WO2018196587A1 - Procédé et appareil d'authentification d'utilisateur dans un réseau convergent - Google Patents

Procédé et appareil d'authentification d'utilisateur dans un réseau convergent Download PDF

Info

Publication number
WO2018196587A1
WO2018196587A1 PCT/CN2018/082289 CN2018082289W WO2018196587A1 WO 2018196587 A1 WO2018196587 A1 WO 2018196587A1 CN 2018082289 W CN2018082289 W CN 2018082289W WO 2018196587 A1 WO2018196587 A1 WO 2018196587A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
network element
terminal device
type
parameter
Prior art date
Application number
PCT/CN2018/082289
Other languages
English (en)
Chinese (zh)
Inventor
李汉成
于游洋
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2018196587A1 publication Critical patent/WO2018196587A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/062Pre-authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a user authentication method and apparatus in a converged network.
  • the mobile terminal device from the Third Generation Partnership Project (3 rd Generation Partnership Project, 3GPP ) network access bearer extensible authentication protocol (Extensible Authentication Protocol-based non-access stratum (Non-access stratum, NAS) , EAP) completes access authentication to the mobile core network.
  • 3GPP Third Generation Partnership Project
  • 3GPP Third Generation Partnership Project
  • EAP Extensible Authentication Protocol-based non-access stratum
  • the Customer Premises Equipment also known as the customer front-end equipment, is based on Ethernet Point to Point Protocol over Ethernet (PPPoE) or Ethernet Protocol over Ethernet (IPoE).
  • PPPoE Point to Point Protocol over Ethernet
  • IPoE Ethernet Protocol over Ethernet
  • the prior art cannot implement the fixed network terminal accessing the mobile core network. Therefore, for scenarios where both fixed and mobile networks need to be supported, two core networks need to be deployed to manage the mobile terminal and the fixed network terminal respectively, which will bring about a problem of high network cost.
  • next-generation communication network architecture As shown in the schematic diagram of the next-generation communication system architecture shown in FIG.
  • the architecture supports not only standard 3GPP defined set of wireless technologies (e.g., long term evolution (Long Term Evolution, LTE), a fifth-generation mobile communication (5 th Generation, 5G), etc.) access the core network side (Core network), and supports non
  • the 3GPP access technology can access the core network side through a non-3GPP Interworking Function (N3IWF) or a next generation packet data gateway (ngPDG) to implement a converged network.
  • N3IWF non-3GPP Interworking Function
  • ngPDG next generation packet data gateway
  • the application provides a user authentication method and device in a converged network to solve the user authentication problem in the converged network.
  • An aspect of the present application provides a user authentication method in a converged network, where the method includes: an access network element receives an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate to determine the terminal device.
  • An authentication parameter the access network element sends an authentication parameter request to the control network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element; and the access network element receives At least one authentication parameter from the control network element and transmitting the at least one authentication parameter to the terminal device, the at least one authentication parameter corresponding to the access protocol type, each type of authentication parameter includes a type An authentication type, and/or a parameter corresponding to the authentication type; the access network element determines one of the authentication parameters supported by the terminal device and the control network element in the at least one authentication parameter, Obtaining the user authentication information of the terminal device, and sending the user authentication information and the determined one of the authentication parameters to the control network element for authentication; NE receives an authentication result from the control network element and transmitting the authentication result to the
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the terminal device may also provide the supported authentication type, but the authentication type is used for the terminal device to negotiate with the access network element, and the control network element may preferably use the authentication supported by the terminal device. Types of.
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • PAP is a simple type of authentication that enables fast authentication.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • CHAP is a highly secure authentication type that enables secure and reliable authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • Another aspect of the present application provides a user authentication method in a converged network, where the method includes: the terminal device sends an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate to determine the terminal device.
  • An authentication parameter the terminal device receives at least one authentication parameter from the access network element, the at least one authentication parameter corresponding to the access protocol type, each authentication parameter includes an authentication type, and/ Or a parameter corresponding to the authentication type; the terminal device determines one of the authentication parameters supported by the terminal device and the control network element in the at least one authentication parameter, and sends the authentication parameter to the access network
  • the element transmits user authentication information; the terminal device receives an authentication result from the access network element.
  • user authentication when any terminal device accesses the converged network is implemented, so that any terminal device can access the converged network securely and reliably.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the terminal device may also provide the requested authentication type, but which authentication type is used for authentication, and the terminal device needs to negotiate with the access network element, and the control network element may preferably adopt the authentication supported by the terminal device. Types of.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • a further aspect of the present application provides a user authentication method in a converged network, the method comprising: controlling a network element to receive an authentication parameter request from an access network element, where the authentication parameter request includes: a terminal device access station An access protocol type of the access network element, where the control network element generates at least one authentication parameter according to the authentication parameter request, and sends the at least one authentication parameter to the access network element, where At least one type of authentication parameter corresponding to the access protocol type, each type of authentication parameter includes a type of authentication supported by the authentication parameter request, and/or a parameter corresponding to the type of the authentication; the control network Receiving, by the UE, the user authentication information from the access network element, and one of the authentication parameters supported by the terminal device and the control network element in the at least one authentication parameter, and adopting the determined An authentication parameter is used to authenticate the user authentication information, and the authentication result is obtained; the control network element sends the authentication result to the access network element.
  • the authentication parameter request includes: a terminal device access station An access protocol type of the
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device.
  • the terminal device may also provide the requested authentication type, but which authentication type is used for authentication, and the terminal device needs to negotiate with the access network element, and the control network element may preferably adopt the authentication supported by the terminal device. Types of.
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • PAP is a simple type of authentication that enables fast authentication.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • CHAP is a highly secure authentication type that enables secure and reliable authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • an access network element is provided, and the access network element has a function of implementing access network element behavior in the foregoing method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the method and the beneficial effects of the above-mentioned possible access network elements can be referred to the implementation of the method and the beneficial effects. Therefore, the implementation of the device can refer to the implementation of the method, and the method is repeated. I won't go into details here.
