WO2022170911A1 - Method for authentication and authorization and communication equipment - Google Patents


Publication number
WO2022170911A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
authentication
network
authorization
indication information
Application number
PCT/CN2022/071841
Inventor
张成晨
邢玮俊
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2022170911A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W72/00 Local resource management
    • H04W72/04 Wireless resource allocation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W72/00 Local resource management
    • H04W72/20 Control channels or signalling for resource management
    • H04W72/23 Control channels or signalling for resource management in the downlink direction of a wireless link, i.e. towards a terminal

Definitions

  • the present application relates to the field of communication and, more particularly, to a method and a communication device for authentication and authorization.
  • drone networking requires a series of authentication and authorization procedures.
  • if the UAV's authentication and authorization is rejected, the UAV may need to be authenticated and authorized again, that is, re-authentication and authorization.
  • at present, how to re-authenticate and authorize drones in a timely and successful manner according to their own needs is an urgent problem to be solved.
  • the present application provides a method and device for authentication and authorization. After the authentication and authorization of a terminal device fails, an indication that the terminal device can request network resources for communicating with another terminal device in the same system is sent to the terminal device through the core network, so that the terminal device can perform re-authentication and authorization according to its own needs, thereby improving the success rate of the terminal device's re-authentication and authorization, and reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • an authentication and authorization method including: a first network device determines that authentication and authorization of a terminal device fails; the first network device receives first indication information, where the first indication information indicates that the terminal device can request a network resource, and the network resource is used for the terminal device to communicate with another terminal device in the same system; the first network device sends second indication information to the terminal device according to the first indication information, and the second indication information indicates that the terminal device can request the network resource.
  • the authentication and authorization is the authentication and authorization performed by the third-party network device on the terminal device.
  • the authentication and authorization may be the authentication and authorization of the UAV itself, the authentication and authorization of the UAV flight plan, the pairing authentication and authorization between the UAV and the UAV controller, or other types of authentication and authorization, which is not limited in this application.
  • the first indication information indicates that the terminal device can request network resources for the drone operation.
  • the "drone operation" mentioned in this application may also be a drone service, or may also be other expressions, which is not limited in this application.
  • the same system here can be an unmanned aerial vehicle system. Specifically, for the unmanned aerial vehicle system, the current unmanned aerial vehicle system only includes one unmanned aerial vehicle and one unmanned aerial vehicle controller. Network resources are used to communicate with the UAV controller in the UAV system.
  • regarding "another terminal device in the same system", this application does not limit the system name or the number of terminals in the system. For example, if there are multiple terminal devices in a system, the terminal device can be instructed to communicate with a certain terminal device in the system.
  • requesting network resources means that the terminal device obtains the network resources from the network through various channels, including but not limited to the registration process, the service request process, the session establishment process, and the session modification process, which is not limited in this application.
  • the first indication information indicates that the first network device can initiate authentication and authorization for the terminal device. After receiving the first indication information, if the first network device receives a network resource request from the terminal device for communicating with another terminal device in the same system, the first network device may initiate authentication and authorization for the terminal device.
  • the "can" mentioned in this application can also be "may", "permit" or other possible expressions. For convenience, this application only uses "can" as an example for description, but this is not limited.
  • the first network device sends, to the terminal device, an indication that the terminal device can request network resources for communicating with another terminal device in the same system, so that the terminal device can perform re-authentication and authorization according to its own needs, thereby improving the success rate of the terminal device's re-authentication and authorization, and reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the method further includes: the first network device sends a first request message to the second network device, where the first request message subscribes to the change of the authentication and authorization state; or, the first request message queries the authentication and authorization state; wherein the authentication and authorization state is whether the terminal device can request the network resource.
  • authentication and authorization status can also be whether the terminal device can perform re-authentication and authorization.
  • this application only uses "the authentication and authorization state is whether the terminal device can request the network resource" as an example for description, but this is not limited.
