WO2021185347A1 - Access control method and communication device (接入控制方法及通信设备) - Google Patents
Access control method and communication device
- Publication number: WO2021185347A1
- Application number: PCT/CN2021/081741
- Authority: WO (WIPO, PCT)
- Prior art keywords: information, communication device, network, authentication server, server
Classifications (CPC; all under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS)
- H04W8/00—Network data management
  - H04W8/22—Processing or transfer of terminal data, e.g. status or physical capabilities
  - H04W8/24—Transfer of terminal data
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
  - H04W12/047—Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
  - H04W12/06—Authentication
  - H04W12/069—Authentication using certificates or pre-shared keys
- H04W48/00—Access restriction; Network selection; Access point selection
  - H04W48/02—Access restriction performed under specific conditions
  - H04W48/08—Access restriction or access information delivery, e.g. discovery data delivery
  - H04W48/16—Discovering, processing access restriction or access information
- H04W60/00—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
  - H04W60/04—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration using triggered events
- H04W84/00—Network topologies
  - H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
  - H04W84/10—Small scale networks; Flat hierarchical networks
Definitions
- the present invention relates to the field of wireless communication technology, and in particular to an access control method and communication equipment.
- the first indication information is used to request credentials related to the first network or to indicate that the access type is a restricted service
- an embodiment of the present invention provides an access control method applied to a fourth communication device, including:
- the first server is a server capable of configuring credentials related to the first network
- the first terminal routing policy (UE route selection policy) is used to access the first server or the credential download application
- the first data channel is a data channel in the first network
- the first data channel is used for interaction between the first communication device and the first server,
- the first data channel is used by the first communication device to request credentials related to the first network
- the first data channel is used to configure credentials related to the first network for the first communication device
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, and only the credential download application is allowed.
- the second indication information is used to indicate at least one of the following:
- the first data channel is used for interaction between the first communication device and the first server,
- An obtaining module configured to obtain at least one of the first information, the first indication information, and the third information
- the obtaining module is used to obtain the second information
- the first data channel is used for interaction between the first communication device and the first server;
- the first data channel is used to configure credentials related to the first network for the first communication device.
- an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the access control method provided in the first, second, third, fourth or fifth aspect are implemented.
- FIG. 1 is a schematic diagram of the architecture of a wireless communication system provided by an embodiment of the present invention
- Figure 15 is a structural diagram of another communication device provided by the present invention.
- words such as "exemplary" or "for example" are used to mean serving as an example, instance, or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present invention should not be construed as more preferable or advantageous than other embodiments or designs. Rather, words such as "exemplary" or "for example" are used to present related concepts in a concrete manner.
- the access control method and communication device provided by the embodiments of the present invention can be applied to a wireless communication system.
- the wireless communication system may be a 5G system, an evolved Long Term Evolution (eLTE) system, or a subsequent evolved communication system.
- the access control method and communication equipment provided by the embodiments of the present invention can be applied to the network system shown in FIG. 1.
- the network system shown in FIG. 1 includes a terminal, a first network accessed by the terminal, and manufacturer (vendor) equipment.
- the terminal can access the first network, such as a standalone non-public network (SNPN).
- the SNPN can be a 5G communication network comprising, for example, a 5G radio access network (NG-RAN), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a User Plane Function (UPF), etc.
- the above-mentioned manufacturer equipment may be equipment of the terminal manufacturer (vendor, also called provider), such as a vendor server, an application function (AF), or an authentication, authorization and accounting (AAA) server.
- the above-mentioned manufacturer's equipment can authenticate the terminal, or the SNPN can authenticate the terminal through the information of the manufacturer's equipment.
- the network system shown in FIG. 1 is only an example of the application of the access control method and communication equipment provided by the embodiment of the present invention, which is not limited in the embodiment of the present invention.
- the above-mentioned network system can also include:
- Unified Data Management (UDM)
- Network Exposure Function (NEF)
- a configuration server (config server)
- if the SNPN cannot verify the UE, it can only admit every UE that requests access, for example by letting each such UE establish a user-plane PDU session to the credential configuration server. Because the SNPN has no authentication mechanism of its own in this case, the credential configuration server must be relied upon to trigger authentication of the UE; only after that authentication fails are the UE's connection and PDU session resources released. Until then, an unverified UE holds radio, control-plane and user-plane resources in the SNPN.
- TAC Type Allocation Code (the leading digits of the IMEI, which identify the device model and hence its manufacturer)
- IMEI International Mobile Equipment Identity
- PEI Permanent Equipment Identifier
- Scenario 3: when the terminals of the first network come from only one manufacturer, there is only one manufacturer authentication server. When a terminal that has no credentials related to the first network accesses the first network, the first network cannot distinguish whether the terminal is accessing for another restricted service (such as emergency services) or is accessing the first network in order to be configured with credentials related to the first network. For the latter, the terminal must be authenticated via the manufacturer's authentication server. Hence the problem of whether to authenticate the terminal through an external authentication server needs to be solved.
- one optional method is that, when the UE accesses the first network, it sends the first indication information, which requests credentials related to the first network or indicates that the access type is a restricted service. According to the first indication information, the first network can determine whether to authenticate the terminal through an external authentication server (such as the authentication server of the terminal manufacturer).
- when a terminal (UE) of the first network (such as an SNPN) leaves the factory, it has no credentials related to the first network and no information about the credential configuration server.
- one optional method is that the manufacturer of the UE configures the address-related information or index information of the configuration server on the UE.
- since the configuration server corresponds to a specific first network, information about the first network then also has to be configured on the UE in addition.
- another optional method is that the UE accesses the first network and, after authentication has passed, the first network provides the UE with the address-related information or index information of the configuration server. Because the UE has been authenticated, the UE and the first network trust each other at this point, so the address-related information of the configuration server provided now can be trusted.
- Problem 3: after the authentication server has authenticated the UE, it can vouch that the UE is the genuine device it claims to be rather than a counterfeit UE. However, how to confirm that the UE is a legitimate UE of the first network, and whether the UE is allowed to be configured with credentials related to the first network, still needs to be resolved.
- one optional method is that successful authentication of the UE by the authentication server is taken to mean that the UE is a legitimate UE of the first network. That is, the authentication server not only authenticates that the UE is the UE it claims to be, but also that the UE is a legitimate UE of the first network.
- another optional method is that, after the authentication server has authenticated the UE, the first network itself confirms that the UE is a legitimate UE of the first network.
- when the UE requests the configuration server to configure credentials related to the first network, the configuration server also needs to confirm that the UE is a legitimate UE of the first network, or that the UE is allowed to be configured with credentials related to the first network, before performing the credential configuration for the UE.
- the first network includes SNPN.
- a credential can also be referred to as security information, and includes parameters that can be used for authentication and/or encryption, such as a root key.
- the root key can be used to derive the cipher key CK and the integrity key IK.
- the credentials related to the first network may include credentials for accessing the first network.
- the credentials used to access the first network may include credentials that can be directly authenticated by an authentication server of the first network, or credentials that can be indirectly authenticated. Authentication by an authentication server outside the first network can be understood as indirect authentication. At this point, the configuration server may configure for the UE either credentials that can be directly authenticated by the first network or credentials that can only be indirectly authenticated.
- the credentials related to the first network may include at least one of the following: credentials directly related to the first network, credentials used to access normal services of the first network, and credentials that can be used by the first network
- credentials directly authenticated by the authentication server of the first network are the credentials for accessing the unrestricted services of the first network. At this point, the configuration server can configure for the UE credentials that can be directly authenticated by the first network.
- credentials that are not related to the first network may include at least one of the following: credentials that are not directly related to the first network.
- credentials that are not directly related to the first network may include credentials that cannot be directly authenticated by the authentication server of the first network.
- credentials authenticated by an authentication server outside the first network can be understood as credentials that are not related, or not directly related, to the first network.
- the second credential may include at least one of the following:
- the credential used to access the first network when the terminal requests configuration of credentials related to the first network,
- the credential configured for the first communication device by the manufacturer of the first communication device
- the restricted service includes at least one of the following: only the control plane is allowed, the user plane is not allowed, only the first server (which may include the configuration server) is allowed, and only the credential download application is allowed.
- credentials related to the first network may be configured for the terminal through the control plane. Therefore, the terminal's access to the first network can be restricted to the control plane only.
- credentials related to the first network may also be configured for the terminal through the user plane. In that case the restricted service may allow the terminal to access only the first server. Allowing only access to the first server means that the data channel established by the terminal in the first network is used only to access the first server.
- the first server includes a configuration server.
- the first server can process a request to configure credentials related to the first network for the terminal.
- the configuration server can configure credentials related to the first network for the communication device.
- the first server may be a server belonging to the first network.
- when the first server handles a request to configure credentials related to the first network for the terminal, it may ask the second authentication server to verify the terminal.
- the first server is an authentication intermediate server (it relays the authentication of the terminal to the second authentication server).
- the initial authentication is the authentication that the first network performs on the terminal when the terminal accesses the first network without credentials related to the first network. The initial authentication is therefore an indirect authentication.
- "the credentials related to the first network" and "the first-network-related credentials" are used interchangeably with the same meaning.
- the manufacturer-related information may be referred to simply as manufacturer information.
- the manufacturer-related information includes manufacturer identification information (such as a Vendor ID or TAC).
- the address-related information of a server may include at least one of the following: IP address, MAC address, port number, fully qualified domain name (FQDN), uniform resource locator (URL), operating system identification information, and application identification information.
- the data channel may include, but is not limited to, at least one of the following: a PDU session, a PDN connection, a QoS flow, a bearer, or an Internet Protocol Security (IPsec) tunnel, where the bearer may be an Evolved Radio Access Bearer (E-RAB), a Radio Access Bearer (RAB), a Data Radio Bearer (DRB), a Signalling Radio Bearer (SRB), and so on.
- the communication network element may include at least one of the following: a core network network element and a radio access network network element.
- the core network element may include, but is not limited to, at least one of the following: core network equipment, core network nodes, core network functions, core network elements, a Mobility Management Entity (MME), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a User Plane Function (UPF), a Serving Gateway (SGW), a PDN Gateway, a Policy Control Function (PCF), a Policy and Charging Rules Function (PCRF), a Serving GPRS Support Node (SGSN), a Gateway GPRS Support Node (GGSN), Unified Data Management (UDM), a Unified Data Repository (UDR), a Home Subscriber Server (HSS), an Application Function (AF), and Centralized Network Configuration (CNC).
- a radio access network (RAN) network element may include, but is not limited to, at least one of the following: radio access network equipment, a radio access network node, a radio access network function, a radio access network unit, a Third Generation Partnership Project (3GPP) radio access network, a non-3GPP radio access network, a Centralized Unit (CU), a Distributed Unit (DU), a base station, an evolved Node B (eNB), a 5G base station (gNB), a Radio Network Controller (RNC), a NodeB, a Non-3GPP Inter-Working Function (N3IWF), an Access Controller (AC) node, an Access Point (AP) device, or a Wireless Local Area Network (WLAN) node.
- the base station may be a Base Transceiver Station (BTS) in the Global System for Mobile Communications (GSM) or Code Division Multiple Access (CDMA), a NodeB in Wideband Code Division Multiple Access (WCDMA), an evolved Node B (eNB) in LTE, or a 5G base station (gNB).
- the method and communication device provided by the embodiment of the present invention can be applied to a wireless communication system.
- the wireless communication system may be a fifth-generation mobile communication (Fifth-generation, 5G) system, or an evolved packet system (Evolved Packet System, EPS), or a subsequent evolved communication system.
- the wireless communication network in the embodiment of the present invention may be a fifth-generation mobile communication network (Fifth-generation system, 5GS) or an LTE network.
- an embodiment of the present invention provides an access control method, which is applied to a first communication device.
- the first communication device includes but is not limited to one of the following: a terminal (UE), a first server, and a CN network element (such as AMF, Security Anchor Function (SEAF)), and the method includes:
- Step 201: send first information and/or first indication information to a first target end, where the first information includes at least one of the following: index information of the second authentication server, related information of the manufacturer of the first communication device, and address-related information of the second authentication server;
- the address-related information of the second authentication server is, for example, the IP address, FQDN or URL of the second authentication server;
- the first indication information is used to request credentials related to the first network or to indicate that the access type is a restricted service.
- the first target end may include a communication device of the first network, for example an AMF in the first network, and the first network may be an SNPN.
- the second credential may include at least one of the following:
- the credential used to access the first network when the terminal requests configuration of credentials related to the first network,
- the credential configured for the first communication device by the manufacturer of the first communication device,
- a credential that can be authenticated by the second authentication server.
- the second authentication server includes at least one of the following: an authentication server outside the first network, an authentication server of a service provider, an authentication server of the manufacturer of the first communication device, and an authentication server that holds the second credential or is capable of authenticating the second credential.
- the service provider may be outside the first network.
- the index information of the second authentication server may include at least one of the following: address-related information (such as IP address, FQDN, or URL) of the second authentication server, and identification information of the terminal manufacturer to which the second authentication server belongs.
- that is, the first communication device may use the first indication information to request credentials related to the first network.
- the credentials related to the first network may include at least one of the following: credentials directly related to the first network, credentials used to access normal services of the first network, and credentials that can be used by the first network
- credentials directly authenticated by the authentication server of the first network are the credentials for accessing the unrestricted services of the first network. At this point, the first server may configure for the UE credentials that can be directly authenticated by the first network.
- the foregoing first information and/or first indication information is sent to the first target end so that the first target end can perform a first operation according to the first information and/or first indication information. The first operation is described in detail in the embodiment of FIG. 3.
- the first server is a server capable of configuring credentials related to the first network for the first communication device.
- the first condition includes at least one of the following:
- the first communication device does not have credentials related to the first network
- the first communication device requests access to the first network
- the first communication device requests access to the restricted service of the first network
- the first communication device requests credentials related to the first network
- at least one item of the first information has been acquired
- an identity request sent by the first target end has been acquired, and the type of the identity request is the manufacturer-related type of the first communication device;
- the first network supporting and/or requiring authentication of the first communication device may include at least one of the following:
- the first network supports and/or requires that the first communication device be authenticated between the first network and the second authentication server,
- the first network supports and/or requires that the first communication device be authenticated based on the second credential.
- the first communication device may be a terminal that has no credentials related to the first network. When such a terminal connects to the first network before credentials related to the first network have been configured, the first network may, for security reasons, require the terminal to be authenticated based on the second credential (such as the credential the terminal manufacturer configured on the terminal). Under this requirement the terminal can provide the relevant index information of the second authentication server to the first network to support that authentication.
- the acquired information that the first network supports and/or requires authentication of the first communication device may include at least one of the following:
- the first network may require the terminal to be authenticated based on the second credential for security reasons; under this requirement, the terminal can provide the relevant index information of the second authentication server to the first network to support the authentication.
- the first communication device is pre-configured with the first information; that is, when the first communication device leaves the factory, its manufacturer pre-configures the first information on it.
- the credentials related to the first network are as described above and are not repeated here.
- the first network may broadcast at least one of the following in the cell:
- information that the first network supports configuring credentials related to the first network for the first communication device.
- the information that the first network supports and/or requires authentication of the first communication device includes information that the first network supports and/or requires initial authentication.
- supporting and/or requiring initial authentication means that, when the first communication device has no credentials related to the first network and accesses the first network, or requests to be configured with credentials related to the first network, authentication of the first communication device is still supported and/or required.
- the initial authentication may be performed between the first authentication server and the first communication device through the first network.
- the first network can still authenticate the first communication device through the first authentication server.
- the first communication device requests the index information of the second authentication server from the first network only when the first network indicates in the cell broadcast that initial authentication is required.
- first request information, where the first request information is used to request manufacturer information of the first communication device,
- second request information, where the second request information is used to request index information of the second authentication server,
- third request information, where the third request information is used to request address-related information of the second authentication server.
- the first indication information is used to request credentials related to the first network or to indicate that the access type is a restricted service.
- the first indication information may be embodied as an access cause (such as a Radio Resource Control (RRC) establishment cause or a non-access stratum (NAS) access cause), an access request, or an access type.
- before the step of sending the first information, the method further includes:
- receiving at least one of the following information sent by the first target end:
- information that the first network supports configuring credentials related to the first network for the first communication device.
- the first target end sends the request information for the first information after receiving the access request and/or the first indication information of the first communication device.
- the authentication information for the first communication device may include the related information of the terminal manufacturer, the index information of the second authentication server, and the address-related information of the second authentication server.
- the method further includes:
- the second information is specifically as described in the embodiment of FIG. 5 for the second information.
- the default slice information is set to empty
- the first server is a server capable of configuring credentials related to the first network
- the first terminal routing policy (UE route selection policy) is used to access the first server or the credential download application
- the first data channel is a data channel in the first network
- the first data channel is used by the first communication device to request credentials related to the first network
- the first data channel is used to configure credentials related to the first network for the first communication device
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, and only the credential download application is allowed.
- the related information used for the establishment of the first data channel includes at least one of the following:
- data network name (DNN)
- slice information (such as NSSAI)
- session and service continuity mode (SSC mode)
- data channel type (such as PDU session type)
- the first data channel is a data channel in the first network that is used for downloading the certificate related to the first network.
- the first communication device may establish the first data channel.
- Step 301 Obtain at least one of the first information, the first indication information, the legal device list, and the third information.
- Step 302 Perform a first operation according to at least one of the first information, the first indication information, the legal device list, and the third information;
- the first information includes at least one of the following: index information of the second authentication server, related information of the manufacturer of the first communication device, and address related information of the second authentication server;
- the first indication information is used to request to obtain a certificate related to the first network or indicate that the type of access is restricted service
- the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address related information of the second authentication server, and the address related information of the second authentication server.
- the third information provides related information of a legitimate second authentication server. The address related information of the second authentication server in the third information can be compared with the address related information of the second authentication server in the first information to confirm that the address related information in the first information is legal.
- at least one of the first information, the first indication information, and the third information may be any one of the first information, the first indication information, and the third information, or any combination of them.
- the above-mentioned first information may refer to the first information in the embodiment shown in FIG. 2, and the above-mentioned first indication information may refer to the first indication information in the embodiment shown in FIG. 2, which will not be repeated here.
- the first information and/or the first indication information are acquired through an access request (such as a registration request message or an attach request message).
- the first server is a server capable of configuring a certificate related to the first network for the first communication device.
- the determining the second authentication server includes determining the address related information of the second authentication server.
- the step of determining the second authentication server may include, but is not limited to, at least one of the following:
- 1) according to the index information of the second authentication server in the first information and the mapping information between the index information of the second authentication server and the address related information of the second authentication server in the third information, the second authentication server can be determined; that is, a second authentication server matching the index information provided by the terminal is selected for the terminal.
- 2) according to the address related information of the second authentication server in the first information and/or the third information, the second authentication server can be determined; that is, a second authentication server matching the address related information provided by the terminal in the first information is selected, and by comparing that address related information with the third information it is confirmed that the address related information in the first information belongs to a legitimate second authentication server.
- 3) according to the first indication information and the address related information of the second authentication server in the third information, the second authentication server can be determined; that is, when the first indication information requests a certificate related to the first network or indicates restricted service access, a second authentication server corresponding to the address related information of the second authentication server in the third information is selected.
- the step of determining to request authentication of the first communication device from the second authentication server may include but is not limited to at least one of the following:
- according to the first indication information and/or the address related information of the second authentication server in the third information, it may be determined to request the second authentication server to authenticate the first communication device.
- the first network can confirm whether the first communication device is a counterfeit device.
- after the second authentication server passes the authentication of the first communication device, the first network may further confirm, according to the list of legal devices, whether the first communication device is a legal device of the first network and/or whether it is allowed to configure a certificate related to the first network for it.
- the first network can confirm whether the first communication device is a counterfeit device and whether it is a legitimate device of the first network.
- the legal device may include a device (such as a terminal) that allows the configuration of a certificate related to the first network.
- the legal device may include a device (the device such as a terminal) that does not have a certificate related to the first network and is allowed to configure a certificate related to the first network.
- the list of legal terminals may be configured in a user management server (such as UDM, HSS, or UDR) of the first network.
- the list of legal devices can be obtained from the user management server.
- the legal device list includes at least one of the following: legal communication devices of the first network that have not yet been configured with a certificate related to the first network, and communication devices that are allowed to configure a certificate related to the first network.
- the legal device list is a legal terminal list.
- the list of legal terminals can be a group of terminal information.
- the terminal information may include an identification of the terminal, such as an IMEI, PEI, GPSI, MAC address or SUPI (in this case, a SUPI of a network other than the first network).
- through the authentication by the second authentication server, the first network can confirm that the terminal is a genuine terminal (that is, not a counterfeit terminal), and through the list of legal terminals the first network can confirm whether the terminal is a legal terminal of the first network and whether it is allowed to configure the certificate related to the first network for it.
- in this way the first network confirms that the terminal is both a genuine terminal and a legal terminal of the first network: only a terminal that has passed the non-counterfeit authentication by the authentication server and is a legitimate terminal of the first network is allowed to be configured with certificates related to the first network.
- the above-mentioned first server may also be referred to as a configuration server or an authentication intermediate server.
- when the first communication device satisfies a second condition, it is confirmed that the first communication device is a legal device of the first network; the second condition includes at least one of the following:
- the first communication device is authenticated by the second authentication server
- the first communication device is a communication device in the legal device list.
- the method further includes:
- the request information for the first information may be sent to the first communication device to request that the first communication device send the first information.
- after the access request and/or the first indication information is received from the first communication device, the request information for the first information is sent to the first communication device.
- first request information, which is used to request manufacturer information of the first communication device;
- second request information, which is used to request index information of the second authentication server;
- third request information, which is used to request address related information of the second authentication server.
- the method further includes:
- the first server is a server capable of configuring a certificate related to the first network
- the first data channel is a data channel in the first network
- the first data channel is used for interaction between the first communication device and the first server;
- the first data channel is used by the first communication device to request a certificate related to the first network
- the first data channel is used to configure a certificate related to the first network to the first communication device.
- the first information and/or the first indication information is obtained from a first communication device.
- the third information is obtained from a third communication device.
- according to the index information of the second authentication server in the first information and the mapping information between the index information of the second authentication server and the address related information of the second authentication server in the third information, the address related information of the second authentication server can be confirmed.
- the first communication device is authenticated by the second authentication server, and/or the address related information of the second authentication server is confirmed.
- at least one of the first information, the first indication information, the legal device list, and the third information is obtained, and the first operation is performed according to it. On the one hand, this lets the first network select the second authentication server to authenticate the first communication device, so that a terminal accessing the first network without a certificate related to the first network can still be authenticated, preventing security attacks on the first network by counterfeit and illegal terminals; on the other hand, it lets the first network configure the first communication device so that a legitimate terminal can obtain a certificate related to the first network and access the services of the first network.
- a network service is
- FIG. 4 is another access control method provided by an embodiment of the present invention.
- the method is applied to a third communication device.
- the third communication device includes but is not limited to one of the following: an AF, a second authentication server, or related equipment of the manufacturer of the first communication device. As shown in Figure 4, the method includes the following steps:
- Step 401 Determine the third information
- Step 402 Send third information
- the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address related information of the second authentication server, and the address related information of the second authentication server.
- the foregoing third information is the third information in the embodiment shown in FIG. 3, and details are not described herein.
- mapping information between the index information of the second authentication server and the address-related information of the second authentication server may be used to confirm the address-related information of the second authentication server.
- the foregoing sending of the third information may be sending the third information to the second communication device.
- sending the related information of the second authentication server includes: sending the related information of the second authentication server when a third condition is met;
- the third condition includes at least one of the following:
- the mutual authentication between the third communication device and the first network passes.
- the third communication device is a communication device outside the first network.
- the foregoing third communication device and the second authentication server may be mutually authenticated in advance.
- the third communication device and the first network are mutually authenticated.
- the third information is sent so that the second communication device can obtain the above-mentioned third information
- Step 501 Obtain second information
- Step 502 Perform a second operation according to the second information
- the second information includes at least one of the following:
- the first terminal routing strategy (such as URSP);
- the default DNN information is set to empty
- the default slice information is set to empty
- the first terminal routing strategy is used to access the first server or the certificate download application
- the second indication information is used to indicate at least one of the following:
- the first data channel is used to configure a certificate related to the first network to the first communication device
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only control planes are allowed, user planes are not allowed, only access to the first server is allowed, and only certificate download applications are allowed.
- the acquiring of the second information may be acquiring the second information from a first network.
- the second operation includes at least one of the following:
- a first data channel is established, and the first data channel satisfies at least one of the following: the first data channel is used for interaction between the first communication device and the first server, the first data channel is used by the first communication device to request a certificate related to the first network, and the first data channel is used to configure the first communication device with a certificate related to the first network;
- the related information used for the establishment of the first data channel includes at least one of the following:
- according to the address related information of the first server, the first server is requested to configure the certificate related to the first network.
- Figure 6 is another access control method provided by an embodiment of the present invention. The method is applied to a fifth communication device.
- the fifth communication device includes but is not limited to one of the following: a communication device of the first network, or an AMF. As shown in Figure 6, the method includes the following steps:
- Step 601 Send second information, where the second information includes at least one of the following:
- the default slice information is set to empty
- the first server is a server capable of configuring a certificate related to the first network
- the first terminal routing strategy is used to access the first server or the certificate download application
- the first data channel is a data channel in the first network
- the second indication information is used to indicate at least one of the following:
- the first data channel is used for interaction between the first communication device and the first server,
- the first data channel is used by the first communication device to request a certificate related to the first network
- the first data channel is used to configure a certificate related to the first network to the first communication device
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only control planes are allowed, user planes are not allowed, only access to the first server is allowed, and only certificate download applications are allowed.
- Performing related operations to determine the second information includes
- the default DNN information is set to empty, or no default DNN information is set.
- the default slice information (NSSAI) is set to empty, or no default slice information is set.
- in this way the first network does not allow the terminal to access other services.
- the default DNN is used when the application or access target of the terminal has no DNN in the matching routing strategy: the default DNN is then selected to establish a data channel to the application or access target. Therefore, if no default DNN is configured, the terminal cannot initiate other services.
- the default slice information is used when the application or access target of the terminal has no slice information in the matching routing strategy: the default slice information is then selected to establish a data channel to the application or access target. Therefore, if no default slice information is configured, the terminal cannot initiate other services.
- the operation of determining a routing strategy for the first terminal includes at least one of the following:
- the certificate download application is used to request the first server to configure a certificate related to the first network.
- the certificate related to the first network may also be configured through control plane signaling; in that case the third indication information can indicate that only the control plane is allowed and the user plane is not allowed.
- the second information is sent to the terminal.
- It can support the terminal to obtain the necessary configuration when accessing the first network without the certificate related to the first network, so as to support the legal terminal to obtain the certificate related to the first network to access the service of the first network.
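The restriction described above (a routing strategy that only reaches the first server, with the default DNN and default slice information left empty) can be checked with a small route-selection model. The code below is an added example, not code from the patent or from any 3GPP implementation; the rule contents, the DNN "onboarding", the slice value "sst=1", the application identifiers and the catch-all "*" descriptor are all constructed for illustration.

```python
"""Added example, not code from the patent: how leaving the default DNN and the
default slice information empty in the second information confines a UE that has
no SNPN credential to the certificate download application. All rule contents,
DNN and slice values are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RouteSelectionDescriptor:
    dnn: Optional[str]          # None models "no DNN in the routing strategy"
    snssai: Optional[str]       # None models "no slice information in the routing strategy"
    ssc_mode: int = 1
    pdu_type: str = "IPv4"


@dataclass(frozen=True)
class UrspRule:
    precedence: int             # lower value is evaluated first
    app_id: str                 # traffic descriptor; "*" is a constructed catch-all
    rsd: RouteSelectionDescriptor


@dataclass
class SecondInformation:
    ursp: list
    default_dnn: Optional[str] = None       # "set to empty" in the restricted configuration
    default_snssai: Optional[str] = None    # "set to empty" in the restricted configuration
    third_indication: frozenset = frozenset()


def select_pdu_session(info: SecondInformation, app_id: str) -> Optional[Tuple[str, str, int, str]]:
    """Return the (DNN, S-NSSAI, SSC mode, PDU type) the UE would use to reach app_id,
    or None when the UE is not allowed to initiate that service."""
    if "control_plane_only" in info.third_indication:
        return None  # certificate is configured over control plane signaling; no user plane
    for rule in sorted(info.ursp, key=lambda r: r.precedence):
        if rule.app_id not in (app_id, "*"):
            continue
        dnn = rule.rsd.dnn if rule.rsd.dnn is not None else info.default_dnn
        snssai = rule.rsd.snssai if rule.rsd.snssai is not None else info.default_snssai
        if dnn is None or snssai is None:
            return None  # rule matched but there is nothing to fall back on
        return (dnn, snssai, rule.rsd.ssc_mode, rule.rsd.pdu_type)
    # no rule matched: only the defaults could carry this traffic
    if info.default_dnn is None or info.default_snssai is None:
        return None
    return (info.default_dnn, info.default_snssai, 1, "IPv4")


# Restricted second information as the description specifies: one routing strategy for
# the certificate download application and empty defaults (constructed values).
RESTRICTED = SecondInformation(
    ursp=[UrspRule(10, "cert-download", RouteSelectionDescriptor("onboarding", "sst=1"))],
    default_dnn=None,
    default_snssai=None,
    third_indication=frozenset({"restricted_service_only", "first_server_only"}),
)

# For contrast, a configuration with defaults set, as a credentialed UE might receive.
NORMAL = SecondInformation(
    ursp=[UrspRule(10, "cert-download", RouteSelectionDescriptor("onboarding", "sst=1")),
          UrspRule(20, "*", RouteSelectionDescriptor(None, None))],
    default_dnn="internet",
    default_snssai="sst=1",
)

if __name__ == "__main__":
    for app in ("cert-download", "browser"):
        print("restricted", app, select_pdu_session(RESTRICTED, app))
        print("normal    ", app, select_pdu_session(NORMAL, app))
```

With the restricted configuration only the certificate download application obtains a PDU session; any other application finds no DNN or slice to fall back on and cannot start. Setting a control-plane-only third indication removes user-plane sessions altogether.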
- the access control method in the embodiment of the present invention will be described below in conjunction with specific application scenarios.
- Application scenario 1 of the embodiment of the present invention mainly describes the access control between the UE, SNPN and the second authentication server, as shown in FIG. 7, including the following steps:
- Step 1 The AF sends the third information (related information of the second authentication server) to the first network.
- the third information includes at least one of the following: mapping information between index information of the second authentication server and address information of the second authentication server, and address information of the second authentication server.
- the index information of the second authentication server in the mapping information of the index information of the second authentication server and the address information of the second authentication server may be indexed to the address information of the second authentication server to which it is mapped.
- the AF may be the AF of the terminal manufacturer.
- the AF may send the information to the UDM of the first network through the NEF of the first network.
- Step 2 The UE initiates a registration request to the AMF of the first network.
- the registration request includes the index information of the second authentication server, or provides only terminal manufacturer information.
- the index information of the second authentication server may include at least one of the following: address information (such as IP, FQDN, URL) of the second authentication server, and identification information of the terminal manufacturer to which the second authentication server belongs.
- address information such as IP, FQDN, URL
- Step 3 The AMF sends an identity request to the UE, with the identity type set to at least one of the following: a terminal manufacturer related type (such as a vendor ID), the index information of the second authentication server, or the address information of the second authentication server.
- the UE includes the index information of the second authentication server (such as the identification information of the UE vendor) in the identity response.
- Step 4 (optional): The AMF sends the index information of the second authentication server to the UDM to obtain the address information of the authentication server.
- the UDM can confirm the address information of the second authentication server according to the mapping information between the index information of the second authentication server and the address information of the second authentication server, and the index information of the second authentication server.
- the UDM sends the address information of the second authentication server to the AMF.
- step 4 adopts a non-UE-related signaling process.
- Step 5 The AMF performs a first operation, and the first operation includes at least one of the following:
- confirm whether the terminal is a legal terminal of the first network and/or whether it is allowed to configure a certificate related to the first network for it.
- mapping information between the index information of the second authentication server and the address information of the second authentication server is obtained from the AF.
- the index information of the second authentication server is obtained from the terminal.
- the legal terminal condition may include at least one of the following: the terminal passes the authentication of the second authentication server, and the terminal is a terminal in the legal terminal list.
- the legal terminal may be a terminal that allows configuration of a certificate related to the first network.
- Step 6 When it is confirmed that the terminal is a legitimate terminal of the first network, the second information and the registration acceptance message are sent to the terminal.
- related information used to establish a PDU session for restricted services, such as the DNN, slice information and SSC mode
- the registration accept message sent includes: address related information of the first server.
- Step 7 The UE establishes a session with the SNPN.
- Step 8 An SNPN credential configuration request and a configuration response are exchanged between the UE and the configuration server.
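The message flow of application scenario 1, together with the determination of the second authentication server and the second condition (authentication passed and presence in the legal device list) described for FIG. 3, can be followed end to end in the simulation below. It is an added example and not the patent's or any network vendor's code: the UDM, AMF, AF and AAA are in-memory stand-ins, the vendor AAA check is a constructed proof comparison standing in for a real device-certificate authentication, and every FQDN, PEI, proof value and table entry is constructed.

```python
"""Added example, not code from the patent: a simulation of application scenario 1
(AF -> UDM third information, UE registration, AMF identity request, UDM lookup,
vendor AAA authentication, legal device list, registration accept). The FQDNs,
PEIs, proofs and table contents are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Udm:
    """User management server holding the third information and the legal device list."""
    aaa_by_index: dict = field(default_factory=dict)   # index info -> AAA address (assumed FQDN)
    legal_devices: set = field(default_factory=set)    # PEIs allowed to receive an SNPN credential

    def store_third_information(self, af_authenticated: bool, mapping: dict) -> None:
        # Step 1: the vendor AF (via the NEF) provides the mapping. Third condition: mutual
        # authentication between the AF and the network must already have passed.
        if not af_authenticated:
            raise PermissionError("third information rejected: AF not authenticated")
        self.aaa_by_index.update(mapping)

    def resolve_aaa(self, index: str) -> Optional[str]:
        # Step 4: index information -> address information of the second authentication server
        return self.aaa_by_index.get(index)


class VendorAaa:
    """Second authentication server of the UE vendor (constructed stand-in)."""
    def __init__(self, genuine: dict):
        self.genuine = genuine  # PEI -> expected proof; stands in for a device-certificate check

    def authenticate(self, pei: str, proof: str) -> bool:
        return self.genuine.get(pei) == proof


@dataclass
class Ue:
    pei: str
    vendor_index: str                     # index information, e.g. a vendor identifier
    proof: str                            # constructed authentication material
    claimed_aaa: Optional[str] = None     # address the UE may offer; must be checked, not trusted
    has_snpn_credential: bool = False

    def registration_request(self) -> dict:
        # Step 2: a UE without an SNPN credential asks for restricted service.
        return {"pei": self.pei, "access_type": "restricted", "claimed_aaa": self.claimed_aaa}

    def identity_response(self, identity_type: str) -> Optional[str]:
        # Step 3: the new identity type carries the index information of the second auth server.
        return self.vendor_index if identity_type == "vendor_index" else None


class Amf:
    def __init__(self, udm: Udm, aaa_servers: dict):
        self.udm, self.aaa_servers = udm, aaa_servers

    def register(self, ue: Ue):
        if ue.has_snpn_credential:
            return ("accept", None)                      # ordinary registration, not this flow
        req = ue.registration_request()
        index = ue.identity_response("vendor_index")     # Step 3: identity request/response
        aaa_addr = self.udm.resolve_aaa(index) if index else None   # Step 4: UDM lookup
        if aaa_addr is None:
            return ("reject", "no legal second authentication server for index")
        # An address offered by the UE is accepted only if it matches the third information.
        if req["claimed_aaa"] and req["claimed_aaa"] != aaa_addr:
            return ("reject", "UE-provided AAA address is not legal")
        # Step 5, part 1: anti-counterfeit authentication by the vendor's AAA
        if not self.aaa_servers[aaa_addr].authenticate(req["pei"], ue.proof):
            return ("reject", "second authentication server rejected the device")
        # Step 5, part 2 (second condition): the device must also be in the legal device list
        if req["pei"] not in self.udm.legal_devices:
            return ("reject", "authenticated but not a legal device of this SNPN")
        # Step 6: registration accept carrying the second information (restricted service only)
        second_information = {
            "restricted_pdu": {"dnn": "onboarding", "snssai": "sst=1", "ssc_mode": 1, "pdu_type": "IPv4"},
            "default_dnn": None,
            "default_snssai": None,
            "third_indication": {"restricted_service_only", "first_server_only"},
            "first_server": "config.snpn.example",   # assumed configuration server address
        }
        return ("accept-restricted", second_information)


def build_scenario() -> Amf:
    """Constructed deployment: one vendor AF, one SNPN (UDM + AMF), one vendor AAA."""
    udm = Udm(legal_devices={"pei-001", "pei-002"})
    udm.store_third_information(True, {"vendor-A": "aaa.vendor-a.example"})
    aaa = {"aaa.vendor-a.example": VendorAaa({"pei-001": "proof-001", "pei-003": "proof-003"})}
    return Amf(udm, aaa)


if __name__ == "__main__":
    amf = build_scenario()
    print(amf.register(Ue("pei-001", "vendor-A", "proof-001")))   # genuine and legal
    print(amf.register(Ue("pei-001", "vendor-A", "forged")))      # counterfeit
    print(amf.register(Ue("pei-003", "vendor-A", "proof-003")))   # genuine but not legal here
```

The two checks are deliberately separate: the vendor AAA answers only "is this a genuine device of this vendor", while the legal device list answers "does this SNPN want to onboard it". A device that passes the first but not the second is still refused, and a UE-supplied AAA address is never used unless it matches the third information the network received from the authenticated AF.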
- the application scenario 2 of the embodiment of the present invention mainly describes the access control between the UE, the SNPN, the configuration server, and the second authentication server, as shown in FIG. 8, including the following steps:
- Step 1 the configuration server obtains the third information (or referred to as related information of the second authentication server).
- the related information of the second authentication server includes at least one of the following: mapping information between index information of the second authentication server and address information of the second authentication server, and address information of the second authentication server.
- the index information of the second authentication server in the mapping information of the index information of the second authentication server and the address information of the second authentication server may be indexed to the address information of the second authentication server to which it is mapped.
- Step 2 The UE initiates an access request to the AMF of the first network, and sends the index information of the second authentication server.
- the index information of the second authentication server may include at least one of the following: address information (such as IP, FQDN, URL) of the second authentication server, and identification information of the terminal manufacturer to which the second authentication server belongs.
- address information such as IP, FQDN, URL
- Step 3 (optional): The AMF sends the index information of the second authentication server to the UDM to obtain the address information of the authentication server.
- the UDM can confirm the address information of the second authentication server according to the mapping information between the index information of the second authentication server and the address information of the second authentication server, and the index information of the second authentication server.
- the UDM sends the address information of the second authentication server to the AMF.
- step 3 adopts a non-UE-associated signaling procedure.
- Step 4 After completing the authentication steps, the AMF performs at least one of the following operations:
- the legal terminal condition may include at least one of the following: the terminal passes the authentication of the second authentication server, and the terminal is a terminal in the legal terminal list.
- the legal terminal may be a terminal that allows configuration of a certificate related to the first network.
- Step 5 When it is confirmed that the terminal is a legitimate terminal of the first network, the second information and the registration acceptance message are sent to the terminal.
- the second information is as described in the embodiment of FIG. 5.
- the second information includes at least one of the following:
- Relevant information such as DNN, slice information, SSC, etc. used to establish PDU sessions for restricted services
- the registration accept message sent includes: address related information of the first server.
- the application scenario 3 of the embodiment of the present invention mainly describes the access control between the UE, the configuration server and the authentication server, as shown in FIG. 9, including the following steps:
- Step 1 (optional): The configuration server obtains relevant information of the second authentication server.
- the related information of the second authentication server includes at least one of the following: mapping information between index information of the second authentication server and address information of the second authentication server, and address information of the second authentication server.
- the index information of the second authentication server in the mapping information of the index information of the second authentication server and the address information of the second authentication server may be indexed to the address information of the second authentication server to which it is mapped.
- Step 2 The UE initiates a registration request to the AMF of the first network.
- the AMF sends the second information and the registration acceptance message to the terminal.
- the second information includes at least one of the following:
- the registration accept message sent includes: address related information of the first server (such as a configuration server).
- Step 3 A PDU session is established between the UE and the first network.
- the PDU session is a restricted service PDU session.
- the SMF sends the second information to the terminal.
- Step 4 The UE initiates a configuration request to the configuration server.
- the UE sends the index information of the second authentication server to the configuration server.
- the index information of the second authentication server may include at least one of the following: address information (such as IP, FQDN, URL) of the authentication server, and identification information of the terminal manufacturer to which the authentication server belongs.
- address information such as IP, FQDN, URL
- Step 5 The configuration server performs at least one of the following operations:
- Step 6 When it is confirmed that the terminal is a legitimate terminal of the first network, a credential related to the first network is configured to the terminal.
- the application scenario 4 of the embodiment of the present invention mainly describes the access control between the UE and the configuration server, as shown in FIG. 10, including the following steps:
- the AMF sends the second information and the registration acceptance message to the terminal.
- the second information is as described in the embodiment of FIG. 5.
- the second information includes at least one of the following:
- Relevant information such as DNN, slice information, SSC, etc. used to establish PDU sessions for restricted services
- Step 2 A PDU session is established between the UE and the first network.
- the PDU session is a restricted service PDU session.
- the SMF sends the second information to the terminal.
- Step 4 The configuration server authenticates the terminal.
- the legal terminal condition may include at least one of the following: the terminal passes the authentication of the second authentication server, and the terminal is a terminal in the legal terminal list.
- the legal terminal may be a terminal that allows configuration of a certificate related to the first network.
- Step 5 When it is confirmed that the terminal is a legitimate terminal of the first network, the terminal is configured with a certificate related to the first network.
- when the UE first accesses the SNPN or accesses the configuration server of the SNPN, it provides information identifying the UE vendor; after receiving it, the SNPN uses it to select the second authentication server (such as an AAA server) of the UE vendor to authenticate the UE.
- the SNPN can define a new identity type to obtain the index information of the second authentication server, such as the manufacturer of the UE.
- the SNPN sends the address related information of the configuration server to the UE, which the UE uses to initiate a configuration request through a user-plane configuration server; alternatively, the SNPN uses a control-plane configuration server to request a certificate related to the first network for the UE.
- in the embodiments of the present invention, on the one hand, authentication and configuration of a UE that has no SNPN certificate are supported when it accesses the SNPN, avoiding security attacks by counterfeit and illegal UEs; on the other hand, configuration of the SNPN certificate for the UE is supported.
- the first sending module 1101 is configured to send first information and/or first indication information to a first target end, where the first information includes at least one of the following:
- index information of the second authentication server, related information of the manufacturer of the first communication device, and address related information of the second authentication server;
- the first indication information is used to request to obtain a certificate related to the first network or indicate that the type of access is restricted service.
- sending the first information includes: sending the first information when a first condition is satisfied;
- the first condition includes at least one of the following:
- the first communication device has a second certificate
- the first communication device does not have a certificate related to the first network
- the first communication device requests access to the first network
- the first communication device requests access to the restricted service of the first network
- the first communication device requests to obtain a certificate related to the first network
- at least one item of the first information has been acquired
- the request information for the first information includes at least one of the following:
- first request information, used to request manufacturer information of the first communication device;
- second request information, used to request index information of the second authentication server;
- third request information, used to request address-related information of the second authentication server.
- before the step of sending the first information, the communication device further includes a second sending module configured to send an access request and/or first indication information to the first target end, where the first indication information is used to request a certificate related to the first network or to indicate that the access type is restricted service.
- the receiving module is configured to receive at least one of the following information sent by the first target end: request information for the first information; information that the first network supports restricted service; information that the first network supports and/or requires authentication for the restricted service; information that the first network supports and/or requires authentication of the first communication device; information that the first network supports configuring a certificate related to the first network to the first communication device.
- the communication device further acquires second information, where the second information includes at least one of the following:
- a first terminal route selection policy (a UE route selection policy, URSP)
- default DNN information set to empty
- default slice information set to empty
- information for establishing a first data channel
- second indication information
- third indication information
- address-related information of a first server
- address-related information of the second authentication server
- where the first server is a server capable of configuring a certificate related to the first network;
- the first terminal route selection policy is used to access the first server or the certificate download application;
- the first data channel is a data channel in the first network;
- the second indication information is used to indicate at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device;
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed.
- the communication device 1100 can implement each process implemented by the first communication device in the method embodiment of the present invention and achieve the same beneficial effects. To avoid repetition, details are not described herein again.
- an embodiment of the present invention provides another communication device.
- the communication device is a second communication device.
- the communication device 1200 includes:
- the obtaining module 1201 is configured to obtain at least one of the first information, the first indication information, the legal device list, and the third information;
- the execution module 1202 is configured to execute a first operation according to at least one of the first information, the first indication information, the legal device list, and the third information;
- the first information includes at least one of the following: index information of the second authentication server, related information of the manufacturer of the first communication device, and address related information of the second authentication server;
- the first indication information is used to request to obtain a certificate related to the first network or to indicate that the type of access is restricted service
- the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address-related information of the second authentication server; the address-related information of the second authentication server.
- the first operation includes at least one of the following: determining the second authentication server; determining to request the second authentication server to authenticate the first communication device; requesting the second authentication server to authenticate the first communication device; requesting a first server to authenticate the first communication device; sending the first information to the first server; confirming whether the first communication device is a legal device of the first network; confirming whether configuring the certificate related to the first network for the first communication device is allowed; confirming whether the first network is allowed to accept the registration request of the first communication device;
- where the first server is a server capable of configuring a certificate related to the first network for the first communication device.
- the step of determining the second authentication server includes, but is not limited to, at least one of the following: determining the second authentication server from the index information of the second authentication server in the first information together with the mapping information, in the third information, between that index information and the address-related information of the second authentication server; determining it from the manufacturer information of the first communication device in the first information together with the same mapping information; determining it from the address-related information of the second authentication server in the first information and/or in the third information; determining it from the first indication information and/or the address-related information of the second authentication server in the third information;
- the step of determining to request the second authentication server to authenticate the first communication device includes, but is not limited to, at least one of the following: determining so according to the first indication information and/or the first information; determining so according to the first indication information and/or the address-related information of the second authentication server in the third information.
- when the first communication device satisfies a second condition, the first communication device is confirmed to be a legal device of the first network;
- the second condition includes at least one of the following:
- the first communication device is authenticated by the second authentication server
- the first communication device is a communication device in the legal device list.
- the legal device list includes at least one of the following:
- a legal communication device of the first network that has not yet configured a certificate related to the first network
- a communication device that allows configuration of certificates related to the first network.
- the communication device further includes a receiving module configured to receive an access request and/or first indication information of the first communication device, where the first indication information is used to request a certificate related to the first network or to indicate that the access type is restricted service; based on the access request and/or the first indication information, request information for the first information is sent;
- the request information for the first information includes at least one of the following:
- first request information, used to request manufacturer information of the first communication device;
- second request information, used to request index information of the second authentication server;
- third request information, used to request address-related information of the second authentication server.
- the communication device further includes a second sending module configured to send second information when the first communication device is determined to be a legal device of the first network, where the second information includes at least one of the following: information for establishing a first data channel; second indication information; address-related information of the first server;
- where the first server is a server capable of configuring a certificate related to the first network;
- the first data channel is a data channel in the first network;
- the second indication information is used to indicate at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device.
- the communication device 1200 can implement various processes implemented by the second communication device in the method embodiment of the present invention and achieve the same beneficial effects. To avoid repetition, details are not described herein again.
- an embodiment of the present invention provides another communication device.
- the communication device is a third communication device.
- the communication device 1300 includes:
- the determining module 1301 is used to determine the third information
- the sending module 1302 is used to send third information
- the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address-related information of the second authentication server; the address-related information of the second authentication server;
- sending the information related to the second authentication server includes: sending it when a third condition is satisfied;
- the third condition includes at least one of the following: mutual authentication between the third communication device and the second authentication server passes; mutual authentication between the third communication device and the first network passes.
- the communication device 1300 can implement each process implemented by the third communication device in the method embodiment of the present invention and achieve the same beneficial effects. To avoid repetition, details are not described herein again.
- the communication device 1400 is a fourth communication device and includes an obtaining module configured to obtain second information, and an execution module 1402 configured to execute a second operation according to the second information;
- the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of the second authentication server;
- where the first server is a server capable of configuring a certificate related to the first network;
- the first terminal route selection policy is used to access the first server or the certificate download application;
- the first data channel is a data channel in the first network;
- the second indication information is used to indicate at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device;
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed.
- the second operation includes at least one of the following: establishing a first data channel that satisfies at least one of the following: it is used for interaction between the first communication device and the first server, it is used by the first communication device to request a certificate related to the first network, it is used to configure a certificate related to the first network to the first communication device; requesting the first server to configure a certificate related to the first network; requesting the second authentication server to configure a certificate related to the first network; rejecting application-layer access requests or data-sending requests whose target is not the first server and/or the certificate download application; allowing only access requests or data-sending requests whose target is the first server and/or the certificate download application.
- the communication device 1400 can implement each process implemented by the fourth communication device in the method embodiment of the present invention and achieve the same beneficial effects. To avoid repetition, details are not described herein again.
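The fourth communication device's second operation, shown as an added example that is not the patent's code: a UE that has received the second information but not yet an SNPN certificate opens one data channel on the provisioning DNN and applies the third indication and the first route selection rule to every application request, refusing anything that is not the certificate download application talking to the first server. Because the default DNN is empty, a request that matches no rule has no session to fall back on. The rule shape, the indication flag names and the hostnames are assumptions; the last case in the test shows what a non-empty default DNN would let through.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SecondInformation:
    first_server: str            # address of the server able to issue the SNPN certificate
    default_dnn: str             # "" = no default data network before provisioning
    default_slice: str           # "" = no default slice before provisioning
    ursp_app: str                # application the first route selection rule applies to
    ursp_dnn: str                # DNN on which the first data channel is established
    third_indication: frozenset  # assumed flags, e.g. "first_server_only"


@dataclass
class DataChannel:
    dnn: str
    purpose: str = "snpn-certificate-provisioning"


class ProvisioningPolicy:
    """UE-side enforcement of the second information until a certificate is installed."""

    def __init__(self, info: SecondInformation):
        self.info = info
        self.channel: Optional[DataChannel] = None

    def establish_first_data_channel(self) -> DataChannel:
        # Second operation: a single data channel bound to the provisioning DNN.
        self.channel = DataChannel(dnn=self.info.ursp_dnn)
        return self.channel

    def route(self, app: str, url: str) -> Optional[DataChannel]:
        """Return the channel an application request may use, or None to refuse it."""
        host = urlsplit(url).hostname
        first_host = urlsplit(self.info.first_server).hostname
        ind = self.info.third_indication
        if "user_plane_not_allowed" in ind:
            return None                        # control plane only: nothing is routed
        if "first_server_only" in ind and host != first_host:
            return None                        # reject every other destination
        if "cert_download_app_only" in ind and app != self.info.ursp_app:
            return None                        # reject every other application
        if app == self.info.ursp_app and host == first_host:
            return self.channel                # the first route selection rule matches
        # No rule matched: only the default DNN could carry this, and it is empty
        # during provisioning, so the request has no session at all.
        return DataChannel(self.info.default_dnn) if self.info.default_dnn else None
```

Setting default DNN and default slice to empty is what makes the policy fail closed: the route selection rule admits exactly one application to one server, and the absence of a default session closes the path that an ordinary UE policy would leave open.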
- an embodiment of the present invention provides another communication device.
- the communication device is a fifth communication device.
- the communication device 1500 includes:
- the sending module 1501 is configured to send second information, where the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of the second authentication server;
- where the first server is a server capable of configuring a certificate related to the first network;
- the first terminal route selection policy is used to access the first server or the certificate download application;
- the first data channel is a data channel in the first network;
- the second indication information is used to indicate at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device;
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed;
- when a fourth condition is satisfied, the operation of determining the second information and/or sending the second information is performed;
- the fourth condition includes: the terminal accesses the restricted service of the first network, or first indication information sent by the terminal is received; the terminal's initial authentication is confirmed to pass, or the terminal is confirmed to pass authentication by the second authentication server; the first communication device is confirmed not to be a counterfeit device; the terminal is confirmed to be a legal device of the first network or a communication device in the legal device list; the terminal is confirmed to be allowed to be configured with the certificate related to the first network.
- the communication device 1500 can implement each process implemented by the fifth communication device in the method embodiment of the present invention and achieve the same beneficial effects. To avoid repetition, details are not described herein again.
- the communication device 1600 includes a memory 1601, a processor 1602, and a computer program 16011 stored on the memory 1601 and running on the processor 1602.
- the computer program 16011 is executed by the processor 1602 to implement the following steps:
- sending first information and/or first indication information to a first target end, where the first information includes at least one of the following: index information of the second authentication server, information related to the manufacturer of the first communication device, and address-related information of the second authentication server; and the first indication information is used to request a certificate related to the first network or to indicate that the access type is restricted service;
- sending the first information when a first condition is satisfied, where the first condition includes at least one of the following: the first communication device has a second certificate; the first communication device does not have a certificate related to the first network; the first communication device requests access to the first network; the first communication device requests access to the restricted service of the first network; the first communication device requests to obtain a certificate related to the first network; at least one item of the first information has been acquired; request information for the first information has been acquired; information has been acquired that the first network supports restricted service, supports and/or requires authentication for the restricted service, supports and/or requires authentication of the first communication device, or supports configuring a certificate related to the first network to the first communication device;
- where the request information for the first information includes at least one of the following: first request information, used to request manufacturer information of the first communication device; second request information, used to request index information of the second authentication server; third request information, used to request address-related information of the second authentication server;
- before sending the first information, sending an access request and/or first indication information to the first target end, and/or receiving from the first target end at least one of the following: request information for the first information; information that the first network supports restricted service; information that the first network supports and/or requires authentication for the restricted service; information that the first network supports and/or requires authentication of the first communication device; information that the first network supports configuring a certificate related to the first network to the first communication device;
- acquiring second information, where the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of the second authentication server; where the first server is a server capable of configuring a certificate related to the first network, the first terminal route selection policy is used to access the first server or the certificate download application, and the first data channel is a data channel in the first network;
- the second indication information is used to indicate at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device;
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed.
- alternatively, the computer program 16011 is executed by the processor 1602 to implement the following steps:
- obtaining at least one of first information, first indication information, a legal device list, and third information, and executing a first operation according to at least one of them; where the first information includes at least one of the following: index information of the second authentication server, information related to the manufacturer of the first communication device, and address-related information of the second authentication server; the first indication information is used to request a certificate related to the first network or to indicate that the access type is restricted service; and the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address-related information of the second authentication server; the address-related information of the second authentication server;
- the first operation includes at least one of the following: determining the second authentication server; determining to request the second authentication server to authenticate the first communication device; requesting the second authentication server to authenticate the first communication device; requesting a first server to authenticate the first communication device; sending the first information to the first server; confirming whether the first communication device is a legal device of the first network; confirming whether configuring the certificate related to the first network for the first communication device is allowed; confirming whether the first network is allowed to accept the registration request of the first communication device; where the first server is a server capable of configuring a certificate related to the first network for the first communication device;
- the step of determining the second authentication server includes, but is not limited to, at least one of the following: determining it from the index information of the second authentication server in the first information together with the mapping information in the third information; determining it from the manufacturer information of the first communication device in the first information together with the mapping information in the third information; determining it from the address-related information of the second authentication server in the first information and/or in the third information; determining it from the first indication information and/or the address-related information of the second authentication server in the third information;
- the step of determining to request the second authentication server to authenticate the first communication device includes, but is not limited to, at least one of the following: determining so according to the first indication information and/or the first information; determining so according to the first indication information and/or the address-related information of the second authentication server in the third information;
- when the first communication device satisfies a second condition, confirming that the first communication device is a legal device of the first network, where the second condition includes at least one of the following: the first communication device passes authentication by the second authentication server; the first communication device is a communication device in the legal device list; and the legal device list includes at least one of the following: legal communication devices of the first network that have not yet been configured with a certificate related to the first network; communication devices allowed to be configured with a certificate related to the first network;
- before obtaining the first information, receiving an access request and/or first indication information of the first communication device and, based on it, sending request information for the first information, which includes at least one of the following: first request information, used to request manufacturer information of the first communication device; second request information, used to request index information of the second authentication server; third request information, used to request address-related information of the second authentication server;
- when the first communication device is determined to be a legal device of the first network, sending second information, where the second information includes at least one of the following: information for establishing a first data channel; second indication information; address-related information of the first server; where the first server is a server capable of configuring a certificate related to the first network, the first data channel is a data channel in the first network, and the second indication information is used to indicate at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device.
- alternatively, the computer program 16011 is executed by the processor 1602 to implement the following steps:
- determining and sending third information, where the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address-related information of the second authentication server; the address-related information of the second authentication server;
- sending the information related to the second authentication server includes: sending it when a third condition is satisfied, where the third condition includes at least one of the following: mutual authentication between the third communication device and the second authentication server passes; mutual authentication between the third communication device and the first network passes.
- alternatively, the computer program 16011 is executed by the processor 1602 to implement the following steps:
- obtaining second information and executing a second operation according to it, where the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of the second authentication server; where the first server is a server capable of configuring a certificate related to the first network, the first terminal route selection policy is used to access the first server or the certificate download application, and the first data channel is a data channel in the first network;
- the second indication information is used to indicate at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device;
- the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed;
- the second operation includes at least one of the following: establishing the first data channel; requesting the first server to configure a certificate related to the first network; requesting the second authentication server to configure a certificate related to the first network; rejecting application-layer access requests or data-sending requests whose target is not the first server and/or the certificate download application; allowing only access requests or data-sending requests whose target is the first server and/or the certificate download application.
- alternatively, the computer program 16011 is executed by the processor 1602 to send second information, where the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of the second authentication server; where the first server is a server capable of configuring a certificate related to the first network, the first data channel is a data channel in the first network, the second indication information indicates that the first data channel is used by the first communication device to request, or to be configured with, a certificate related to the first network, and the third indication information is used to indicate at least one of the following: only restricted services are allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed;
- the operation of determining and/or sending the second information is performed when a fourth condition is satisfied, where the fourth condition includes: the terminal accesses the restricted service of the first network, or first indication information sent by the terminal is received; the terminal's initial authentication is confirmed to pass, or the terminal is confirmed to pass authentication by the second authentication server; the first communication device is confirmed not to be a counterfeit device; the terminal is confirmed to be a legal device of the first network or a communication device in the legal device list; the terminal is confirmed to be allowed to be configured with the certificate related to the first network.
- the communication device 1600 can implement each process implemented by the communication device in the foregoing method embodiment, and in order to avoid repetition, details are not described herein again.
- the embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored.
- the computer-readable storage medium is, for example, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
- the technical solution of the present invention, in essence or in the part that contributes over the existing technology, can be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) that includes instructions causing a terminal (which can be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to execute the method described in each embodiment of the present invention.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Databases & Information Systems (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Claims (34)
- 1. An access control method, applied to a first communication device, comprising: sending first information and/or first indication information to a first target end, wherein the first information includes at least one of the following: index information of a second authentication server, information related to the manufacturer of the first communication device, and address-related information of the second authentication server; and the first indication information is used to request a certificate related to a first network or to indicate that the access type is restricted service.
- 2. The method according to claim 1, wherein sending the first information comprises: sending the first information when a first condition is satisfied, wherein the first condition includes at least one of the following: the first communication device has a second certificate; the first communication device does not have a certificate related to the first network; the first communication device requests access to the first network; the first communication device requests access to a restricted service of the first network; the first communication device requests to obtain a certificate related to the first network; at least one item of the first information has been acquired; request information for the first information has been acquired; information that the first network supports restricted service has been acquired; information that the first network supports and/or requires authentication for the restricted service has been acquired; information that the first network supports and/or requires authentication of the first communication device has been acquired; information that the first network supports configuring a certificate related to the first network to the first communication device has been acquired.
- 3. The method according to claim 2, wherein the request information for the first information includes at least one of the following: first request information, used to request manufacturer information of the first communication device; second request information, used to request index information of the second authentication server; third request information, used to request address-related information of the second authentication server.
- 4. The method according to claim 1, wherein before the step of sending the first information, the method further comprises: sending an access request and/or first indication information to the first target end, wherein the first indication information is used to request a certificate related to the first network or to indicate that the access type is restricted service.
- 5. The method according to claim 1, wherein before the step of sending the first information, the method further comprises receiving at least one of the following information sent by the first target end: request information for the first information; information that the first network supports restricted service; information that the first network supports and/or requires authentication for the restricted service; information that the first network supports and/or requires authentication of the first communication device; information that the first network supports configuring a certificate related to the first network to the first communication device.
- 6. The method according to claim 1, further comprising: acquiring second information, wherein the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of the second authentication server; wherein the first server is a server capable of configuring a certificate related to the first network; the first terminal route selection policy is used to access the first server or a certificate download application; the first data channel is a data channel in the first network; the second indication information indicates at least one of the following: the first data channel is used for interaction between the first communication device and the first server, the first data channel is used by the first communication device to request a certificate related to the first network, the first data channel is used to configure a certificate related to the first network to the first communication device; and the third indication information indicates at least one of the following: only restricted service is allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed.
- 7. An access control method, applied to a second communication device, comprising: obtaining at least one of first information, first indication information, a legal device list, and third information; and executing a first operation according to at least one of the first information, the first indication information, the legal device list, and the third information; wherein the first information includes at least one of the following: index information of a second authentication server, information related to the manufacturer of a first communication device, and address-related information of the second authentication server; the first indication information is used to request a certificate related to a first network or to indicate that the access type is restricted service; and the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address-related information of the second authentication server; the address-related information of the second authentication server.
- 8. The method according to claim 7, wherein the first operation includes at least one of the following: determining the second authentication server; determining to request the second authentication server to authenticate the first communication device; requesting the second authentication server to authenticate the first communication device; requesting a first server to authenticate the first communication device; sending the first information to the first server; confirming whether the first communication device is a legal device of the first network; confirming whether configuring the certificate related to the first network for the first communication device is allowed; confirming whether the first network is allowed to accept a registration request of the first communication device; wherein the first server is a server capable of configuring a certificate related to the first network for the first communication device.
- 9. The method according to claim 8, wherein the step of determining the second authentication server includes, but is not limited to, at least one of the following: determining the second authentication server according to the index information of the second authentication server in the first information and the mapping information, in the third information, between the index information of the second authentication server and the address-related information of the second authentication server; determining the second authentication server according to the information related to the manufacturer of the first communication device in the first information and the mapping information, in the third information, between the index information of the second authentication server and the address-related information of the second authentication server; determining the second authentication server according to the address-related information of the second authentication server in the first information and/or the address-related information of the second authentication server in the third information; determining the second authentication server according to the first indication information and/or the address-related information of the second authentication server in the third information; and/or the step of determining to request the second authentication server to authenticate the first communication device includes, but is not limited to, at least one of the following: determining to request the second authentication server to authenticate the first communication device according to the first indication information and/or the first information; determining to request the second authentication server to authenticate the first communication device according to the first indication information and/or the address-related information of the second authentication server in the third information.
- 10. The method according to claim 8, wherein when the first communication device satisfies a second condition, the first communication device is confirmed to be a legal device of the first network; wherein the second condition includes at least one of the following: the first communication device passes authentication by the second authentication server; the first communication device is a communication device in the legal device list.
- 11. The method according to claim 10, wherein the legal device list includes at least one of the following: legal communication devices of the first network that have not yet been configured with a certificate related to the first network; communication devices that are allowed to be configured with a certificate related to the first network.
- 12. The method according to claim 7, wherein before obtaining the first information, the method further comprises: receiving an access request and/or first indication information of the first communication device, wherein the first indication information is used to request a certificate related to the first network or to indicate that the access type is restricted service; and, based on the access request and/or the first indication information, sending request information for the first information.
- 13. The method according to claim 12, wherein the request information for the first information includes at least one of the following: first request information, used to request manufacturer information of the first communication device; second request information, used to request index information of the second authentication server; third request information, used to request address-related information of the second authentication server.
- 14. The method according to claim 7, further comprising: when the first communication device is determined to be a legal device of the first network, sending second information, wherein the second information includes at least one of the following: information for establishing a first data channel; second indication information; address-related information of the first server; wherein the first server is a server capable of configuring a certificate related to the first network; the first data channel is a data channel in the first network; and the second indication information indicates at least one of the following: the first data channel is used for interaction between the first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device.
- 15. An access control method, applied to a third communication device, comprising: determining third information; and sending the third information; wherein the third information includes at least one of the following: mapping information between index information of a second authentication server and address-related information of the second authentication server; address-related information of the second authentication server.
- 16. The method according to claim 15, wherein sending the information related to the second authentication server comprises: sending the information related to the second authentication server when a third condition is satisfied; the third condition includes at least one of the following: mutual authentication between the third communication device and the second authentication server passes; mutual authentication between the third communication device and a first network passes.
- 17. An access control method, applied to a fourth communication device, comprising: obtaining second information; and executing a second operation according to the second information; wherein the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of a second authentication server; wherein the first server is a server capable of configuring a certificate related to a first network; the first terminal route selection policy is used to access the first server or a certificate download application; the first data channel is a data channel in the first network; the second indication information indicates at least one of the following: the first data channel is used for interaction between a first communication device and the first server, the first data channel is used by the first communication device to request a certificate related to the first network, the first data channel is used to configure a certificate related to the first network to the first communication device; and the third indication information indicates at least one of the following: only restricted service is allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed.
- 18. The method according to claim 17, wherein the second operation includes at least one of the following: establishing a first data channel, wherein the first data channel satisfies at least one of the following: the first data channel is used for interaction between the first communication device and the first server, the first data channel is used by the first communication device to request a certificate related to the first network, the first data channel is used to configure a certificate related to the first network to the first communication device; requesting the first server to configure a certificate related to the first network; requesting the second authentication server to configure a certificate related to the first network; rejecting application-layer access requests or data-sending requests whose target is not the first server and/or the certificate download application; allowing only access requests or data-sending requests whose target is the first server and/or the certificate download application.
- 19. An access control method, applied to a fifth communication device, comprising: sending second information, wherein the second information includes at least one of the following: a first terminal route selection policy; default DNN information set to empty; default slice information set to empty; information for establishing a first data channel; second indication information; third indication information; address-related information of a first server; address-related information of a second authentication server; wherein the first server is a server capable of configuring a certificate related to a first network; the first terminal route selection policy is used to access the first server or a certificate download application; the first data channel is a data channel in the first network; the second indication information indicates at least one of the following: the first data channel is used for interaction between a first communication device and the first server, the first data channel is used by the first communication device to request a certificate related to the first network, the first data channel is used to configure a certificate related to the first network to the first communication device; and the third indication information indicates at least one of the following: only restricted service is allowed, only the control plane is allowed, the user plane is not allowed, only access to the first server is allowed, only the certificate download application is allowed.
- 20. The method according to claim 19, wherein when a fourth condition is satisfied, the operation of determining the second information and/or sending the second information is performed; wherein the fourth condition includes: a terminal accesses the restricted service of the first network, or first indication information sent by the terminal is received; the terminal's initial authentication is confirmed to pass, or the terminal is confirmed to pass authentication by the second authentication server; the first communication device is confirmed not to be a counterfeit device; the terminal is confirmed to be a legal device of the first network, or the terminal is a communication device in the legal device list; the terminal is confirmed to be allowed to be configured with the certificate related to the first network.
- 21. A communication device, the communication device being a first communication device, comprising: a first sending module, configured to send first information and/or first indication information to a first target end, wherein the first information includes at least one of the following: index information of a second authentication server, information related to the manufacturer of the first communication device, and address-related information of the second authentication server; and the first indication information is used to request a certificate related to a first network or to indicate that the access type is restricted service.
- 22. The terminal according to claim 21, wherein sending the first information comprises: sending the first information when a first condition is satisfied, wherein the first condition includes at least one of the following: the first communication device has a second certificate; the first communication device does not have a certificate related to the first network; the first communication device requests access to the first network; the first communication device requests access to a restricted service of the first network; the first communication device requests to obtain a certificate related to the first network; at least one item of the first information has been acquired; request information for the first information has been acquired; information that the first network supports restricted service has been acquired; information that the first network supports and/or requires authentication for the restricted service has been acquired; information that the first network supports and/or requires authentication of the first communication device has been acquired; information that the first network supports configuring a certificate related to the first network to the first communication device has been acquired.
- 23. The terminal according to claim 22, wherein the request information for the first information includes at least one of the following: first request information, used to request manufacturer information of the first communication device; second request information, used to request index information of the second authentication server; third request information, used to request address-related information of the second authentication server.
- 24. The terminal according to claim 21, wherein before the step of sending the first information, the communication device further comprises: a second sending module, configured to send an access request and/or first indication information to the first target end, wherein the first indication information is used to request a certificate related to the first network or to indicate that the access type is restricted service.
- 25. A communication device, the communication device being a second communication device, comprising: an obtaining module, configured to obtain at least one of first information, first indication information, and third information; and an execution module, configured to execute a first operation according to at least one of the first information, the first indication information, and the third information; wherein the first information includes at least one of the following: index information of a second authentication server, information related to the manufacturer of a first communication device, and address-related information of the second authentication server; the first indication information is used to request a certificate related to a first network or to indicate that the access type is restricted service; and the third information includes at least one of the following: mapping information between the index information of the second authentication server and the address-related information of the second authentication server; the address-related information of the second authentication server.
- 26. The communication device according to claim 25, wherein the first operation includes at least one of the following: determining the second authentication server; determining to request the second authentication server to authenticate the first communication device; requesting the second authentication server to authenticate the first communication device; requesting a first server to authenticate the first communication device; sending the first information to the first server; confirming whether the first communication device is a legal device of the first network; confirming whether configuring the certificate related to the first network for the first communication device is allowed; confirming whether the first network is allowed to accept a registration request of the first communication device; wherein the first server is a server capable of configuring a certificate related to the first network for the first communication device.
- 27. The communication device according to claim 26, wherein the step of determining the second authentication server includes, but is not limited to, at least one of the following: determining the second authentication server according to the index information of the second authentication server in the first information and the mapping information, in the third information, between the index information of the second authentication server and the address-related information of the second authentication server; determining the second authentication server according to the information related to the manufacturer of the first communication device in the first information and the mapping information, in the third information, between the index information of the second authentication server and the address-related information of the second authentication server; determining the second authentication server according to the address-related information of the second authentication server in the first information and/or the address-related information of the second authentication server in the third information; determining the second authentication server according to the first indication information and/or the address-related information of the second authentication server in the third information; and/or the step of determining to request the second authentication server to authenticate the first communication device includes, but is not limited to, at least one of the following: determining to request the second authentication server to authenticate the first communication device according to the first indication information and/or the first information; determining to request the second authentication server to authenticate the first communication device according to the first indication information and/or the address-related information of the second authentication server in the third information.
- 28. The communication device according to claim 26, wherein when the first communication device satisfies a second condition, the first communication device is confirmed to be a legal device of the first network; wherein the second condition includes at least one of the following: the first communication device passes authentication by the second authentication server; the first communication device is a communication device in a legal device list.
- 29. A communication device, the communication device being a third communication device, comprising: a sending module, configured to send third information; wherein the third information includes at least one of the following: mapping information between index information of a second authentication server and address-related information of the second authentication server; address-related information of the second authentication server.
- 30. The communication device according to claim 29, wherein sending the information related to the second authentication server comprises: sending the information related to the second authentication server when a third condition is satisfied; the third condition includes at least one of the following: mutual authentication between the third communication device and the second authentication server passes; mutual authentication between the third communication device and a first network passes.
- 31. A communication device, the communication device being a fourth communication device, comprising: an obtaining module, configured to obtain second information; and an execution module, configured to execute a second operation according to the second information; wherein the second information includes at least one of the following: information for establishing a first data channel; second indication information; address-related information of a first server; address-related information of a second authentication server; wherein the first server is a server capable of configuring a certificate related to a first network; the first data channel is a data channel in the first network; and the second indication information indicates at least one of the following: the first data channel is used for interaction between a first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device.
- 32. A communication device, the communication device being a fifth communication device, comprising: a sending module, configured to send second information, wherein the second information includes at least one of the following: information for establishing a first data channel; second indication information; address-related information of a first server; address-related information of a second authentication server; wherein the first server is a server capable of configuring a certificate related to a first network; the first data channel is a data channel in the first network; and the second indication information indicates at least one of the following: the first data channel is used for interaction between a first communication device and the first server; the first data channel is used by the first communication device to request a certificate related to the first network; the first data channel is used to configure a certificate related to the first network to the first communication device.
- 33. A communication device, comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein when the computer program is executed by the processor it implements the steps of the access control method according to any one of claims 1 to 6, or the steps of the access control method according to any one of claims 7 to 14, or the steps of the access control method according to any one of claims 15 to 16, or the steps of the access control method according to any one of claims 17 to 18, or the steps of the access control method according to any one of claims 19 to 20.
- 34. A computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed by a processor it implements the steps of the access control method according to any one of claims 1 to 6, or the steps of the access control method according to any one of claims 7 to 14, or the steps of the access control method according to any one of claims 15 to 16, or the steps of the access control method according to any one of claims 17 to 18, or the steps of the access control method according to any one of claims 19 to 20.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020227035733A KR20220154207A (ko) | 2020-03-20 | 2021-03-19 | 접속 제어 방법 및 통신기기 |
JP2022554249A JP2023516782A (ja) | 2020-03-20 | 2021-03-19 | アクセス制御方法及び通信機器 |
EP21770556.5A EP4124084A4 (en) | 2020-03-20 | 2021-03-19 | ACCESS CONTROL METHOD AND COMMUNICATION DEVICE |
BR112022018580A BR112022018580A2 (pt) | 2020-03-20 | 2021-03-19 | Método de controle de acesso e dispositivo de comunicações |
US17/947,713 US20230017260A1 (en) | 2020-03-20 | 2022-09-19 | Access control method and communications device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010203175.8 | 2020-03-20 | ||
CN202010203175.8A CN113498055B (zh) | 2020-03-20 | 2020-03-20 | 接入控制方法及通信设备 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/947,713 Continuation US20230017260A1 (en) | 2020-03-20 | 2022-09-19 | Access control method and communications device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021185347A1 (zh) | 2021-09-23 |
Family
ID=77770505
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/081741 WO2021185347A1 (zh) | 2020-03-20 | 2021-03-19 | Access control method and communication device |
Country Status (7)
Country | Link |
---|---|
US (1) | US20230017260A1 (zh) |
EP (1) | EP4124084A4 (zh) |
JP (1) | JP2023516782A (zh) |
KR (1) | KR20220154207A (zh) |
CN (1) | CN113498055B (zh) |
BR (1) | BR112022018580A2 (zh) |
WO (1) | WO2021185347A1 (zh) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050154895A1 (en) * | 2002-04-26 | 2005-07-14 | Junbiao Zhang | Transitive authentication authorization accounting in the interworking between access networks |
US20070248050A1 (en) * | 2006-04-25 | 2007-10-25 | Motorola, Inc. | Method and system for propagating mutual authentication data in wireless communication networks |
CN101946455A (zh) * | 2008-02-21 | 2011-01-12 | Shanghai Bell Co., Ltd. | One-pass authentication mechanism and system for heterogeneous networks |
CN102215487A (zh) * | 2010-04-09 | 2011-10-12 | International Business Machines Corporation | Method and system for securely accessing a private network through a public wireless network |
CN104769909A (zh) * | 2012-08-30 | 2015-07-08 | Aerohive Networks, Inc. | Inter-network authentication |
CN106465120A (zh) * | 2014-04-15 | 2017-02-22 | Telefonaktiebolaget LM Ericsson (publ) | Method and node for integrating networks |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004235890A (ja) * | 2003-01-29 | 2004-08-19 | Canon Inc | Authentication method |
US8743778B2 (en) * | 2006-09-06 | 2014-06-03 | Devicescape Software, Inc. | Systems and methods for obtaining network credentials |
JP2009031848A (ja) * | 2007-07-24 | 2009-02-12 | Fujitsu Ltd | Authentication transfer apparatus |
JP2009223389A (ja) * | 2008-03-13 | 2009-10-01 | Ricoh Co Ltd | Connection control apparatus, connection control method and connection control program |
EP2680628A1 (en) * | 2012-06-27 | 2014-01-01 | Rogers Communications Inc. | System and method for remote provisioning of embedded universal integrated circuit cards |
WO2014052750A2 (en) * | 2012-09-27 | 2014-04-03 | Interdigital Patent Holdings, Inc. | End-to-end architecture, API framework, discovery, and access in a virtualized network |
KR20160114437A (ko) * | 2015-03-24 | 2016-10-05 | Ajou University Industry-Academic Cooperation Foundation | System and method for performing authentication using a MAC address |
KR102633995B1 (ko) * | 2016-08-22 | 2024-02-06 | Samsung Electronics Co., Ltd. | Method for requesting authentication between a terminal and a third-party server in a wireless communication system, and terminal and network slice instance management apparatus therefor |
KR102589503B1 (ko) * | 2017-01-02 | 2023-10-16 | Samsung Electronics Co., Ltd. | Method for setting a sharing target device that receives shared data usage, and electronic device therefor |
CN110401951B (zh) * | 2018-04-25 | 2022-10-18 | Huawei Technologies Co., Ltd. | Method, apparatus and system for authenticating a terminal in a wireless local area network |
US10558794B2 (en) * | 2018-05-09 | 2020-02-11 | Cody Myers | Indexable authentication system and method |
2020
- 2020-03-20 CN CN202010203175.8A patent/CN113498055B/zh active Active
2021
- 2021-03-19 JP JP2022554249A patent/JP2023516782A/ja active Pending
- 2021-03-19 KR KR1020227035733A patent/KR20220154207A/ko active Search and Examination
- 2021-03-19 WO PCT/CN2021/081741 patent/WO2021185347A1/zh active Application Filing
- 2021-03-19 EP EP21770556.5A patent/EP4124084A4/en active Pending
- 2021-03-19 BR BR112022018580A patent/BR112022018580A2/pt unknown
2022
- 2022-09-19 US US17/947,713 patent/US20230017260A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN113498055B (zh) | 2022-08-26 |
EP4124084A1 (en) | 2023-01-25 |
CN113498055A (zh) | 2021-10-12 |
EP4124084A4 (en) | 2023-09-27 |
US20230017260A1 (en) | 2023-01-19 |
KR20220154207A (ko) | 2022-11-21 |
BR112022018580A2 (pt) | 2022-11-08 |
JP2023516782A (ja) | 2023-04-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11533401B2 (en) | Charging policy information for a packet data unit session in a wireless network | |
US20230300257A1 (en) | Policy information to policy control and confirmation to session management | |
US10660016B2 (en) | Location based coexistence rules for network slices in a telecommunication network | |
EP3627793B1 (en) | Session processing method and device | |
US9571482B2 (en) | Secure on-line sign-up and provisioning for Wi-Fi hotspots using a device management protocol | |
WO2020221956A1 (en) | Service authorization for indirect communication in a communication system | |
JP5934364B2 (ja) | Mobile device and method for secure online sign-up and provisioning for Wi-Fi hotspots using SOAP-XML technology | |
BR112020000932A2 (pt) | Network security management method and apparatus | |
US20210377054A1 (en) | Systems and methods for managing public key infrastructure certificates for components of a network | |
US11496894B2 (en) | Method and apparatus for extensible authentication protocol | |
WO2021094349A1 (en) | Multi-step service authorization for indirect communication in a communication system | |
WO2010069202A1 (zh) | Authentication negotiation method and system, security gateway, and home wireless access point | |
CN114339688A (zh) | Apparatus and method for authentication between a UE and an edge data network | |
CN115777193A (zh) | Edge security procedures for edge enabler server onboarding | |
WO2022247812A1 (zh) | Authentication method, communication apparatus and system | |
WO2023046457A1 (en) | Restricting onboard traffic | |
WO2009082910A1 (fr) | Network configuration method and device for a user terminal | |
US9137661B2 (en) | Authentication method and apparatus for user equipment and LIPA network entities | |
TW202234940A (zh) | Authentication and authorization associated with layer 3 wireless transmit/receive unit to network | |
US20230396602A1 (en) | Service authorization method and system, and communication apparatus | |
WO2021185347A1 (zh) | Access control method and communication device | |
US20140093080A1 (en) | Method and system to differentiate and assigning ip addresses to wireless femto cells h(e)nb (home (evolved) nodeb) and lgw (local gateway) by using ikev2 (internet key exchange version 2 protocol) procedure | |
WO2017129101A1 (zh) | Routing control method, apparatus and system | |
WO2020208294A1 (en) | Establishing secure communication paths to multipath connection server with initial connection over public network | |
CN115989689A (zh) | User equipment authentication and authorization procedures for edge data networks | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21770556; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2022554249; Country of ref document: JP; Kind code of ref document: A |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112022018580; Country of ref document: BR |
| ENP | Entry into the national phase | Ref document number: 20227035733; Country of ref document: KR; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 2021770556; Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2021770556; Country of ref document: EP; Effective date: 20221020 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 112022018580; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20220916 |