  • a terminal device having a function of implementing the behavior of the terminal device in the above method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the device can be referred to the method embodiments of the foregoing possible terminal devices and the beneficial effects thereof. Therefore, the implementation of the device can refer to the implementation of the method, and the repetition is not Let me repeat.
  • a control network element is provided, and the control network element has a function of implementing the behavior of controlling a network element in the foregoing method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the device can be referred to the method embodiments of the foregoing possible control network elements and the beneficial effects thereof. Therefore, the implementation of the device can be referred to the implementation of the method. No longer.
  • a user authentication method in a converged network comprising: an access network element receiving an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation to determine the The type of authentication for the terminal device to perform user authentication; the access network element determines that the authentication type of the terminal device for user authentication is plaintext authentication; and the access network element receives user authentication information from the terminal device, and The user authentication information and the authentication type are sent to the control network element for authentication; the access network element receives the authentication result from the control network element and sends the authentication result to the terminal device.
  • the access network element determines that the authentication type of the terminal device is plaintext authentication
  • the method includes: configuring, by the access network element, that the authentication type of the terminal device is plaintext authentication; And sending, by the terminal device, an authentication type negotiation request, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and the access network element receives a first negotiation feedback message from the terminal device, where the A negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plain text authentication.
  • the access network element determines that the authentication type of the terminal device is plain text authentication
  • the method includes: determining, by the access network element, that the authentication type of the terminal device is a plaintext according to the authentication negotiation request. Authentication, wherein the authentication negotiation request is further used to indicate that the authentication type supported by the terminal device is plaintext authentication; the access network element sends a second negotiation feedback message to the terminal device, where the second negotiation feedback is The message is used to indicate that the access network element agrees that the authentication type is plain text authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • a still further aspect of the present application provides a user authentication method in a converged network, where the method includes: the terminal device sends an authentication negotiation request to the access network element, where the authentication negotiation request is used to request negotiation to determine the terminal.
  • the authentication type of the device for user authentication the terminal device determines that the authentication type of the user authentication is plain text authentication; the terminal device sends user authentication information to the access network element; and the terminal device receives the access network element from the access network element.
  • Certification results.
  • user authentication when any terminal device accesses the converged network is implemented, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element directly determine that the authentication type is plaintext.
  • Authentication eliminates the need to request authentication parameters from the control network element, simplifying the authentication process.
  • the terminal device determines that the authentication type of the user authentication is plain text authentication, and the method includes: the terminal device receives a negotiation request from the access network element, and the negotiation request is used to negotiate the authentication type.
  • the terminal device sends a first negotiation feedback message to the access network element, where the first negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plain text authentication.
  • the terminal device determines that the authentication type of the user authentication is plain text authentication, and the method includes: the terminal device receives a second negotiation feedback message from the access network element, and the second negotiation feedback message And indicating that the access network element agrees that the authentication type is plaintext authentication.
  • the terminal device includes a mobile terminal device or a fixed network terminal device.
  • an access network element has a function of implementing access network element behavior in the foregoing method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the method and the beneficial effects of the above-mentioned possible access network elements can be referred to the implementation of the method and the beneficial effects. Therefore, the implementation of the device can refer to the implementation of the method, and the method is repeated. I won't go into details here.
  • a terminal device having a function of implementing a behavior of a terminal device in the above method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the principle and the beneficial effects of the device can be referred to the method embodiments of the foregoing possible terminal devices and the beneficial effects thereof. Therefore, the implementation of the device can refer to the implementation of the method, and the repetition is not Let me repeat.
  • Yet another aspect of the present application provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the above aspects.
  • Yet another aspect of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
  • FIG. 1 is a schematic diagram of an exemplary communication system architecture
  • FIG. 2 is a schematic diagram of interaction of a user authentication method in a converged network according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of interaction of another user authentication method in a converged network according to an embodiment of the present disclosure
  • FIG. 4 is a schematic diagram of a module for accessing a network element according to an embodiment of the present disclosure
  • FIG. 5 is a schematic diagram of a module of a terminal device according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic diagram of a module for controlling a network element according to an embodiment of the present disclosure
  • FIG. 7 is a schematic diagram of another module for accessing a network element according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic diagram of another terminal device according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic diagram of a hardware architecture of an access network element/terminal device/control network element according to an embodiment of the present invention.
  • the communication system involved in the embodiments of the present invention mainly includes: an access network element, a user plane function network element, and a control plane network element.
  • the control plane network element may also be referred to as a control network element.
  • the access network element is mainly responsible for access management of the terminal equipment (User Equipment, UE), and the user plane function network element is mainly responsible for packet data packet forwarding, QoS control, accounting information statistics, etc.; the control plane function network element is mainly responsible for User authentication, sending packet forwarding policies to users, QoS control policies, and so on.
  • the communication system may be a 5G communication system (for example, a New Radio (NR) system, a communication system in which a plurality of communication technologies are integrated (for example, a communication system in which LTE technology and NR technology are integrated), or a subsequent evolved communication system.
  • the terminal device in the example may be a fixed network terminal device; or may be a mobile terminal device, for example, a handheld device having a wireless communication function, an in-vehicle device, a wearable device, a computing device, or other processing device connected to the wireless modem.
  • Terminal devices in different networks may be called different names, such as: user equipment, access terminals, subscriber units, subscriber stations, mobile stations, mobile stations, remote stations, remote terminals, mobile devices, user terminals, terminals, wireless communications.
  • Device, user agent or user device cellular phone, cordless phone, Session Initiation Protocol (SIP) phone, Wireless Local Loop (WLL) station, Personal Digital Assistant (PDA), Terminal equipment in a 5G network or a future