  • the first network device subscribes to changes of the authentication and authorization state of the terminal device or queries the authentication and authorization state, so that the core network obtains the authentication and authorization state of the terminal device and, when the first network device learns that the terminal device can request the network resource, notifies the terminal device; this enables the terminal device to perform re-authentication and authorization according to its own needs, thereby improving the success rate of the terminal device's re-authentication and authorization, and reducing the signaling waste caused by the terminal device being rejected when it requests network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the method further includes: the first network device receiving a third request message from the terminal device, where the third request message requests the network resource.
  • the first network device may receive the third request message from the terminal device after the first network device sends the second indication information to the terminal device, or before the first network device sends the first request message to the second network device.
  • the terminal device can learn from the second indication information that it can request the network service; then, when the terminal device needs to request the above network service, it sends a third request message to the first network device.
  • when the terminal device needs to request the above-mentioned network service, it sends a third request message to the first network device, and the first network device queries the authentication and authorization state for the terminal device according to the received third request message.
  • the above technical solution queries the core network for the authentication and authorization state when the terminal device needs to request the above-mentioned network service, which enables the terminal device to request the network resources according to its own needs, thereby improving the success rate of the terminal device's re-authentication and authorization, and reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the method further includes: the third request message includes third indication information, where the third indication information indicates that the terminal device requests to obtain the authentication authorization state.
  • the third indication information indicates that the terminal device requests resources for the operation of the drone.
  • the terminal device independently initiates an authentication and authorization state query request, and the first network device then performs the authentication and authorization state query for the terminal device, so that the terminal device can query the authentication and authorization state in a timely and autonomous manner, thereby improving the success rate of the terminal device's re-authentication and authorization, and also reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the method further includes: the first network device sends a fourth request message to the second network device or the third network device according to the third request message, where the fourth request message requests to initiate authentication and authorization.
  • the method further includes: the first network device deletes the first information according to the first indication information, wherein the first information is stored by the first network device, and the first information indicates at least one of the following: the authentication and authorization of the terminal device fails, and the terminal device cannot request the network resource.
  • the first network device determines that the terminal device can request the network resource and deletes the first information, so that when the first network device again receives the network resource request from the terminal device, it does not directly reject the request but requests a third-party network device to perform authentication and authorization for the terminal device, so that the terminal device can request network resources in time without its request being directly rejected because the first network device stores the first information.
  • the method further includes: the first network device stops a first timer according to the first indication information, wherein before the first timer stops or expires, the first network device rejects second information from the terminal device, the second information requesting the network resource.
  • the first network device determines that the terminal device can request the network resource and stops the first timer, so that when the first network device again receives the network resource request from the terminal device, it does not directly reject the request but requests the third-party network device to perform authentication and authorization for the terminal device, so that the terminal device can request network resources in time before the first timer stops or expires, without its request being directly rejected because the first network device has started the first timer.
  • the terminal device is a drone.
  • the terminal device in this application includes an unmanned aerial vehicle that can access the 3GPP system, and the unmanned aerial vehicle here may be an unmanned aerial vehicle, an unmanned vehicle, an unmanned ship, etc., which is not limited in this application.
  • a communication method including: a terminal device determines that authentication and authorization of the terminal device fails; the terminal device receives second indication information from a first network device, where the second indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system.
  • the terminal device can request network resources for communicating with another terminal device in the same system according to the received indication from the first network device, so as to perform re-authentication and authorization as required, thereby improving the success rate of the terminal device's re-authentication and authorization, and reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the method further includes: the terminal device sends a third request message to the first network device, where the third request message requests the network resource.
  • the terminal device may send the third request message after receiving the second indication information or before receiving the second indication information.
  • the terminal device learns that it can request the above-mentioned network resources, and then sends a third request message according to its own needs.
  • the terminal device actively requests the above-mentioned network resources from the core network or requests to obtain the authentication authorization state according to its own needs, and then receives the second indication information.
  • the third request message includes third indication information, the third indication information indicates that the terminal device requests to obtain an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
  • the third indication information indicates that the terminal device requests resources for the operation of the drone.
  • the method further includes: the terminal device deletes the second information according to the second indication information, wherein the second information is stored by the terminal device, and the second information indicates at least one of the following: the authentication and authorization of the terminal device fails, and the terminal device cannot request the network resource.
