WO2017000140A1 - Method and apparatus for authenticating user equipment - Google Patents

Method and apparatus for authenticating user equipment

Info

Publication number
WO2017000140A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
apn
authentication
message
access
Prior art date
Application number
PCT/CN2015/082707
Other languages
French (fr)
Chinese (zh)
Inventor
施密特·彼得
周润泽
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2015/082707
Priority to CN201580049417.XA (CN106688259B)
Publication of WO2017000140A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for authenticating a user equipment.
  • D2D Device to Device
  • the cell users in the cellular network can communicate directly through the D2D link.
  • D2D communication uses the same resources as cell users.
  • relay communication is an important working mode.
  • a relay UE can forward messages for two UEs that are outside the D2D communication range. Therefore, the relay UE can provide a network connection service for a UE that is outside the network coverage (referred to as a remote UE). For example, the relay UE can forward the downlink data packets sent by the network to the remote UE.
  • before the remote UE obtains the network service through the relay UE, it must discover a relay UE that can provide services for it.
  • the remote UE can learn the PDN (Public Data Network) connection information that the relay UE has established. If the remote UE wishes to connect to the network through the PDN, the relay UE is selected to serve itself. That is to say, the remote UE can complete communication with the network by using the channel resources of the relay UE.
  • the defect is also obvious, that is, the remote UE can only complete the network communication through the PDN of the relay UE, which greatly limits the network access range of the remote UE.
  • the embodiment of the invention provides a method and a device for authenticating a user equipment, which are used to provide a larger network access range for the second user equipment.
  • the embodiment of the present invention adopts the following technical solutions:
  • an embodiment of the present invention provides a method for authenticating a user equipment, which is applied to a device-to-device (D2D) network, the method includes:
  • in response to the request message, the first user equipment sends a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN.
  • before the first user equipment sends the response message to the second user equipment, the method further includes:
  • in response to the request message, the first user equipment sends an authentication request to the network device, where the authentication request carries the APN or the identification information of the authenticated user equipment, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  • the sending, by the first user equipment, the response message to the second user equipment includes:
  • the first user equipment sends the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the sending, by the first user equipment, the authentication request to the network device, in response to the request message includes:
  • when the APN is carried in the authentication request, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for whether the second user equipment can connect to the APN, and the authentication reply message is used to indicate whether the second user equipment can access the APN;
  • when the authentication request carries the identifier information of the first user equipment, the first user equipment sends, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, and the authentication reply message is used to indicate the APN that the first user equipment can access;
  • when the authentication request carries the identifier information of the second user equipment, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, and the authentication reply message is used to indicate the APN that the second user equipment can access.
  • the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
  • an embodiment of the present invention provides an authentication device for a user equipment, which is applied to a device-to-device D2D network, where the device includes:
  • a receiving unit configured to receive a request message sent by the second user equipment, where the request message includes an access point name APN;
  • the first sending unit is configured to send a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN in response to the request message.
  • the method further includes:
  • a determining unit configured to determine whether access authorization information of the APN is stored in the first user equipment
  • a second sending unit configured to send an authentication request to the network device in response to the request message when determining that the access authorization information of the APN is not stored in the first user equipment, where the authentication request carries the APN or the identifier information of the authenticated user equipment, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  • the first sending unit is specifically configured to: after receiving the authentication reply message returned by the network device, send, according to the authentication reply message, the response message to the second user equipment, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the first sending unit is further configured to: when determining that the access authorization information of the APN is stored in the first user equipment, send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the second sending unit is further configured to: when the APN is carried in the authentication request, send, to the network device corresponding to the second user equipment, an authentication request for whether the second user equipment can connect to the APN, where the authentication reply message is used to indicate whether the second user equipment can access the APN; when the authentication request carries the identifier information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, where the authentication reply message is used to indicate the APN that the first user equipment can access; and when the authentication request carries the identifier information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, where the authentication reply message is used to indicate the APN that the second user equipment can access.
  • the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
  • an embodiment of the present invention provides an authentication device for a user equipment, which is applied to a device-to-device D2D network, where the device includes a transceiver:
  • the transceiver is configured to receive a request message sent by the second user equipment, where the request message includes an access point name APN, and configured to send, in response to the request message, a response message to the second user equipment, to indicate whether the second user equipment can establish a connection to the APN.
  • the device further includes a processor:
  • the processor is configured to determine whether access authorization information of the APN is stored in the first user equipment;
  • the transceiver is further configured to: when determining that the access authorization information of the APN is not stored in the first user equipment, send an authentication request to the network device in response to the request message, where the authentication request carries the APN or the identifier information of the authenticated user equipment, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  • the transceiver is specifically configured to: after receiving the authentication reply message returned by the network device, send, according to the authentication reply message, the response message to the second user equipment to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the transceiver is specifically configured to: when determining that the access authorization information of the APN is stored in the first user equipment, send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the transceiver is further configured to: when the APN is carried in the authentication request, send, to the network device corresponding to the second user equipment, an authentication request for whether the second user equipment can connect to the APN, where the authentication reply message is used to indicate whether the second user equipment can access the APN; when the authentication request carries the identifier information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, where the authentication reply message is used to indicate the APN that the first user equipment can access; and when the authentication request carries the identifier information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, where the authentication reply message is used to indicate the APN that the second user equipment can access.
  • the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
  • the second user equipment may send, to the first user equipment, a setup request for establishing a session with the destination APN, so that the first user equipment on the network can determine the APN that the second user equipment can access. In the prior art, the second user equipment can only use the same APN as the relay device for access; by comparison, the present invention can obtain from the network side the APNs that the first user equipment can access, and so can obtain a large number of APNs other than the APN that the relay device is using, thereby providing more options for access by the second user equipment and a larger network access range for the second user equipment.
  • FIG. 1 is a flowchart of a method for authenticating a user equipment according to an embodiment of the present invention
  • FIG. 2 is a flowchart of another method for authenticating a user equipment according to an embodiment of the present invention
  • FIG. 3 is a structural diagram of an apparatus for authenticating a user equipment according to an embodiment of the present invention.
  • FIG. 4 is a structural diagram of another method for authenticating a user equipment according to an embodiment of the present invention.
  • FIG. 5 is a structural diagram of another method for authenticating a user equipment according to an embodiment of the present invention.
  • FIG. 6 is a structural diagram of another method for authenticating a user equipment according to an embodiment of the present invention.
  • a method for authenticating a user equipment is applicable to a D2D network.
  • a first user equipment also referred to as a relay user equipment, and a Relay UE
  • the first user equipment, as a device inside the D2D network, can be regarded as a network relay node that provides services such as information forwarding and network access indication for a second user equipment (Remote UE) that is outside the D2D network or in a pre-off-network state.
  • the network device is generally used to provide Access Point Name (APN) access services for various types of user equipment, including the first user equipment and the second user equipment.
  • APN Access Point Name
  • the network equipment is used.
  • the ProSe function Proximity-based service function
  • HSS Home subscriber server
  • the method for authenticating the user equipment provided by the embodiment of the present invention is applicable to the process in which the second user equipment needs to establish an APN session connection with the network side, to authenticate whether the second user equipment is allowed to access the APN. As shown in FIG. 1, the method is performed by the first user equipment, and the specific steps include:
  • the request message generally carries an APN to indicate the access intention of the second user equipment.
  • in this method for authenticating a user equipment, the second user equipment may send, to the first user equipment, a setup request for establishing a session with the destination APN, so that the first user equipment on the network determines the APN that the second user equipment can access. In the prior art, the second user equipment can only use the same APN as the relay device for access; by comparison, the present invention can obtain a large number of APNs other than the APN that the relay device is using, which provides more options for access by the second user equipment and a larger network access range for the second user equipment.
  • the authentication information may be obtained in the first user equipment, or may be obtained by the first user equipment on request.
  • the corresponding implementation process is as shown in FIG. 2, and needs to be performed before step 102, including:
  • in response to the request message, the first user equipment sends an authentication request to the network device, so that the network device, after the authentication succeeds, returns an authentication reply message to the first user equipment, where the authentication reply message is used to indicate the APN that the first user equipment or the second user equipment can access.
  • the APN mentioned in step 101 needs to be carried in the authentication request.
  • the authentication request may include the APN included in the foregoing request message, or the identification information of the authenticated device (that is, the identifier information of the first user equipment or the identifier information of the second user equipment).
  • step 102 in response to the request message, sending a response message to the second user equipment, to indicate whether the second user equipment can establish a connection to the APN, the specific execution flow is:
  • step 102, in response to the request message, sending a response message to the second user equipment, to indicate whether the second user equipment can establish a connection to the APN
  • the first user equipment sends the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the authentication reply message may be used to indicate the APN that the first or second user equipment can access, or to directly indicate whether the second user equipment can access the requested APN.
  • the content specified in the authentication reply message depends on the content carried in the authentication request.
  • the embodiment of the present invention provides three types of content that can be carried in the authentication request. Therefore, in step 104, the sending of the authentication request by the first user equipment to the network device in response to the request message can be achieved in the following three ways:
  • the first mode is: when the APN is carried in the authentication request, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for whether the second user equipment can connect to the APN.
  • the authentication reply message is used to indicate whether the second user equipment can access the APN.
  • the second mode is: when the authentication request carries the identifier information of the first user equipment, the first user equipment sends, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment.
  • the authentication reply message is used to indicate an APN that the first user equipment can access.
  • the third mode is: when the authentication request carries the identifier information of the second user equipment, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment.
  • the authentication reply message is used to indicate an APN that the second user equipment can access.
  • the implementation principle is relatively simple: whichever APN the first user equipment requests, the network side authenticates the access to that APN.
  • the network device side generally determines the APN that the second user equipment can access.
  • the first user equipment determines the APN that the second user equipment can access.
  • the APN information that the second user equipment can access can only be selected from the APN information that the first user equipment can access; although the number may differ from that of the APNs that the second user equipment can access, it is still much more than the choices available in the prior art, which completes network access using only the one APN that the first user equipment is using.
  • for the authentication process involved in the present invention, only one feasible implementation manner is provided here.
  • the authentication request generally carries the identifier of the second user equipment, to facilitate the ProSe Function in performing the authentication.
  • if the ProSe Function does not have the authentication information of the second user equipment, the ProSe Function sends an authentication check message to the HSS corresponding to the second user equipment, and the HSS completes the subsequent authentication work. After the authentication is completed, the HSS sends the relevant authentication information to the ProSe Function, and then the ProSe Function completes the subsequent reply work.
  • if the authentication process of the first user equipment is involved, it is similar to the above process, except that the network device related to the first user equipment needs to initiate the authentication process.
  • the embodiment of the present invention further provides an authentication device for the user equipment, which is used to implement the foregoing method flow.
  • the device includes:
  • the receiving unit 21 is configured to receive a request message sent by the second user equipment, where the request message includes an access point name APN.
  • the first sending unit 22 is configured to send a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN in response to the request message.
  • the device further includes:
  • the determining unit 23 is configured to determine whether the access authorization information of the APN is stored in the first user equipment.
  • a second sending unit 24 configured to: when determining that the access authorization information of the APN is not stored in the first user equipment, send an authentication request to the network device in response to the request message, where the authentication request carries the APN or the identifier information of the authenticated user equipment, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  • the first sending unit 22 is specifically configured to: after receiving the authentication reply message returned by the network device, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the first sending unit 22 is further configured to: when determining that the access authorization information of the APN is stored in the first user equipment, send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the second sending unit 24 is further configured to: when the APN is carried in the authentication request, send, to the network device corresponding to the second user equipment, an authentication request for whether the second user equipment can connect to the APN, where the authentication reply message is used to indicate whether the second user equipment can access the APN; when the authentication request carries the identifier information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, where the authentication reply message is used to indicate the APN that the first user equipment can access; and when the authentication request carries the identifier information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, where the authentication reply message is used to indicate the APN that the second user equipment can access.
  • the authentication reply message includes all APNs that the second user equipment can access, and/or all the APNs that the first user equipment can access.
  • An authentication device for a user equipment is provided by the embodiment of the present invention.
  • the second user equipment may send, to the first user equipment, a setup request for establishing a session with the destination APN, so that the first user equipment on the network determines the APN that the second user equipment can access. In the prior art, the second user equipment can only use the same APN as the relay device for access; by comparison, the present invention can obtain from the network side the APNs that the second user equipment can access, and so can obtain a large number of APNs other than the APN being used by the relay device, thereby providing more options for access by the second user equipment and a larger network access range for the second user equipment.
  • the embodiment of the invention further provides an authentication device for the user equipment, which is applied to a device-to-device (D2D) network.
  • the device includes a transceiver 31:
  • the transceiver 31 is configured to receive a request message sent by the second user equipment, where the request message includes an access point name APN, and configured to send, in response to the request message, a response message to the second user equipment, to indicate whether the second user equipment can establish a connection to the APN.
  • the apparatus further includes a processor 32:
  • the processor 32 is configured to determine whether access authorization information of the APN is stored in the first user equipment.
  • the transceiver 31 is further configured to: when determining that the access authorization information of the APN is not stored in the first user equipment, send an authentication request to the network device according to the request message, where the authentication request carries the APN or the identification information of the authenticated user equipment, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  • the transceiver 31 is configured to: after receiving the authentication reply message returned by the network device, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the transceiver 31 is configured to: when determining that the access authorization information of the APN is stored in the first user equipment, send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  • the transceiver 31 is further configured to: when the APN is carried in the authentication request, send, to the network device corresponding to the second user equipment, an authentication request for whether the second user equipment can connect to the APN, where the authentication reply message is used to indicate whether the second user equipment can access the APN; when the authentication request carries the identifier information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, where the authentication reply message is used to indicate the APN that the first user equipment can access; and when the authentication request carries the identifier information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, where the authentication reply message is used to indicate the APN that the second user equipment can access.
  • the authentication reply message includes all APNs that the second user equipment can access, and/or all the APNs that the first user equipment can access.
  • An authentication device for a user equipment is provided by the embodiment of the present invention.
  • the second user equipment may send, to the first user equipment, a setup request for establishing a session with the destination APN, so that the first user equipment on the network determines the APN that the second user equipment can access. In the prior art, the second user equipment can only use the same APN as the relay device for access; by comparison, the present invention can obtain from the network side the APNs that the second user equipment can access, and so can obtain a large number of APNs other than the APN that the relay device is using, thereby providing more options for access by the second user equipment and a larger network access range for the second user equipment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention relates to the technical field of communications. Provided are a method and apparatus for authenticating a user equipment, which are mainly used to provide a greater network access range to a second user equipment. In the present invention, a second user equipment can send, to a first user equipment, an establishment request for establishing a session with a target APN, so that the first user equipment, which is on the network, determines an APN that can be accessed by the second user equipment, thereby providing more choices for access of the second user equipment. The present invention is applicable to a network access process of a D2D device.

Description

一种对用户设备的鉴权方法及装置Method and device for authenticating user equipment 技术领域Technical field
本发明涉及通信技术领域,尤其涉及一种对用户设备的鉴权方法及装置。The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for authenticating a user equipment.
背景技术Background technique
D2D(Device to device,设备到设备)技术作为应用于移动蜂窝网络技术的一种,可以用于提高资源利用率和网络容量。蜂窝网中的小区用户除可以通过基站服务进行通信外,它们之间还可以通过D2D链路直接进行通信。D2D通信与蜂窝小区用户使用相同的资源。As a kind of mobile cellular network technology, D2D (Device to Device) technology can be used to improve resource utilization and network capacity. In addition to the cell service in the cellular network, the cell users in the cellular network can communicate directly through the D2D link. D2D communication uses the same resources as cell users.
D2D通信中,中继通信是一大重要的工作模式,在其使用场景中,中继UE(可称为relay UE)可以为两台在D2D通信范围之外的UE提供消息的转发。因此,中继UE可以为处于网络覆盖外的UE(称为remote UE)提供连接到网络的服务。比如:relay UE可以将网络下发的下行数据包转发给remote UE。In D2D communication, relay communication is an important working mode. In its usage scenario, a relay UE (which may be called a relay UE) can provide forwarding of messages for two UEs outside the D2D communication range. Therefore, the relay UE can provide a service connected to the network for a UE (referred to as a remote UE) that is outside the network coverage. For example, the relay UE can forward the downlink data packet sent by the network to the remote UE.
在remote UE通过relay UE取得网络服务之前,必须需要发现一个能够为它提供服务的relay UE,在发现过程中,remote UE可以获知relay UE已经建立的PDN(Public Data Network,公共数据网络)连接信息,如果remote UE希望通过该PDN连接到网络,则选择该relay UE为自己服务。也就是说,remote UE可以使用relay UE的信道资源完成与网络的通信。但是,其缺陷也较为明显,就是remote UE只能通过relay UE的PDN完成网络通信,极大地限制了remote UE的网络访问范围。Before the remote UE obtains the network service through the relay UE, it is necessary to find a relay UE that can provide services for the remote UE. During the discovery process, the remote UE can learn the PDN (Public Data Network) connection information that the relay UE has established. If the remote UE wishes to connect to the network through the PDN, the relay UE is selected to serve itself. That is to say, the remote UE can complete communication with the network by using the channel resources of the relay UE. However, the defect is also obvious, that is, the remote UE can only complete the network communication through the PDN of the relay UE, which greatly limits the network access range of the remote UE.
Summary of the invention
Embodiments of the present invention provide a method and an apparatus for authenticating a user equipment, so as to provide a larger network access range for a second user equipment.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
In a first aspect, an embodiment of the present invention provides a method for authenticating a user equipment, applied to a device-to-device (D2D) network, where the method includes:
the first user equipment receives a request message sent by the second user equipment, where the request message includes an access point name (APN);
in response to the request message, the first user equipment sends a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN.
With reference to the first aspect, in a first possible implementation of the first aspect, before the first user equipment sends the response message to the second user equipment, the method further includes:
the first user equipment determines whether access authorization information of the APN is stored in the first user equipment;
if it is determined that the access authorization information of the APN is not stored in the first user equipment, the first user equipment sends, in response to the request message, an authentication request to a network device, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the sending, by the first user equipment, of the response message to the second user equipment includes:
after receiving the authentication reply message returned by the network device, sending the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, if it is determined that the access authorization information of the APN is stored in the first user equipment, the sending, by the first user equipment, of the response message to the second user equipment includes:
the first user equipment sends the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the sending, by the first user equipment in response to the request message, of the authentication request to the network device includes:
when the authentication request carries the APN, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, and the authentication reply message is used to indicate whether the second user equipment can access the APN;
when the authentication request carries the identification information of the first user equipment, the first user equipment sends, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, and the authentication reply message is used to indicate the APNs that the first user equipment can access;
when the authentication request carries the identification information of the second user equipment, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, and the authentication reply message is used to indicate the APNs that the second user equipment can access.
With reference to the second possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
In a second aspect, an embodiment of the present invention provides an apparatus for authenticating a user equipment, applied to a device-to-device (D2D) network, where the apparatus includes:
a receiving unit, configured to receive a request message sent by the second user equipment, where the request message includes an access point name (APN);
a first sending unit, configured to send, in response to the request message, a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN.
With reference to the second aspect, in a first possible implementation of the second aspect, the apparatus further includes:
a determining unit, configured to determine whether access authorization information of the APN is stored in the first user equipment;
a second sending unit, configured to send, in response to the request message, an authentication request to a network device when it is determined that the access authorization information of the APN is not stored in the first user equipment, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the first sending unit is specifically configured to: after the authentication reply message returned by the network device is received, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the first sending unit is further configured to: when it is determined that the access authorization information of the APN is stored in the first user equipment, send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the second sending unit is further specifically configured to: when the authentication request carries the APN, send, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, where the authentication reply message is used to indicate whether the second user equipment can access the APN; when the authentication request carries the identification information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, where the authentication reply message is used to indicate the APNs that the first user equipment can access; and when the authentication request carries the identification information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, where the authentication reply message is used to indicate the APNs that the second user equipment can access.
With reference to the second possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
In a third aspect, an embodiment of the present invention provides an apparatus for authenticating a user equipment, applied to a device-to-device (D2D) network, where the apparatus includes a transceiver:
the transceiver is configured to receive a request message sent by the second user equipment, where the request message includes an access point name (APN), and to send, in response to the request message, a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN.
With reference to the third aspect, in a first possible implementation of the third aspect, the apparatus further includes a processor:
the processor is configured to determine whether access authorization information of the APN is stored in the first user equipment;
the transceiver is further configured to send, in response to the request message, an authentication request to a network device when it is determined that the access authorization information of the APN is not stored in the first user equipment, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the transceiver is specifically configured to: after the authentication reply message returned by the network device is received, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the transceiver is configured to: when it is determined that the access authorization information of the APN is stored in the first user equipment, send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
With reference to the third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the transceiver is further specifically configured to: when the authentication request carries the APN, send, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, where the authentication reply message is used to indicate whether the second user equipment can access the APN; when the authentication request carries the identification information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, where the authentication reply message is used to indicate the APNs that the first user equipment can access; and when the authentication request carries the identification information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, where the authentication reply message is used to indicate the APNs that the second user equipment can access.
With reference to the second possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
With the method and apparatus for authenticating a user equipment provided by the embodiments of the present invention, the second user equipment can send the first user equipment a setup request for establishing a session with a destination APN, so that the first user equipment, which is on the network, decides which APNs the second user equipment can access. Compared with the prior art, in which the second user equipment can access the network only through the same APN as the relay device, the present invention can obtain from the network side the APNs that the second user equipment is able to access, and is to a large extent able to obtain APNs other than the one the relay device is currently using. This gives the second user equipment more choices for access and provides it with a larger network access range.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for authenticating a user equipment according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method for authenticating a user equipment according to an embodiment of the present invention;
FIG. 3 is a structural diagram of an apparatus for authenticating a user equipment according to an embodiment of the present invention;
FIG. 4 is a structural diagram of another method for authenticating a user equipment according to an embodiment of the present invention;
FIG. 5 is a structural diagram of another method for authenticating a user equipment according to an embodiment of the present invention;
FIG. 6 is a structural diagram of another method for authenticating a user equipment according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The method for authenticating a user equipment provided by the embodiments of the present invention is applicable to a D2D network. Such a D2D network generally needs to be provided with a first user equipment (which may also be called a relay user equipment, Relay UE) and a network device. The first user equipment, as a device inside the D2D network, can be regarded as a network relay node that provides services such as information forwarding and network access indication for a second user equipment (Remote UE) that is outside the D2D network or in a pre-off-network state. The network device is generally used to provide authentication services for APN (Access Point Name) access to various user equipments, including the first user equipment and the second user equipment. In the embodiments of the present invention, the network device may be implemented jointly by a ProSe function (Proximity-based service function) functional entity and the HSS (Home subscriber server) corresponding to the user equipment.
Based on the above D2D network, the method for authenticating a user equipment provided by the embodiments of the present invention applies to the process in which the second user equipment needs to establish an APN session connection with the network side, so as to authenticate whether the second user equipment is allowed to access more APNs. As shown in FIG. 1, the method is performed by the first user equipment, and the specific steps include:
101. Receive a request message sent by the second user equipment.
In this step, the request message generally carries an APN, to indicate the access intention of the second user equipment.
102. In response to the request message, send a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN.
With the method for authenticating a user equipment provided by the embodiments of the present invention, the second user equipment can send the first user equipment a setup request for establishing a session with a destination APN, so that the first user equipment, which is on the network, decides which APNs the second user equipment can access. Compared with the prior art, in which the second user equipment can access the network only through the same APN as the relay device, the present invention can obtain from the network side the APNs that the second user equipment is able to access, and is to a large extent able to obtain APNs other than the one the relay device is currently using. This gives the second user equipment more choices for access and provides it with a larger network access range.
To authenticate the second user equipment's access to an APN, the corresponding authentication information usually needs to be obtained. This authentication information may be stored in the first user equipment, or the first user equipment may request it from the network device. The corresponding implementation flow is shown in FIG. 2; it is performed before step 102 and includes:
103. Determine whether access authorization information of the APN is stored in the first user equipment.
104. If it is determined that the access authorization information of the APN is not stored in the first user equipment, the first user equipment sends, in response to the request message, an authentication request to the network device, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds, where the authentication reply message is used to indicate the APNs that the first user equipment or the second user equipment can access. The authentication request needs to carry the APN mentioned in step 101.
The authentication request may generally include the APN included in the foregoing request message, or the identification information of the device being authenticated (that is, the identification information of the first user equipment or the identification information of the second user equipment).
In this case, the specific execution flow of step 102 (in response to the request message, sending a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN) is:
after receiving the authentication reply message returned by the network device, sending the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
In addition, if it is determined that the access authorization information of the APN is stored in the first user equipment, the specific execution flow of step 102 (in response to the request message, sending a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN) is:
the first user equipment sends the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
In the embodiments of the present invention, the authentication reply message may be used to indicate the APNs that the first or second user equipment can access, or to indicate directly whether the second user equipment can access the APN it requested. What exactly the authentication reply message indicates depends on what the authentication request carries. Under this arrangement, the embodiments of the present invention provide three kinds of content that can be carried in the authentication request, so the foregoing step 104, in which the first user equipment sends an authentication request to the network device in response to the request message, can be implemented in the following three modes:
First mode: when the authentication request carries the APN, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN.
In this mode, the authentication reply message is used to indicate whether the second user equipment can access the APN.
Second mode: when the authentication request carries the identification information of the first user equipment, the first user equipment sends, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment.
In this mode, the authentication reply message is used to indicate the APNs that the first user equipment can access.
Third mode: when the authentication request carries the identification information of the second user equipment, the first user equipment sends, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment.
In this mode, the authentication reply message is used to indicate the APNs that the second user equipment can access.
In the first mode, the principle is fairly simple: whichever APN the first user equipment requests access to, the network side authenticates the act of accessing that APN. In the second mode, it is generally the network device side that decides which APNs the second user equipment can access. In the third mode, the first user equipment itself decides which APNs the second user equipment can access; in this case, however, the APNs that the second user equipment can access can be selected only from the APNs that the first user equipment can access. Although the number may differ from the APNs that the second user equipment itself could access, this still offers far more choices than the prior art, in which network access can be completed only through the single APN that the first user equipment is currently using.
In addition, the authentication process involved in the present invention is briefly introduced here. It is only one feasible implementation, and the embodiments of the present invention place no limitation on it. For example, if the first user equipment sends, to the ProSe Function corresponding to the second user equipment, an authentication request for authenticating the second user equipment, the authentication request generally carries the identifier of the second user equipment so that the ProSe Function can complete the authentication in a targeted manner. If the ProSe Function does not have the authentication information of the second user equipment, it sends an authentication check message to the HSS corresponding to the second user equipment, and the HSS completes the subsequent authentication work. After completing the authentication, the HSS sends the relevant authentication information to the ProSe Function, which then completes the subsequent reply.
If the authentication of the first user equipment is involved, the process is similar to the above, except that the authentication process needs to be initiated with the network device related to the first user equipment.
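The relay-side flow of steps 101 to 104, the three authentication-request modes and the ProSe Function/HSS check can be modelled as follows. This is an added illustrative example, not part of the patent text: the class names, the format of the locally stored access authorization information (APN mapped to permitted UE identifiers), the sample identifiers and the refusal of a request when no successful reply arrives are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthMode(Enum):
    APN = 1        # request carries the APN; reply says yes/no for that APN
    RELAY_ID = 2   # request carries the first (relay) UE's identifier
    REMOTE_ID = 3  # request carries the second (remote) UE's identifier


@dataclass
class HSS:
    """Home subscriber server: UE identifier -> APNs the UE may access."""
    subscriptions: dict

    def auth_check(self, ue_id):
        return self.subscriptions.get(ue_id)  # None: unknown subscriber


@dataclass
class ProSeFunction:
    """Network device; asks the HSS when it holds no data for the UE."""
    hss: HSS
    known: dict = field(default_factory=dict)
    requests_seen: int = 0

    def authenticate(self, mode, ue_id, apn=None):
        """Return the authentication reply, or None if authentication fails.

        Assumption: the UE being checked is passed explicitly; the page only
        says the request goes to the network device corresponding to that UE.
        """
        self.requests_seen += 1
        apns = self.known.get(ue_id)
        if apns is None:
            apns = self.hss.auth_check(ue_id)
        if apns is None:
            return None
        if mode is AuthMode.APN:
            return {"allowed": apn in apns}
        return {"apns": set(apns)}


@dataclass(frozen=True)
class Response:
    apn: str
    allowed: bool
    decided_by: str  # "local" or "network"


@dataclass
class RelayUE:
    ue_id: str
    network: ProSeFunction
    mode: AuthMode
    # Assumed format of the stored access authorization information:
    # APN -> identifiers of UEs permitted to use it through this relay.
    local_authz: dict = field(default_factory=dict)

    def handle_request(self, remote_id, apn):
        # Step 103: is access authorization information for the APN stored?
        if apn in self.local_authz:
            return Response(apn, remote_id in self.local_authz[apn], "local")
        # Step 104: not stored, so send an authentication request.
        subject = self.ue_id if self.mode is AuthMode.RELAY_ID else remote_id
        reply = self.network.authenticate(self.mode, subject, apn)
        if reply is None:
            # Assumption: no successful reply means the request is refused.
            return Response(apn, False, "network")
        if self.mode is AuthMode.APN:
            allowed = reply["allowed"]
        else:
            allowed = apn in reply["apns"]
        # Step 102: the response tells the remote UE whether it may connect.
        return Response(apn, allowed, "network")


def build_network():
    # Constructed sample subscription data, not taken from the page.
    hss = HSS({"relay-1": {"internet", "ims"},
               "remote-7": {"internet", "corp.example"}})
    return ProSeFunction(hss)


if __name__ == "__main__":
    for mode in AuthMode:
        relay = RelayUE("relay-1", build_network(), mode)
        for apn in ("ims", "corp.example"):
            print(mode.name, relay.handle_request("remote-7", apn))
```

With the constructed data, the `RELAY_ID` mode grants `remote-7` the relay's `ims` APN and refuses `corp.example`, while the `REMOTE_ID` mode does the reverse, because the decision rests on a different UE's APN list in each case.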
Based on the foregoing description of the method flow, an embodiment of the present invention further provides an apparatus for authenticating a user equipment, which is used to implement the foregoing method flow. As shown in FIG. 3, the apparatus includes:
a receiving unit 21, configured to receive a request message sent by the second user equipment, where the request message includes an access point name (APN);
a first sending unit 22, configured to send, in response to the request message, a response message to the second user equipment to indicate whether the second user equipment can establish a connection to the APN.
Optionally, as shown in FIG. 4, the apparatus further includes:
a determining unit 23, configured to determine whether access authorization information of the APN is stored in the first user equipment;
a second sending unit 24, configured to send, in response to the request message, an authentication request to a network device when it is determined that the access authorization information of the APN is not stored in the first user equipment, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
Optionally, the first sending unit 22 is specifically configured to: after the authentication reply message returned by the network device is received, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
Optionally, the first sending unit 22 is further configured to: when it is determined that the access authorization information of the APN is stored in the first user equipment, send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
Optionally, the second sending unit 24 is further specifically configured to: when the authentication request carries the APN, send, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, where the authentication reply message is used to indicate whether the second user equipment can access the APN; when the authentication request carries the identification information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, where the authentication reply message is used to indicate the APNs that the first user equipment can access; and when the authentication request carries the identification information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, where the authentication reply message is used to indicate the APNs that the second user equipment can access.
Optionally, the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
本发明实施例提供的一种对用户设备的鉴权装置,第二用户设备可以通过向第一用户设备发送用于与目的APN建立会话的建立请求,以使得在网的第一用户设备来决定第二用户设备可以接入的APN,相比于现有技术中第二用户设备只能使用与中继设备相同的APN进行接入相比而言,本发明能够从网络侧获取到第二用户设备能够接入的APN,很大程 度上能够获取到除中继设备正在使用的APN以外的APN,从而为第二用户设备的接入提供了更多的选择,为第二用户设备提供更大的网络访问范围。An authentication device for a user equipment is provided by the embodiment of the present invention. The second user equipment may send a setup request for establishing a session with the destination APN to the first user equipment, so that the first user equipment on the network determines The APN that the second user equipment can access, compared to the second user equipment in the prior art, can only use the same APN as the relay device to access. Compared to the second user, the present invention can obtain the second user from the network side. APN that the device can access, a large range An APN other than the APN being used by the relay device can be obtained, thereby providing more options for accessing the second user equipment and providing a larger network access range for the second user equipment.
An embodiment of the present invention further provides an apparatus for authenticating a user equipment, applied to a device-to-device (D2D) network. As shown in FIG. 5, the apparatus includes a transceiver 31:
The transceiver 31 is configured to receive a request message sent by the second user equipment, where the request message includes an access point name (APN), and to send, in response to the request message, a response message to the second user equipment, where the response message indicates whether the second user equipment can establish a connection to the APN.
Optionally, as shown in FIG. 6, the apparatus further includes a processor 32:
The processor 32 is configured to determine whether access authorization information of the APN is stored in the first user equipment.
The transceiver 31 is further configured to: when it is determined that the access authorization information of the APN is not stored in the first user equipment, send an authentication request to a network device in response to the request message, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
Optionally, the transceiver 31 is specifically configured to: after receiving the authentication reply message returned by the network device, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
Optionally, when it is determined that the access authorization information of the APN is stored in the first user equipment, the transceiver 31 is configured to send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
Optionally, the transceiver 31 is further specifically configured to: when the authentication request carries the APN, send, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, in which case the authentication reply message indicates whether the second user equipment can access the APN; when the authentication request carries the identification information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, in which case the authentication reply message indicates the APN that the first user equipment can access; and when the authentication request carries the identification information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, in which case the authentication reply message indicates the APN that the second user equipment can access.
Optionally, the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
With the apparatus for authenticating a user equipment provided in this embodiment of the present invention, the second user equipment can send, to the first user equipment, a setup request for establishing a session with a target APN, so that the first user equipment, which is on the network, decides which APN the second user equipment can access. Compared with the prior art, in which the second user equipment can only use the same APN as the relay device for access, the present invention can obtain from the network side the APNs that the second user equipment can access, and can to a large extent obtain APNs other than the APN that the relay device is using, thereby providing more choices for the access of the second user equipment and a larger network access range for the second user equipment.
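The decision flow of the first user equipment described in the two apparatus embodiments above (check stored access authorization information, otherwise send an authentication request carrying the APN or a user equipment identifier, then answer the second user equipment) is modelled below as an added Python example; it is not code from the patent. The names `RelayUE`, `AuthReply`, `sample_network`, `SUBSCRIPTIONS` and the `carry` values are hypothetical, and three behaviours are assumptions of this example: APNs are compared case-insensitively, stored authorization is keyed by the user equipment it was issued for, and a missing or failed reply is treated as "cannot connect" without being stored.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AuthReply:
    """Authentication reply message from the network device (constructed model)."""
    success: bool
    allowed_apns: FrozenSet[str] = frozenset()


# Hypothetical transport: (carried field, carried value, requesting remote UE)
# -> reply, or None when no reply arrives.
NetworkQuery = Callable[[str, str, str], Optional[AuthReply]]


def norm(apn: str) -> str:
    # Assumption: APNs are compared case-insensitively, like DNS labels.
    return apn.strip().lower()


class RelayUE:
    """First user equipment: answers a second UE's request message for an APN."""

    def __init__(self, relay_id: str, query: NetworkQuery):
        self.relay_id = relay_id
        self._query = query
        # Stored access authorization information, keyed by the UE it applies to,
        # so one remote UE's grant is never reused for another remote UE.
        self._per_apn: Dict[Tuple[str, str], bool] = {}
        self._full_list: Dict[str, FrozenSet[str]] = {}
        self.network_requests = 0

    def _stored(self, subject: str, apn: str) -> Optional[bool]:
        if subject in self._full_list:          # reply listed all accessible APNs
            return apn in self._full_list[subject]
        return self._per_apn.get((subject, apn))

    def handle_request(self, remote_id: str, apn: str, carry: str = "apn") -> bool:
        """Return the content of the response message: True means 'can connect'."""
        if carry not in ("apn", "first_ue_id", "second_ue_id"):
            raise ValueError("unknown authentication request variant")
        apn = norm(apn)
        subject = self.relay_id if carry == "first_ue_id" else remote_id
        stored = self._stored(subject, apn)
        if stored is not None:                  # answer from stored information
            return stored
        self.network_requests += 1
        reply = self._query(carry, apn if carry == "apn" else subject, remote_id)
        if reply is None or not reply.success:
            return False                        # fail closed, store nothing
        allowed = frozenset(norm(a) for a in reply.allowed_apns)
        if carry == "apn":
            self._per_apn[(subject, apn)] = apn in allowed
        else:
            self._full_list[subject] = allowed
        return apn in allowed


# Constructed sample subscription data standing in for the network device.
SUBSCRIPTIONS = {
    "remote-1": {"internet", "ims"},
    "remote-2": {"internet"},
    "relay-1": {"internet", "mcptt"},
}


def sample_network(carry: str, value: str, remote_id: str) -> Optional[AuthReply]:
    if carry == "apn":
        ok = value in SUBSCRIPTIONS.get(remote_id, set())
        return AuthReply(True, frozenset({value}) if ok else frozenset())
    if value not in SUBSCRIPTIONS:
        return AuthReply(False)                 # authentication of the UE failed
    return AuthReply(True, frozenset(SUBSCRIPTIONS[value]))
```

When the reply lists all accessible APNs, later requests for any APN by the same subject are answered locally, which is why the stored information must be bound to the identity it was issued for.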
The embodiments in this specification are described in a progressive manner. For the same or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, because the apparatus embodiments are basically similar to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiments.
A person of ordinary skill in the art can understand that all or part of the flows of the methods in the foregoing embodiments can be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the methods described above.
The foregoing descriptions are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (18)

  1. A method for authenticating a user equipment, applied to a device-to-device (D2D) network, the method comprising:
    receiving, by the first user equipment, a request message sent by the second user equipment, where the request message includes an access point name (APN); and
    sending, by the first user equipment in response to the request message, a response message to the second user equipment, to indicate whether the second user equipment can establish a connection to the APN.
  2. The method according to claim 1, wherein before the first user equipment sends the response message to the second user equipment, the method further comprises:
    determining, by the first user equipment, whether access authorization information of the APN is stored in the first user equipment; and
    if it is determined that the access authorization information of the APN is not stored in the first user equipment, sending, by the first user equipment in response to the request message, an authentication request to a network device, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  3. The method according to claim 2, wherein the sending, by the first user equipment, a response message to the second user equipment comprises:
    after receiving the authentication reply message returned by the network device, sending the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
  4. The method according to claim 3, wherein if it is determined that the access authorization information of the APN is stored in the first user equipment, the sending, by the first user equipment, a response message to the second user equipment comprises:
    sending, by the first user equipment, the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  5. The method according to claim 4, wherein the sending, by the first user equipment in response to the request message, an authentication request to the network device comprises:
    when the authentication request carries the APN, sending, by the first user equipment to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, in which case the authentication reply message indicates whether the second user equipment can access the APN;
    when the authentication request carries the identification information of the first user equipment, sending, by the first user equipment to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, in which case the authentication reply message indicates the APN that the first user equipment can access; and
    when the authentication request carries the identification information of the second user equipment, sending, by the first user equipment to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, in which case the authentication reply message indicates the APN that the second user equipment can access.
  6. The method according to claim 3, wherein the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
  7. An apparatus for authenticating a user equipment, applied to a device-to-device (D2D) network, the apparatus comprising:
    a receiving unit, configured to receive a request message sent by the second user equipment, where the request message includes an access point name (APN); and
    a first sending unit, configured to send, in response to the request message, a response message to the second user equipment, to indicate whether the second user equipment can establish a connection to the APN.
  8. The apparatus according to claim 7, further comprising:
    a determining unit, configured to determine whether access authorization information of the APN is stored in the first user equipment; and
    a second sending unit, configured to: when it is determined that the access authorization information of the APN is not stored in the first user equipment, send an authentication request to a network device in response to the request message, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  9. The apparatus according to claim 8, wherein the first sending unit is specifically configured to: after receiving the authentication reply message returned by the network device, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
  10. The apparatus according to claim 9, wherein when it is determined that the access authorization information of the APN is stored in the first user equipment, the first sending unit is further configured to send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  11. The apparatus according to claim 10, wherein the second sending unit is further specifically configured to: when the authentication request carries the APN, send, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, in which case the authentication reply message indicates whether the second user equipment can access the APN; when the authentication request carries the identification information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, in which case the authentication reply message indicates the APN that the first user equipment can access; and when the authentication request carries the identification information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, in which case the authentication reply message indicates the APN that the second user equipment can access.
  12. The apparatus according to claim 9, wherein the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
  13. An apparatus for authenticating a user equipment, applied to a device-to-device (D2D) network, the apparatus comprising a transceiver:
    the transceiver being configured to receive a request message sent by the second user equipment, where the request message includes an access point name (APN), and to send, in response to the request message, a response message to the second user equipment, to indicate whether the second user equipment can establish a connection to the APN.
  14. The apparatus according to claim 13, further comprising a processor:
    the processor being configured to determine whether access authorization information of the APN is stored in the first user equipment; and
    the transceiver being further configured to: when it is determined that the access authorization information of the APN is not stored in the first user equipment, send an authentication request to a network device in response to the request message, where the authentication request carries the APN or identification information of the user equipment being authenticated, so that the network device returns an authentication reply message to the first user equipment after the authentication succeeds.
  15. The apparatus according to claim 14, wherein the transceiver is specifically configured to: after receiving the authentication reply message returned by the network device, send the response message to the second user equipment according to the authentication reply message, to indicate whether the second user equipment can connect to the APN carried in the request message.
  16. The apparatus according to claim 15, wherein when it is determined that the access authorization information of the APN is stored in the first user equipment, the transceiver is configured to send the response message to the second user equipment according to the access authorization information of the APN, to indicate whether the second user equipment can connect to the APN carried in the request message.
  17. The apparatus according to claim 16, wherein the transceiver is further specifically configured to: when the authentication request carries the APN, send, to the network device corresponding to the second user equipment, an authentication request for determining whether the second user equipment can connect to the APN, in which case the authentication reply message indicates whether the second user equipment can access the APN; when the authentication request carries the identification information of the first user equipment, send, to the network device corresponding to the first user equipment, an authentication request for authenticating the first user equipment, in which case the authentication reply message indicates the APN that the first user equipment can access; and when the authentication request carries the identification information of the second user equipment, send, to the network device corresponding to the second user equipment, an authentication request for authenticating the second user equipment, in which case the authentication reply message indicates the APN that the second user equipment can access.
  18. The apparatus according to claim 15, wherein the authentication reply message includes all APNs that the second user equipment can access, and/or all APNs that the first user equipment can access.
PCT/CN2015/082707 2015-06-29 2015-06-29 Method and apparatus for authenticating user equipment WO2017000140A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2015/082707 WO2017000140A1 (en) 2015-06-29 2015-06-29 Method and apparatus for authenticating user equipment
CN201580049417.XA CN106688259B (en) 2015-06-29 2015-06-29 Authentication method and device for user equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/082707 WO2017000140A1 (en) 2015-06-29 2015-06-29 Method and apparatus for authenticating user equipment

Publications (1)

Publication Number Publication Date
WO2017000140A1 true WO2017000140A1 (en) 2017-01-05

Family

ID=57607448

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/082707 WO2017000140A1 (en) 2015-06-29 2015-06-29 Method and apparatus for authenticating user equipment

Country Status (2)

Country Link
CN (1) CN106688259B (en)
WO (1) WO2017000140A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023240575A1 (en) * 2022-06-16 2023-12-21 北京小米移动软件有限公司 Relay communication method, communication apparatus, and communication device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102761981A (en) * 2011-04-29 2012-10-31 华为技术有限公司 Method and system for establishing RRC (Radio Resource Control) connection
CN103369709A (en) * 2012-03-30 2013-10-23 电信科学技术研究院 A method and an apparatus for establishing PDN connectivity
US20150023350A1 (en) * 2013-07-22 2015-01-22 Verizon Patent And Licensing Inc. Network connection via a proxy device using a generic access point name

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102123477B (en) * 2010-01-08 2015-06-10 中兴通讯股份有限公司 Access realization method and device of M2M (Machine to Machine) core network
CN103188738B (en) * 2011-12-27 2015-11-25 华为技术有限公司 resource allocation method, device and system
CN103781114A (en) * 2012-10-24 2014-05-07 中兴通讯股份有限公司 Network access method, device and system

Also Published As

Publication number Publication date
CN106688259B (en) 2020-01-21
CN106688259A (en) 2017-05-17

Similar Documents

Publication Publication Date Title
US11412473B2 (en) PDU session management
US10595250B2 (en) Quality of service initiated handover
KR101814969B1 (en) Systems and methods for accessing a network
JP5793812B2 (en) Method, network side device, user equipment, and network system for triggering data offload
AU2018265334B2 (en) Selection of IP version
CN106105321B (en) Method for connecting user equipment to IMS network through network browser for network real-time communication service
JP2016507963A (en) Authenticate wireless dockees to wireless docking services
CN110830925A (en) Session management method and device for user group
TW201114225A (en) Wireless communication method and system for activating multiple service bearers via efficient packet data protocol context activation procedures
US8948754B2 (en) Method and apparatus for establishing a communication connection
WO2019076308A1 (en) Method, apparatus and device for determining state of terminal device
WO2022052798A1 (en) Qos control method and device, and processor-readable storage medium
WO2012130133A1 (en) Access point and terminal access method
US20220263879A1 (en) Multicast session establishment method and network device
CN109417490A (en) A kind of access control method and device
JP2018518113A (en) Method for discovering handover function of mobile communication network, system for discovering handover function of mobile communication network, user apparatus, program and computer program product
CN110475296B (en) Service quality negotiation method and device
KR20160001569A (en) Method and apparatus for proividing quality of service of web real-time communication
WO2016169232A1 (en) Authentication method, apparatus and system for d2d service multicast
WO2017000140A1 (en) Method and apparatus for authenticating user equipment
WO2014134819A1 (en) Billing method, access network device and gateway device
WO2014047923A1 (en) Method and device for accessing network
US10798054B2 (en) IP address allocation method in D2D communication and user equipment
WO2015135278A1 (en) Authentication method and system, prose functional entity, and ue
WO2022067736A1 (en) Communication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15896671

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15896671

Country of ref document: EP

Kind code of ref document: A1