  • the embodiments of the present invention mainly relate to communication between a terminal device, an access network element, and a control network element, and perform user authentication.
  • the terminal device requests the negotiation to determine the authentication parameter of the terminal device by sending an authentication negotiation request, where the authentication negotiation request includes the access protocol type of the terminal device, and the access network element sends an authentication parameter request to the control network element to control
  • the network element generates at least one type of authentication parameter corresponding to the access protocol type of the terminal device, and sends the authentication parameter to the access network element, and the access network element negotiates with the terminal device to determine a type supported by the terminal device and the control network element.
  • the authentication parameter, the access network element sends the determined authentication parameter and the user authentication information received from the terminal device to the control network element for user authentication, and obtains the authentication result. Therefore, the user authentication method and device in the converged network provided by the embodiment of the present invention enable user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably. .
  • FIG. 1 is a schematic diagram of an exemplary 5G communication system architecture.
  • the access network element Access Network, AN
  • the radio access network element Radio Access Network, RAN
  • the user plane function network element UPF
  • Yuan Control Plane, CP
  • the AN, the UPF, and the CP respectively correspond to the access network element, the user plane function network element, and the control plane function network element described above.
  • UPF is mainly responsible for packet data packet forwarding, QoS control, accounting information statistics, etc.
  • the CP is mainly responsible for sending data packet forwarding policies and QoS control policies to the user plane.
  • the CP specifically includes an Access and Mobility Management Funnel (AMF), a Session Management Funnel (SMF), an Authentication Service Function (AUSF), and a unified data management network.
  • AMF Access and Mobility Management Funnel
  • SMF Session Management Funnel
  • AUSF Authentication Service Function
  • UDM Unified Data Management
  • PCF Policy Control Function
  • AF Application Function Network
  • AMF is used for access management in a converged network
  • UDM is used to manage user subscription information.
  • the types of access protocols that the UE accesses the converged network include PPPoE, 802.1X, and so on.
  • the PPPoE discovery process may be performed between the UE and the AN.
  • the discovery process may include the following steps (not shown):
  • Step 1 The UE discovers the access network and sends a PPPoE Active Discovery Initiation (PADI) to the AN to initiate the PPPoE discovery process.
  • PADI PPPoE Active Discovery Initiation
  • the discovery of the access network is a logical process to illustrate the point in time when the PADI is initiated. Generally, when the UE is powered on and establishes a physical link, it is considered to be connected to the network; or it may be manual, such as clicking a PPPoE connection.
  • Step 2 AN selects AMF.
  • AMF is a component of CP, responsible for access and mobility management, as shown in Figure 1, but this embodiment describes the CP as a whole, but only when it specifically refers to the AMF component of the CP, The interaction of the AN with the AMF component is described in this step.
  • the AN may select the AMF based on a prior configuration or an access protocol type of the UE or the like.
  • Step 3 The AN generates a Registration NAS message according to the received PADI from the UE, and sends the message to the CP.
  • the Registration NAS message can also be said to be generated by the UE and then sent to the AN, which is not limited herein.
  • the registration NAS message carries the Network Access Identity (NAI), and the NAI contains user information from the PADI, such as: device identification, circuit ID, virtual local area network identifier (Vlan ID), user physics. At least one of the address (user MAC) and the host name.
  • NAI Network Access Identity
  • Step 4 The AN and the core network side complete the authentication and registration process according to the existing definition, and then the AN and the UE side complete the PPPoE discovery process. Specifically, the method further includes: Step 41) completing the authentication process of the AN and the core network, where the AN replaces the UE in response to the NAS message; Step 42) The core network side answers the registration completion message; Step 43) The AN allocates the session identifier ( Session ID), completes the PPPoE discovery process with the UE.
  • Session ID session identifier
  • a PPPoE session process may be performed, where the PPPoE session process includes user authentication, IP address allocation, and formal session.
  • Embodiments of the present invention generally relate to a user authentication process therein.
  • FIG. 2 is a schematic diagram of interaction of a user authentication method in a converged network according to an embodiment of the present invention, where the method is applicable to the foregoing communication system. Specifically, the method can include the following steps:
  • the terminal device sends an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device.
  • the access protocol type of the UE accessing the converged network includes the PPPoE, the 802.1X, and the Dynamic Host Configuration Protocol (DHCP).
  • the AN can configure the access protocol type of the UE, or can be an AN according to the AN.
  • the user packet of the UE received in the PPPoE discovery process determines the access protocol type of the UE, which is not limited herein.
  • Each access protocol type can correspond to one or more authentication parameters, and the same authentication parameters are required between the UE and the CP for authentication, so that the user authentication process can be successfully completed. Therefore, based on these protocols, the access network is used for user authentication.
  • the authentication parameters are negotiated between the UE and the AN.
  • the PPPoE access protocol is used as an example
  • the UE sends a Link Control Protocol (LCP) negotiation request to the AN as an authentication negotiation request
  • the LCP negotiation request is used to negotiate to determine the UE's authentication parameter, the LCP.
  • the negotiation request includes the type of access protocol that the UE accesses the AN.
  • the authentication parameter includes an authentication type and a parameter corresponding to the authentication type.
  • the AN receives an LCP negotiation request from the UE.
  • LCP Link Control Protocol
  • the LCP negotiation request may also include an authentication type supported by the UE, or an authentication type that the UE expects to perform.
  • the access network element sends an authentication parameter request to the control network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element.
  • the AN constructs an authentication parameter request, and the authentication parameter request includes an access protocol type in which the terminal device accesses the AN.
  • the AN then sends an authentication parameter request to the CP.
  • the CP receives an authentication parameter request from the AN.
  • the AN may choose to carry the authentication type supported by the UE in the authentication parameter request, or may choose not to carry the authentication type supported by the UE in the authentication parameter request. If the AN does not carry the authentication type supported by the UE, and the authentication parameter received by the AN from the CP is all the authentication parameters supported by the CP corresponding to the access protocol type, the authentication parameters received by the AN from the CP generally include the UE. The type of authentication supported.
  • the control network element generates, according to the authentication parameter request, at least one type of authentication parameter, where each type of authentication parameter includes: determining, according to the authentication parameter request, a type of authentication supported, and/or corresponding to the type of authentication. Parameters.
  • the CP selects one or more types of authentication corresponding to the type of the access protocol according to the type of the access protocol included in the authentication parameter request. Then, since the CP has previously completed the authentication and registration process with the UE, the CP has been configured according to the UE.
  • the user information obtains the user subscription information of the UE (the user subscription information is previously stored in the UDM), and therefore, the CP generates parameters corresponding to each authentication type according to the user subscription information of the UE and the selected authentication type.
  • the CP itself stores the authentication parameters. Specifically, the authentication parameters are generated by the AUSF module in the CP.