  • the method further includes: the terminal device stops a second timer according to the first indication information, wherein before the second timer stops or expires, the terminal device cannot request the network resource.
  • the terminal device stops the second timer after receiving the first indication information, so that the terminal device is no longer prevented by the second timer from requesting the network resource, but can request the network resource according to its own needs, so that the terminal device can request the network resource in time before the second timer expires.
  • the terminal device is a drone.
  • a method for authentication and authorization including: a second network device receives fourth indication information, where the fourth indication information indicates that a terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the second network device sends first indication information to the first network device, where the first indication information indicates that the terminal device can request the network resource.
  • the second network device stores the relevant information after receiving the fourth indication information and sends it to the first network device, so that the first network device, after receiving the resource request from the terminal device, can determine whether the resource can be requested, so that the first network device that interacts with the terminal device does not directly reject the resource request and cause the terminal device to fail to request resources in time.
  • the method further includes: the second network device receives a first request message from the first network device, where the first request message subscribes to the change of the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the first request message queries the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
  • the method further includes: the second network device sends a fifth request message to the third network device, where the fifth request message subscribes to the change of the authentication and authorization state; or, the fifth request message queries the authentication and authorization state.
  • the second network device may not have obtained the authentication and authorization state in advance, so after receiving the first request message, it needs to request the authentication and authorization state from the third network device or other network devices.
  • the device from which the second network device requests the authentication and authorization state is not limited in this application.
  • if the second network device has obtained the authentication and authorization state before receiving the first request message, then after receiving the first request message, it can directly feed back the authentication and authorization state to the first network device.
  • the terminal device is a drone.
  • an authentication and authorization method comprising: a third network device determining that authentication and authorization of a terminal device fails; and the third network device determining fifth indication information, the fifth indication information indicating that the terminal device can request the network resource, the network resource is used for the terminal device to communicate with another terminal device in the same system; the third network device sends the fifth indication information.
  • the determination of the fifth indication information by the third network device may be by receiving the fifth indication information, or by directly determining by itself, which is not limited in this application.
  • the third network device may directly send the fifth indication information to the first network device, or may send the fifth indication information to the first network device through other network devices. Or, more simply and directly, the third network device may directly send the fifth indication information to the terminal device, which is not limited in this application.
  • the third network device determines that the terminal device can request the above-mentioned network resources and actively sends relevant indication information to the core network or the terminal device, so that the terminal device can request network resources according to its own needs, thereby improving the success rate of re-authentication and authorization of the terminal device, and also reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the method further includes: the third network device receives a sixth request message, where the sixth request message subscribes to the change of the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the sixth request message queries the authentication and authorization state.
  • the terminal device is a drone.
  • an authentication and authorization device comprising: a processing module for determining that authentication and authorization of a terminal device fails; a transceiver module for receiving first indication information, where the first indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the transceiver module is also used to send second indication information to the terminal device according to the first indication information, where the second indication information indicates that the terminal device can request the network resource.
  • the first network device sends, to the terminal device, an indication that the terminal device can request network resources for communicating with another terminal device in the same system, so that the terminal device can perform re-authentication and authorization according to its own needs, thereby improving the success rate of the terminal device's re-authentication and authorization, and reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the transceiver module is further configured to: send a first request message to the second network device, where the first request message subscribes to the change of the authentication and authorization state; or, the first request message queries the authentication and authorization state; wherein the authentication and authorization state is whether the terminal device can request the network resource.
  • the transceiver module is further configured to: receive a third request message from the terminal device, where the third request message requests the network resource.
  • the third request message includes third indication information, where the third indication information indicates that the terminal device requests to obtain the authentication authorization state.
  • the processing module is further configured to: delete the first information according to the first indication information, wherein the first information is stored by the first network device, and the first information indicates at least one of the following: the authentication and authorization of the terminal device fails, and the terminal device cannot request the network resource.
