WO2014053188A1 - Using eap (fast) re-authentication to request a creation of an additional pdn connection - Google Patents

Info

Publication number
WO2014053188A1
Authority
WO
WIPO (PCT)
Prior art keywords
information element
packet data
data network
request
network connection
Prior art date
Application number
PCT/EP2012/069720
Other languages
French (fr)
Inventor
Jouni Korhonen
Gyorgy Tamas Wolfner
Original Assignee
Nokia Siemens Networks Oy
Application filed by Nokia Siemens Networks Oy
Priority to PCT/EP2012/069720
Publication of WO2014053188A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/162: Implementing security features at a particular protocol layer at the data link layer
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043: Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431: Key distribution or pre-distribution; Key agreement
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication

Definitions

  • the present invention relates to apparatuses, methods and a computer program product which use EAP (fast) re-authentication to request a creation of an additional PDN Connection.
  • Embodiments of the present invention relate to the use of a WLAN network as a Trusted WLAN Network (TWAN), more specifically to the solution specified for Trusted WLAN Access without UE impact (SaMOG_wlan) in section 16 of 3GPP TS 23.402 for Rel-11 (version 11.X.Y) and to the ongoing Rel-12 3GPP SA2 study documented in section 8 of TR 23.852.
  • TWAN Trusted WLAN Network
  • SaMOG_wlan Solution specified for Trusted WLAN Access without UE impact
  • Rel-11 specifications for trusted WLAN access enable the use of TWANs to access the EPC with legacy UEs. Because there is no mechanism by which the UE can send 3GPP-specific parameters (e.g. the requested APN and a HO indication) to the network via WLAN, the Rel-11 solutions have limitations: for example, no handover with IP address preservation is supported, and only a single PDN connection to the default APN is possible. In order to remove these limitations, a study is ongoing in 3GPP SA2. The main point of the work is to standardize a mechanism by which a UE can send 3GPP-specific parameters to the network via WLAN, enabling handovers with IP address preservation and multiple PDN connections for UEs.
  • 3GPP specific parameters e.g. requested APN and HO indication
  • EAP-AKA/AKA' for sending 3GPP specific parameters to the network.
  • a typical example of this approach can be found e.g. in section 8.2.1 of TR 23.852: during initial attach EAP is used to transfer the additional 3GPP specific parameters.
  • the current proposals are limited to the initial attach phase only, so that they are not applicable to support the creation of multiple PDN connections.
  • Embodiments of the present invention address this situation and aim to overcome the above-described disadvantages and provide a mechanism by which a UE can send 3GPP specific parameters to the network via WLAN to enable handovers with IP address preservation, and multiple PDN connections for UEs.
  • an apparatus which comprises a connection unit configured to provide connection to a wireless local area network, and a processor configured to send a request to the network to trigger a re-authentication according to an extensible authentication protocol, and to send, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
  • an apparatus which comprises a connection unit configured to provide connection to a wireless local area network, and a processor configured to receive a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol, to perform a re-authentication procedure with the user equipment, and to receive, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
  • a method comprises sending a request to a wireless local area network to trigger a re-authentication according to an extensible authentication protocol, and sending, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
  • a method comprises receiving a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol via a wireless local area network, performing a re-authentication procedure with the user equipment, receiving, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
  • a computer program product which comprises code means for performing a method according to any one of the third and fourth aspects or their modifications when run on a processing means or module.
  • an EAP re-authentication procedure is used in order to trigger creating (or deleting) an additional PDN connection.
  • Fig. 1 shows basic structures of a UE and an authenticator according to an embodiment of the present invention
  • Fig. 2 shows the structure of a new AT_NEW_PDN attribute according to embodiments of the present invention
  • Fig. 3 shows a signaling flow during triggering of a creation of a PDN connection according to an embodiment of the present invention
  • Fig. 4 shows a signaling flow according to an embodiment of the present invention, by which the authenticator informs that the feature according to the embodiment is supported by the network
  • Fig. 5 shows a signaling flow indicating a failure in creating the PDN connection according to an embodiment of the present invention
  • Fig. 6 shows a signaling flow indicating success in creating the PDN connection according to an embodiment of the present invention
  • Fig. 7 shows a signaling flow of a UE triggered deletion of the PDN connection according to an embodiment of the present invention
  • Fig. 8 shows a signaling flow of a network triggered deletion of the PDN connection according to an embodiment of the present invention.
  • Fig. 1 shows a user equipment (UE) 1 as an example for an apparatus according to a more general embodiment of the present invention.
  • the apparatus may also be only a part of the UE, for example.
  • the UE 1 comprises a processor 11 and a connection unit 12.
  • the connection unit 12 is configured to provide connection to a wireless local area network (WLAN).
  • the processor 11 is configured to send a request to the network to trigger a re-authentication according to an extensible authentication protocol (EAP) and to send, during the re-authentication procedure, an information element indicating a request to establish a packet data network connection via the wireless local area network.
  • EAP extensible authentication protocol
  • the information element may also indicate a request to delete a packet data network connection via the wireless local area network.
  • the UE 1 may further comprise a memory 13 for storing data and programs, by means of which the processor 11 may carry out its corresponding functions.
  • Fig. 1 further shows an authenticator 2 as an example for a corresponding apparatus according to a more general embodiment of the present invention.
  • an authenticator 2 could be an EAP server, AAA server or any other network entity which is capable of performing authentication and re-authentication.
  • the apparatus may also be only a part of the authenticator or the EAP server, for example.
  • the authenticator 2 comprises a processor 21 and a connection unit 22.
  • the connection unit 22 is configured to provide connection to a wireless local area network (WLAN).
  • WLAN wireless local area network
  • the processor 21 is configured to receive a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol, to perform a re-authentication procedure with the user equipment, to receive, during the re-authentication procedure, an information element indicating a request to establish a packet data network connection via the wireless local area network.
  • the information element may also indicate a request to delete a packet data network connection via the wireless local area network.
  • the processor 21 may initiate establishing or deleting a packet data network connection via the wireless local area network in response to the information element.
  • the authenticator may inform an access point (AP), which may be identified by an access point name (APN) included in the information element, or a default APN that the PDN connection to the UE is to be created.
  • AP access point
  • APN access point name
  • the authenticator 2 may further comprise a memory 23 for storing data and programs, by means of which the processor 21 may carry out its corresponding functions.
  • a mechanism is proposed, by which a UE requests a creation of a new (additional) PDN Connection by using an EAP re-authentication.
  • the EAP-AKA/AKA' (fast) re-authentication mechanism is used, as it is defined in RFC4187 or RFC5448, for example.
  • the mechanism described here is meant for IEEE 802-based media where IEEE 802.1X is available.
  • the mechanism fills a feature gap in the 3GPP SaMOG feature. It is noted that in the present embodiment, only the required signaling from the UE to the network for the creation of a new PDN Connection and the conveying of the APN name is described. The actual creation of the PDN connection can then be effected as known from the prior art, for example as specified in 3GPP TS 23.402. According to the present embodiment, the following issues are addressed:
  • Fig. 2 illustrates the new EAP attribute according to the embodiment of the present invention.
  • the attribute has the following properties:
  • the attribute type (AT_NEW_PDN) is from skippable attribute type number space i.e. must be 128 or greater.
  • the length is calculated as described in RFC4187.
  • connection identifier is a local identifier for the UE and the network to distinguish between PDN Connections (e.g. when multiple PDN Connections to the same APN are used).
  • the value 0xffffffff means there is no specific value given.
  • the attribute can be used for both directions. It is noted that the above detailed definitions for the attribute are only examples, and the attribute may be defined in a different way, depending on the actual implementation.
  • the UE sends the 802.1X EAPOL Start message to the authenticator.
  • the authenticator sends an EAP Request/Identity to the UE in S3-2, and the UE responds with an EAP Response/Identity in S3-3 including a fast re-authentication identity.
  • the authenticator recognizes the identity and agrees on using fast re-authentication, and sends an EAP-Request/AKA-Reauthentication to the UE in S3-4.
  • the UE sends an EAP-Response/AKA-Reauthentication in S3-5.
  • the EAP-Response/AKA-Reauthentication contains the AT_NEW_PDN, in which action is set to "Create", and in which also the APN is indicated to which a new connection is to be established.
  • the further process regarding the re-authentication is continued as specified in RFC4187, for example. Thereafter, the new PDN connection is created, as indicated in S3-6. It is noted that for creation of the new PDN connection, other network elements than the authenticator are involved.
  • if the authenticator does not agree on using fast re-authentication in response to S3-3, a full authentication will be performed.
  • the authenticator sends an EAP-Request/AKA-Re-Challenge to the UE.
  • the UE sends an EAP-Response/AKA-Re-Challenge in which the AT_NEW_PDN attribute is included.
  • the network uses the AT_NEW_PDN attribute e.g. in EAP-Request/AKA-Reauthentication or EAP-Request/AKA-Challenge to indicate support for the feature described in this invention.
  • the connection identifier is set to 0xffffffff, the APN name is set to one '\0' octet and the length is set to 2.
  • the Action is set to INFORM.
  • the authenticator sends an EAP-Request/AKA-Reauthentication to the UE including the AT_NEW_PDN attribute in which action is set to "inform". That is, in S3-4 shown in Fig. 3, this attribute may be inserted.
  • a new AT_NOTIFICATION notification code has to be defined. This code is then sent by the EAP-server in EAP-Request/AKA-Notification to the UE.
  • the notification values are not specifically limited since there can be multiple depending on the deployment scenarios.
  • the general rule is that both S and P bits must be set to 0, which indicates an error after a successful authentication, but the APN & PDN specific authorization or such failed.
  • An example for this is illustrated in Fig. 5.
  • S5-1 to S5-5 are the same or similar to S3-1 to S3-5 of Fig. 3.
  • the authenticator (EAP server) sends an EAP-Request/AKA-Notification to the UE, which responds with an EAP-Response/AKA-Notification in S5-7. Thereafter, the authenticator sends a notification code indicating a failure in S5-8.
  • a network specific information prior or during the PDN Connection establishment is sent to the UE using an EAP-Request/AKA-Notification (such as VLAN tags, selected APN) which indicates success.
  • EAP-Request/AKA-Notification such as VLAN tags, selected APN
  • the EAP-Success received by the UE is an indication that the signaling of the new PDN Connection creation has succeeded.
  • S6-1 to S6-5 are the same or similar to S3-1 to S3-5 of Fig. 3.
  • the authenticator EAP server
  • the authenticator sends a notification code indicating success.
  • the creation of the new PDN connection is continued, as indicated in Fig. 3 in S3-6.
  • the actual procedure of the PDN connection establishment e.g. the timing of the EAP messages
  • the timing of the EAP messages is not described in the present embodiment and can be carried out as in the prior art.
  • a UE initiated PDN connection release is described.
  • a UE can also trigger via (fast) re-authentication mechanism the release of a PDN connection.
  • the UE acts as in case 1) but the Action is set to DELETE and the Connection identifier is set to a meaningful value that identifies the PDN Connection to be released.
  • the APN may or may not contain the APN name. If the APN is not included, then only one '\0' octet is included in the APN name.
  • the UE sends the 802.1X EAPOL Start message to the authenticator, in order to trigger the re-authentication procedure.
  • the authenticator sends an EAP Request/Identity to the UE in S7-2, and the UE responds with an EAP Response/Identity in S7-3, similar as described above in connection with Fig. 3.
  • the authenticator recognizes the identity and agrees on using fast re-authentication, and sends an EAP-Request/AKA-Reauthentication to the UE in S7-4.
  • the UE sends an EAP-Response/AKA-Reauthentication in S7-5.
  • the EAP Response/Identity contains the AT_NEW_PDN, in which action is set to "Delete". Thereafter, the PDN connection is deleted.
  • the AT_NEW_PDN attribute with action set to "inform" is included in EAP-Request/Reauthentication.
  • the invention is not limited to this.
  • the corresponding information may be included in general network information/specification, so that it is not always necessary to insert the above attribute in order to inform the UE.
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the invention in terms of the functionality implemented;
  • a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Apparatuses and methods are provided by which a request is sent from a user equipment to a wireless local area network to trigger a re-authentication according to an extensible authentication protocol. During the re-authentication procedure, an information element is sent that indicates a request to establish or delete a packet data network connection from the user equipment via the wireless local area network.

Description

DESCRIPTION
TITLE
Using EAP (fast) re-authentication to request a creation of an additional PDN Connection
Field of the Invention
The present invention relates to apparatuses, methods and a computer program product which use EAP (fast) re-authentication to request a creation of an additional PDN Connection.
Related Background Art
The following meanings for the abbreviations used in this specification apply:
AAA Authentication, Authorization and Accounting
AKA Authentication and Key Agreement
AP Access Point
APN Access Point Name
DHCP Dynamic Host Configuration Protocol
EAP Extensible Authentication Protocol
EPC Evolved Packet Core
EPS Evolved Packet System
GPRS General Packet Radio Service
IP Internet Protocol
LTE Long Term Evolution
PDN Packet Data Network
PGW Packet Data Network Gateway
SaMOG S2a Mobility based on GPRS Tunneling Protocol
TWAN Trusted WLAN Network
UE User Equipment
VLAN Virtual Local Area Network
WLAN Wireless Local Area Network
3GPP 3rd Generation Partnership Project
Embodiments of the present invention relate to the use of a WLAN network as a Trusted WLAN Network (TWAN), more specifically to the solution specified for Trusted WLAN Access without UE impact (SaMOG_wlan) in section 16 of 3GPP TS 23.402 for Rel-11 (version 11.X.Y) and to the ongoing Rel-12 3GPP SA2 study documented in section 8 of TR 23.852.
Rel-11 specifications for trusted WLAN access enable the use of TWANs to access the EPC with legacy UEs. Because there is no mechanism by which the UE can send 3GPP-specific parameters (e.g. the requested APN and a HO indication) to the network via WLAN, the Rel-11 solutions have limitations: for example, no handover with IP address preservation is supported, and only a single PDN connection to the default APN is possible. In order to remove these limitations, a study is ongoing in 3GPP SA2. The main point of the work is to standardize a mechanism by which a UE can send 3GPP-specific parameters to the network via WLAN, enabling handovers with IP address preservation and multiple PDN connections for UEs.
There have been proposals to employ DHCP for the UE-to-network signalling. Since DHCP is inherently more difficult for 3GPP UEs to modify in a global manner, it is unlikely that such a solution would be accepted globally. On the other hand, EAP-AKA/AKA' is more or less 3GPP specific, so modifications to it are easier to roll out.
There are also proposals to use EAP-AKA/AKA' for sending 3GPP-specific parameters to the network. A typical example of this approach can be found in section 8.2.1 of TR 23.852: during initial attach, EAP is used to transfer the additional 3GPP-specific parameters. However, the current proposals are limited to the initial attach phase only, so they are not applicable to support the creation of multiple PDN connections.
Summary of the Invention
Embodiments of the present invention address this situation and aim to overcome the above-described disadvantages and provide a mechanism by which a UE can send 3GPP specific parameters to the network via WLAN to enable handovers with IP address preservation, and multiple PDN connections for UEs.
According to a first aspect of the present invention an apparatus is provided which comprises a connection unit configured to provide connection to a wireless local area network, and a processor configured to send a request to the network to trigger a re-authentication according to an extensible authentication protocol, and to send, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
According to a second aspect of the present invention an apparatus is provided which comprises a connection unit configured to provide connection to a wireless local area network, and a processor configured to receive a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol, to perform a re-authentication procedure with the user equipment, and to receive, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
According to a third aspect of the present invention a method is provided which comprises sending a request to a wireless local area network to trigger a re-authentication according to an extensible authentication protocol, and sending, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
According to a fourth aspect of the present invention a method is provided which comprises receiving a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol via a wireless local area network, performing a re-authentication procedure with the user equipment, receiving, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
Modifications of the above aspects are defined in the dependent claims.
According to a fifth aspect of the present invention, a computer program product is provided which comprises code means for performing a method according to any one of the third and fourth aspects or their modifications when run on a processing means or module.
Thus, according to embodiments of the present invention, an EAP re-authentication procedure is used in order to trigger creating (or deleting) an additional PDN connection.
Brief Description of the Drawings
These and other objects, features, details and advantages will become more fully apparent from the following detailed description of embodiments of the present invention which is to be taken in conjunction with the appended drawings, in which:
Fig. 1 shows basic structures of a UE and an authenticator according to an embodiment of the present invention,
Fig. 2 shows the structure of a new AT_NEW_PDN attribute according to embodiments of the present invention,
Fig. 3 shows a signaling flow during triggering of a creation of a PDN connection according to an embodiment of the present invention,
Fig. 4 shows a signaling flow according to an embodiment of the present invention, by which the authenticator informs that the feature according to the embodiment is supported by the network,
Fig. 5 shows a signaling flow indicating a failure in creating the PDN connection according to an embodiment of the present invention,
Fig. 6 shows a signaling flow indicating success in creating the PDN connection according to an embodiment of the present invention,
Fig. 7 shows a signaling flow of a UE triggered deletion of the PDN connection according to an embodiment of the present invention, and
Fig. 8 shows a signaling flow of a network triggered deletion of the PDN connection according to an embodiment of the present invention.
Detailed Description of embodiments
In the following, description will be made to embodiments of the present invention. It is to be understood, however, that the description is given by way of example only, and that the described embodiments are by no means to be understood as limiting the present invention thereto.
Fig. 1 shows a user equipment (UE) 1 as an example of an apparatus according to a more general embodiment of the present invention. The apparatus may also be only a part of the UE, for example. The UE 1 comprises a processor 11 and a connection unit 12. The connection unit 12 is configured to provide connection to a wireless local area network (WLAN). The processor 11 is configured to send a request to the network to trigger a re-authentication according to an extensible authentication protocol (EAP) and to send, during the re-authentication procedure, an information element indicating a request to establish a packet data network connection via the wireless local area network. Alternatively, the information element may also indicate a request to delete a packet data network connection via the wireless local area network.
Optionally, the UE 1 may further comprise a memory 13 for storing data and programs, by means of which the processor 11 may carry out its corresponding functions.
Fig. 1 further shows an authenticator 2 as an example of a corresponding apparatus according to a more general embodiment of the present invention. Another example of such an apparatus could be an EAP server, an AAA server or any other network entity which is capable of performing authentication and re-authentication. The apparatus may also be only a part of the authenticator or the EAP server, for example. The authenticator 2 comprises a processor 21 and a connection unit 22. The connection unit 22 is configured to provide connection to a wireless local area network (WLAN). The processor 21 is configured to receive a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol, to perform a re-authentication procedure with the user equipment, and to receive, during the re-authentication procedure, an information element indicating a request to establish a packet data network connection via the wireless local area network. Alternatively, the information element may also indicate a request to delete a packet data network connection via the wireless local area network.
After this, the processor 21 may initiate establishing or deleting a packet data network connection via the wireless local area network in response to the information element. For example, the authenticator may inform an access point (AP), which may be identified by an access point name (APN) included in the information element or by a default APN, that the PDN connection to the UE is to be created.
Optionally, similar to the case of the UE 1, the authenticator 2 may further comprise a memory 23 for storing data and programs, by means of which the processor 21 may carry out its corresponding functions.
Hence, according to some embodiments of the present invention, a mechanism is proposed, by which a UE requests a creation of a new (additional) PDN Connection by using an EAP re-authentication.
According to a more detailed embodiment, the EAP-AKA/AKA' (fast) re-authentication mechanism is used, as defined in RFC4187 or RFC5448, for example. The mechanism described here is meant for IEEE 802-based media where IEEE 802.1X is available. The mechanism fills a feature gap in the 3GPP SaMOG feature. It is noted that in the present embodiment, only the required signaling from the UE to the network for the creation of a new PDN Connection and the conveying of the APN name is described. The actual creation of the PDN connection can then be effected as known from the prior art, for example as specified in 3GPP TS 23.402. According to the present embodiment, the following issues are addressed:
1) A UE initiated trigger when to create a new PDN Connection,
2) How the EAP server indicates that it supports the feature,
3) How the network indicates to the UE that the creation of the new PDN failed,
4) How the network indicates to the UE that the creation of the PDN succeeded, and
5) How the UE or the network initiates a deletion of the PDN Connection.
Fig. 2 illustrates the new EAP attribute according to the embodiment of the present invention.
The attribute has the following properties:
The attribute type (AT_NEW_PDN) is from the skippable attribute type number space, i.e. it must be 128 or greater.
The length is calculated as described in RFC4187.
Action is either INFORM (0), CREATE (1) or DELETE (2).
The connection identifier is a local identifier for the UE and the network to distinguish between PDN Connections (e.g. when multiple PDN Connections to the same APN are used). The value 0xffffffff means there is no specific value given.
The APN name is encoded as defined in TS 23.003 and a trailing '\0' octet is added to mark the end of the string.
The attribute can be used for both directions. It is noted that the above detailed definitions for the attribute are only examples, and the attribute may be defined in a different way, depending on the actual implementation.
In the following, the above issues 1 ) to 5) to be provided by the embodiments of the present invention are explained in more detail.
1 ) How the UE triggers the creation of the new PDN Connections:
It is assumed that the UE has already authenticated to the network. When a new PDN Connection needs to be created the UE sends an IEEE 802.1 X EAPOL Start message to the authenticator. The authenticator responses, as it must, with EAP-Request/ldentity. The UE responses to this as expected for a re-authentication. After the UE receives the server acceptance for fast re-authentication (EAP-Request/AKA-Reauthentication) from the server then the UE sends the EAP-Response/AKA-Re-Authentication message including the AT_NEW_PDN with appropriate values filled in. The Action in the AT_NEW_PDN is set to CREATE, and if the UE would like to have a connection not to default APN then it shall include the APN as well.
This process is illustrated in Fig. 3. In S3-1 , the UE sends the 802.1X EAPOL Start message to the authenticator. In response to this, the authenticator sends an EAP Request/Identity to the UE in S3-2, and the UE responds with an EAP Response/Identity in S3-3 including a fast re-authentication identity. The authenticator recognizes the identity and agrees on using fast re-authentication, and sends an EAP-Request/AKA- Reauthentication to the UE in S3-4. In response to this, the UE sends a EAP- Response/AKA-Reauthentication in S3-5. The EAP-Response/AKA-Reauthentication contains the AT_NEW_PDN, in which action is set to "Create", and in which also the APN is indicated to which a new connection is to be established.
The further process regarding the re-authentication is continued as specified in RFC4187, for example. Thereafter, the new PDN connection is created, as indicated in S3-6. It is noted that for creation of the new PDN connection, other network elements than the authenticator are involved.
Moreover, if the authenticator does not agree to fast re-authentication in response to S3-3, a full authentication is performed. During such a full authentication, the authenticator (EAP server) sends an EAP-Request/AKA-Challenge to the UE, and the UE replies with an EAP-Response/AKA-Challenge in which the AT_NEW_PDN attribute is included.
2) How the EAP server indicates support for the functionality described in this invention:
The network uses the AT_NEW_PDN attribute, e.g. in EAP-Request/AKA-Reauthentication or EAP-Request/AKA-Challenge, to indicate support for the feature described in this invention. When sent by the EAP server as a feature support indication, the connection identifier is set to 0xffffffff, the APN name is set to a single '\0' octet, the length is set to 2 and the Action is set to INFORM.
An example for this is illustrated in Fig. 4. In S4-1, the authenticator sends an EAP-Request/AKA-Reauthentication to the UE including the AT_NEW_PDN attribute in which the action is set to "inform". That is, this attribute may be inserted in S3-4 shown in Fig. 3.
3) How the network indicates to the UE that the creation of the new PDN Connection failed:
A new AT_NOTIFICATION notification code has to be defined. This code is sent by the EAP server to the UE in an EAP-Request/AKA-Notification. The notification values are not specifically limited, since there can be several depending on the deployment scenario. The general rule is that both the S and P bits must be set to 0, which indicates an error after a successful authentication: the authentication itself succeeded, but the APN- or PDN-specific authorization (or similar) failed. An example for this is illustrated in Fig. 5. S5-1 to S5-5 are the same as or similar to S3-1 to S3-5 of Fig. 3. In S5-6, the authenticator (EAP server) sends an EAP-Request/AKA-Notification to the UE, which responds with an EAP-Response/AKA-Notification in S5-7. Thereafter, the authenticator sends a notification code indicating a failure in S5-8.
4) How the network indicates to the UE that the creation of the PDN Connection succeeded:
Network-specific information (such as VLAN tags or the selected APN) is sent to the UE, before or during PDN Connection establishment, using an EAP-Request/AKA-Notification that indicates success. Generally, the EAP-Success received by the UE is an indication that the signaling for the new PDN Connection creation has succeeded.
An example for this is shown in Fig. 6. S6-1 to S6-5 are the same as or similar to S3-1 to S3-5 of Fig. 3. In S6-6, the authenticator (EAP server) sends an EAP-Request/AKA-Notification to the UE, which responds with an EAP-Response/AKA-Notification in S6-7. Thereafter, the authenticator sends a notification code indicating success. After this, the creation of the new PDN Connection is continued, as indicated in S3-6 of Fig. 3.
As mentioned above, the actual procedure of the PDN connection establishment (e.g. the timing of the EAP messages) is not described in the present embodiment and can be carried out as in the prior art.
5) How the UE or the network initiates a deletion of the PDN Connection:
First, a UE-initiated PDN Connection release is described. A UE can also trigger the release of a PDN Connection via the (fast) re-authentication mechanism. The UE acts as in case 1), but the Action is set to DELETE and the connection identifier is set to a meaningful value that identifies the PDN Connection to be released. The APN name may or may not be included; if it is not included, only one '\0' octet is put into the APN name field.
This is illustrated in Fig. 7. In S7-1, the UE sends the 802.1X EAPOL-Start message to the authenticator in order to trigger the re-authentication procedure. In response to the start message, the authenticator sends an EAP-Request/Identity to the UE in S7-2, and the UE responds with an EAP-Response/Identity in S7-3, as described above in connection with Fig. 3. The authenticator recognizes the identity, agrees on using fast re-authentication, and sends an EAP-Request/AKA-Reauthentication to the UE in S7-4. In response to this, the UE sends an EAP-Response/AKA-Reauthentication in S7-5; in this case it contains AT_NEW_PDN with the action set to "Delete" and the connection identifier of the connection to be released. Thereafter, the PDN Connection is deleted.
In the following, a network initiated PDN connection release is described.
The network-initiated PDN Connection release is done by the network requesting a (fast) re-authentication. The AT_NEW_PDN attribute is included in the EAP-Request/AKA-Reauthentication message. The Action in the AT_NEW_PDN attribute is set to DELETE, the connection identifier is set to the value matching the PDN Connection, and the APN name may be included. If the APN is not included, only one '\0' octet is put into the APN name field.
An example for this is illustrated in Fig. 8. In S8-1, the authenticator sends an EAP-Request/AKA-Reauthentication message to the UE which includes the AT_NEW_PDN attribute with the action set to DELETE. After this, the network deletes the PDN Connection. Thus, according to embodiments of the present invention, a procedure is realized by which a UE can send 3GPP-specific parameters to the network via WLAN, enabling handovers with IP address preservation and multiple PDN Connections for the UE.
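The following Python is an added example for this page, not code from the patent or from any 3GPP implementation. It encodes and decodes an AT_NEW_PDN-style attribute for the procedures 1) to 5) above (the INFORM support indication, CREATE with an APN, DELETE with a connection identifier) and classifies AT_NOTIFICATION codes by their S and P bits as used in 3) and 4). The TS 23.003 label encoding of the APN and the RFC 4187 notification semantics (32768 = Success, 16384 = general failure before authentication, 0 = general failure after authentication; attribute types 128 to 255 are skippable) are taken from those specifications. Everything else is an assumption made for the example: the attribute type number 200, the field order connection identifier (4 octets), Action (1 octet), APN name, zero padding to a multiple of 4 octets, the numeric Action values, and the two deployment-specific failure codes in server_handle(). The layout was chosen so that the INFORM indication encodes in 8 octets, i.e. Length 2 as stated in 2).

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum

# ASSUMPTION: a skippable attribute type. RFC 4187 section 8.1 reserves types
# 128-255 for attributes a peer may ignore when it does not understand them.
AT_NEW_PDN_TYPE = 200
NO_CONNECTION_ID = 0xFFFFFFFF           # "no specific value given" (from the text)

class Action(IntEnum):                  # ASSUMED numeric values
    INFORM = 0
    CREATE = 1
    DELETE = 2

def encode_apn(apn: str) -> bytes:
    """TS 23.003 labels (length octet + ASCII) plus the trailing '\\0' octet
    the text adds; the empty string (default APN) encodes as b'\\x00'."""
    out = bytearray()
    for label in filter(None, apn.split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("APN label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def decode_apn(buf: bytes) -> tuple[str, int]:
    """Inverse of encode_apn(); returns (apn, octets consumed)."""
    labels, pos = [], 0
    while True:
        if pos >= len(buf):
            raise ValueError("APN name lacks the trailing '\\0'")
        n, pos = buf[pos], pos + 1
        if n == 0:
            return ".".join(labels), pos
        if pos + n > len(buf):
            raise ValueError("APN label overruns the attribute")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

@dataclass(frozen=True)
class NewPdn:
    action: Action
    connection_id: int = NO_CONNECTION_ID
    apn: str = ""                       # "" = default APN

    def encode(self) -> bytes:
        # ASSUMED layout: Type(1) | Length(1, 4-octet units) | conn id(4) |
        # action(1) | APN name | zero pad. INFORM indication = 8 octets, Length 2.
        body = (self.connection_id.to_bytes(4, "big")
                + bytes([self.action]) + encode_apn(self.apn))
        total = 2 + len(body)
        padded = (total + 3) // 4 * 4
        if padded // 4 > 255:
            raise ValueError("attribute too long for the one-octet length field")
        return bytes([AT_NEW_PDN_TYPE, padded // 4]) + body + bytes(padded - total)

    @classmethod
    def decode(cls, attr: bytes) -> NewPdn:
        if len(attr) < 8 or attr[0] != AT_NEW_PDN_TYPE:
            raise ValueError("not an AT_NEW_PDN attribute")
        if attr[1] * 4 != len(attr):
            raise ValueError("length field does not match attribute size")
        conn = int.from_bytes(attr[2:6], "big")
        apn, _ = decode_apn(attr[7:])           # raises on a missing '\0'
        return cls(Action(attr[6]), conn, apn)  # raises on an unknown action

    def is_support_indication(self) -> bool:
        return (self.action is Action.INFORM
                and self.connection_id == NO_CONNECTION_ID and self.apn == "")

# AT_NOTIFICATION code bits and the Success code, RFC 4187 section 10.19.
S_BIT, P_BIT, SUCCESS_CODE = 0x8000, 0x4000, 32768

def classify_notification(code: int) -> str:
    """S=1: success. S=0,P=1: failure before the challenge. S=0,P=0: failure
    after successful authentication, the class the text uses for a refused APN."""
    if code & S_BIT:
        return "success"
    if code & P_BIT:
        return "failure before authentication"
    return "failure after successful authentication"

def server_handle(attr: bytes, authorized_apns: set[str]) -> int:
    """Toy EAP-server decision on a UE's AT_NEW_PDN; returns the code for the
    EAP-Request/AKA-Notification. Failure codes are ASSUMED vendor values, S=P=0."""
    req = NewPdn.decode(attr)
    if req.action is Action.CREATE and req.apn and req.apn not in authorized_apns:
        return 0x0100                   # APN not authorized for this subscriber
    if req.action is Action.DELETE and req.connection_id == NO_CONNECTION_ID:
        return 0x0101                   # DELETE must identify the connection
    return SUCCESS_CODE

if __name__ == "__main__":              # Fig. 3 style exchange, both outcomes
    create = NewPdn(Action.CREATE, apn="internet.example").encode()
    for allowed in ({"internet.example"}, {"ims"}):
        print("UE CREATE ->", classify_notification(server_handle(create, allowed)))
```

Run as a script, the module prints the notification class for an authorized and an unauthorized CREATE. A UE would carry the encode() output inside EAP-Response/AKA-Reauthentication (S3-5 or S7-5), and the checks in decode() are the ones a server should apply before acting on the attribute: an attribute whose Length field disagrees with its size, whose APN name lacks its terminator, or whose Action is unknown is rejected rather than parsed past its end.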
The procedure is easy to implement by extending EAP-AKA/AKA', since both client and server are 3GPP-specific anyway. The solution is completely backwards compatible. Using DHCP for the same purpose is more difficult, as DHCP client implementations are generally not 3GPP-specific, and in some scenarios DHCP is not robust enough (e.g. there is no reliable method for a network-initiated PDN Connection release).
It is noted that the embodiments, and the present invention in general, are not limited to the specific examples given above.
For example, in the process shown in Fig. 3, the AT_NEW_PDN attribute is included in the EAP-Response/AKA-Reauthentication message in S3-5 (or alternatively in an EAP-Response/AKA-Challenge in case of a full authentication). However, this is only an example; alternatively, the AT_NEW_PDN attribute may be included in another message/request from the UE in which the UE has to indicate to which APN the new PDN Connection is to be created. The same applies to S7-5 shown in Fig. 7.
Moreover, in connection with Fig. 4 it was described that, in order to inform the UE that the network supports the above features of the embodiment, the AT_NEW_PDN attribute with the action set to "inform" is included in EAP-Request/AKA-Reauthentication. However, the invention is not limited to this. Alternatively, the corresponding information may be included in general network information/specification, so that it is not always necessary to insert the above attribute in order to inform the UE.
Thus, according to general embodiments of the present invention, apparatuses and methods are provided by which a request is sent from a user equipment to a wireless local area network to trigger a re-authentication according to an extensible authentication protocol. During the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network is sent from the user equipment.
According to a further aspect of embodiments of the present invention, an apparatus is provided which comprises means for sending a request to a wireless local area network to trigger a re- authentication according to an extensible authentication protocol, and means for sending, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
According to another aspect of embodiments of the present invention, an apparatus is provided which comprises means for receiving a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol via a wireless local area network, means for performing a re-authentication procedure with the user equipment, and means for receiving, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
It is to be understood that any of the above modifications can be applied singly or in combination to the respective aspects and/or embodiments to which they refer, unless they are explicitly stated as excluding alternatives.
For the purpose of the present invention as described herein above, it should be noted that
- an access technology via which signaling is transferred to and from a network element may be any technology by means of which a network element or sensor node can access another network element or node (e.g. via a base station or generally an access node). Any present or future technology, such as WLAN (Wireless Local Area Network), WiMAX (Worldwide Interoperability for Microwave Access), LTE, LTE-A, Bluetooth, Infrared, and the like may be used; although the above technologies are mostly wireless access technologies, e.g. in different radio spectra, access technology in the sense of the present invention also implies wired technologies, e.g. IP-based access technologies like cable networks or fixed lines, but also circuit-switched access technologies; access technologies may be distinguishable in at least two categories or access domains, such as packet switched and circuit switched, but the existence of more than two access domains does not impede the invention being applied thereto,
- usable communication networks, stations and transmission nodes may be or comprise any device, apparatus, unit or means by which a station, entity or other user equipment may connect to and/or utilize services offered by the access network; such services include, among others, data and/or (audio-) visual communication, data download etc.;
- a user equipment or communication network element (station) may be any device, apparatus, unit or means by which a system user or subscriber may experience services from an access network, such as a mobile phone or smart phone, a personal digital assistant PDA, or computer, or a device having a corresponding functionality, such as a modem chipset, a chip, a module etc., which can also be part of a UE or attached as a separate element to a UE, or the like;
- method steps likely to be implemented as software code portions and being run using a processor at a network element or terminal (as examples of devices, apparatuses and/or modules thereof, or as examples of entities including apparatuses and/or modules therefore), are software code independent and can be specified using any known or future developed programming language as long as the functionality defined by the method steps is preserved;
- generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the invention in terms of the functionality implemented;
- method steps and/or devices, units or means likely to be implemented as hardware components at the above-defined apparatuses, or any module(s) thereof, (e.g., devices carrying out the functions of the apparatuses according to the embodiments as described above, eNode-B etc. as described above) are hardware independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components;
- devices, units or means (e.g. the above-defined apparatuses, or any one of their respective means) can be implemented as individual devices, units or means, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device, unit or means is preserved;
- an apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor;
- a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
It is noted that the embodiments and examples described above are provided for illustrative purposes only and are in no way intended that the present invention is restricted thereto. Rather, it is the intention that all variations and modifications be included which fall within the spirit and scope of the appended claims.

Claims

1. An apparatus comprising a connection unit configured to provide connection to a wireless local area network, and a processor configured to send a request to the network to trigger a re-authentication according to an extensible authentication protocol, and to send, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
2. The apparatus according to claim 1, wherein the information element indicates at least an access point name of an access point to which the packet data network connection is to be established or deleted, and/or the information element further comprises an action field indicating at least one of informing, creating and deleting the packet data network connection, and/or the information element further comprises a connection identifier identifying the packet data network connection.
3. The apparatus according to claim 1, wherein the processor is configured to receive an information element informing that a process of sending a request to the network to trigger the re-authentication according to the extensible authentication protocol is supported by the network.
4. The apparatus according to any one of the claims 1 to 3, wherein the information element is an attribute.
5. The apparatus according to claim 1, wherein the processor is configured to receive an information regarding success or failure of establishing or deleting the packet data network connection.
6. The apparatus according to claim 5, wherein the information is a notification code.
7. An apparatus comprising a connection unit configured to provide connection to a wireless local area network, and a processor configured to receive a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol, to perform a re-authentication procedure with the user equipment, and to receive, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
8. The apparatus according to claim 7, wherein the processor is configured to initiate establishing or deleting a packet data network connection via the wireless local area network in response to the information element.
9. The apparatus according to claim 7 or 8, wherein the information element indicates at least an access point name of an access point to which the packet data network connection is to be established or deleted, and/or the information element further comprises an action field indicating at least one of informing, creating and deleting the packet data network connection, and/or the information element further comprises a connection identifier identifying the packet data network connection.
10. The apparatus according to claim 7, wherein the processor is configured to send an information element to the user equipment informing that a process of sending a request to the network to trigger the re-authentication according to the extensible authentication protocol is supported by the network.
11. The apparatus according to any one of the claims 7 to 10, wherein the information element is an attribute.
12. The apparatus according to claim 7, wherein the processor is configured to send an information regarding success or failure of establishing or deleting the packet data network connection to the user equipment.
13. The apparatus according to claim 12, wherein the information is a notification code.
14. The apparatus according to claim 7, wherein the processor is configured to initiate deleting of the packet data network connection by sending a re-authentication request according to the extensible authentication protocol including an information element to the user equipment informing that the packet data network connection is to be deleted.
15. A method comprising sending a request to a wireless local area network to trigger a re-authentication according to an extensible authentication protocol, and sending, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
16. The method according to claim 15, wherein the information element indicates at least an access point name of an access point to which the packet data network connection is to be established or deleted, and/or the information element further comprises an action field indicating at least one of informing, creating and deleting the packet data network connection, and/or the information element further comprises a connection identifier identifying the packet data network connection.
17. The method according to claim 15, further comprising receiving an information element informing that a process of sending a request to the network to trigger the re-authentication according to the extensible authentication protocol is supported by the network.
18. The method according to any one of the claims 15 to 17, wherein the information element is an attribute.
19. The method according to claim 15, further comprising receiving an information regarding success or failure of establishing or deleting the packet data network connection.
20. The method according to claim 19, wherein the information is a notification code.
21. A method comprising receiving a request from a user equipment to trigger a re-authentication according to an extensible authentication protocol via a wireless local area network, performing a re-authentication procedure with the user equipment, and receiving, during the re-authentication procedure, an information element indicating a request to establish or delete a packet data network connection via the wireless local area network.
22. The method according to claim 21, further comprising initiating establishing or deleting a packet data network connection via the wireless local area network in response to the information element.
23. The method according to claim 21 or 22, wherein the information element indicates at least an access point name of an access point to which the packet data network connection is to be established or deleted, and/or the information element further comprises an action field indicating at least one of informing, creating and deleting the packet data network connection, and/or the information element further comprises a connection identifier identifying the packet data network connection.
24. The method according to claim 21, further comprising sending an information element to the user equipment informing that a process of sending a request to the network to trigger the re-authentication according to the extensible authentication protocol is supported by the network.
25. The method according to any one of the claims 21 to 24, wherein the information element is an attribute.
26. The method according to claim 21, further comprising sending an information regarding success or failure of establishing or deleting the packet data network connection to the user equipment.
27. The method according to claim 26, wherein the information is a notification code.
28. The method according to claim 21, further comprising initiating deleting of the packet data network connection by sending a re-authentication request according to the extensible authentication protocol including an information element to the user equipment informing that the packet data network connection is to be deleted.
29. A computer program product comprising code means for performing a method according to any one of claims 15 to 28 when run on a processing means or module.
30. The computer program product according to claim 29, wherein the computer program product is embodied on a computer-readable medium.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2012/069720 WO2014053188A1 (en) 2012-10-05 2012-10-05 Using eap (fast) re-authentication to request a creation of an additional pdn connection


Publications (1)

Publication Number Publication Date
WO2014053188A1 (en) 2014-04-10

Family

ID=47010586


Country Status (1)

Country Link
WO (1) WO2014053188A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040066769A1 (en) * 2002-10-08 2004-04-08 Kalle Ahmavaara Method and system for establishing a connection via an access network
WO2010076043A1 (en) * 2009-01-05 2010-07-08 Nokia Siemens Networks Oy Method and device for data processing and system comprising such device
WO2013070540A1 (en) * 2011-11-10 2013-05-16 Motorola Mobility Llc Method for establishing data connectivity between a wireless communication device and a core network over an ip access network, wireless communication device and communication system


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
J. Arkko (Ericsson), H. Haverinen (Nokia): "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)", RFC 4187 (rfc4187.txt), IETF, January 2006, XP015054876 *
J. Arkko, V. Lehtovirta (Ericsson), P. Eronen (Nokia): "Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')", RFC 5448 (rfc5448.txt), IETF, May 2009, XP015065592 *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12770118; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12770118; Country of ref document: EP; Kind code of ref document: A1)