  • Authentication types include the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP).
  • PAP the corresponding parameter is null, that is, its parameter is: ⁇ PAP: NULL ⁇ , or the parameter corresponding to PAP is not included in the authentication parameter.
  • CHAP its corresponding parameters include: algorithm, challenge identifier, and/or challenge identifier length, for example, its parameters are: ⁇ CHAP: ⁇ algorithm: 5 (MD5); Challenge ID Length: 16; Challenge ID: *** * ⁇ .
  • the CP priority response only supports the authentication type, and provides corresponding Parameter information. For example, if the authentication type requested by the UE is PAP, and the CP supports both the PAP and CHAP authentication types, the type of authentication that the CP can answer is PAP.
  • the control network element sends the at least one authentication parameter to the access network element.
  • the access network element sends the at least one authentication parameter to the terminal device.
  • the CP sends the generated one or more authentication parameters to the AN, and the AN receives at least one authentication parameter from the CP.
  • the AN sends the received one or more authentication parameters to the UE, and the UE receives at least one authentication parameter from the AN.
  • the access network element determines, in the at least one type of authentication parameter, one of the authentication parameters supported by the terminal device and the control network element.
  • the terminal device determines, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element.
  • the negotiation process may be implemented in multiple ways: the AN may send a negotiation request to the UE, the UE feeds back the authentication type supported by the UE, and then the AN responds; or the UE sends a negotiation request to the AN, the negotiation.
  • the request carries the type of authentication supported by the UE, and the AN responds.
  • the AN negotiates with the UE to determine one of the authentication parameters supported by the UE and the CP.
  • the AN may respond to the CP support or not support the authentication type, or the AN allows the UE to re-feed back one or more authentications sent.
  • the type of authentication supported by the UE in the type is not limited.
  • the terminal device sends user authentication information to the access network element.
  • the UE After the UE negotiates with the AN to determine the authentication type, the UE sends the user authentication information corresponding to the authentication type to the AN.
  • the user authentication information is, for example, a username and a password.
  • the AN receives user authentication information from the UE.
  • the access network element sends the user authentication information and the determined one of the authentication parameters to the control network element for authentication.
  • the AN will negotiate with the UE to determine the good authentication parameters (specifically, the authentication type is negotiated), and the user authentication information sent by the UE is sent to the CP for authentication.
  • the CP receives user authentication information from the AN and one of the determined authentication parameters.
  • the control network element authenticates the user authentication information by using the determined one of the authentication parameters, and obtains an authentication result.
  • the CP obtains the comparison information according to the authentication parameters. For example, if it is a CHAP authentication type, the authentication parameter determined by the negotiation and the user subscription information are used for calculation, and the comparison information is obtained; if it is the PAP authentication type, the user subscription information is directly obtained as the comparison information. The comparison process and the user authentication information are then used for comparison to complete the authentication process.
  • the comparison process is: user subscription information is (user name: A, password: B); authentication parameters are, for example, ⁇ algorithm: 5 (MD5); Change ID Length: 16; Change ID: C ⁇
  • MD5 ⁇ algorithm
  • Change ID Length 16
  • Change ID: C Change ID: C
  • the CP receives the user authentication information as: (user name: A, password: D)
  • the password B in the user subscription information and the challenge identifier C in the authentication parameter are used for MD5 calculation, and the digital string E is calculated, and then the ratio is calculated. Correct.
  • the user name is A. If the password D and the numeric string E are equal, the user is legal, otherwise it is illegal.
  • the comparison user name is A
  • the password D and the subscription information B are directly compared. If they are equal, the user is legal, otherwise it is illegal.
  • the control network element sends the authentication result to the access network element.
  • the authentication result includes the authentication, the user is a legitimate user, or the authentication fails.
  • the user is an illegal user.
  • the CP sends the authentication result to the AN, and the AN receives the authentication result from the CP.
  • the access network element sends the authentication result to the terminal device.
  • the AN notifies the UE of the authentication result of the CP, and the UE receives the authentication result from the AN.
  • the UE can be a mobile terminal device or a fixed network terminal device. Any terminal device can access the converged network for user authentication in this manner, so that any terminal device can access the converged network securely and reliably.
  • the user authentication method in the converged network implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 3 is a schematic diagram of interaction of another user authentication method in a converged network according to an embodiment of the present invention, where the method is applicable to the foregoing communication system. Specifically, the method can include the following steps:
  • the terminal device sends an authentication negotiation request to the access network element.
  • the UE sends an authentication negotiation request to the AN to perform user authentication.
  • the authentication negotiation request is used to request negotiation to determine the type of authentication in which the UE performs user authentication.
  • the authentication negotiation request may be used to indicate that the authentication type supported by the UE is plaintext authentication. In another implementation manner, the authentication negotiation request does not include the indication.
  • the AN receives an authentication negotiation request from the UE.
  • the access network element and the terminal device determine that the authentication type of the terminal device for user authentication is plaintext authentication.
  • the authentication type of the plain text authentication (that is, PAP authentication) is adopted, and the AN does not need to obtain the authentication parameter from the CP, and the AN and the UE directly determine that the authentication type for performing user authentication is plain text authentication.
  • the access network element determines that the authentication type of the terminal device is a plaintext authentication, and the method includes: configuring, by the access network element, that the authentication type of the terminal device is a plaintext
  • the access network element sends an authentication type negotiation request to the terminal device, where the negotiation request is used to negotiate that the authentication type is plaintext authentication; and the access network element receives the first from the terminal device.
  • the first negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plaintext authentication.
  • the terminal device determines that the authentication type of the user authentication is plain text authentication, and the method includes: the terminal device receives a negotiation request from the access network element, and the negotiation request is used to negotiate that the authentication type is plaintext.
  • the terminal device sends a first negotiation feedback message to the access network element, where the first negotiation feedback message is used to indicate that the terminal device agrees that the authentication type is plaintext authentication.
  • the AN configures the authentication type of the UE to be plaintext authentication, and then negotiates with the UE.
  • the access network element determines that the authentication type of the terminal device is plaintext authentication, and the method includes: determining, by the access network element, the terminal device according to the authentication negotiation request.
  • the authentication type is a plain text authentication
  • the authentication negotiation request is further used to indicate that the authentication type supported by the terminal device is plaintext authentication
  • the access network element sends a second negotiation feedback message to the terminal device, where The second negotiation feedback message is used to indicate that the access network element agrees that the authentication type is plain text authentication.