  • the processing module is further configured to: stop the first timer according to the first indication information, wherein, before the first timer is stopped, the first network device rejects second information from the terminal device requesting the network resource.
  • the transceiver module is further configured to: send a fourth request message to the second network device or the third network device according to the third request message, where the fourth request message requests to perform authentication and authorization for the terminal device.
  • the terminal device is a drone.
  • an authentication and authorization device comprising: a processing module for determining that the authentication and authorization of the terminal device fails; a transceiver module for receiving second indication information from a first network device, where the second indication information indicates that the terminal device is able to request network resources for the terminal device to communicate with another terminal device in the same system.
  • the terminal device can request network resources for communicating with another terminal device in the same system according to the received indication from the first network device, so as to perform re-authentication and authorization as required, thereby improving the success rate of the terminal device's re-authentication and authorization, and reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the transceiver module is further configured to: send a third request message to the first network device, where the third request message requests the network resource.
  • the third request message includes third indication information, the third indication information indicates that the terminal device requests to obtain an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
  • the processing module is further configured to: stop the second timer according to the second indication information, wherein the terminal device cannot request the network resource before the second timer is stopped.
  • the terminal device is a drone.
  • an authentication and authorization device comprising: a transceiver module for receiving fourth indication information, where the fourth indication information indicates that a terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the transceiver module is further configured to send first indication information to the first network device, where the first indication information indicates that the terminal device can request the network resource.
  • the second network device stores the relevant information after receiving the fourth indication information and sends it to the first network device, so that the first network device, after receiving the resource request from the terminal device, can determine whether the resource can be requested, so that the first network device that interacts with the terminal device does not directly reject the resource request and cause the terminal device to fail to request resources in time.
  • the transceiver module is further configured to: receive a first request message from the first network device, where the first request message subscribes to the change of the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the first request message queries the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
  • the transceiver module is further configured to: send a fifth request message to the third network device, where the fifth request message subscribes to the change of the authentication and authorization state; or, the fifth request message queries the authentication and authorization state.
  • the terminal device is an unmanned aerial vehicle.
  • an authentication and authorization device comprising: a processing module configured to determine that authentication and authorization of a terminal device fails; the processing module is further configured to determine fifth indication information, where the fifth indication information indicates the terminal device A network resource can be requested, and the network resource is used for the terminal device to communicate with another terminal device in the same system; the transceiver module is used for sending the fifth indication information.
  • the third network device determines that the terminal device can request the above-mentioned network resources and actively sends relevant indication information to the core network or the terminal device, so that the terminal device can request network resources according to its own needs, thereby improving the success rate of re-authentication and authorization of the terminal device, and also reducing the signaling waste caused by the terminal device being rejected when it requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization.
  • the transceiver module is further configured to: receive a sixth request message, where the sixth request message subscribes to a change in an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the sixth request message queries the authentication and authorization state.
  • the terminal device is an unmanned aerial vehicle.
  • in a ninth aspect, a communication apparatus is provided, including: a processor and a memory; the memory is used to store a computer program; the processor is used to execute the computer program stored in the memory, so that the communication apparatus performs the methods and embodiments described in any one of the first to fourth aspects and implementations thereof.
  • a computer-readable storage medium wherein a computer program is stored on the computer-readable storage medium, and when the computer program runs on a computer, the computer is made to execute the first to fourth aspects.
  • a chip system which is characterized by comprising: a processor for calling and running a computer program from a memory, so that a communication device installed with the chip system executes any of the first to fourth aspects.
  • a twelfth aspect provides a communication system, characterized in that the communication system includes a terminal device and a third network device, wherein the terminal device is configured to execute the methods and embodiments described in the second aspect and implementations thereof, The third network device is configured to execute the methods and embodiments described in the fourth aspect and its implementation.
  • a thirteenth aspect provides a communication system, characterized in that the communication system includes a terminal device, a third network device and a first network device, wherein the terminal device is configured to execute the second aspect and its implementation manners.
  • the third network device is used for the methods and embodiments described in the fourth aspect and its implementations
  • the first network device is used for executing the methods and embodiments described in the first aspect and its implementations.
