WO2022167083A1 - Handling of unsuccessful authentication with a data network - Google Patents

Handling of unsuccessful authentication with a data network

Info

Publication number
WO2022167083A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
data network
access
network
mobile communications
Prior art date
Application number
PCT/EP2021/052746
Other languages
English (en)
Inventor
Ashok Kumar Nayak
Laurent Thiebaut
Bruno Landais
Original Assignee
Nokia Technologies Oy
Filing date
Publication date
Application filed by Nokia Technologies Oy

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/18 Management of setup rejection or failure

Definitions

  • Various example embodiments relate to handling of unsuccessful authentication with a data network. More specifically, various example embodiments exemplarily relate to measures (including methods, apparatuses and computer program products) for realizing handling of unsuccessful authentication with a data network.
  • The present specification generally relates to authorization and authentication as measures for improving security in mobile network communications.
  • Telecommunication networks are evolving rapidly across a broad technological environment which includes virtualization, IoT and Industry 4.0. This is met by an equally broad yet deteriorating cybersecurity environment.
  • 5GS 5G system
  • 5GS has an optional authentication and authorization mechanism before a terminal such as a user equipment (UE) is allowed to access some data network (DN).
  • UE user equipment
  • DN data network
  • the DN-specific identity (TS 33.501) of a UE may be authenticated/authorized by the DN.
  • the data network authentication, authorization, and accounting (DN-AAA) server may belong to the 5G core network (5GC) or to the DN. If the UE provides authentication/authorization information corresponding to a DN-specific identity during the establishment of the PDU session, and the session management function (SMF) determines that secondary authentication/authorization of the PDU session establishment is required based on the SMF policy associated with the DN, the SMF passes the authentication/authorization information of the UE to the DN-AAA server. The DN-AAA server may then authenticate/authorize the PDU session establishment.
  • 5GC 5G core network
  • SMF session management function
  • the secondary authentication/authorization procedure is defined in TS 23.502, clause 4.3.2.3, and in TS 33.501, clause 11.
  • A UE is provided with a UE route selection policy (URSP).
  • URSP UE route selection policy
  • A UE is provided with URSP rules from a policy and charging function (PCF), e.g. during the registration procedure, or the UE may receive URSP rules from the PCF at any time once it has been registered to a 3GPP network.
  • PCF policy and charging function
  • The UE uses the URSP to determine which PDU session to use to carry the traffic of an application and, if needed, to decide upon establishing a PDU session.
  • DNN data network name
  • UDM unified data management
  • TS 23.501, clause 5.6.6: local policy for secondary authentication/authorization for the DN for which a UE is trying to establish a PDU session
  • If a DN-AAA server is not configured with the DN-specific identity or EAP identity of the UE, the secondary authentication/authorization fails, and the PDU session is rejected.
  • Since the UE-side URSP remains unchanged in such a case, the UE would continue to use the same DNN in the future, and the PDU session would be rejected again.
  • The result would be a repetition of the UE trying to establish a PDU session, execution of the secondary authentication/authorization procedure, failure of the secondary authentication/authorization procedure, and rejection of the PDU session. Consequently, many signaling messages are consumed, which leads to unnecessary usage of radio as well as core resources.
  • a method of a session management function entity of a mobile communications network comprising receiving, from an authentication and authorization entity with respect to a data network, a message indicative of that a terminal is not allowed to access said data network, wherein said message includes a reason for non-allowance of said terminal to access said data network, further comprising deciding to reject a session establishment of said terminal to said data network, and transmitting, towards an access and mobility management function entity of said mobile communications network, a message indicative of rejection of said session establishment of said terminal to said data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network based on said reason for non-allowance of said terminal to access said data network.
  • a method of an access and mobility management function entity of a mobile communications network comprising receiving, from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network, further comprising transmitting, towards a policy control function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • a method of an access and mobility management function entity of a mobile communications network comprising receiving, from a terminal, a session establishment request requesting a session establishment between said terminal and a data network, determining whether said terminal has a subscription for said data network, and transmitting, towards a policy control function entity of said mobile communications network, based on a result of said determining, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • a method of a policy control function entity of said mobile communications network comprising receiving, from an access and mobility management function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access a data network, modifying, based on said policy control update request message, entries related to said data network in a terminal route selection policy of said terminal, and transmitting said terminal route selection policy towards said terminal.
  • an apparatus of a session management function entity of a mobile communications network comprising receiving circuitry configured to receive, from an authentication and authorization entity with respect to a data network, a message indicative of that a terminal is not allowed to access said data network, wherein said message includes a reason for non-allowance of said terminal to access said data network, further comprising deciding circuitry configured to decide to reject a session establishment of said terminal to said data network, and transmitting circuitry configured to transmit, towards an access and mobility management function entity of said mobile communications network, a message indicative of rejection of said session establishment of said terminal to said data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network based on said reason for non-allowance of said terminal to access said data network.
  • an apparatus of an access and mobility management function entity of a mobile communications network comprising receiving circuitry configured to receive, from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network, further comprising transmitting circuitry configured to transmit, towards a policy control function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • an apparatus of an access and mobility management function entity of a mobile communications network comprising receiving circuitry configured to receive, from a terminal, a session establishment request requesting a session establishment between said terminal and a data network, determining circuitry configured to determine whether said terminal has a subscription for said data network, and transmitting circuitry configured to transmit, towards a policy control function entity of said mobile communications network, based on a result of said determining circuitry, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • an apparatus of a policy control function entity of said mobile communications network comprising receiving circuitry configured to receive, from an access and mobility management function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access a data network, modifying circuitry configured to modify, based on said policy control update request message, entries related to said data network in a terminal route selection policy of said terminal, and transmitting circuitry configured to transmit said terminal route selection policy towards said terminal.
  • an apparatus of a session management function entity of a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from an authentication and authorization entity with respect to a data network, a message indicative of that a terminal is not allowed to access said data network, wherein said message includes a reason for non-allowance of said terminal to access said data network, deciding to reject a session establishment of said terminal to said data network, and transmitting, towards an access and mobility management function entity of said mobile communications network, a message indicative of rejection of said session establishment of said terminal to said data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network based on said reason for non-allowance of said terminal to access said data network.
  • an apparatus of an access and mobility management function entity of a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network, and transmitting, towards a policy control function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • an apparatus of an access and mobility management function entity of a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a terminal, a session establishment request requesting a session establishment between said terminal and a data network, determining whether said terminal has a subscription for said data network, and transmitting, towards a policy control function entity of said mobile communications network, based on a result of said determining, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • an apparatus of a policy control function entity of said mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from an access and mobility management function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access a data network, modifying, based on said policy control update request message, entries related to said data network in a terminal route selection policy of said terminal, and transmitting said terminal route selection policy towards said terminal.
  • a computer program product comprising computer-executable computer program code which, when the program is run on a computer (e.g. a computer of an apparatus according to any one of the aforementioned apparatus-related exemplary aspects of the present disclosure), is configured to cause the computer to carry out the method according to any one of the aforementioned method- related exemplary aspects of the present disclosure.
  • a computer e.g. a computer of an apparatus according to any one of the aforementioned apparatus-related exemplary aspects of the present disclosure
  • Such computer program product may comprise (or be embodied) a (tangible) computer-readable (storage) medium or the like on which the computerexecutable computer program code is stored, and/or the program may be directly loadable into an internal memory of the computer or a processor thereof.
  • any one of the above aspects enables an efficient avoidance of waste of radio and core network resources in particular in the above-outlined scenarios to thereby solve at least part of the problems and drawbacks identified in relation to the prior art.
  • More specifically, by way of example embodiments, there are provided measures and mechanisms for realizing handling of unsuccessful authentication with a data network.
  • Figure 1 is a block diagram illustrating an apparatus according to example embodiments
  • Figure 2 is a block diagram illustrating an apparatus according to example embodiments
  • Figure 3 is a block diagram illustrating an apparatus according to example embodiments
  • Figure 4 is a block diagram illustrating an apparatus according to example embodiments
  • Figure 5 is a block diagram illustrating an apparatus according to example embodiments
  • Figure 6 is a block diagram illustrating an apparatus according to example embodiments
  • Figure 7 is a block diagram illustrating an apparatus according to example embodiments.
  • Figure 8 is a schematic diagram of a procedure according to example embodiments.
  • Figure 9 is a schematic diagram of a procedure according to example embodiments.
  • Figure 10 is a schematic diagram of a procedure according to example embodiments.
  • Figure 11 is a schematic diagram of a procedure according to example embodiments.
  • Figure 12 shows a schematic diagram of signaling sequences according to example embodiments.
  • Figure 13 is a block diagram alternatively illustrating apparatuses according to example embodiments.

Detailed description

  • DN-AAA DN authentication support mechanism
  • any DN authentication support mechanism may apply here, e.g., when the interface between the SMF and the DN authentication & authorization server is not based on AAA protocols like Radius and Diameter.
  • AAA may imply an accounting ability/functionality
  • The present disclosure and its embodiments are not limited to a respective entity mandatorily having such accounting ability/functionality, i.e., referring below to some AAA entity does not mean that such accounting ability/functionality is required for the respective responsible entity according to example embodiments and that the (DN) entity is actually carrying out accounting (in other words, an AAA entity mentioned below may have authentication and authorization abilities/functionalities only but no accounting ability/functionality).
  • There are provided measures and mechanisms for (enabling/realizing) handling of unsuccessful authentication with a data network.
  • The PCF is triggered to update the URSP rules after the UE (as an example of a terminal) has requested the establishment of a PDU session towards e.g. a DN identified by a DNN or a network slice identified by a single network slice selection assistance information (S-NSSAI), which the UE is not allowed to access.
  • S-NSSAI single network slice selection assistance information
  • When the DN-AAA server determines that the UE is not allowed to access this particular DN (any more), the DN-AAA server indicates this with an appropriate failure reason to the SMF. Subsequently, the SMF provides an indication that the UE is not allowed (permanently) to access the DN(N) to the AMF. According to example embodiments, the AMF relays such indication to the PCF. According to further example embodiments, the PCF is informed thereof not by just relaying the indication but by transmitting a different message indicative of that the UE is not allowed (permanently) to access the DN(N).
  • The PCF then updates the URSP by removing the DNN from the potential PDU sessions the UE may try to establish.
  • The PCF that updates the URSP rules on the UE is the PCF interfacing with the AMF, so that PCF may be different from a PCF interfacing with the SMF.
  • the information from the AMF is relayed to the PCF in the home public land mobile network (HPLMN) via the PCF in the visited public land mobile network (VPLMN).
  • HPLMN home public land mobile network
  • VPLMN visited public land mobile network
  • the PCF or SMF raises an alarm towards the operations, administration and maintenance (OAM), as the subscription data of the UE may need an update.
  • OAM operations, administration and maintenance
  • FIG. 1 is a block diagram illustrating an apparatus according to example embodiments.
  • the apparatus may be a network entity or network node 10 such as a session management function entity of a mobile communications network comprising a receiving circuitry 11, a deciding circuitry 12, and a transmitting circuitry 13.
  • the receiving circuitry 11 receives, from an authentication and authorization entity with respect to a data network (which may e.g. be an authentication, authorization, and accounting entity with respect to said data network), a message indicative of that a terminal is not allowed to access said data network.
  • the message includes a reason for non-allowance of said terminal to access a data network.
  • the deciding circuitry 12 decides to reject a session establishment of said terminal to said data network.
  • the transmitting circuitry 13 transmits, towards an access and mobility management function entity of said mobile communications network, a message indicative of rejection of said session establishment of said terminal to said data network.
  • the message includes a reason for rejection of said session establishment of said terminal to said data network based on said reason for non-allowance of said terminal to access said data network.
  • Figure 8 is a schematic diagram of a procedure according to example embodiments.
  • the apparatus according to Figure 1 may perform the method of Figure 8 but is not limited to this method.
  • the method of Figure 8 may be performed by the apparatus of Figure 1 but is not limited to being performed by this apparatus.
  • a procedure comprises an operation of receiving (S81), from an authentication and authorization entity with respect to a data network, a message indicative of that a terminal is not allowed to access said data network, wherein said message includes a reason for non-allowance of said terminal to access a data network, an operation of deciding (S82) to reject a session establishment of said terminal to said data network, and an operation of transmitting (S83), towards an access and mobility management function entity of said mobile communications network, a message indicative of rejection of said session establishment of said terminal to said data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network based on said reason for non-allowance of said terminal to access said data network.
  • an exemplary method may comprise an operation of transmitting, towards an operation and maintenance entity of said mobile communications network, an alarm message indicative of that said terminal is not allowed to access said data network, said alarm message including an identifier of said terminal and information on said data network.
  • said message is indicative of that said terminal is permanently not allowed to access said data network.
  • said mobile communications network is a 3GPP network.
  • the 3GPP network may be a 3GPP 5G network.
  • the 3GPP network may be a future 3GPP communication network, e.g. a 3GPP network of a later generation, e.g. a 3GPP 6G network.
  • said session establishment of said terminal to said data network is a protocol data unit session establishment.
  • said authentication and authorization entity with respect to said data network is an authentication and authorization entity of said data network (which may e.g. be an authentication, authorization, and accounting entity of said data network) or is an authentication and authorization entity of said mobile communications network (which may e.g. be an authentication, authorization, and accounting entity of said mobile communications network).
  • FIG 2 is a block diagram illustrating an apparatus according to example embodiments.
  • the apparatus may be a network entity or network node 20 such as an access and mobility management function entity of a mobile communications network comprising a receiving circuitry 21 and a transmitting circuitry 22.
  • the receiving circuitry 21 receives, from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network.
  • the message includes a reason for rejection of said session establishment of said terminal to said data network.
  • the transmitting circuitry 22 transmits, towards a policy control function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • Figure 9 is a schematic diagram of a procedure according to example embodiments.
  • the apparatus according to Figure 2 may perform the method of Figure 9 but is not limited to this method.
  • the method of Figure 9 may be performed by the apparatus of Figure 2 but is not limited to being performed by this apparatus.
  • a procedure comprises an operation of receiving (S91), from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network, and an operation of transmitting (S92), towards a policy control function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • Figure 3 is a block diagram illustrating an apparatus according to example embodiments.
  • Figure 3 illustrates a variation of the apparatus shown in Figure 2.
  • the apparatus according to Figure 3 may thus further comprise a deciding circuitry 31.
  • At least some of the functionalities of the apparatus shown in Figure 2 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • said reason for rejection of said session establishment of said terminal to said data network is indicative of that said terminal is permanently not allowed to access said data network.
  • an exemplary method may comprise an operation of receiving, from said policy control function entity of said mobile communications network, a request to get notified upon any incidence of non-allowance of access, to said data network, of a communication entity asking for an establishment of a session between said communication entity and said data network, and an operation of deciding whether to transmit said policy control update request message towards said policy control function entity of said mobile communications network based on said request.
  • said operation of transmitting (S92) said policy control update request message indicative of that said terminal is not allowed to access said data network may be the result of said policy control function entity of said mobile communications network having requested to receive such indication (i.e. said operation of transmitting (S92) may be issued upon receipt of said message indicative of rejection of said session establishment of said terminal to a data network only in case that, beforehand, said policy control function entity of said mobile communications network has requested to receive such indication).
  • this request may for example be exchanged with a newly defined value of PolicyControlRequestTrigger defined in clause 5.6.3.6 of TS 29.514.
  • This new value is then indicative of a request to contact the policy control function entity of said mobile communications network when the terminal is not allowed to access a data network.
  • said policy control update request message is indicative of that said terminal is permanently not allowed to access said data network.
  • said mobile communications network is a 3GPP network.
  • the 3GPP network may be a 3GPP 5G network.
  • the 3GPP network may be a future 3GPP communication network, e.g. a 3GPP network of a later generation, e.g. a 3GPP 6G network.
  • said session establishment of said terminal to said data network is a protocol data unit session establishment.
  • FIG. 4 is a block diagram illustrating an apparatus according to example embodiments.
  • the apparatus may be a network entity or network node 40 such as an access and mobility management function entity of a mobile communications network comprising a receiving circuitry 41, a determining circuitry 42, and a transmitting circuitry 53.
  • the receiving circuitry 51 receives, from a terminal, a session establishment request requesting a session establishment between said terminal and a data network.
  • the determining circuitry 52 determines whether said terminal has a subscription for said data network.
  • the transmitting circuitry 43 transmits, towards a policy control function entity of said mobile communications network, based on a result of said determining circuitry 52, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • Figure 10 is a schematic diagram of a procedure according to example embodiments.
  • the apparatus according to Figure 4 may perform the method of Figure 10 but is not limited to this method.
  • the method of Figure 10 may be performed by the apparatus of Figure 4 but is not limited to being performed by this apparatus.
  • a procedure according to example embodiments comprises an operation of receiving (S101), from a terminal, a session establishment request requesting a session establishment between said terminal and a data network, an operation of determining (S102) whether said terminal has a subscription for said data network, and an operation of transmitting (S103), towards a policy control function entity of said mobile communications network, based on a result of said determining (S102), a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • Figure 5 is a block diagram illustrating an apparatus according to example embodiments.
  • Figure 5 illustrates a variation of the apparatus shown in Figure 4.
  • the apparatus according to Figure 5 may thus further comprise a deciding circuitry 51.
  • At least some of the functionalities of the apparatus shown in Figure 4 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • exemplary details of the transmitting operation (S103) are given, which are inherently independent from each other as such. According to such modification, in said transmitting operation (S103), said policy control update request message indicative of that said terminal is not allowed to access said data network is transmitted, if said result of said determining (S102) is indicative of that said terminal has no subscription for said data network.
  • an exemplary method may comprise an operation of receiving, from said policy control function entity of said mobile communications network, a request to get notified upon any incidence of non-allowance of access, to said data network, of a communication entity asking for an establishment of a session between said communication entity and said data network, and an operation of deciding whether to transmit said policy control update request message towards said policy control function entity of said mobile communications network based on said request.
  • said operation of transmitting (S103) said policy control update request message indicative of that said terminal is not allowed to access said data network may be the result of said policy control function entity of said mobile communications network having requested to receive such indication (i.e. said operation of transmitting (S103) may be issued upon receipt of said session establishment request from said terminal having no subscription for said data network only in case that, beforehand, said policy control function entity of said mobile communications network has requested to receive such indication).
  • this request may for example be exchanged with a newly defined value of PolicyControlRequestTrigger defined in clause 5.6.3.6 of TS 29.514. This new value is then indicative of a request to contact the policy control function entity of said mobile communications network when the terminal is not allowed to access a data network.
  • said policy control update request message is indicative of that said terminal is permanently not allowed to access said data network.
  • said mobile communications network is a 3GPP network.
  • the 3GPP network may be a 3GPP 5G network.
  • the 3GPP network may be a future 3GPP communication network, e.g. a 3GPP network of a later generation, e.g. a 3GPP 6G network.
  • said session establishment of said terminal to said data network is a protocol data unit session establishment.
  • FIG 6 is a block diagram illustrating an apparatus according to example embodiments.
  • the apparatus may be a network entity or network node 60 such as a policy control function entity of said mobile communications network comprising a receiving circuitry 61, a modifying circuitry 62, and a transmitting circuitry 63.
  • the receiving circuitry 61 receives, from an access and mobility management function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network.
  • the modifying circuitry 62 modifies, based on said policy control update request message, entries related to said data network in a terminal route selection policy of said terminal.
  • the transmitting circuitry 63 transmits said terminal route selection policy towards said terminal.
  • Figure 11 is a schematic diagram of a procedure according to example embodiments.
  • the apparatus according to Figure 6 may perform the method of Figure 11 but is not limited to this method.
  • the method of Figure 11 may be performed by the apparatus of Figure 6 but is not limited to being performed by this apparatus.
  • a procedure comprises an operation of receiving (S111), from an access and mobility management function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network, an operation of modifying (S112), based on said policy control update request message, entries related to said data network in a terminal route selection policy of said terminal, and an operation of transmitting (S113) said terminal route selection policy towards said terminal.
  • Figure 7 is a block diagram illustrating an apparatus according to example embodiments.
  • Figure 7 illustrates a variation of the apparatus shown in Figure 6.
  • the apparatus according to Figure 7 may thus further comprise a removing circuitry 71.
  • At least some of the functionalities of the apparatus shown in Figure 6 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • Such exemplary modifying operation (S112) may comprise an operation of removing said entries related to said data network in said terminal route selection policy of said terminal.
  • an exemplary method may comprise an operation of transmitting, towards an operation and maintenance entity of said mobile communications network, an alarm message indicative of that said terminal is not allowed to access said data network, said alarm message including an identifier of said terminal and information on said data network.
  • an exemplary method may comprise an operation of deciding whether to request to get notified upon any incidence of non-allowance of access, to said data network, of any communication entity asking for establishment of a session between said communication entity and said data network, and an operation of transmitting, based on said deciding, towards said access and mobility management function entity of said mobile communications network, a request to get notified upon any incidence of non-allowance of access, to said data network, of any communication entity asking for establishment of a session between said communication entity and said data network.
  • this request may for example be exchanged with a newly defined value of PolicyControlRequestTrigger defined in clause 5.6.3.6 of TS 29.514.
  • This new value is then indicative of a request to contact the policy control function entity of said mobile communications network when the terminal is not allowed to access a data network.
  • said mobile communications network is a 3GPP network.
  • the 3GPP network may be a 3GPP 5G network.
  • the 3GPP network may be a future 3GPP communication network, e.g. a 3GPP network of a later generation, e.g. a 3GPP 6G network.
  • Figure 12 shows a schematic diagram of signaling sequences according to example embodiments.
  • the UE (as an example of a terminal) is already registered successfully with the 5GC and the URSP is already provided by the PCF, and, on the other hand, either in the UDM, the DNN is marked for secondary authentication/authorization, or in the SMF, a local policy is provided for secondary authentication/authorization for the DN.
  • In step 1 in Figure 12, several processing and signaling steps are effected.
  • the UE initiates a PDU session establishment, and the SMF invokes secondary authentication/authorization.
  • the authentication fails.
  • the DN-AAA server indicates a permanent failure reason (e.g. "DN-specific identity/EAP identity is not allowed to access the DN") to the SMF e.g. in an "Authentication/Authorization response" message.
  • the SMF sends a notification indicative of rejection of the PDU session establishment to the UE via the AMF (e.g. "Nsmf_PDUSession_SMContextStatusNotify (Release)").
  • Nsmf_PDUSession_SMContextStatusNotify (Release) contains the error information for AMF that the UE is not allowed (permanently) to access the DN(N).
  • the error information may be conveyed as one cause of a cause enumeration defining several entries of cause information.
  • the cause may have an enumeration value "REL_DUE_TO_EAP_ID_NOT_ALLOWED” and an enumeration description "Release due to EAP ID (UE ID) is not allowed to access the DNN”.
  • the AMF may detect on its own (without exchanging PDU session establishment signaling with the SMF, for example, without receiving the notification indicative of rejection of the PDU session establishment (e.g. "Nsmf_PDUSession_SMContextStatusNotify (Release)") from the SMF) that the UE is asking for the establishment of a PDU session towards a DNN for which the UE has no subscription.
  • steps 2 to 4 in Figure 12 may be replaced by the AMF detecting that the UE is asking for the establishment of a PDU Session towards a DNN for which it has no subscription.
  • the UE sends a PDU session establishment request to the network.
  • This is handled by the AMF, which detects that the target DNN is not part of the subscription (and that there is no wildcard subscription information that would allow the UE to access a DNN not explicitly listed as authorized).
  • step 5 in Figure 12 is entered upon such detection by the AMF.
  • the AMF determines that a Policy Control Request Trigger condition is met where this Policy Control Request Trigger condition is related with the fact that the terminal is not allowed to access a data network.
  • a new value of PolicyControlRequestTrigger may be defined in clause 5.6.3.6 of TS 29.514. This new value is indicative of a request to contact the policy control function entity of said mobile communications network when the terminal is not allowed to access a data network.
  • the AMF triggers e.g. an Npcf_UEPolicyControl_Update Request (UE Policy Association ID associated with the SUPI and the Policy Control Request Trigger met) that contains an indication that the UE is not allowed (permanently) to access the DNN. In a roaming case, this may be relayed over an N24 interface (vPCF-hPCF interface).
  • the PCF determines to update the URSP with respect to the DNN.
  • this updated URSP is pushed to the UE as part of an existing UE configuration update procedure:
  • the (Home-)PCF ((H-)PCF) may create the UE policy container including UE policy information as defined in clause 6.6 of TS 23.503.
  • the H-PCF may include the UE policy container in the "Npcf_UEPolicyControl_UpdateNotify Request".
  • Upon request of the PCF, the AMF initiates the UE Configuration Update procedure (TS 23.502 clause 4.2.4.3) to update the policies on the UE.
  • signaling messages exchanged between the UE and the 5GC are saved, in particular by avoiding that the UE repeats a request for a PDU session with respect to a specific DN.
  • the PCF or the SMF raises an alarm with a user identifier like subscription permanent identifier (SUPI), subscription concealed identifier (SUCI), generic public subscription identifier (GPSI), and DN information, to the operator (e.g. to the OAM). Based on this alarm, the operator can take some corrective action like configuring the DN-specific identity for the UE in DN-AAA server or removing the subscription of the UE to the DNN from the UDM/unified data repository (UDR) data.
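  • As an added example that is not part of the patent, the following Python model walks through the Figure 12 flow and the AMF-side detection of a non-subscribed DNN (including the wildcard case): the cause value is the one the page quotes, while the trigger name, the SUPI, the DNN names and the URSP rule shape are constructed placeholders.

```python
from dataclasses import dataclass

# Cause value quoted on the page for the SMF -> AMF Nsmf_PDUSession_SMContextStatusNotify (Release).
REL_DUE_TO_EAP_ID_NOT_ALLOWED = "REL_DUE_TO_EAP_ID_NOT_ALLOWED"
# Hypothetical name for the new PolicyControlRequestTrigger value; the page does not name it.
PCRT_UE_NOT_ALLOWED_DNN = "UE_NOT_ALLOWED_DNN"


@dataclass
class UrspRule:  # simplified URSP rule: one route selection descriptor naming one DNN
    precedence: int
    dnn: str


@dataclass
class Alarm:  # alarm towards OAM: user identifier plus DN information
    supi: str
    dnn: str
    reason: str


class PCF:
    def __init__(self, ursp_by_supi, subscribe_to_not_allowed=True):
        self.ursp_by_supi = ursp_by_supi
        self.subscribe_to_not_allowed = subscribe_to_not_allowed
        self.alarms = []
        self.pushed = {}  # supi -> URSP last delivered via UE Configuration Update

    def requested_triggers(self):
        # The 'deciding whether to request to get notified' step: triggers the AMF must report.
        return {PCRT_UE_NOT_ALLOWED_DNN} if self.subscribe_to_not_allowed else set()

    def ue_policy_control_update(self, supi, trigger, dnn):
        # Npcf_UEPolicyControl_Update handling: drop the DNN's URSP entries, push them, raise alarm.
        if trigger != PCRT_UE_NOT_ALLOWED_DNN:
            return None
        kept = [r for r in self.ursp_by_supi.get(supi, []) if r.dnn != dnn]
        self.ursp_by_supi[supi] = kept
        self.pushed[supi] = list(kept)
        self.alarms.append(Alarm(supi, dnn, "UE permanently not allowed to access DNN"))
        return kept


class SMF:
    def __init__(self, permanent_denials):
        # (supi, dnn) pairs for which the DN-AAA server answers with a permanent failure (lookup model).
        self.permanent_denials = permanent_denials

    def establish(self, supi, dnn):
        # Outcome of secondary authentication/authorization, reported to the AMF as a cause or None.
        return REL_DUE_TO_EAP_ID_NOT_ALLOWED if (supi, dnn) in self.permanent_denials else None


class AMF:
    def __init__(self, pcf, subscriptions):
        self.pcf = pcf
        self.subscriptions = subscriptions  # supi -> subscribed DNNs; "*" is a wildcard entry
        self.triggers = pcf.requested_triggers()

    def has_subscription(self, supi, dnn):
        dnns = self.subscriptions.get(supi, set())
        return dnn in dnns or "*" in dnns

    def handle_pdu_session_request(self, supi, dnn, smf):
        # Steps 2-4 are skipped when the AMF itself sees that the DNN is not subscribed.
        if not self.has_subscription(supi, dnn):
            return self._not_allowed(supi, dnn)
        if smf.establish(supi, dnn) == REL_DUE_TO_EAP_ID_NOT_ALLOWED:
            return self._not_allowed(supi, dnn)
        return "accepted"

    def _not_allowed(self, supi, dnn):
        # Step 5: contact the PCF only if it asked for this trigger beforehand.
        if PCRT_UE_NOT_ALLOWED_DNN in self.triggers:
            self.pcf.ue_policy_control_update(supi, PCRT_UE_NOT_ALLOWED_DNN, dnn)
        return "rejected"


def run_demo(subscribe=True):
    # Constructed scenario: SUPI, DNN names and rules are placeholders, not real network data.
    ursp = {"imsi-001": [UrspRule(1, "corp.example"), UrspRule(2, "internet")]}
    pcf = PCF(ursp, subscribe_to_not_allowed=subscribe)
    smf = SMF({("imsi-001", "corp.example")})
    amf = AMF(pcf, {"imsi-001": {"corp.example", "internet"}})
    results = [
        amf.handle_pdu_session_request("imsi-001", "corp.example", smf),  # DN-AAA permanent failure
        amf.handle_pdu_session_request("imsi-001", "internet", smf),      # normal acceptance
        amf.handle_pdu_session_request("imsi-001", "iot.example", smf),   # no subscription: AMF alone
    ]
    return results, pcf
```

Calling run_demo(subscribe=False) shows the deciding step on the PCF side: without the trigger request, the AMF still rejects but neither the URSP nor the alarm list changes.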
  • the network entity may comprise further units that are necessary for its respective operation. However, a description of these units is omitted in this specification.
  • the arrangement of the functional blocks of the devices is not construed to limit the disclosure, and the functions may be performed by one block or further split into sub-blocks.
  • Where it is stated that the apparatus, i.e. the network entity (or some other means), is configured to perform some function, this is to be construed to be equivalent to a description stating that a (i.e. at least one) processor or corresponding circuitry, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function. Such function is to be construed to be equivalently implementable by specifically configured circuitry or means for performing the respective function (i.e. the expression "unit configured to" is construed to be equivalent to an expression such as "means for").
  • the apparatus (network entity) 10' (corresponding to the network entity 10) comprises a processor 131, a memory 132 and an interface 133, which are connected by a bus 134 or the like.
  • the apparatus (network entity) 20' (corresponding to the network entity 20) comprises a processor 131, a memory 132 and an interface 133, which are connected by a bus 134 or the like.
  • the apparatus (network entity) 40' (corresponding to the network entity 40) comprises a processor 131, a memory 132 and an interface 133, which are connected by a bus 134 or the like.
  • the apparatus (network entity) 60' (corresponding to the network entity 60) comprises a processor 131, a memory 132 and an interface 133, which are connected by a bus 134 or the like.
  • the apparatuses 10', 20', 40', 60' may be connected via link 135 with respective others of apparatuses 10', 20', 40', 60' via respective links 135.
  • the processor 131 and/or the interface 133 may also include a modem or the like to facilitate communication over a (hardwire or wireless) link, respectively.
  • the interface 133 may include a suitable transceiver coupled to one or more antennas or communication means for (hardwire or wireless) communications with the linked or connected device(s), respectively.
  • the interface 133 is generally configured to communicate with at least one other apparatus, i.e. the interface thereof.
  • the memory 132 may store respective programs assumed to include program instructions or computer program code that, when executed by the respective processor, enables the respective electronic device or apparatus to operate in accordance with the example embodiments.
  • the respective devices/apparatuses may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or exhibiting respective functionalities.
  • Where it is stated that a processor or some other means is configured to perform some function, this is to be construed to be equivalent to a description stating that at least one processor, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function. Such function is to be construed to be equivalently implementable by specifically configured means for performing the respective function (i.e. the expression "processor configured to [cause the apparatus to] perform xxx-ing" is construed to be equivalent to an expression such as "means for xxx-ing").
  • an apparatus representing the network entity 10 comprises at least one processor 131, at least one memory 132 including computer program code, and at least one interface 133 configured for communication with at least another apparatus.
  • the processor (i.e. the at least one processor 131, with the at least one memory 132 and the computer program code) is configured to perform receiving, from an authentication and authorization entity with respect to a data network, a message indicative of that a terminal is not allowed to access said data network, wherein said message includes a reason for non-allowance of said terminal to access a data network (thus the apparatus comprising corresponding means for receiving), to perform deciding to reject a session establishment of said terminal to said data network (thus the apparatus comprising corresponding means for deciding), and to perform transmitting, towards an access and mobility management function entity of said mobile communications network, a message indicative of rejection of said session establishment of said terminal to said data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network based on said reason for non-allowance of said terminal to access said data network (thus the apparatus comprising corresponding means for transmitting).
  • an apparatus representing the network entity 20 comprises at least one processor 131, at least one memory 132 including computer program code, and at least one interface 133 configured for communication with at least another apparatus.
  • the processor (i.e. the at least one processor 131, with the at least one memory 132 and the computer program code) is configured to perform receiving, from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network (thus the apparatus comprising corresponding means for receiving), and to perform transmitting, towards a policy control function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network (thus the apparatus comprising corresponding means for transmitting).
  • an apparatus representing the network entity 40 comprises at least one processor 131, at least one memory 132 including computer program code, and at least one interface 133 configured for communication with at least another apparatus.
  • the processor (i.e. the at least one processor 131, with the at least one memory 132 and the computer program code) is configured to perform receiving, from a terminal, a session establishment request requesting a session establishment between said terminal and a data network (thus the apparatus comprising corresponding means for receiving), to perform determining whether said terminal has a subscription for said data network (thus the apparatus comprising corresponding means for determining), and to perform transmitting, towards a policy control function entity of said mobile communications network, based on a result of said determining, a policy control update request message indicative of that said terminal is not allowed to access said data network (thus the apparatus comprising corresponding means for transmitting).
  • an apparatus representing the network entity 60 comprises at least one processor 131, at least one memory 132 including computer program code, and at least one interface 133 configured for communication with at least another apparatus.
  • the processor (i.e. the at least one processor 131, with the at least one memory 132 and the computer program code) is configured to perform receiving, from an access and mobility management function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network (thus the apparatus comprising corresponding means for receiving), to perform modifying, based on said policy control update request message, entries related to said data network in a terminal route selection policy of said terminal (thus the apparatus comprising corresponding means for modifying), and to perform transmitting said terminal route selection policy towards said terminal (thus the apparatus comprising corresponding means for transmitting).
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the embodiments and its modification in terms of the functionality implemented;
  • CMOS Complementary MOS
  • BiMOS Bipolar MOS
  • BiCMOS Bipolar CMOS
  • ECL Emitter Coupled Logic
  • TTL Transistor-Transistor Logic
  • ASIC Application Specific IC (Integrated Circuit)
  • FPGA Field-programmable Gate Arrays
  • CPLD Complex Programmable Logic Device
  • DSP Digital Signal Processor
  • devices, units or means, e.g. the above-defined network entity or network register, or any one of their respective units/means
  • an apparatus like the user equipment and the network entity /network register may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor;
  • a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
  • respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts.
  • the mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the present disclosure.
  • Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
  • Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof.
  • the present disclosure also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
  • Such measures exemplarily comprise, at an access and mobility management function entity of a mobile communications network, receiving, from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network, wherein said message includes a reason for rejection of said session establishment of said terminal to said data network, and transmitting, towards a policy control function entity of said mobile communications network, a policy control update request message indicative of that said terminal is not allowed to access said data network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Measures for handling unsuccessful authentication with a data network are disclosed. Such measures exemplarily comprise, at an access and mobility management function entity of a mobile communications network, receiving, from a session management function entity of said mobile communications network, a message indicative of rejection of a session establishment of a terminal to a data network, said message comprising a reason for rejection of said session establishment of said terminal to said data network, and transmitting, towards a policy control function entity of said mobile communications network, a policy control update request message indicating that said terminal is not allowed to access said data network.
PCT/EP2021/052746 2021-02-05 2021-02-05 Gestion d'authentification infructueuse avec un réseau de données WO2022167083A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/052746 WO2022167083A1 (fr) 2021-02-05 2021-02-05 Gestion d'authentification infructueuse avec un réseau de données

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/052746 WO2022167083A1 (fr) 2021-02-05 2021-02-05 Gestion d'authentification infructueuse avec un réseau de données

Publications (1)

Publication Number Publication Date
WO2022167083A1 true WO2022167083A1 (fr) 2022-08-11

Family

ID=74587005

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/052746 WO2022167083A1 (fr) 2021-02-05 2021-02-05 Gestion d'authentification infructueuse avec un réseau de données

Country Status (1)

Country Link
WO (1) WO2022167083A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200162919A1 (en) * 2018-11-16 2020-05-21 Lenovo (Singapore) Pte. Ltd. Accessing a denied network resource


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
NOKIA ET AL: "Corrections to 5GMM and 5GSM causes mappings", vol. CT WG4, no. Montreal, Canada; 20190225 - 20190301, 4 March 2019 (2019-03-04), XP051684738, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/3guInternal/3GPP%5FUltimate%5FCRPacks/CP%2D190031%2Ezip> [retrieved on 20190304] *
SHARP: "DISC on 5GSM cause #29 "user authentication or authorization failed"", vol. CT WG1, no. Brastislava, Slovakia; 20190121 - 20190125, 11 January 2019 (2019-01-11), XP051592045, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings%5F3GPP%5FSYNC/CT1/Docs/C1%2D190079%2Ezip> [retrieved on 20190111] *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21704462

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21704462

Country of ref document: EP

Kind code of ref document: A1