  • the terminal device determines that the authentication type of the user authentication is the plain text authentication, and the method includes: the terminal device receives a second negotiation feedback message from the access network element, where the second negotiation feedback message is used to indicate The access network element agrees that the authentication type is plain text authentication.
  • the UE indicates in the authentication negotiation request that the supported authentication type is plain text authentication, and then the AN feeds back whether it agrees to adopt the authentication type of the plain text authentication, thereby completing the negotiation process.
  • the terminal device sends user authentication information to the access network element.
  • the UE After the UE negotiates with the AN to determine that the authentication type is plaintext authentication, the UE sends the user authentication information corresponding to the authentication type to the AN.
  • the AN receives user authentication information from the UE.
  • the user authentication information is, for example, a username and a password.
  • the access network element sends the user authentication information and the authentication type to the control network element for authentication.
  • the AN authenticates the user authentication information and the authentication type as a plain text authentication notification CP, and the user authenticates the user authentication information.
  • the CP receives user authentication information and authentication type from the AN.
  • the user subscription information is (user name: A, password: B).
  • the CP receives the user authentication information as: (user name: A, password: D)
  • the comparison user name is A
  • the password is directly compared.
  • D and the contract information B are equal. If they are equal, the user is legal, otherwise it is illegal.
  • the control network element authenticates the user authentication information according to the authentication type, and obtains an authentication result.
  • the control network element sends the authentication result to the access network element.
  • the AN receives the authentication result from the CP.
  • the access network element sends the authentication result to the terminal device.
  • the UE receives the authentication result from the AN.
  • the terminal device and the access network element directly determine that the authentication type is plaintext authentication, and the authentication parameter is not required to be requested from the control network element, which simplifies the authentication process.
  • the UE can directly configure the UE to perform the authentication without the need for the authentication, that is, the authentication is not required.
  • the AN receives the LCP negotiation request, the AN sends the indication that the UE does not need to be authenticated to the UE, and the UE can access the network for subsequent operations. .
  • the user authentication method in the converged network implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device
  • the access network element directly determines that the authentication type is plain text authentication, and does not need to request an authentication parameter from the control network element, which simplifies the authentication process.
  • FIG. 4 is a schematic diagram of a module for accessing a network element according to an embodiment of the present invention.
  • the access network element may be an access network element described in the foregoing communication system.
  • the access network element 1000 includes: a receiving unit 11, a sending unit 12, and a determining unit 13; wherein:
  • the receiving unit 11 is configured to receive an authentication negotiation request from the terminal device, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device;
  • the sending unit 12 is configured to send an authentication parameter request to the control network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the receiving unit 11 is further configured to receive at least one authentication parameter from the control network element, where the at least one authentication parameter corresponds to the access protocol type, and each type of authentication parameter includes an authentication type, and / or a parameter corresponding to the type of authentication;
  • the sending unit 12 is further configured to send the at least one authentication parameter to the terminal device;
  • the determining unit 13 is configured to determine, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the receiving unit 11 is further configured to acquire user authentication information of the terminal device
  • the sending unit 12 is further configured to send the user authentication information and the determined one of the authentication parameters to the control network element for authentication;
  • the receiving unit 11 is further configured to receive an authentication result from the control network element.
  • the sending unit 12 is further configured to send the authentication result to the terminal device.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device. .
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • An access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 5 is a schematic diagram of a module of a terminal device according to an embodiment of the present invention.
  • the terminal device may be a terminal device described in the foregoing communication system.
  • the terminal device 2000 includes: a sending unit 21, a receiving unit 22, and a determining unit 23; wherein:
  • the sending unit 21 is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device.
  • the receiving unit 22 is configured to receive at least one authentication parameter from the access network element, where the at least one authentication parameter corresponds to the access protocol type, each authentication parameter includes an authentication type, and/or a parameter corresponding to the authentication type;
  • a determining unit 23 configured to determine, in the at least one type of authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the sending unit 21 is further configured to send user authentication information to the access network element.
  • the receiving unit 22 is further configured to receive an authentication result from the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device. .
  • a terminal device implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 6 is a schematic diagram of a module for controlling a network element according to an embodiment of the present invention.
  • the control network element may be a control network element described in the foregoing communication system.
  • the control network element 3000 includes: a receiving unit 31, a generating unit 32, a sending unit 33, and an authenticating unit 34; wherein:
  • the receiving unit 31 is configured to receive an authentication parameter request from the access network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the generating unit 32 is configured to generate, according to the authentication parameter request, at least one type of authentication parameter, where the at least one type of authentication parameter corresponds to the access protocol type, and each type of the authentication parameter comprises: supporting according to the authentication parameter request confirmation An authentication type, and/or a parameter corresponding to the authentication type;
  • the sending unit 33 is configured to send the at least one authentication parameter to the access network element
  • the receiving unit 31 is further configured to receive user authentication information from the access network element, and the terminal device and the control network element in the at least one authentication parameter of the access network element An authentication parameter;
  • the authentication unit 34 is configured to authenticate the user authentication information by using the determined one of the authentication parameters to obtain an authentication result.
  • the sending unit 33 is further configured to send the authentication result to the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device. .
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • a control network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • FIG. 7 is a schematic diagram of another module of an access network element according to an embodiment of the present invention.
  • the access network element may be an access network element in the foregoing communication system.
  • the access network element 4000 may include: a receiving unit 41, a determining unit 42 and a sending unit 43; wherein:
  • the receiving unit 41 is configured to receive an authentication negotiation request from the terminal device, where the authentication negotiation request is used to request the negotiation to determine the authentication type of the terminal device for performing user authentication.
  • the determining unit 42 is configured to determine that the authentication type of the terminal device is plain text authentication