  • a fourteenth aspect provides a communication system, characterized in that the communication system includes a terminal device, a third network device, a first network device, and a second network device, wherein the terminal device is configured to perform the second aspect and its
  • the third network device is used for the methods and embodiments described in the fourth aspect and its implementation manners
  • the first network device is used for executing the first aspect and its implementation manners.
  • the second network device is configured to execute the methods and embodiments described in the third aspect and implementations thereof.
  • FIG. 1 shows a network architecture suitable for this embodiment of the present application.
  • FIG. 2 shows another network architecture suitable for this embodiment of the present application.
  • FIG. 3 shows a schematic diagram of an example of an application scenario to which the embodiments of the present application are applied.
  • FIG. 4 shows a schematic interaction diagram of an example of the authentication and authorization method of the present application.
  • FIG. 5 shows a schematic interaction diagram of yet another example of the authentication and authorization method of the present application.
  • FIG. 6 shows a schematic interaction diagram of another example of the authentication and authorization method of the present application.
  • FIG. 7 shows a schematic interaction diagram of another example of the authentication and authorization method of the present application.
  • FIG. 8 shows a schematic interaction diagram of yet another example of the authentication and authorization method of the present application.
  • FIG. 9 shows a schematic interaction diagram of yet another example of the authentication and authorization method of the present application.
  • FIG. 10 shows a schematic block diagram of an example of a communication device for authentication and authorization of the present application.
  • FIG. 11 shows a schematic block diagram of yet another example of the communication device for authentication and authorization of the present application.
  • GSM global system for mobile communications
  • CDMA code division multiple access
  • WCDMA wideband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • LTE FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX worldwide interoperability for microwave access
  • 5G 5th generation
  • NR new radio
  • V2V Vehicle-to-vehicle
  • V2I vehicle-to-infrastructure
  • V2P Vehicle to pedestrian
  • V2N vehicle to network
  • FIG. 1 provides a network architecture, and each network element that may be involved in the network architecture will be described below with reference to FIG. 1 .
  • User equipment (UE): can be called terminal equipment, terminal, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile equipment, user terminal, wireless communication equipment, user agent or user device.
  • the UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, in a future evolved public land mobile network (PLMN) or in a non-terrestrial network (NTN), or an Internet-connected device such as a sensor, electricity meter, water meter or other Internet of things (IoT) device. It can also be a drone with communication capabilities (unmanned aerial vehicle or uncrewed aerial vehicle, UAV). This embodiment of the present application does not limit this.
  • Universal mobile telecommunications system (UMTS) terrestrial radio access network (UTRAN): such as a third generation (3rd generation, 3G)/second generation (2nd generation, 2G) access network.
  • Global system for mobile communication (GSM)/enhanced data rate for GSM evolution (EDGE) radio access network (GERAN): such as a 3G/2G access network.
  • Evolved universal terrestrial radio access network (E-UTRAN): such as a fourth generation (4th generation, 4G) access network.
  • S-GW Serving gateway
  • Public data network (PDN) gateway (P-GW) entity: the user plane data link anchor point between the 3rd Generation Partnership Project (3GPP) and non-3GPP networks, which can be responsible for managing data routing between 3GPP and non-3GPP.
  • Mobility management entity (MME): mainly responsible for functions such as mobility management, bearer management, user authentication, and selection of S-GW and P-GW.
  • IMS IP multimedia subsystem
  • PSS packet switching service
  • PCRF Policy and charging rules function
  • HSS Home subscriber server
  • the HSS can include user profiles, perform user authentication and authorization, and provide information about the user's physical location.
  • Serving general packet radio service (GPRS) support node (SGSN): can complete routing and forwarding of data packets, mobility management, session management, logical link management, authentication and encryption, and CDR generation and output functions.
