, the sending module 420 sends an IP connection establishment response message to the user equipment, where the IP connection establishment response message carries the IP address, so that the user equipment accesses the mobile network according to the IP address.
  • The embodiment of the present invention can use the gateway device to participate in the EAP authentication process for the user equipment, and use the gateway device to send the EAP success response message returned by the authentication server to the access server together with the IP address allocated for the user equipment. Since the basic functions already supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.
  • The receiving module 410, when performing the EAP authentication, receives an EAP authentication message from the UE, and the sending module 420 sends the EAP authentication message to the gateway device, so that the gateway device forwards the EAP authentication message to the authentication server and the EAP authentication is completed between the UE and the authentication server, and after the authentication of the user equipment succeeds, the receiving module 410 receives the success response message and the IP address assigned to the user equipment from the gateway device.
  • The foregoing EAP authentication message may be an EAP authentication response message.
  • The UE may send a message for triggering EAP authentication to the BRAS.
  • The BRAS may send an EAP authentication request message to the UE.
  • The UE may send the foregoing EAP authentication response message to the BRAS.
  • The UE sends a message triggering EAP authentication to the BRAS when performing authentication or accessing the PS service.
  • After receiving the message, the BRAS sends an EAP authentication request message to the UE, and the UE sends an EAP authentication response message to the BRAS after receiving the EAP authentication request message.
  • The receiving module 410 receives an EAP success response message and an IP address encapsulated in the first RADIUS/Diameter protocol, and the sending module 420 sends, to the gateway device, the EAP authentication message encapsulated in the first RADIUS/Diameter protocol packet.
  • When the receiving module 410 receives the IP connection establishment request message from the user equipment before the EAP authentication succeeds, then after the EAP authentication succeeds and the receiving module 410 receives a new IP connection establishment request message from the user equipment, the sending module 420 sends an IP connection setup response message to the user equipment, where the IP connection setup response message carries the IP address.
  • The above-mentioned EAP success response message and the above-mentioned IP address can be sent to the BRAS by the gateway device in the RADIUS/Diameter protocol packet, and the BRAS obtains the IP address by, for example, decapsulating the RADIUS/Diameter protocol packet.
  • The embodiment according to the present invention is not limited thereto.
  • The above EAP success response message and the above IP address may also be sent in separate messages.
  • Only the RADIUS/Diameter function supported by the BRAS is used to communicate with the authentication server through the gateway device, and the EAP authentication can be realized without implementing the interface with the authentication server and the EAP message identification function on the BRAS, thereby reducing the modification of the BRAS and making it easier to access the mobile network.
  • The above IP connection establishment request message may be a DHCP (Dynamic Host Configuration Protocol) request message.
  • The above IP connection setup response message may be a DHCP response message.
  • The DHCP request message may be sent before the EAP authentication process is completed.
  • The EAP authentication may be performed.
  • The gateway device configures an IP address for the UE and sends it to the BRAS.
  • The UE sends an IP connection establishment request message to the BRAS again.
  • The access server, when accessing the mobile network, may receive an IP address sent together with the EAP success response message from the gateway device participating in the EAP authentication. Since the basic functions already supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.
  • FIG. 6 is a schematic block diagram of an apparatus 500 for accessing a mobile network, in accordance with one embodiment of the present invention.
  • An example of the device 500 is the access server 13, for example, the BRAS in the system 10 of FIG. 1, comprising: a receiving module 510, a transmitting module 520, and a configuration module 530.
  • The modules 510 and 520 of FIG. 6 are similar to 410 and 420 of FIG. 5, and thus detailed descriptions are omitted as appropriate herein.
  • The configuration module 530 configures a VPN tunnel between the device 500 and the gateway device, to exchange data with the gateway device through the VPN tunnel.
  • The BRAS can statically configure a VPN tunnel (e.g., a GRE tunnel) between the BRAS and the gateway device through the configuration module 530. Since the BRAS itself supports the VPN tunnel function, the BRAS and the gateway device can perform user plane data communication through the VPN tunnel. For example, the BRAS can, according to the statically configured VPN routing table, select the VPN tunnel (for example, a GRE tunnel) according to the user's domain information (Domain) to encapsulate and forward uplink data.
  • The access server, when accessing the mobile network, may use the supported functions to receive the IP address sent from the gateway device along with the EAP success response message, and use the VPN tunnel function to perform data communication on the user plane. Since the basic functions already supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.
  • FIG. 7 is a schematic structural diagram of a user equipment UE 600 according to an embodiment of the present invention.
  • The UE 600 includes: a receiving module 610 and a transmitting module 620.
  • The UE 600 is an example of the UE 11 in the system 10 of FIG. 1, for example, a data card type UE.
  • The sending module 620 sends an EAP authentication message to the access server, so that EAP authentication of the UE is completed with the authentication server.
  • The receiving module 610 receives an EAP success response message from the access server, where the sending module 620 sends an IP connection establishment request message to the access server before the EAP authentication succeeds and, after the receiving module 610 receives the EAP success response message, sends a new IP connection establishment request message to the access server to obtain an IP address configured by the gateway device for the user equipment, and the receiving module 610 further receives an IP connection establishment response message from the access server, where the IP connection establishment response message carries the IP address.
  • The EAP success response message and the foregoing IP address may be sent by the gateway device to the BRAS in a RADIUS/Diameter protocol message, and the BRAS may extract the IP address from the RADIUS/Diameter protocol message by decapsulating it.
  • The foregoing IP connection establishment request message may be a DHCP request message.
  • The IP connection establishment response message may be a DHCP response message.
  • The DHCP request message may be sent before the EAP authentication process is completed.
  • The EAP authentication may be performed.
  • The gateway device configures an IP address for the UE and sends it to the BRAS.
  • The UE sends a DHCP request message to the BRAS again.
  • The embodiment of the present invention can utilize the gateway device to participate in the EAP authentication process for the user equipment, and utilize the basic functions of the access server, thereby reducing the modification of the access server.
  • The UE sends an IP connection setup request message to the access server again after the EAP authentication is completed, to ensure successful acquisition of the allocated IP address.
  • FIG. 8 is a schematic flow diagram of a method 700 for accessing a mobile network, in accordance with one embodiment of the present invention.
  • the method 700 of Figure 8 can be performed by the gateway device of Figures 2, 3 and 4.
  • the embodiment of the present invention can use the gateway device to participate in the EAP authentication process for the user equipment, and use the gateway device to send the EAP success response message returned by the authentication server to the access server together with the IP address allocated for the user equipment. Since the basic functions already supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.
  • the EAP authentication message sent by the UE is received from the access server, and the EAP authentication message is sent to the authentication server, so that the UE and the authentication server complete the EAP authentication of the UE; after the EAP authentication of the user equipment by the authentication server succeeds, the EAP success response message is received from the authentication server.
  • the method 700 further includes: after the EAP authentication of the UE succeeds, receiving an EAP success response message from the authentication server; assigning the IP address to the UE according to the pre-configured access point name or the subscribed access point name included in the subscription data of the UE, where the subscription data of the UE is received from the authentication server together with the EAP success response message.
  • the method 700 further includes: transmitting the EAP success response message and an IP address assigned to the UE to the access server, so that the access server forwards the EAP success response message to the UE, and After acquiring the IP address from the access server, the UE accesses the mobile network according to the IP address.
  • the method 700 further includes: configuring a VPN tunnel with the access server to interact with the access server through the VPN tunnel.
  • the method 700 further includes: obtaining the IP address assigned to the UE from the packet data gateway after receiving the EAP Success Response message from the authentication server.
  • the access point name included in the subscription data of the UE or the pre-configured access point name is obtained from the packet data gateway.
  • the method 700 further includes: configuring a VPN tunnel with the access server; establishing a GTP/PMIP tunnel with the packet data gateway; binding the GTP/PMIP tunnel and the VPN tunnel, so that data is exchanged between the access server and the packet data gateway through the bound GTP/PMIP tunnel and VPN tunnel.
  • the EAP authentication message encapsulated in the first RADIUS/Diameter protocol packet is received from the access server, and the EAP authentication message encapsulated in the first RADIUS/Diameter protocol packet is sent to the authentication server.
  • FIG. 9 is a schematic flow diagram of a method 800 for accessing a mobile network, in accordance with one embodiment of the present invention.
  • the method 800 of Figure 9 can be performed by the access server of Figures 5 and 6, for example, by the BRAS.
  • after receiving the IP connection setup request message, send an IP connection setup response message to the user equipment, where the IP connection setup response message carries the IP address, so that the user equipment accesses the mobile network according to the IP address.
  • the embodiment of the present invention can use the gateway device to participate in the EAP authentication process for the user equipment, and use the gateway device to send the EAP success response message returned by the authentication server to the access server together with the IP address allocated for the user equipment. Since the basic functions already supported by the access server are utilized in the above process, the modification of the access server can be reduced, thereby making it easier to access the mobile network.
  • an EAP authentication message is received from the UE, and the EAP authentication message is sent to the gateway device, so that the gateway device forwards the EAP authentication message to the authentication server and the UE and the authentication server complete the EAP authentication for the UE; after the authentication server succeeds in EAP authentication of the user equipment, an EAP success response message and the IP address assigned by the gateway device to the user equipment are received from the gateway device.
  • the method further comprises: if the IP connection establishment request message is received from the UE before the EAP authentication succeeds, then in 840, after the EAP authentication succeeds and a new IP connection setup request message is received again from the user equipment, the IP connection setup response message is sent to the user equipment.
  • the method 800 further includes: configuring a VPN tunnel with the gateway device to interact with the gateway device through the VPN tunnel.
  • the EAP success response message encapsulated in the first RADIUS/Diameter protocol packet and the IP address are received from the gateway device.
  • FIG. 10 is a schematic flowchart of a method for accessing a mobile network according to an embodiment of the present invention.
  • the method 900 of FIG. 10 can be performed by the UE of FIG.
  • if an IP connection establishment request message is sent to the access server before the EAP authentication succeeds, then after receiving the EAP success response message from the access server, send a new IP connection establishment request message to the access server again to obtain the IP address configured by the gateway device for the user equipment.
  • the foregoing EAP success response message and the foregoing IP address may be encapsulated in a RADIUS/Diameter protocol message by the gateway device and sent to the BRAS, and the BRAS may extract the IP address by decapsulating the RADIUS/Diameter protocol message.
  • the embodiment of the present invention can use the gateway device to participate in the EAP authentication process for the user equipment and make use of the basic functions of the access server, thereby reducing the modification of the access server.
  • the UE sends an IP connection establishment request message to the access server again after the EAP authentication is completed, to ensure successful acquisition of the allocated IP address.
  • FIG. 11 is a schematic flow chart of a process of accessing a mobile network according to an embodiment of the present invention.
  • the process of Figure 11 is an example of the method of Figures 8, 9, and 10, wherein WLAN/WiFi accesses the 3GPP SAE (System Architecture Evolution) network in a trusted access method.
  • the UE sends a message for triggering EAP authentication. For example, when the UE performs authentication or accesses the packet service, the AP sends an EAPOL-start message to the AC (Access Controller, wireless controller)/BRAS to trigger the EAP authentication process.
  • after receiving the message triggering EAP authentication, the BRAS sends an EAP authentication request message to the UE. For example, after receiving the EAPOL-start message, the BRAS sends an EAP request/Identity message to the UE to request the UE's ID (identity).
  • IMSI International Mobile Subscriber Identification Number
  • the BRAS encapsulates the EAP authentication response message into a RADIUS/Diameter protocol packet, and sends the RADIUS/Diameter protocol packet to the corresponding PGW. For example, in order to implement the routing of the signaling, the BRAS configures the PGW as the next hop route of the RADIUS/Diameter protocol packet.
  • the PGW forwards the RADIUS/Diameter protocol packet encapsulating the EAP authentication response message to the 3GPP AAA Server/HSS according to the NAI.
  • EAP-SIM/AKA process is similar to the conventional EAP-SIM/AKA process and will not be described here.
  • the UE receives a request/SIM/notification during the EAP-SIM/AKA process (eg,
  • an EAP authentication response/SIM/notification message (for example, EAP Response/SIM/Notification) is sent to the BRAS through the AP.
  • BRAS forwards EAP authentication response / SIM / notification to PGW.
  • the BRAS can encapsulate the EAP authentication response/SIM/notification into a RADIUS/Diameter protocol packet and forward the RADIUS/Diameter protocol packet to the PGW.
  • the PGW forwards the RADIUS/Diameter protocol packet to the 3GPP AAA Server/HSS.
  • the 3GPP AAA Server/HSS may send an EAP Success Response (e.g., EAP Success) message to the PGW.
  • the 3GPP AAA Server/HSS may also send the UE's subscription data (eg, user profile) to the PGW.
  • the subscription data of the UE may include the subscription APN of the UE.
  • the 3GPP AAA Server/HSS may also send the default APN pre-configured on the network side to the PGW together with the subscription data of the UE.
  • the PGW allocates an IP address according to the pre-configured APN or the UE's subscription APN.
  • the PGW encapsulates the IP address and the EAP success response message in a RADIUS/Diameter message and sends the packet to the BRAS.
  • the BRAS forwards the EAP success response message to the UE.
  • the BRAS decapsulates the RADIUS/Diameter packet to extract an EAP success response message, and sends an EAP success response message to the UE.
  • the UE After receiving the EAP success response message, the UE sends a DHCP Request message to the BRAS through the AP.
  • after receiving the DHCP request message, the BRAS sends a DHCP response (DHCP Response) message to the UE.
  • the DHCP response message carries the IP address assigned by the PGW to the UE.
  • a virtual private network VPN tunnel is configured between the BRAS and the PGW, so that the BRAS and the PGW exchange data (for example, IP packets) through the VPN tunnel.
  • the BRAS can use the VPN tunnel to send uplink data to the PGW.
  • the VPN routing table can be statically configured on the BRAS, as shown in Table 3. According to the VPN routing table, the BRAS selects a VPN tunnel (for example, a GRE tunnel) to encapsulate and forward the uplink data according to the domain information (Domain) of the UE.
  • the PGW can encapsulate and forward downlink data using a VPN tunnel (e.g., a GRE tunnel).
  • the mapping between the IP address of the UE and the VPN tunnel can be dynamically maintained on the PGW according to the IP address assigned by the PGW to the UE, as shown in Table 2.
  • the PGW selects a GRE tunnel to transmit data according to the IP address of the UE.
  • FIG. 12 is a schematic flowchart of a process of accessing a mobile network according to an embodiment of the present invention.
  • the process of Figure 12 is an example of the method of Figures 8, 9, and 10. Steps 1110, 1115, 1120, 1135, 1140, 1175, 1180, and 1185 in the process of FIG. 12 are similar to 1010, 1015, 1020, 1035, 1040, 1075, 1080, and 1085 of the process of FIG. 11, respectively, and are appropriately described herein.
  • the UE sends a message for triggering EAP authentication.
  • the BRAS After receiving the message for triggering EAP authentication, the BRAS sends an EAP authentication request message to the UE.
  • the UE sends an EAP authentication response message to the BRAS, for example, an EAP Response/Identity message, where the NAI is used to identify the identity of the UE, and the NAI includes the UE ID (IMSI information) and the domain information.
  • the BRAS encapsulates the EAP authentication response message into a RADIUS/Diameter protocol packet, and sends the RADIUS/Diameter protocol packet to the corresponding PGW. For example, to implement routing of the signaling, the BRAS configures the AGW as the next hop route of the RADIUS/Diameter protocol packet.
  • the AGW forwards the RADIUS/Diameter protocol packet encapsulating the EAP authentication response message to the 3GPP AAA Server/HSS according to the NAI.
  • the UE, BRAS, and 3GPP AAA Server/HSS perform an EAP-SIM/AKA process.
  • the AP sends an EAP authentication response/SIM/notification message to the BRAS.
  • BRAS forwards EAP authentication response / SIM / notification to AGW.
  • the BRAS can encapsulate the EAP authentication response/SIM/notification message into a RADIUS/Diameter protocol packet, and forward the RADIUS/Diameter protocol packet to the AGW.
  • the AGW forwards the RADIUS/Diameter protocol packet to the 3GPP AAA Server/HSS.
  • the 3GPP AAA Server/HSS may send an EAP Success Response (e.g., EAP Success) message to the AGW.
  • the 3GPP AAA Server/HSS may also send the UE's subscription data (for example, user profile) to the AGW.
  • the subscription data of the UE may include the subscription APN of the UE.
  • the 3GPP AAA Server/HSS may also send the default APN (default APN) pre-configured by the network side to the AGW together with the subscription data of the UE.
  • the 3GPP AAA Server/HSS can send the EAP success response message, the subscription data, and the APN in the RADIUS/Diameter protocol packet to the AGW.
  • the AGW sends a tunnel establishment request message to the 3GPP AAA Server/HSS.
  • the AGW may discover or select the PGW according to the pre-configured APN or the UE subscription APN, and send a GTP/PMIP tunnel establishment request message to the PGW, for example, a Create PDP Request message or a Proxy Update (with APN and UE ID) message.
  • the PGW allocates an IP address to the UE according to the pre-configured APN or the subscription APN of the UE.
  • the PGW replies to the AGW with a GTP/PMIP tunnel establishment response message, for example, a Create PDP Response message or a Proxy Update ACK message, to establish a GTP/PMIP tunnel with the AGW.
  • the GTP/PMIP tunnel setup response message carries an IP address allocated for the UE.
  • the AGW encapsulates the IP address and the EAP success response message in a RADIUS/Diameter message and sends the packet to the BRAS.
  • the BRAS forwards the EAP success response message to the UE.
  • the UE After receiving the EAP success response message, the UE sends a DHCP request message to the BRAS through the AP. After receiving the DHCP request message, the BRAS sends a DHCP response message to the UE, where the DHCP response message carries the IP address allocated by the PGW to the UE.
  • a virtual private network VPN tunnel is configured between the BRAS and the PGW, so that the BRAS and the PGW exchange data (for example, IP packets) through the VPN tunnel.
  • the GTP/PMIP tunnel and the VPN tunnel are bound by the AGW, so that data is exchanged between the BRAS and the PDG through the bound GTP/PMIP tunnel and VPN tunnel.
  • the BRAS can use the VPN tunnel to send uplink data to the AGW.
  • the VPN routing table can be statically configured on the BRAS, as shown in Table 3. Based on the VPN routing table, the BRAS selects a VPN tunnel (for example, a GRE tunnel) to encapsulate and forward the uplink data according to the domain information (Domain) of the UE.
  • the AGW may use a VPN tunnel (e.g., a GRE tunnel) to send downlink data to the BRAS, and may use the GTP/PMIP tunnel to send uplink data to the PGW.
  • the AGW can bind the VPN tunnel and the GTP/PMIP tunnel. That is, the mapping between the VPN tunnel and the GTP/PMIP tunnel is dynamically maintained on the AGW according to the IP address assigned by the PGW to the UE, as shown in Table 2.
  • the AGW selects a GRE tunnel or a GTP tunnel to transmit the data according to the IP address of the UE included in the data (for example, an IP packet).
  • FIG. 13 is a schematic diagram of a system architecture for accessing a mobile network, in accordance with one embodiment of the present invention.
  • the UE 1210 accesses the WLAN/WiFi through the AP 1220.
  • the BRAS 1230 of WLAN/WiFi is directly connected to the PGW 1240.
  • the BRAS 1230 and the PGW 1240 communicate with each other through RADIUS/Diameter packets, and communicate with the user plane through the VPN tunnel.
  • the PGW 1240 is responsible for assigning an IP address to the UE 1210 and completing the UE's authentication process with the 3GPP AAA 1250/HSS 1260.
  • FIG. 14 is a schematic diagram of a system architecture for accessing a mobile network, in accordance with one embodiment of the present invention.
  • the UE 1310 accesses WLAN/WiFi through the AP 1320, and the AGW 1340 is connected between the BRAS 1330 and the PGW 1370 of the WLAN/WiFi.
  • the signaling plane between the BRAS 1330 and the AGW 1340 communicates through RADIUS/Diameter messages.
  • the AGW 1340 communicates with the PGW 1370 through the GTP/PMIP tunnel for the communication plane, communicates with the BRAS 1330 through the VPN tunnel, and dynamically generates the binding relationship between the VPN tunnel and the GTP/PMIP tunnel according to the IP address assigned to the UE.
  • the PGW 1370 is responsible for assigning an IP address to the UE 1310.
  • the AGW 1340 completes the authentication process for the UE 1310 with the 3GPP AAA 1350/HSS 1360.
  • the UE accesses the 3GPP network through tunnel-less access, and the service experience is consistent with 3GPP access.
  • the impact on the BRAS is small according to the embodiment of the present invention, because the VPN tunnel function and the RADIUS/Diameter protocol function related to the embodiment of the present invention are basic functions of the BRAS, and access to the 3GPP network can be realized through simple configuration.
  • the functions of the 3GPP AAA interface and the EAP message identification according to the embodiments of the present invention need not be implemented on the BRAS, so the impact on the current WLAN/WiFi access network is small and easy to implement.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of this embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium, including a number of instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc, and the like, which can store program code.
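
The access-server (BRAS) side of method 800 and the FIG. 11 flow, as an added example that is not code from the patent: the BRAS decapsulates the RADIUS message from the gateway, forwards the EAP packet, and answers a DHCP request with an address only once EAP Success and the gateway-allocated IP have arrived. Carrying the EAP packet in EAP-Message (attribute 79) and the address in Framed-IP-Address (attribute 8) is an assumption, as are the class and function names and the sample values.

```python
import ipaddress
import struct

# Constants from RFC 2865 (RADIUS), RFC 3579 (EAP over RADIUS), RFC 3748 (EAP).
ACCESS_ACCEPT = 2
ATTR_FRAMED_IP_ADDRESS = 8   # assumption: the patent does not name the attribute
ATTR_EAP_MESSAGE = 79
EAP_SUCCESS = 3


def build_access_accept(identifier, eap_packet, ip):
    """Gateway side: one Access-Accept carrying the EAP packet and the UE's IP.

    Constructed sample only: the authenticator is zeroed and no
    Message-Authenticator is added, so integrity checking is out of scope here.
    """
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(eap_packet)]) + eap_packet
    attrs += bytes([ATTR_FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(ip).packed
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_radius(packet):
    """Return (code, {attr_type: [values]}), rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


class AccessServer:
    """Hypothetical BRAS model: an address exists for a UE only after EAP Success."""

    def __init__(self):
        self.sessions = {}  # ue_id -> IP allocated by the gateway

    def on_radius_from_gateway(self, ue_id, packet):
        """Decapsulate and return the EAP packet to forward to the UE (or None)."""
        code, attrs = parse_radius(packet)
        eap = b"".join(attrs.get(ATTR_EAP_MESSAGE, []))
        if len(eap) < 4:
            return None
        ips = attrs.get(ATTR_FRAMED_IP_ADDRESS, [])
        authenticated = code == ACCESS_ACCEPT and eap[0] == EAP_SUCCESS
        if authenticated and len(ips) == 1 and len(ips[0]) == 4:
            self.sessions[ue_id] = str(ipaddress.IPv4Address(ips[0]))
        return eap

    def on_dhcp_request(self, ue_id):
        """Address for the DHCP response, or None while EAP has not succeeded."""
        return self.sessions.get(ue_id)


def run_flow():
    """UE sends DHCP early, completes EAP, then sends a new DHCP request."""
    bras = AccessServer()
    ue = "ue-1"                                   # constructed identifier
    early = bras.on_dhcp_request(ue)              # before EAP success: no address
    eap_success = struct.pack("!BBH", EAP_SUCCESS, 7, 4)
    accept = build_access_accept(42, eap_success, "10.45.0.7")  # constructed IP
    forwarded = bras.on_radius_from_gateway(ue, accept)
    late = None
    if forwarded and forwarded[0] == EAP_SUCCESS:
        late = bras.on_dhcp_request(ue)           # the repeated request succeeds
    return early, forwarded, late


if __name__ == "__main__":
    print(run_flow())
```

A deployment would also verify the RADIUS Response Authenticator and Message-Authenticator before trusting either attribute; the sketch leaves that out.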

Abstract

Provided in embodiments of the present invention are a method, system, and user equipment applicable in accessing a mobile network. The device comprises: a receiver module applicable in receiving an EAP success response message from an authentication server, a transmitter module applicable in transmitting to an access server the EAP success response message and an internet protocol (IP) address allocated to the user equipment. The embodiments of the present invention are capable of utilizing the device applicable in accessing the mobile network to transmit to the access server the EAP success response message returned by the authentication server together with the IP address allocated to the user equipment. Because the process utilizes a basic function supported by the access server, modifications to the access server can be reduced, thereby facilitating access to the mobile network.

Description

Method and apparatus for accessing a mobile network and user equipment

Technical Field

Embodiments of the present invention relate to the field of communications technologies and, more particularly, to a method and apparatus for accessing a mobile network and to user equipment.

Background
To support a better user experience and to be compatible with multiple access technologies, the evolved mobile network can simultaneously support 3GPP (The 3rd Generation Project Partnership) access technology and non-3GPP access technologies, for example, WiFi (Wireless Fidelity), WLAN (Wireless Local Area Networks), and CDMA (Code Division Multiple Access).

WLAN/WiFi can access the 3GPP network in the trusted access mode to access packet services. In the trusted access mode, the UE (User Equipment) supports the basic WLAN/WiFi access function and the EAP access authentication function, and performs EAP authentication with the BRAS (Broadband Remote Access Server) of the WLAN/WiFi access network and the 3GPP AAA (Authority, Authentication and Accounting). In addition, the WLAN access network needs to support GTP (General Packet Radio Service Tunnel Protocol)/PMIP (Proxy Mobile IP) tunnels, so that the WLAN access network can communicate directly with the PGW (Packet Data Network Gateway).

In the trusted access mode, the BRAS needs to be modified to support the functions involved in trusted access, for example, the GTP/PMIP interface and the EAP function. However, it may not be possible to support these functions by simply upgrading the BRAS, and the BRAS may even need to be replaced.

Summary of the Invention
Embodiments of the present invention provide a method and apparatus for accessing a mobile network and a user equipment, which can reduce the modification of the access server and thereby make access to the mobile network easier to implement.

In one aspect, an apparatus for accessing a mobile network is provided, including: a receiving module, configured to receive an EAP success response message from an authentication server; and a sending module, configured to send, to an access server, the EAP success response message and an Internet Protocol (IP) address allocated to the user equipment.

In another aspect, an apparatus for accessing a mobile network is provided, characterized by including: a receiving module, configured to receive, after EAP authentication of a user equipment succeeds, an EAP success response message and an IP address allocated to the user equipment from a gateway device; and a sending module, configured to send the EAP success response message to the user equipment, where the receiving module further receives an IP connection establishment request message sent by the user equipment after it receives the EAP success response message, and the sending module further sends, after the receiving module receives the IP connection establishment request message, an IP connection establishment response message to the user equipment, the IP connection establishment response message carrying the IP address, so that the user equipment accesses the mobile network according to the IP address.

In another aspect, a user equipment is provided, characterized by including: a sending module, configured to send an EAP authentication message to an access server, so as to complete EAP authentication of the user equipment with an authentication server; and a receiving module, configured to receive an EAP success response message from the access server, where, if the sending module sends an IP connection establishment request message to the access server before the EAP authentication succeeds, then after the receiving module receives the EAP success response message, the sending module again sends a new IP connection establishment request message to the access server to obtain the IP address configured by the gateway device for the user equipment, and the receiving module further receives an IP connection establishment response message from the access server, the IP connection establishment response message carrying the IP address.

In another aspect, a method for accessing a mobile network is provided, characterized by including: receiving an EAP success response message from an authentication server; and sending, to an access server, the EAP success response message and an IP address allocated to a user equipment, so that the access server forwards the EAP success response message to the user equipment and the user equipment, after obtaining the IP address from the access server, accesses the mobile network according to the IP address.

In another aspect, a method for accessing a mobile network is provided, characterized by including: receiving, from a gateway device, an EAP success response message and an IP address allocated by the gateway device to a user equipment; sending the EAP success response message to the user equipment; receiving an IP connection establishment request message sent by the user equipment after it receives the EAP success response message; and, after receiving the IP connection establishment request message, sending an IP connection establishment response message to the user equipment, the IP connection establishment response message carrying the IP address, so that the user equipment accesses the mobile network according to the IP address.

In another aspect, a method for accessing a mobile network is provided, characterized by including: sending an EAP authentication message to an access server, so as to complete EAP authentication of a user equipment with an authentication server; if an IP connection establishment request message is sent to the access server before the EAP authentication succeeds, then, after the EAP success response message is received from the access server, sending a new IP connection establishment request message to the access server again to obtain the IP address configured by the gateway device for the user equipment; and receiving an IP connection establishment response message from the access server, the IP connection establishment response message carrying the IP address.

Embodiments of the present invention can use the above apparatus for accessing a mobile network to send the EAP success response message returned by the authentication server, together with the IP address allocated to the user equipment, to the access server. Because this process uses basic functions already supported by the access server, the modification of the access server can be reduced, making access to the mobile network easier to implement.

Brief Description of the Drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

FIG. 1 is a schematic diagram of an architecture of a system in accordance with one embodiment of the present invention.

FIG. 2 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 3 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 4 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 5 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 6 is a schematic block diagram of an apparatus for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 7 is a schematic structural diagram of a user equipment according to an embodiment of the present invention.

FIG. 8 is a schematic flow diagram of a method for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 9 is a schematic flow diagram of a method for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 10 is a schematic flowchart of a method for accessing a mobile network according to an embodiment of the present invention.

FIG. 11 is a schematic flow chart of a process of accessing a mobile network according to an embodiment of the present invention.

FIG. 12 is a schematic flowchart of a process of accessing a mobile network according to an embodiment of the present invention.

FIG. 13 is a schematic diagram of a system architecture for accessing a mobile network, in accordance with one embodiment of the present invention.

FIG. 14 is a schematic diagram of a system architecture for accessing a mobile network, in accordance with one embodiment of the present invention.

Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The technical solutions of the present invention can be applied to various communication systems, for example: Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA) systems, Wideband Code Division Multiple Access (WCDMA), General Packet Radio Service (GPRS), Long Term Evolution (LTE), LTE-Advanced (LTE-A), and so on. The embodiments are described using WLAN/WiFi access to a 3GPP SAE (System Architecture Evolution) network as an example, but they are not limited to this; they also apply to scenarios in which other non-3GPP networks (for example, CDMA) access a 3GPP network to use packet services.
A UE may also be called a mobile terminal, mobile user equipment, and so on. The UE may be a mobile terminal such as a mobile phone (also called a "cellular" phone) or a computer with a mobile terminal, for example a portable, pocket-sized, handheld, computer built-in or vehicle-mounted mobile apparatus, which exchanges language and/or data with the radio access network.
FIG. 1 is a schematic architecture diagram of a system 10 according to an embodiment of the present invention. The system 10 includes a UE 11, an AP (Access Point) 12, an access server 13, a gateway device 14 and an authentication server 15. The UE 11 accesses the WLAN/WiFi network through the AP 12, the AP 12 is connected to the access server 13, the access server 13 is connected to the gateway device 14, and the gateway device 14 is connected to the authentication server 15.
FIG. 2 is a schematic structural diagram of an apparatus 100 for accessing a mobile network according to an embodiment of the present invention. An example of the apparatus 100 of FIG. 2 is the gateway device 14 in the system of FIG. 1, for example an AGW (Access Gateway) or a PGW. The apparatus 100 includes a receiving module 110 and a sending module 120.
The receiving module 110 receives an EAP (Extensible Authentication Protocol) success response message from the authentication server. The sending module 120 sends the EAP success response message and the IP address allocated to the UE to the access server, so that the access server forwards the EAP success response message to the UE and the UE, after obtaining the IP address from the access server, accesses the mobile network using that IP address.
According to an embodiment of the present invention, the authentication server may be a 3GPP AAA server/HSS (Home Subscriber Server), and the access server may be a BRAS in WLAN/WiFi, or an access server or gateway device in another non-3GPP network that can perform a similar function.
Embodiments of the present invention can have the gateway device take part in the EAP authentication of the user equipment, and have the gateway device send the EAP success response message returned by the authentication server, together with the IP address allocated to the user equipment, to the access server. Because this process uses basic functions that the access server already supports, it reduces the modifications required to the access server and makes access to the mobile network easier to implement.
According to an embodiment of the present invention, during the EAP authentication the receiving module 110 receives, from the access server, the EAP authentication message sent by the UE, and the sending module 120 sends the EAP authentication message to the authentication server, so that the EAP authentication of the UE is completed between the UE and the authentication server. After the authentication server has successfully EAP-authenticated the user equipment, the receiving module 110 receives the EAP success response message from the authentication server.
For example, the EAP authentication message may be an EAP authentication response message. When the UE performs authentication or accesses a packet service, it may send the BRAS a message that triggers EAP authentication. After receiving that message, the BRAS may send an EAP authentication request message to the UE. After receiving the EAP authentication request message, the UE may send the EAP authentication response message to the BRAS.
According to an embodiment of the present invention, the receiving module 110 receives, from the access server, the EAP authentication message encapsulated in a first packet of the RADIUS (Remote Authentication Dial In User Service) protocol or of its upgraded version, the Diameter protocol. The sending module 120 sends the EAP authentication message encapsulated in the first RADIUS/Diameter protocol packet to the authentication server, and sends the IP address and the EAP success response message encapsulated in a second RADIUS/Diameter protocol packet to the access server. The UE accesses the packet service network in this tunnel-free manner, and the service experience is consistent with that of 3GPP access technologies.
For example, because the BRAS supports the RADIUS/Diameter function, the gateway device (for example, a PGW or AGW) and the BRAS can carry out signaling-plane communication using RADIUS/Diameter protocol packets. After EAP authentication succeeds, the gateway device can also encapsulate the allocated IP address together with the EAP success response message in a RADIUS/Diameter protocol packet and send it to the BRAS. According to embodiments of the present invention, a gateway device is added between the BRAS and the authentication server to take part in the EAP authentication process, and only the RADIUS/Diameter function that the BRAS already supports is used; the BRAS does not need to implement an interface to the authentication server, EAP message recognition or similar functions. This reduces the modifications required to the BRAS and makes access to the mobile network easier to implement.
FIG. 3 is a schematic structural diagram of an apparatus 200 for accessing a mobile network according to an embodiment of the present invention. An example of the apparatus 200 is the gateway device 14 in the system 10 of FIG. 1, for example a PGW. The receiving module 210 and the sending module 220 of FIG. 3 are similar to the modules 110 and 120 of FIG. 2, so a detailed description is omitted here where appropriate.
In addition to the receiving module 210 and the sending module 220, the apparatus 200 includes an allocation module 230. The allocation module 230 allocates an IP address to the UE according to a preconfigured access point name (APN, Access Point Name) or the access point name contained in the UE's subscription data. The receiving module 210 receives the UE's subscription data from the authentication server at the same time as it receives the EAP success response message from the authentication server.
For example, the gateway device (for example, a PGW) may also be responsible for allocating an IP address to the UE. The APN may be preconfigured on the network side or obtained from the UE's subscription data; the present invention is not limited to this, and the APN may also be obtained in other ways. In addition, the authentication server may encapsulate the EAP success response message, the subscription data and the APN in a RADIUS/Diameter protocol packet and send them together to the PGW, so that the PGW allocates an IP address to the UE according to the APN.
Optionally, as another embodiment, the apparatus 200 further includes a configuration module 240. The configuration module 240 configures a VPN (Virtual Private Network) tunnel between the apparatus 200 and the access server, so that data is exchanged with the access server through the VPN tunnel.
For example, after an IP address has been allocated to the UE, the PGW can use the configuration module 240 to configure, according to that IP address, a VPN tunnel between the PGW and the BRAS, for example a GRE (Generic Route Encapsulation) tunnel. Because the BRAS also supports the VPN tunnel function, the PGW and the BRAS can carry out user-plane data communication through the VPN tunnel; for example, the PGW selects the VPN tunnel according to the UE's IP address to send downlink data to the BRAS. According to embodiments of the present invention, when access to the mobile network is implemented, the BRAS only needs to be configured on the basis of functions it already supports; no new functions need to be added.
Embodiments of the present invention can have the gateway device take part in the EAP authentication of the user equipment, and have the gateway device send the EAP success response message returned by the authentication server, together with the IP address allocated to the user equipment, to the access server. In addition, the VPN tunnel function of the access server can be used for user-plane data communication. Because this process uses only basic functions that the access server already supports, it reduces the modifications required to the access server and makes access to the mobile network easier to implement.
FIG. 4 is a schematic structural diagram of an apparatus 300 for accessing a mobile network according to an embodiment of the present invention. An example of the apparatus 300 is the gateway device 14 in the system 10 of FIG. 1, for example an AGW. The apparatus 300 includes a receiving module 310 and a sending module 320. The modules 310 and 320 of FIG. 4 are similar to the modules 110 and 120 of FIG. 2, so a detailed description is omitted here where appropriate.
In addition to the receiving module 310 and the sending module 320, the apparatus 300 includes an obtaining module 330. After the EAP success response message has been received from the authentication server, the obtaining module 330 obtains the IP address allocated to the UE from an independent packet data gateway (for example, a PGW).
According to an embodiment of the present invention, the obtaining module 330 obtains the IP address allocated to the UE from the packet data gateway according to the access point name contained in the UE's subscription data or a preconfigured access point name, where the receiving module 310 receives the UE's subscription data from the authentication server at the same time as it receives the EAP success response message from the authentication server.
For example, the AGW may carry the APN in the GTP/PMIP tunnel request message it sends to the PGW; the PGW then allocates an IP address to the UE according to the APN and carries that IP address in the GTP/PMIP tunnel response message it returns to the AGW. The APN may be preconfigured on the network side. Optionally, the APN may also be obtained from the UE's subscription data. The present invention is not limited to this, and the APN may also be obtained in other ways. The authentication server may encapsulate the EAP success response message, the subscription data and the APN in a RADIUS/Diameter protocol packet and send them together to the AGW.
Optionally, as another embodiment, the apparatus 300 further includes a configuration module 340, an establishing module 360 and a binding module 350.
The configuration module 340 configures a VPN tunnel between the apparatus 300 and the access server. The establishing module 360 establishes a GTP/PMIP tunnel with the packet data gateway. The binding module 350 binds the GTP/PMIP tunnel to the VPN tunnel, so that data is exchanged between the access server and the packet data gateway through the bound GTP/PMIP tunnel and VPN tunnel.
For example, after the obtaining module 330 has obtained the IP address from the PGW, the AGW can use the configuration module 340 to configure, according to that IP address, a VPN tunnel (for example, a GRE tunnel) between the AGW and the BRAS, and can establish a GTP/PMIP tunnel with the PGW. In addition, the AGW can establish a mapping between the VPN tunnel and the GTP/PMIP tunnel in order to bind the two. Because the BRAS also supports the VPN tunnel function, the AGW and the BRAS can carry out user-plane data communication through the VPN tunnel. For example, after receiving downlink data sent by the PGW over the GTP/PMIP tunnel, the AGW selects the VPN tunnel according to the mapping between the VPN tunnel and the GTP/PMIP tunnel and sends the downlink data to the BRAS. Likewise, after receiving uplink data sent by the BRAS over the VPN tunnel, the AGW selects the GTP tunnel according to the same mapping and sends the uplink data to the PGW.
Embodiments of the present invention can have the gateway device take part in the EAP authentication of the user equipment, and have the gateway device send the EAP success response message returned by the authentication server, together with the IP address allocated to the user equipment, to the access server. In addition, the VPN tunnel function of the access server can be used for user-plane data communication. Because this process uses only basic functions that the access server already supports, it reduces the modifications required to the access server and makes access to the mobile network easier to implement.
FIG. 5 is a schematic structural diagram of an apparatus 400 for accessing a mobile network according to an embodiment of the present invention. An example of the apparatus 400 is the access server 13 in the system 10 of FIG. 1, for example a BRAS. The apparatus 400 includes a receiving module 410 and a sending module 420.
The receiving module 410 receives, from the gateway device, the EAP success response message and the IP address allocated to the UE. The sending module 420 sends the EAP success response message to the user equipment. The receiving module 410 also receives the IP connection establishment request message that the user equipment sends after receiving the EAP success response message. After the receiving module 410 has received the IP connection establishment request message, the sending module 420 sends the user equipment an IP connection establishment response message that carries the IP address, so that the user equipment accesses the mobile network using that IP address.
Embodiments of the present invention can have the gateway device take part in the EAP authentication of the user equipment, and have the gateway device send the EAP success response message returned by the authentication server, together with the IP address allocated to the user equipment, to the access server. Because this process uses basic functions that the access server already supports, it reduces the modifications required to the access server and makes access to the mobile network easier to implement.
According to an embodiment of the present invention, during the EAP authentication the receiving module 410 receives the EAP authentication message from the UE, and the sending module 420 sends the EAP authentication message to the gateway device, so that the gateway device forwards the EAP authentication message to the authentication server and the EAP authentication of the UE is completed between the UE and the authentication server. After the EAP authentication of the user equipment succeeds, the receiving module 410 receives, from the gateway device, the EAP success response message and the IP address allocated to the user equipment.
For example, the EAP authentication message may be an EAP authentication response message. When the UE performs authentication or accesses a packet service, it may send the BRAS a message that triggers EAP authentication. After receiving that message, the BRAS may send an EAP authentication request message to the UE. After receiving the EAP authentication request message, the UE may send the EAP authentication response message to the BRAS.
For example, the EAP authentication message may be an EAP authentication response message. For example, when the UE performs authentication or accesses a PS service, it sends the BRAS a message that triggers EAP authentication; after receiving that message, the BRAS sends an EAP authentication request message to the UE, and after receiving the EAP authentication request message, the UE sends an EAP authentication response message to the BRAS.
According to an embodiment of the present invention, the receiving module 410 receives, from the gateway device, the EAP success response message and the IP address encapsulated in a first RADIUS/Diameter protocol packet, and the sending module 420 sends the gateway device the EAP authentication message encapsulated in the first RADIUS/Diameter protocol packet.
According to an embodiment of the present invention, if the receiving module 410 receives the IP connection establishment request message from the user equipment before the EAP authentication succeeds, then after the EAP authentication has succeeded and the receiving module 410 has received a new IP connection establishment request message from the user equipment, the sending module 420 sends the user equipment an IP connection establishment response message that carries the IP address.
The gateway device can encapsulate the EAP success response message and the IP address in a RADIUS/Diameter protocol packet and send them together to the BRAS, and the BRAS obtains the IP address from that packet, for example by decapsulating the RADIUS/Diameter protocol packet. Embodiments of the present invention are not limited to this; for example, the EAP success response message and the IP address may also be sent in separate messages. According to the present invention, the BRAS communicates with the authentication server through the gateway device using only the RADIUS/Diameter function it already supports, so EAP authentication is achieved without implementing an interface to the authentication server, EAP message recognition or similar functions on the BRAS. This reduces the modifications required to the BRAS and makes access to the mobile network easier to implement.
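The encapsulation and decapsulation described in the passages above (the gateway device packing the EAP success response and the UE's IP address into one RADIUS packet, and the BRAS extracting the address), as an added example that is not part of the patent text. It covers the RADIUS case only; carrying the address in Framed-IP-Address is an assumption, since the patent names no attribute, and the shared secret and all values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
ATTR_FRAMED_IP = 8       # Framed-IP-Address (RFC 2865); assumed carrier for the UE address
ATTR_EAP_MESSAGE = 79    # EAP-Message (RFC 3579)
ATTR_MSG_AUTH = 80       # Message-Authenticator (RFC 3579)
EAP_SUCCESS = 3          # EAP code for Success (RFC 3748)


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_accept(ident, request_auth, secret, eap_id, ue_ip):
    """Gateway side: EAP-Success and the UE's IP address in one Access-Accept."""
    eap = struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)
    body = (_attr(ATTR_EAP_MESSAGE, eap)
            + _attr(ATTR_FRAMED_IP, ipaddress.IPv4Address(ue_ip).packed))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body) + 18)
    # Message-Authenticator: HMAC-MD5 over the packet with the Request
    # Authenticator in the authenticator field and the attribute value zeroed.
    unsigned = header + request_auth + body + _attr(ATTR_MSG_AUTH, bytes(16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    attrs = body + _attr(ATTR_MSG_AUTH, mac)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_access_accept(packet, request_auth, secret):
    """BRAS side: verify both integrity fields, then extract EAP id and UE IP."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator")

    eap, ue_ip, mac = b"", None, None
    zeroed = bytearray(attrs)
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("attribute length out of bounds")
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == ATTR_EAP_MESSAGE:
            eap += value                      # EAP may span several attributes
        elif attr_type == ATTR_FRAMED_IP:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            ue_ip = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_MSG_AUTH:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            mac = value
            zeroed[pos + 2:pos + attr_len] = bytes(16)
        pos += attr_len

    if mac is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    expected = hmac.new(secret, packet[:4] + request_auth + bytes(zeroed),
                        hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad Message-Authenticator")
    if len(eap) != 4 or eap[0] != EAP_SUCCESS or eap[2:4] != b"\x00\x04":
        raise ValueError("EAP payload is not an EAP-Success")
    if ue_ip is None:
        raise ValueError("no IP address delivered with EAP-Success")
    return {"eap_id": eap[1], "ue_ip": ue_ip}


if __name__ == "__main__":
    # Constructed sample values: shared secret, Request Authenticator, UE address.
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))
    pkt = build_access_accept(7, request_auth, secret, 42, "10.20.30.40")
    print(parse_access_accept(pkt, request_auth, secret))
```

Because the BRAS hands the extracted address to the UE in its later IP connection establishment response, checking both the Response Authenticator and the Message-Authenticator before trusting the address ties it to the gateway device that holds the shared secret.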
According to an embodiment of the present invention, the IP connection establishment request message may be a DHCP (Dynamic Host Configuration Protocol) request message, and the IP connection establishment response message may be a DHCP response message.
In addition, for a data-card UE, when the UE accesses a packet service the DHCP request message may already have been sent before the EAP authentication process completes. In that case, to ensure that the IP address allocated to the UE is obtained successfully, the UE can send the IP connection establishment request message to the BRAS again after the EAP authentication completes, or after the gateway device has configured an IP address for the UE and sent it to the BRAS.
In embodiments of the present invention, when access to the mobile network is implemented, the access server can receive the IP address sent together with the EAP success response message from the gateway device that takes part in the EAP authentication. Because this process uses basic functions that the access server already supports, it reduces the modifications required to the access server and makes access to the mobile network easier to implement.
FIG. 6 is a schematic structural diagram of an apparatus 500 for accessing a mobile network according to an embodiment of the present invention. An example of the apparatus 500 is the access server 13 in the system 10 of FIG. 1, for example a BRAS. The apparatus 500 includes a receiving module 510, a sending module 520 and a configuration module 530. The modules 510 and 520 of FIG. 6 are similar to the modules 410 and 420 of FIG. 5, so a detailed description is omitted here where appropriate.
The configuration module 530 configures a VPN tunnel between the apparatus 500 and the gateway device, so that data is exchanged with the gateway device through the VPN tunnel. For example, the BRAS can use the configuration module 530 to statically configure a VPN tunnel (for example, a GRE tunnel) between the BRAS and the gateway device. Because the BRAS itself supports the VPN tunnel function, the BRAS and the gateway device can carry out user-plane data communication through the VPN tunnel; for example, based on a statically configured VPN routing table, the BRAS can select a VPN tunnel (for example, a GRE tunnel) according to the user's domain information (Domain) to encapsulate and forward uplink data.
In embodiments of the present invention, when access to the mobile network is implemented, the access server can use functions it already supports to receive from the gateway device the IP address sent together with the EAP success response message, and can use its own VPN tunnel function for user-plane data communication. Because this process uses basic functions that the access server already supports, it reduces the modifications required to the access server and makes access to the mobile network easier to implement.
FIG. 7 is a schematic structural diagram of a user equipment UE 600 according to an embodiment of the present invention. The UE 600 includes a receiving module 610 and a sending module 620. The UE 600 is an example of the UE 11 in the system 10 of FIG. 1, for example a data-card UE.
The sending module 620 sends an EAP authentication message to the access server, so that the EAP authentication of the UE is completed with the authentication server.
The receiving module 610 receives an EAP success response message from the access server. If the sending module 620 sent an IP connection establishment request message to the access server before the EAP authentication succeeded, then after the receiving module 610 receives the EAP success response message, the sending module 620 sends a new IP connection establishment request message to the access server in order to obtain the IP address that the gateway device configured for the user equipment. The receiving module 610 also receives an IP connection establishment response message from the access server, and that response message carries the IP address. The gateway device can encapsulate the EAP success response message and the IP address in a RADIUS/Diameter protocol packet and send them together to the BRAS, and the BRAS can extract the IP address from the RADIUS/Diameter protocol packet by decapsulating it.
根据本发明的实施例, 上述 IP连接建立请求消息可以为 DHCP请求消 息, 上述 IP连接建立响应消息可以为 DHCP响应消息。  According to an embodiment of the present invention, the foregoing IP connection establishment request message may be a DHCP request message, and the IP connection establishment response message may be a DHCP response message.
另外, 对于数据卡类 UE来说, UE在访问分组业务时, DHCP请求消 息可能在 EAP认证过程完成之前就已经发送, 这时, 为了确保成功获取为 UE为配的 IP地址, 可以在 EAP认证完成后, 或者在上述网关设备为 UE配 置 IP地址并发送给 BRAS之后,由 UE再次向 BRAS发送 DHCP请求消息。  In addition, for the data card type UE, when the UE accesses the packet service, the DHCP request message may be sent before the EAP authentication process is completed. In this case, in order to ensure successful acquisition of the IP address assigned to the UE, the EAP authentication may be performed. After completion, or after the gateway device configures an IP address for the UE and sends it to the BRAS, the UE sends a DHCP request message to the BRAS again.
本发明实施例可以利用网关设备参与对用户设备的 EAP认证过程, 并 公利用了接入服务器的基本功能, 从而减少了对接入服务器的改造。 另外, 根据本发明实施例, UE在 EAP认证完成后再次向接入服务器发送 IP连接 建立请求消息 , 以确保成功获取分配的 IP地址。  The embodiment of the present invention can utilize the gateway device to participate in the EAP authentication process for the user equipment, and publicly utilize the basic functions of the access server, thereby reducing the modification of the access server. In addition, according to the embodiment of the present invention, the UE sends an IP connection setup request message to the access server again after the EAP authentication is completed, to ensure successful acquisition of the allocated IP address.
FIG. 8 is a schematic flowchart of a method 700 for accessing a mobile network according to an embodiment of the present invention. Method 700 of FIG. 8 may be performed by the gateway device of FIG. 2, FIG. 3 and FIG. 4.
710. Receive an EAP success response message from the authentication server.
720. Send the EAP success response message and the IP address allocated to the UE to the access server, so that the access server forwards the EAP success response message to the UE, and the UE, after obtaining the IP address from the access server, accesses the mobile network according to the IP address.
Embodiments of the present invention can have the gateway device take part in the EAP authentication process for the user equipment, and have the gateway device send the EAP success response message returned by the authentication server to the access server together with the IP address allocated to the user equipment. Because this process relies on basic functions that the access server already supports, fewer modifications to the access server are needed, which makes access to the mobile network easier to implement.
According to an embodiment of the present invention, when the EAP authentication is performed, the EAP authentication message sent by the UE is received from the access server and sent to the authentication server, so that EAP authentication of the UE is completed between the UE and the authentication server; after the authentication server's EAP authentication of the user equipment succeeds, the EAP success response message is received from the authentication server.
According to another embodiment of the present invention, method 700 further includes: after EAP authentication of the UE succeeds, receiving an EAP success response message from the authentication server; and allocating the IP address to the UE according to a pre-configured access point name or the access point name contained in the UE's subscription data, where the UE's subscription data is received from the authentication server at the same time as the EAP success response message.
According to another embodiment of the present invention, method 700 further includes: sending the EAP success response message and the IP address allocated to the UE to the access server, so that the access server forwards the EAP success response message to the UE, and the UE, after obtaining the IP address from the access server, accesses the mobile network according to the IP address.
According to another embodiment of the present invention, method 700 further includes: configuring a VPN tunnel with the access server, so as to exchange data with the access server through the VPN tunnel.
According to another embodiment of the present invention, method 700 further includes: after receiving the EAP success response message from the authentication server, obtaining the IP address allocated to the UE from the packet data gateway.
According to an embodiment of the present invention, when the IP address allocated to the UE is obtained from the packet data gateway, it is obtained according to the access point name contained in the UE's subscription data or a pre-configured access point name, where the UE's subscription data is received from the authentication server at the same time as the EAP success response message.
According to another embodiment of the present invention, method 700 further includes: configuring a VPN tunnel with the access server; establishing a GTP/PMIP tunnel with the packet data gateway; and binding the GTP/PMIP tunnel and the VPN tunnel, so that data is exchanged between the access server and the packet data gateway through the bound GTP/PMIP tunnel and VPN tunnel.
In 710, an EAP authentication message encapsulated in a first RADIUS/Diameter protocol packet is received from the access server, and the EAP authentication message encapsulated in the first RADIUS/Diameter protocol packet is sent to the authentication server.
In 720, the IP address and the EAP success response message, encapsulated in a second RADIUS/Diameter protocol packet, are sent to the access server.
FIG. 9 is a schematic flowchart of a method 800 for accessing a mobile network according to an embodiment of the present invention. Method 800 of FIG. 9 may be performed by the access server of FIG. 5 and FIG. 6, for example, by a BRAS.
810. Receive, from the gateway device, an EAP success response message and the IP address that the gateway device allocated to the UE.
820. Send the EAP success response message to the UE.
830. Receive the IP connection establishment request message that the UE sends after receiving the EAP success response message.
840. After receiving the IP connection establishment request message, send an IP connection establishment response message to the user equipment. The response message carries the IP address, so that the user equipment accesses the mobile network according to the IP address.
Embodiments of the present invention can have the gateway device take part in the EAP authentication process for the user equipment, and have the gateway device send the EAP success response message returned by the authentication server to the access server together with the IP address allocated to the user equipment. Because this process relies on basic functions that the access server already supports, fewer modifications to the access server are needed, which makes access to the mobile network easier to implement.
According to an embodiment of the present invention, when EAP authentication is performed, an EAP authentication message is received from the UE and sent to the gateway device, so that the gateway device forwards it to the authentication server and EAP authentication of the UE is completed between the UE and the authentication server; after the authentication server's EAP authentication of the user equipment succeeds, the EAP success response message and the IP address that the gateway device allocated to the user equipment are received from the gateway device.
According to an embodiment of the present invention, the method further includes: if the IP connection establishment request message was received from the UE before the EAP authentication succeeded, then in 840 the IP connection establishment response message is sent to the user equipment only after the EAP authentication has succeeded and a new IP connection establishment request message has been received from the user equipment.
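The ordering rule in steps 810 to 840, including the early-request case, as an added example (not code from the patent). The class and function names are hypothetical, and two behaviours are assumptions: sessions are keyed by the UE's MAC address, and a DHCP request that arrives before EAP success is left unanswered.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EAP_SUCCESS, EAP_FAILURE = 3, 4          # EAP codes (RFC 3748)


@dataclass
class Session:
    authenticated: bool = False
    ue_ip: Optional[str] = None          # address that arrived with EAP success
    early_requests: int = 0              # DHCP requests seen before EAP success


class AccessServer:
    """Access-server (BRAS) side of steps 810-840; hypothetical model."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}   # keyed by UE MAC (assumption)

    def on_eap_start(self, mac: str) -> None:
        self.sessions[mac] = Session()           # fresh, unauthenticated session

    def on_gateway_result(self, mac: str, eap_code: int,
                          ue_ip: Optional[str] = None) -> int:
        """810/820: keep the IP sent with EAP success, forward the EAP result."""
        if mac not in self.sessions:
            raise KeyError("no EAP exchange in progress for " + mac)
        if eap_code == EAP_SUCCESS:
            if not ue_ip:
                raise ValueError("EAP success arrived without an IP address")
            session = self.sessions[mac]
            session.authenticated, session.ue_ip = True, ue_ip
        else:
            del self.sessions[mac]               # failed authentication: no state kept
        return eap_code

    def on_dhcp_request(self, mac: str) -> Optional[str]:
        """830/840: answer only for an authenticated session."""
        session = self.sessions.get(mac)
        if session is None:
            return None                          # unknown UE: no lease
        if not session.authenticated:
            session.early_requests += 1          # early request: unanswered (assumption)
            return None
        return session.ue_ip


class DataCardUE:
    """UE side (steps 910-930): re-requests its address after EAP success."""

    def __init__(self, mac: str, bras: AccessServer) -> None:
        self.mac, self.bras, self.ip = mac, bras, None

    def request_ip(self) -> Optional[str]:
        self.ip = self.bras.on_dhcp_request(self.mac)
        return self.ip

    def on_eap_result(self, eap_code: int) -> Optional[str]:
        if eap_code == EAP_SUCCESS and self.ip is None:
            return self.request_ip()             # 920: new DHCP request
        return self.ip


def attach(gateway_ip: Optional[str],
           eap_code: int = EAP_SUCCESS) -> Tuple[Optional[str], Optional[str]]:
    """Run one attach; returns (answer to early DHCP, address after EAP)."""
    bras = AccessServer()
    ue = DataCardUE("02:00:00:00:00:01", bras)   # constructed MAC address
    bras.on_eap_start(ue.mac)
    early = ue.request_ip()                      # sent before EAP completes
    code = bras.on_gateway_result(ue.mac, eap_code, gateway_ip)
    return early, ue.on_eap_result(code)


if __name__ == "__main__":
    print(attach("10.20.30.40"))                 # constructed address
    print(attach(None, EAP_FAILURE))
```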
According to another embodiment of the present invention, method 800 further includes: configuring a VPN tunnel with the gateway device, so as to exchange data with the gateway device through the VPN tunnel.
In 810, the EAP success response message and the IP address, encapsulated in a first RADIUS/Diameter protocol packet, are received from the gateway device.
According to an embodiment of the present invention, when the EAP authentication message is sent to the gateway device, the EAP authentication message encapsulated in the first RADIUS/Diameter protocol is sent to the gateway device.
FIG. 10 is a schematic flowchart of a method for accessing a mobile network according to an embodiment of the present invention. Method 900 of FIG. 10 may be performed by the UE of FIG. 7.
910. Send an EAP authentication message to the access server, so that EAP authentication of the UE is completed with the authentication server.
920. If an IP connection establishment request message was sent to the access server before the EAP authentication succeeded, then after the EAP success response message is received from the access server, send a new IP connection establishment request message to the access server to obtain the IP address that the gateway device configured for the user equipment.
930. Receive an IP connection establishment response message from the access server, where the response message carries the IP address.
According to an embodiment of the present invention, the EAP success response message and the IP address may be encapsulated together by the gateway device in a RADIUS/Diameter protocol packet and sent to the BRAS, and the BRAS may extract the IP address from that RADIUS/Diameter protocol packet by decapsulation.
Embodiments of the present invention can have the gateway device take part in the EAP authentication process for the user equipment and make use of the basic functions of the access server, thereby reducing modification of the access server. In addition, according to embodiments of the present invention, the UE sends the IP connection establishment request message to the access server again after EAP authentication completes, to ensure that the allocated IP address is obtained successfully.
FIG. 11 is a schematic flowchart of a process of accessing a mobile network according to an embodiment of the present invention. The process of FIG. 11 is an example of the methods of FIG. 8, FIG. 9 and FIG. 10, in which WLAN/WiFi accesses the 3GPP SAE (System Architecture Evolution) network using the trusted access method.
1010. The UE sends a message for triggering EAP authentication. For example, when the UE performs authentication or accesses a packet service, it sends an EAPOL-start message through the AP to the AC (Access Controller)/BRAS to trigger the EAP authentication process.
1015. After receiving the message that triggers EAP authentication, the BRAS sends an EAP authentication request message to the UE. For example, after receiving the EAPOL-start message, the BRAS sends an EAP Request/Identity message to the UE to request the UE's ID (identity).
1020. The UE sends an EAP authentication response message to the BRAS, for example, an EAP Response/Identity message, which carries an NAI (Network Access Identifier) used to identify the UE. The NAI contains the UE ID (IMSI (International Mobile Subscriber Identification Number) information) and domain information, for example, NAI1 = 0<IMSI>@ wlan.mnc.mcc.3gppnetwork.org.
1025. The BRAS encapsulates the EAP authentication response message in a RADIUS/Diameter protocol packet and sends the packet to the corresponding PGW. For example, to route this signalling, the BRAS configures the PGW as the next hop for the RADIUS/Diameter protocol packet.
1030. The PGW forwards the RADIUS/Diameter protocol packet that encapsulates the EAP authentication response message to the 3GPP AAA Server/HSS according to the NAI.
1035. The UE, the BRAS and the 3GPP AAA Server/HSS perform the EAP-SIM/AKA procedure. This procedure is similar to the conventional EAP-SIM/AKA procedure and is not described again here.
1040. During the EAP-SIM/AKA procedure, when the UE receives an EAP request/SIM/notification message (for example, EAP Request/SIM/Notification), it sends an EAP authentication response/SIM/notification message (for example, EAP Response/SIM/Notification) to the BRAS through the AP.
1045. The BRAS forwards the EAP authentication response/SIM/notification to the PGW. For example, the BRAS may encapsulate the EAP authentication response/SIM/notification in a RADIUS/Diameter protocol packet and forward the packet to the PGW.
1050. The PGW forwards the RADIUS/Diameter protocol packet to the 3GPP AAA Server/HSS.
1055. After EAP authentication succeeds, the 3GPP AAA Server/HSS may send an EAP success response message (for example, EAP Success) to the PGW. In addition, the 3GPP AAA Server/HSS may also send the UE's subscription data (for example, the user profile) to the PGW. The UE's subscription data may include the UE's subscribed APN. Optionally, the 3GPP AAA Server/HSS may also send the default APN pre-configured on the network side to the PGW together with the UE's subscription data.
1060. The PGW allocates an IP address according to the pre-configured APN or the UE's subscribed APN.
1070. The PGW encapsulates the IP address and the EAP success response message together in a RADIUS/Diameter packet and sends it to the BRAS.
1075. The BRAS forwards the EAP success response message to the UE. For example, the BRAS decapsulates the RADIUS/Diameter packet to extract the EAP success response message, and sends the EAP success response message to the UE.
1080. After receiving the EAP success response message, the UE sends a DHCP request (DHCP Request) message to the BRAS through the AP.
1085. After receiving the DHCP request message, the BRAS sends a DHCP response (DHCP Response) message to the UE. The DHCP response message may carry the IP address that the PGW allocated to the UE.
1090. A virtual private network (VPN) tunnel is configured between the BRAS and the PGW, so that the BRAS and the PGW exchange data (for example, IP packets) through the VPN tunnel.
For example, the BRAS may use the VPN tunnel to send uplink data to the PGW. A VPN routing table may be statically configured on the BRAS, as shown in Table 3. Based on the VPN routing table, the BRAS selects a VPN tunnel (for example, a GRE tunnel) according to the UE's domain information (Domain) to encapsulate and forward uplink data.
Table 1 [table image not reproduced]
For example, the PGW may use a VPN tunnel (for example, a GRE tunnel) to encapsulate and forward downlink data. Based on the IP address that the PGW allocated to the UE, the correspondence between the UE IP address and the VPN tunnel may be maintained dynamically on the PGW, as shown in Table 2. For example, the PGW selects a GRE tunnel for sending data according to the UE's IP address.
Table 2 [table image not reproduced]
FIG. 12 is a schematic flowchart of a process of accessing a mobile network according to an embodiment of the present invention. The process of FIG. 12 is an example of the methods of FIG. 8, FIG. 9 and FIG. 10. Steps 1110, 1115, 1120, 1135, 1140, 1175, 1180 and 1185 of the process of FIG. 12 are similar to steps 1010, 1015, 1020, 1035, 1040, 1075, 1080 and 1085 of the process of FIG. 11, respectively, and are described here as appropriate.
1110. The UE sends a message for triggering EAP authentication.
1115. After receiving the message for triggering EAP authentication, the BRAS sends an EAP authentication request message to the UE.
1120. The UE sends an EAP authentication response message to the BRAS, for example, an EAP Response/Identity message, which carries an NAI used to identify the UE. The NAI contains the UE ID (IMSI information) and domain information.
1125. The BRAS encapsulates the EAP authentication response message in a RADIUS/Diameter protocol packet and sends the packet to the corresponding PGW. For example, to route this signalling, the BRAS configures the AGW as the next hop for the RADIUS/Diameter protocol packet.
1130. The AGW forwards the RADIUS/Diameter protocol packet that encapsulates the EAP authentication response message to the 3GPP AAA Server/HSS according to the NAI.
1135. The UE, the BRAS and the 3GPP AAA Server/HSS perform the EAP-SIM/AKA procedure.
1140. During the EAP-SIM/AKA procedure, when the UE receives an EAP request/SIM/notification message, it sends an EAP authentication response/SIM/notification message to the BRAS through the AP.
1145. The BRAS forwards the EAP authentication response/SIM/notification to the AGW. For example, the BRAS may encapsulate the EAP authentication response/SIM/notification message in a RADIUS/Diameter protocol packet and forward the packet to the AGW.
1150. The AGW forwards the RADIUS/Diameter protocol packet to the 3GPP AAA Server/HSS.
1155. After EAP authentication succeeds, the 3GPP AAA Server/HSS may send an EAP success response message (for example, EAP Success) to the AGW. In addition, the 3GPP AAA Server/HSS may also send the UE's subscription data (for example, the user profile) to the AGW. The UE's subscription data may include the UE's subscribed APN. Optionally, the 3GPP AAA Server/HSS may also send the default APN pre-configured on the network side to the AGW together with the UE's subscription data. The 3GPP AAA Server/HSS may encapsulate the EAP success response message, the subscription data and the APN together in a RADIUS/Diameter protocol packet and send it to the AGW.
1157. The AGW sends a tunnel establishment request message to the 3GPP AAA Server/HSS. For example, on receiving the RADIUS/Diameter protocol packet, the AGW may discover or select a PGW according to the pre-configured APN or the UE's subscribed APN, and send a GTP/PMIP tunnel establishment request message to the PGW, for example, a Create PDP Request message or a Proxy Update message (carrying the APN and the UE ID).
1160. The PGW allocates an IP address to the UE according to the pre-configured APN or the UE's subscribed APN.
1165. The PGW replies to the AGW with a GTP/PMIP tunnel establishment response message, for example, a Create PDP Response message or a Proxy Update ACK message, to establish a GTP/PMIP tunnel with the AGW. The GTP/PMIP tunnel establishment response message also carries the IP address allocated to the UE.
1170. The AGW encapsulates the IP address and the EAP success response message together in a RADIUS/Diameter packet and sends it to the BRAS.
1175. The BRAS forwards the EAP success response message to the UE.
1180. After receiving the EAP success response message, the UE sends a DHCP request message to the BRAS through the AP.
1185. After receiving the DHCP request message, the BRAS sends a DHCP response message to the UE. The DHCP response message may carry the IP address that the PGW allocated to the UE.
1190. A virtual private network (VPN) tunnel is configured between the BRAS and the PGW, so that the BRAS and the PGW exchange data (for example, IP packets) through the VPN tunnel. In addition, the AGW binds the GTP/PMIP tunnel and the VPN tunnel, so that data is exchanged between the BRAS and the PDG through the bound GTP/PMIP tunnel and VPN tunnel.
For example, the BRAS may use the VPN tunnel to send uplink data to the AGW. A VPN routing table may be statically configured on the BRAS, as shown in Table 3. Based on the VPN routing table, the BRAS selects a VPN tunnel (for example, a GRE tunnel) according to the UE's domain information (Domain) to encapsulate and forward uplink data.
Table 3 [table image not reproduced]
For example, the AGW may use a VPN tunnel (for example, a GRE tunnel) to send downlink data to the BRAS, and may use the GTP/PMIP tunnel to send uplink data to the PGW. The AGW may bind the VPN tunnel and the GTP/PMIP tunnel, that is, based on the IP address that the PGW allocated to the UE, dynamically maintain on the AGW the mapping between the VPN tunnel and the GTP/PMIP tunnel, as shown in Table 2. The AGW selects a GRE tunnel or a GTP tunnel for sending data according to the UE's IP address contained in the data (for example, an IP packet).
Table 4 [table image not reproduced]
FIG. 13 is a schematic diagram of a system architecture for accessing a mobile network according to an embodiment of the present invention. In the system shown in FIG. 13, the UE 1210 accesses WLAN/WiFi through the AP 1220, and the BRAS 1230 of the WLAN/WiFi is directly connected to the PGW 1240. The BRAS 1230 and the PGW 1240 communicate on the signalling plane through RADIUS/Diameter packets and on the user plane through a VPN tunnel. The PGW 1240 is responsible for allocating an IP address to the UE 1210 and, together with the 3GPP AAA 1250/HSS 1260, completes the authentication process for the UE.
FIG. 14 is a schematic diagram of a system architecture for accessing a mobile network according to an embodiment of the present invention. In the system shown in FIG. 14, the UE 1310 accesses WLAN/WiFi through the AP 1320, and the AGW 1340 is connected between the BRAS 1330 of the WLAN/WiFi and the PGW 1370. The signalling plane between the BRAS 1330 and the AGW 1340 communicates through RADIUS/Diameter packets. The AGW 1340 communicates with the PGW 1370 on the signalling plane through a GTP/PMIP tunnel, communicates with the BRAS 1330 on the user plane through a VPN tunnel, and dynamically generates the binding between the VPN tunnel and the GTP/PMIP tunnel according to the IP address allocated to the UE. The PGW 1370 is responsible for allocating an IP address to the UE 1310. The AGW 1340, together with the 3GPP AAA 1350/HSS 1360, completes the authentication process for the UE 1310.
According to embodiments of the present invention, the UE accesses the 3GPP network in a tunnel-free manner, and the service experience is consistent with that of 3GPP access. Second, embodiments of the present invention have little impact on the BRAS, because the VPN tunnel function and the RADIUS/Diameter protocol function involved are both basic functions of the BRAS, so access to the 3GPP network can be achieved with simple configuration. In addition, functions such as the 3GPP AAA interface and EAP message identification involved in embodiments of the present invention do not need to be implemented on the BRAS, so the impact on the current WLAN/WiFi access network is small and the solution is easy to implement.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
The functions may be stored in a computer-readable storage medium, including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any variation or replacement readily conceivable by a person skilled in the art within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. An apparatus for accessing a mobile network, comprising:
a receiving module, configured to receive an Extensible Authentication Protocol (EAP) success response message from an authentication server;
a sending module, configured to send the EAP success response message and an Internet Protocol (IP) address allocated to a user equipment to an access server.
2. The apparatus according to claim 1, wherein, when the EAP authentication is performed, the receiving module is configured to receive, from the access server, an EAP authentication message sent by the user equipment, and the sending module is configured to send the EAP authentication message to the authentication server, so that EAP authentication of the user equipment is completed between the user equipment and the authentication server; and after the EAP authentication of the user equipment by the authentication server succeeds, the receiving module is configured to receive the EAP success response message from the authentication server.
3. The apparatus according to claim 1 or 2, further comprising: an allocating module, configured to allocate the IP address to the user equipment according to a pre-configured access point name or an access point name included in subscription data of the user equipment, wherein the receiving module receives the subscription data of the user equipment from the authentication server at the same time as it receives the EAP success response message from the authentication server.
4. The apparatus according to any one of claims 1 to 3, further comprising:
a configuring module, configured to configure a virtual private network (VPN) tunnel with the access server, so as to exchange data with the access server through the VPN tunnel.
5. The apparatus according to claim 1 or 2, further comprising: an acquiring module, configured to acquire, from a packet data gateway, the IP address allocated to the user equipment after the EAP success response message is received from the authentication server.
6. The apparatus according to claim 5, wherein the acquiring module is configured to acquire, from the packet data gateway, the IP address allocated to the user equipment according to an access point name included in subscription data of the user equipment or a pre-configured access point name, wherein the receiving module is configured to receive the subscription data of the user equipment from the authentication server at the same time as it receives the EAP success response message from the authentication server.
7. The apparatus according to claim 5 or 6, further comprising:
a configuring module, configured to configure a VPN tunnel with the access server;
an establishing module, configured to establish a General Packet Radio Service Tunneling Protocol/Proxy Mobile Internet Protocol (GTP/PMIP) tunnel with the packet data gateway;
a binding module, configured to bind the GTP/PMIP tunnel and the VPN tunnel, so that data is exchanged between the access server and the packet data gateway through the bound GTP/PMIP tunnel and VPN tunnel.
8. An apparatus for accessing a mobile network, comprising:
a receiving module, configured to receive, from a gateway device, an EAP success response message and an IP address allocated to a user equipment; and
a sending module, configured to send the EAP success response message to the user equipment, wherein the receiving module further receives an IP connection establishment request message sent by the user equipment after the user equipment receives the EAP success response message, and the sending module further sends, after the receiving module receives the IP connection establishment request message, an IP connection establishment response message to the user equipment, the IP connection establishment response message carrying the IP address, so that the user equipment accesses the mobile network according to the IP address.
9. The apparatus according to claim 8, wherein, when the EAP authentication is performed, the receiving module is configured to receive an EAP authentication message from the user equipment, and the sending module is configured to send the EAP authentication message to the gateway device, so that the gateway device forwards the EAP authentication message to an authentication server and EAP authentication of the user equipment is completed between the user equipment and the authentication server; and after the EAP authentication of the user equipment succeeds, the receiving module is configured to receive, from the gateway device, the EAP success response message and the IP address allocated to the user equipment.
10. The apparatus according to claim 8 or 9, wherein, if the receiving module receives the IP connection establishment request message from the user equipment before the EAP authentication succeeds, then after the EAP authentication succeeds and the receiving module again receives a new IP connection establishment request message from the user equipment, the sending module is configured to send the IP connection establishment response message to the user equipment, the IP connection establishment response message carrying the IP address.
11. The apparatus according to any one of claims 8 to 10, further comprising:
a configuring module, configured to configure a VPN tunnel with the gateway device, so as to exchange data with the gateway device through the VPN tunnel.
12. A user equipment, comprising:
a sending module, configured to send an EAP authentication message to an access server, so as to complete EAP authentication of the user equipment with an authentication server;
a receiving module, configured to receive an EAP success response message from the access server,
wherein, if the sending module sends an IP connection establishment request message to the access server before the EAP authentication succeeds, then after the receiving module receives the EAP success response message, the sending module again sends a new IP connection establishment request message to the access server to acquire an IP address configured by a gateway device for the user equipment, and the receiving module further receives an IP connection establishment response message from the access server, the IP connection establishment response message carrying the IP address.
13. A method for accessing a mobile network, comprising:
receiving an EAP success response message from an authentication server;
sending the EAP success response message and an IP address allocated to a user equipment to an access server, so that the access server forwards the EAP success response message to the user equipment, and the user equipment, after acquiring the IP address from the access server, accesses the mobile network according to the IP address.
14. The method according to claim 13, wherein,
when the EAP authentication is performed, an EAP authentication message sent by the user equipment is received from the access server, and the EAP authentication message is sent to the authentication server; and after the EAP authentication of the user equipment by the authentication server succeeds, the EAP success response message is received from the authentication server.
15. The method according to claim 13 or 14, further comprising:
allocating the IP address to the user equipment according to a pre-configured access point name or an access point name included in subscription data of the user equipment, wherein the subscription data of the user equipment is received from the authentication server at the same time as the EAP success response message is received from the authentication server.
16. The method according to any one of claims 13 to 15, further comprising:
configuring a VPN tunnel with the access server, so as to exchange data with the access server through the VPN tunnel.
17. The method according to claim 13 or 14, further comprising:
after the EAP success response message is received from the authentication server, acquiring, from a packet data gateway, the IP address allocated to the user equipment.
18. The method according to claim 17, wherein the acquiring, from the packet data gateway, the IP address allocated to the user equipment comprises:
acquiring, from the packet data gateway, the IP address allocated to the user equipment according to an access point name included in subscription data of the user equipment or a pre-configured access point name, wherein the subscription data of the user equipment is received from the authentication server at the same time as the EAP success response message is received from the authentication server.
19. The method according to claim 17 or 18, further comprising:
configuring a VPN tunnel with the access server;
establishing a GTP/PMIP tunnel with the packet data gateway;
binding the GTP/PMIP tunnel and the VPN tunnel, so that data is exchanged between the access server and the packet data gateway through the bound GTP/PMIP tunnel and VPN tunnel.
20. The method according to any one of claims 14 to 19, wherein the receiving, from the access server, the EAP authentication message sent by the user equipment comprises:
receiving, from the access server, the EAP authentication message encapsulated in a first Remote Authentication Dial In User Service (RADIUS) protocol or Diameter protocol message,
wherein the sending the EAP authentication message to the authentication server comprises:
sending, to the authentication server, the EAP authentication message encapsulated in the first RADIUS protocol or Diameter protocol message,
wherein the sending the EAP success response message and the IP address to the access server comprises:
sending, to the access server, the IP address and the EAP success response message encapsulated in a second RADIUS protocol or Diameter protocol message.
21. A method for accessing a mobile network, comprising:
receiving, from a gateway device, an EAP success response message and an IP address allocated by the gateway device to a user equipment;
sending the EAP success response message to the user equipment;
receiving an IP connection establishment request message sent by the user equipment after the user equipment receives the EAP success response message;
after receiving the IP connection establishment request message, sending an IP connection establishment response message to the user equipment, the IP connection establishment response message carrying the IP address, so that the user equipment accesses the mobile network according to the IP address.
22. The method according to claim 21, wherein, when EAP authentication is performed, an EAP authentication message is received from the user equipment and the EAP authentication message is sent to the gateway device, so that the gateway device forwards the EAP authentication message to an authentication server and EAP authentication of the user equipment is completed between the user equipment and the authentication server; and after the EAP authentication of the user equipment by the authentication server succeeds, the EAP success response message and the IP address allocated by the gateway device to the user equipment are received from the gateway device.
23. The method according to claim 21 or 22, wherein, if the IP connection establishment request message is received from the user equipment before the EAP authentication succeeds, the sending an IP connection establishment response message to the user equipment after receiving the IP connection establishment request message comprises:
after the EAP authentication succeeds and a new IP connection establishment request message is received again from the user equipment, sending the IP connection establishment response message to the user equipment.
24. The method according to any one of claims 21 to 24, further comprising:
configuring a VPN tunnel with the gateway device, so as to exchange data with the gateway device through the VPN tunnel.
25. The method according to any one of claims 22 to 24, wherein the receiving, from the gateway device, the EAP success response message and the IP address allocated by the gateway device to the user equipment comprises:
receiving, from the gateway device, the EAP success response message and the IP address encapsulated in a first Remote Authentication Dial In User Service (RADIUS) protocol or Diameter protocol message,
wherein the sending the EAP authentication message to the gateway device comprises:
sending, to the gateway device, the EAP authentication message encapsulated in the first RADIUS protocol or Diameter protocol message.
26. A method for accessing a mobile network, comprising:
sending an EAP authentication message to an access server, so as to complete EAP authentication of a user equipment with an authentication server;
if an IP connection establishment request message is sent to the access server before the EAP authentication succeeds, then after the EAP success response message is received from the access server, sending a new IP connection establishment request message to the access server again to acquire an IP address configured by a gateway device for the user equipment;
receiving an IP connection establishment response message from the access server, the IP connection establishment response message carrying the IP address.
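The ordering in claims 8 to 10, 21 to 23 and 26, where the access server answers an IP connection establishment request only after EAP success and only for a new request, can be sketched as a small state machine with an audit over its event log. This is an added example, not code from the patent; the class, method and event names are hypothetical and the address is a constructed documentation value.

```python
"""Added illustration (not from the patent): an access server that answers an
IP connection establishment request only after EAP success. All names are
hypothetical; the address is a constructed documentation value."""
from dataclasses import dataclass, field
from typing import Optional

EAP_SUCCESS, EAP_FAILURE = "EAP-Success", "EAP-Failure"


@dataclass
class Session:
    authenticated: bool = False    # True only after the gateway relays EAP success
    ip: Optional[str] = None       # address delivered by the gateway with EAP success
    unanswered_requests: int = 0   # IP requests the access server did not answer


@dataclass
class AccessServer:
    sessions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (event, ue_id, detail) audit trail

    def _session(self, ue_id):
        return self.sessions.setdefault(ue_id, Session())

    def on_gateway_message(self, ue_id, eap_code, ip=None):
        """Gateway -> access server: EAP result, with the UE's IP on success."""
        s = self._session(ue_id)
        s.authenticated = eap_code == EAP_SUCCESS
        s.ip = ip if s.authenticated else None
        self.log.append((eap_code, ue_id, None))
        return eap_code   # only the EAP result is forwarded to the UE here

    def on_ip_request(self, ue_id):
        """UE -> access server: IP connection establishment request."""
        s = self._session(ue_id)
        if not s.authenticated or s.ip is None:
            s.unanswered_requests += 1
            self.log.append(("ip-request-ignored", ue_id, None))
            return None   # not answered; the UE must send a new request later
        self.log.append(("ip-response", ue_id, s.ip))
        return s.ip


def audit(log):
    """Return UE ids that were given an address without a prior EAP success."""
    authed, violations = set(), []
    for event, ue_id, _detail in log:
        if event == EAP_SUCCESS:
            authed.add(ue_id)
        elif event == EAP_FAILURE:
            authed.discard(ue_id)
        elif event == "ip-response" and ue_id not in authed:
            violations.append(ue_id)
    return violations


def run_demo():
    bras = AccessServer()
    first = bras.on_ip_request("ue-1")                        # before EAP success
    bras.on_gateway_message("ue-1", EAP_SUCCESS, "192.0.2.10")
    second = bras.on_ip_request("ue-1")                       # new request afterwards
    return first, second, audit(bras.log)


if __name__ == "__main__":
    print(run_demo())
```

The same `audit` function can be run over a log exported from a real access server, once its events are mapped to these three event names, to confirm that no address was handed out ahead of authentication.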
PCT/CN2011/080377 2011-09-29 2011-09-29 Method, device, and user equipment applicable in accessing mobile network WO2012149783A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201180001958.7A CN102388639B (en) 2011-09-29 2011-09-29 Method and device for accessing mobile network and user device
PCT/CN2011/080377 WO2012149783A1 (en) 2011-09-29 2011-09-29 Method, device, and user equipment applicable in accessing mobile network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/080377 WO2012149783A1 (en) 2011-09-29 2011-09-29 Method, device, and user equipment applicable in accessing mobile network

Publications (1)

Publication Number Publication Date
WO2012149783A1 true WO2012149783A1 (en) 2012-11-08

Family

ID=45826523

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/080377 WO2012149783A1 (en) 2011-09-29 2011-09-29 Method, device, and user equipment applicable in accessing mobile network

Country Status (2)

Country Link
CN (1) CN102388639B (en)
WO (1) WO2012149783A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685201A (en) * 2012-09-24 2014-03-26 中兴通讯股份有限公司 Method and system for WLAN user fixed network access
CN103841604B (en) * 2012-11-26 2017-08-11 中国电信股份有限公司 Method, system and the DPI devices of QoS processing are carried out in IP bearer networks
WO2014110768A1 (en) * 2013-01-17 2014-07-24 华为技术有限公司 Method for authenticating terminal by mobile network, network element, and terminal
TWI477180B (en) * 2013-01-17 2015-03-11 Chunghwa Telecom Co Ltd Differentiate the way of registering wireless base stations
CN103997546A (en) * 2013-02-18 2014-08-20 华为技术有限公司 Method and system for realizing communication in WLAN
ES2745087T3 (en) 2013-06-20 2020-02-27 Samsung Electronics Co Ltd Procedure and device to control multiple connections in wireless LAN
US9924548B2 (en) * 2015-04-14 2018-03-20 General Motors Llc Vehicle connectivity using a desired access point name
MY195382A (en) 2016-10-31 2023-01-18 Ericsson Telefon Ab L M Authentication for Next Generation Systems
CN109429363B (en) 2017-06-20 2021-04-20 华为技术有限公司 Session management method and device
CN109104448B (en) 2017-06-20 2021-10-01 华为技术有限公司 Session management method and device
CN110769482B (en) * 2019-09-16 2022-03-01 浙江大华技术股份有限公司 Method and device for network connection of wireless equipment and wireless router equipment
CN113381917B (en) * 2021-06-11 2022-09-16 中国电信股份有限公司 Network access method, device and system, readable storage medium and electronic equipment


Also Published As

Publication number Publication date
CN102388639A (en) 2012-03-21
CN102388639B (en) 2015-04-08


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201180001958.7

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11864895

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11864895

Country of ref document: EP

Kind code of ref document: A1