  • the receiving unit 41 is further configured to receive user authentication information from the terminal device;
  • the sending unit 43 is configured to send the user authentication information and the authentication type to the control network element for authentication;
  • the receiving unit 41 is further configured to receive an authentication result from the control network element.
  • the sending unit 43 is further configured to send the authentication result to the terminal device.
  • An access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access device
  • the network element directly determines that the authentication type is plain text authentication, and does not need to request authentication parameters from the control network element, which simplifies the authentication process.
  • FIG. 8 is a schematic diagram of another terminal device according to an embodiment of the present disclosure, where the terminal device may be a terminal device in the foregoing communication system.
  • the terminal device 5000 may include: a sending unit 51, a determining unit 52, and a receiving unit 53; wherein:
  • the sending unit 51 is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to request the negotiation to determine the authentication type of the terminal device for performing user authentication.
  • a determining unit 52 configured to determine that the authentication type of the user authentication is plaintext authentication
  • the sending unit 51 is further configured to send user authentication information to the access network element.
  • the receiving unit 53 is configured to receive an authentication result from the access network element.
  • a terminal device implements user authentication when any terminal device accesses a converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element
  • the authentication type is directly determined to be plain text authentication, and the authentication parameters are not required to be requested from the control network element, which simplifies the authentication process.
  • the embodiment of the present invention further provides an access network element, where the access network element can be an access network element in the foregoing communication system, and the access network element can adopt the hardware architecture shown in FIG.
  • the access network element can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus.
  • the related functions implemented by the receiving unit 11 in FIG. 4 may be implemented by a receiver, and related functions implemented by the transmitting unit 12 may be implemented by a transmitter, and related functions implemented by the determining unit 13 may pass through one or more processors. to realise.
  • the memory includes, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an Erasable Programmable Read Only Memory (EPROM), or a portable Compact Disc Read-Only Memory (CD-ROM), which is used for related instructions and data.
  • RAM random access memory
  • ROM read-only memory
  • EPROM Erasable Programmable Read Only Memory
  • CD-ROM portable Compact Disc Read-Only Memory
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example, including one or more central processing units (CPUs).
  • CPUs central processing units
  • the CPU may be a single-core CPU, or may be Multi-core CPU.
  • the memory is used to store program code and data of the network device.
  • the receiver is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device;
  • the transmitter is configured to send an authentication parameter request to the control network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the receiver is further configured to receive at least one authentication parameter from the control network element, where the at least one authentication parameter corresponds to the access protocol type, each authentication parameter includes an authentication type, and/or a parameter corresponding to the authentication type;
  • the transmitter is further configured to send the at least one authentication parameter to the terminal device;
  • the processor is configured to determine, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the receiver is further configured to acquire user authentication information of the terminal device
  • the transmitter is further configured to send the user authentication information and the determined one of the authentication parameters to the control network element for authentication;
  • the receiver is further configured to receive an authentication result from the control network element
  • the transmitter is further configured to send the authentication result to the terminal device.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device. .
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • Figure 9 only shows a simplified design of the access network element.
  • the access network element may further include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all access network elements that can implement the embodiments of the present invention. All are within the scope of the invention.
  • An access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • the embodiment of the present invention further provides a terminal device, which may be a terminal device in the foregoing communication system, and the terminal device may adopt the hardware architecture shown in FIG.
  • the terminal device may include a receiver, a transmitter, a memory, and a processor, the receiver, the transmitter, the memory, and the processor being connected to each other by a bus.
  • the related functions implemented by the transmitting unit 21 in FIG. 5 may be implemented by a transmitter, and related functions implemented by the receiving unit 22 may be implemented by a receiver, and related functions implemented by the determining unit 23 may pass through one or more processors. to realise.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data of the terminal device.
  • the transmitter is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to negotiate to determine an authentication parameter of the terminal device;
  • the receiver is configured to receive at least one authentication parameter from the access network element, the at least one authentication parameter corresponding to the access protocol type, each authentication parameter including an authentication type, and/or a parameter corresponding to the authentication type;
  • the processor is configured to determine, in the at least one authentication parameter, one of the authentication parameters supported by the terminal device and the control network element;
  • the transmitter is further configured to send user authentication information to the access network element
  • the receiver is further configured to receive an authentication result from the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device. .
  • Figure 9 only shows a simplified design of the terminal device.
  • the terminal device may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all terminal devices that can implement the present invention are protected by the present invention.
  • the terminal device may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all terminal devices that can implement the present invention are protected by the present invention.
  • a terminal device implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • the embodiment of the present invention further provides a hardware architecture diagram of the control network element, where the control network element may be a control network element in the foregoing communication system, and the control network element may adopt the hardware architecture shown in FIG.
  • the control network element can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus.
  • the related functions implemented by the receiving unit 31 in FIG. 6 may be implemented by a receiver, and related functions implemented by the transmitting unit 33 may be implemented by a transmitter, and related functions implemented by the generating unit 32 and the authenticating unit 34 may be performed by one or Implemented by multiple processors.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data for controlling the network element.
  • the receiver is configured to receive an authentication parameter request from an access network element, where the authentication parameter request includes: an access protocol type that the terminal device accesses the access network element;
  • the processor is configured to generate, according to the authentication parameter request, at least one type of authentication parameter, where the at least one type of authentication parameter corresponds to the access protocol type, and each type of the authentication parameter includes a request for confirmation according to the authentication parameter request.
  • the transmitter is configured to send the at least one authentication parameter to the access network element
  • the receiver is further configured to receive user authentication information from the access network element, and one of the terminal device and the control network element supported by the at least one authentication parameter of the access network element.
  • the processor is further configured to perform authentication on the user authentication information by using the determined one of the authentication parameters to obtain an authentication result;
  • the transmitter is further configured to send the authentication result to the access network element.
  • the authentication negotiation request and the authentication parameter request further include: an authentication type supported by the terminal device, where the parameter corresponding to the authentication type is a parameter corresponding to the authentication type supported by the terminal device. .
  • the at least one type of authentication includes a simple password authentication protocol PAP, and the parameter corresponding to the authentication type is null.
  • the at least one type of authentication includes a challenge handshake protocol CHAP
  • the parameters corresponding to the authentication type include: an algorithm, a challenge identifier, and/or a challenge identifier length.
  • control network element may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all control network elements that can implement the present invention are in the present invention. Within the scope of protection.
  • a control network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably.
  • the embodiment of the present invention further provides another access network element, where the access network element may be an access network element in the foregoing communication system, and the access network element may adopt the hardware architecture shown in FIG.
  • the access network element can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus.
  • the related functions implemented by the receiving unit 41 in FIG. 7 may be implemented by a receiver, the related functions implemented by the transmitting unit 43 may be implemented by a transmitter, and the related functions implemented by the determining unit 42 may be passed through one or more processors. to realise.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data of the access network element.
  • the receiver is configured to receive an authentication negotiation request from a terminal device, where the authentication negotiation request is used to request negotiation to determine an authentication type of the terminal device to perform user authentication.
  • the processor is configured to determine that the authentication type of the terminal device is plain text authentication
  • the receiver is further configured to receive user authentication information from the terminal device
  • the transmitter is configured to send the user authentication information and the authentication type to a control network element for authentication
  • the transmitter is further configured to receive an authentication result from the control network element
  • the transmitter is further configured to send the authentication result to the terminal device.
  • Figure 9 only shows a simplified design of the access network element.
  • the access network element may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all access network elements that can implement the present invention are Within the scope of protection of the present invention.
  • An access network element implements user authentication when any terminal device accesses the converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access device
  • the network element directly determines that the authentication type is plain text authentication, and does not need to request authentication parameters from the control network element, which simplifies the authentication process.
  • the embodiment of the present invention further provides a schematic diagram of a hardware architecture of another terminal device, where the terminal device may be a terminal device in the foregoing communication system, and the terminal device may adopt the hardware architecture shown in FIG.
  • the terminal device can include a receiver, a transmitter, a memory, and a processor, the receiver, transmitter, memory, and processor being interconnected by a bus 118.
  • the related functions implemented by the receiving unit 53 in FIG. 8 may be implemented by a receiver, the related functions implemented by the transmitting unit 51 may be implemented by a transmitter, and the related functions implemented by the determining unit 52 may be passed through one or more processors. to realise.
  • the memory includes, but is not limited to, RAM, ROM, EPROM, CD-ROM, which is used for related instructions and data.
  • the receiver is for receiving data and/or signals
  • the transmitter is for transmitting data and/or signals.
  • the transmitter and receiver can be separate devices or a single device.
  • the processor may include one or more processors, for example including one or more CPUs.
  • the processor may be a single core CPU or a multi-core CPU.
  • the memory is used to store program code and data of the terminal device.
  • the transmitter is configured to send an authentication negotiation request to the access network element, where the authentication negotiation request is used to request the negotiation to determine the authentication type of the terminal device for performing user authentication.
  • the processor is configured to determine that the authentication type of the user authentication is plain text authentication
  • the transmitter is further configured to send user authentication information to the access network element
  • the receiver is configured to receive an authentication result from the access network element.
  • Figure 9 only shows a simplified design of the terminal device.
  • the terminal device may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all terminal devices that can implement the present invention are protected by the present invention.
  • the terminal device may also include other necessary components, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all terminal devices that can implement the present invention are protected by the present invention.
  • a terminal device implements user authentication when any terminal device accesses a converged network, so that any terminal device can access the converged network securely and reliably; and the terminal device and the access network element
  • the authentication type is directly determined to be plain text authentication, and the authentication parameters are not required to be requested from the control network element, which simplifies the authentication process.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above embodiments it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • software it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • the computer program instructions When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present invention are generated in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer instructions can be stored in or transmitted by a computer readable storage medium.
  • the computer instructions can be from a website site, computer, server or data center to another website site by wire (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.) Transfer from a computer, server, or data center.
  • the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a Solid State Disk (SSD)) or the like.
  • the program can be stored in a computer readable storage medium, when the program is executed
  • the flow of the method embodiments as described above may be included.
  • the foregoing storage medium includes various media that can store program codes, such as a ROM or a random access memory RAM, a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne un procédé et un appareil d'authentification d'utilisateur dans un réseau convergent. Le procédé comporte les étapes suivantes: un élément de réseau d'accès reçoit une demande de négociation d'authentification en provenance d'un dispositif terminal, la demande de négociation d'authentification étant utilisée pour déterminer des paramètres d'authentification du dispositif terminal par une négociation, envoie une demande de paramètres d'authentification à un élément de réseau de commande, reçoit au moins un paramètre d'authentification en provenance de l'élément de réseau de commande, détermine, parmi le ou les paramètres d'authentification, un des paramètres d'authentification que le dispositif terminal et l'élément de réseau de commande prennent tous deux en charge, obtient des informations d'authentification d'utilisateur du dispositif terminal, envoie les informations d'authentification d'utilisateur et les paramètres d'authentification déterminés par la négociation à l'élément de réseau de commande en vue d'une authentification, et reçoit un résultat d'authentification en provenance de l'élément de commande et l'envoie au dispositif terminal. L'invention concerne également un appareil correspondant. La présente invention met en œuvre une authentification d'utilisateur pendant l'accès d'un dispositif terminal quelconque à un réseau convergent, de sorte que tout dispositif terminal peut accéder de manière sécurisée et fiable au réseau convergent.
PCT/CN2018/082289 2017-04-25 2018-04-09 Procédé et appareil d'authentification d'utilisateur dans un réseau convergent WO2018196587A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710277650.4A CN108738019B (zh) 2017-04-25 2017-04-25 融合网络中的用户认证方法及装置
CN201710277650.4 2017-04-25

Publications (1)

Publication Number Publication Date
WO2018196587A1 true WO2018196587A1 (fr) 2018-11-01

Family

ID=63917992

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/082289 WO2018196587A1 (fr) 2017-04-25 2018-04-09 Procédé et appareil d'authentification d'utilisateur dans un réseau convergent

Country Status (2)

Country Link
CN (1) CN108738019B (fr)
WO (1) WO2018196587A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988778A (zh) * 2019-05-21 2020-11-24 广东美的制冷设备有限公司 设备、wifi模块的多协议认证方法和计算机可读存储介质
US12052787B2 (en) * 2018-03-28 2024-07-30 Cable Television Laboratories, Inc. Converged core communication networks and associated methods

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114208111B (zh) * 2019-08-18 2023-08-04 华为技术有限公司 一种通信方法、装置及系统
CN110572804B (zh) * 2019-08-27 2022-04-22 暨南大学 蓝牙通信认证请求、接收及通信方法、移动端、设备端
CN111147471B (zh) * 2019-12-20 2023-02-28 视联动力信息技术股份有限公司 一种终端入网认证方法、装置、系统和存储介质
CN114245376A (zh) * 2020-09-07 2022-03-25 中国移动通信有限公司研究院 一种数据传输方法、用户设备、相关网络设备和存储介质
CN114615665A (zh) * 2020-12-04 2022-06-10 中国电信股份有限公司 终端认证方法、装置和存储介质
CN114051244A (zh) * 2021-11-10 2022-02-15 杭州萤石软件有限公司 一种终端侧设备与网络侧设备之间的认证方法、系统

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536508A (zh) * 2003-04-09 2004-10-13 华为技术有限公司 基于以太网协议的在用户登录时显示门户网页的方法
WO2006123974A1 (fr) * 2005-05-16 2006-11-23 Telefonaktiebolaget Lm Ericsson (Publ) Moyens et procedes de chiffrement et de transmission de donnees dans des reseaux integres
CN101730102A (zh) * 2009-05-15 2010-06-09 中兴通讯股份有限公司 一种对家用基站用户实施鉴权的系统及方法

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8341700B2 (en) * 2003-10-13 2012-12-25 Nokia Corporation Authentication in heterogeneous IP networks
CN100407687C (zh) * 2003-11-21 2008-07-30 华为技术有限公司 一种异步传输模式交换网用户的以太网接入方法
CN101753533A (zh) * 2008-12-04 2010-06-23 华为终端有限公司 协商认证方式的方法、装置和系统
CN103139768B (zh) * 2011-11-28 2017-03-01 上海贝尔股份有限公司 融合无线网络中的认证方法以及认证装置
CN103297968B (zh) * 2012-03-02 2017-12-29 华为技术有限公司 一种无线终端认证的方法、设备及系统
CN105306406A (zh) * 2014-05-26 2016-02-03 中国移动通信集团公司 认证和密钥协商算法的协商方法、网络侧设备和用户设备

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536508A (zh) * 2003-04-09 2004-10-13 华为技术有限公司 基于以太网协议的在用户登录时显示门户网页的方法
WO2006123974A1 (fr) * 2005-05-16 2006-11-23 Telefonaktiebolaget Lm Ericsson (Publ) Moyens et procedes de chiffrement et de transmission de donnees dans des reseaux integres
CN101730102A (zh) * 2009-05-15 2010-06-09 中兴通讯股份有限公司 一种对家用基站用户实施鉴权的系统及方法

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12052787B2 (en) * 2018-03-28 2024-07-30 Cable Television Laboratories, Inc. Converged core communication networks and associated methods
CN111988778A (zh) * 2019-05-21 2020-11-24 广东美的制冷设备有限公司 设备、wifi模块的多协议认证方法和计算机可读存储介质
CN111988778B (zh) * 2019-05-21 2023-09-26 广东美的制冷设备有限公司 设备、wifi模块的多协议认证方法和计算机可读存储介质

Also Published As

Publication number Publication date
CN108738019A (zh) 2018-11-02
CN108738019B (zh) 2021-02-05

Similar Documents

Publication Publication Date Title
WO2018196587A1 (fr) Procédé et appareil d'authentification d'utilisateur dans un réseau convergent
US11716621B2 (en) Apparatus and method for providing mobile edge computing services in wireless communication system
JP7035163B2 (ja) ネットワークセキュリティ管理方法および装置
US7194763B2 (en) Method and apparatus for determining authentication capabilities
US20200053131A1 (en) Method for accessing fixed network and access gateway network element
JP5934364B2 (ja) Soap−xml技術を使用したwi−fiホットスポットのための安全なオンラインサインアップ及び提供のためのモバイルデバイス及び方法
EP2572491B1 (fr) Systèmes et procédés d'authentification d'hôte
KR20100100641A (ko) 듀얼 모뎀 디바이스
US8588742B2 (en) Method and apparatus for providing wireless services to mobile subscribers using existing broadband infrastructure
US11363023B2 (en) Method, device and system for obtaining local domain name
EP2712141A1 (fr) Procédé, système et dispositif d'authentification d'un téléphone ip et de négociation de champ vocal
WO2014101449A1 (fr) Procédé pour contrôler un point d'accès dans un réseau local sans fil, et système de communication
JP2019533951A (ja) 次世代システムの認証
WO2019227459A1 (fr) Procédés et nœuds d'authentification d'une connexion tls
US11502987B2 (en) Communication system and method for performing third-party authentication between home service end and foreign service end
WO2019096287A1 (fr) Procédé d'authentification et dispositif
CN101499993B (zh) 一种认证方法、设备和系统
WO2015100874A1 (fr) Procédé et système de gestion d'accès par passerelle locale
US20190200226A1 (en) Method of authenticating access to a wireless communication network and corresponding apparatus
CN102143601B (zh) 宽带接入处理方法、无线接入网和通信系统
JP2006345302A (ja) ゲートウェイ装置およびプログラム
WO2013166909A1 (fr) Procédé et système de déclenchement d'authentification eap, dispositif de réseau d'accès et dispositif terminal
WO2024183537A1 (fr) Procédé et appareil de communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18791645

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18791645

Country of ref document: EP

Kind code of ref document: A1