  • GPRS general packet radio service
  • the LTE-Uu interface is the reference point between the terminal and the E-UTRAN;
  • the S1-U interface is the reference point between the E-UTRAN and the S-GW entity;
  • the N5 interface is the reference point between the S-GW entity and the P-GW entity;
  • the control plane interface S1-MME connects the MME with the E-UTRAN, similar to the control part of the wireless network layer in a UMTS network, etc.;
  • the S11 interface is the reference point between the MME and the S-GW entity;
  • the S12 interface is the reference point between UTRAN/GERAN and the S-GW entity;
  • the S4 interface is the reference point between the SGSN and the S-GW entity;
  • the S6a interface is the reference point between the MME and the HSS;
  • the S3 interface is the reference point between the MME and the SGSN.
  • FIG. 2 provides another network architecture, and each network element that may be involved in the network architecture will be described below with reference to FIG. 2 .
  • UE: has been introduced above with reference to FIG. 1, and is not described again here for brevity.
  • Access network (AN): provides network access functions for authorized users in a specific area, and can use transmission tunnels of different quality according to user levels and business needs.
  • the access network may be an access network using different access technologies: 3GPP access technologies (such as those employed in 3G, 4G or 5G systems) and non-3rd Generation Partnership Project (non-3GPP) access technologies.
  • 3GPP access technology refers to the access technology that conforms to 3GPP standard specifications.
  • the access network using 3GPP access technology is called Radio Access Network (RAN).
  • RAN Radio Access Network
  • gNB Next generation Node Base station
  • a non-3GPP access technology refers to an access technology that does not conform to 3GPP standard specifications, for example, an air interface technology represented by an access point (AP) in WiFi.
  • AP access point
  • An access network that implements access network functions based on wireless communication technology can be called a radio access network (RAN).
  • the radio access network can manage radio resources, provide access services for terminals, and then complete the forwarding of control signals and user data between the terminal and the core network.
  • the radio access network can be, for example, a base station (NodeB), an evolved NodeB (evolved NodeB, eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a WiFi system, etc. It can also be a wireless controller in a cloud radio access network (CRAN) scenario, or the access network device can be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network or a network device in a future evolved PLMN network, etc.
  • CRAN cloud radio access network
  • the embodiments of the present application do not limit the specific technology and specific device form adopted by the wireless access network device.
  • Access and mobility management function (AMF) entity: mainly used for mobility management and access management, etc., and can be used to implement the functions of the mobility management entity (MME) other than session management, such as lawful interception or access authorization (or authentication).
  • MME mobility management entity
  • Session management function (SMF) entity: mainly used for session management, UE IP address allocation and management, selection of manageable user plane functions, policy control, or serving as the termination point of the charging function interface, downlink data notification, etc.
  • UPF User plane function
  • Data network (DN): a network for providing data transmission, for example, an operator's service network, an Internet network, a third-party service network, and the like.
  • AUSF Authentication server function
  • Network exposure function (NEF) entity used to securely open services and capabilities provided by the 3GPP network function to the outside.
  • Network function (NF) repository function (NRF) entity: used to store the description information of the network function entity and the services it provides, and to support service discovery, network element entity discovery, etc.
  • PCF Policy control function
  • Unified data management (UDM) entity used to handle user identification, access authentication, registration, or mobility management, etc.
  • Application function (AF) entity: used to perform application-influenced data routing, access the network exposure function network element, or interact with the policy framework to perform policy control, etc.
  • AF application function
  • it may be a V2X application server, a V2X application enabling server, or a drone server (which may include a drone monitoring server, or a drone application service server).
  • the N1 interface is the reference point between the terminal and the AMF entity;
  • the N2 interface is the reference point between the AN and the AMF entity, and is used for sending non-access stratum (NAS) messages, etc.;
  • the N3 interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data, etc.;
  • the N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit information such as tunnel identification information of the N3 connection, data buffer indication information, and downlink data notification messages;
  • the N6 interface is the reference point between the UPF entity and the DN, and is used to transmit data on the user plane.
  • the network architectures of FIG. 1 and FIG. 2 can be applied to the embodiments of the present application.
  • the network architecture applicable to the embodiments of the present application is not limited to these, and any network architecture that can implement the functions of the above network elements is applicable to the embodiments of the present application.
  • the AMF entity, the SMF entity, the UPF entity, the NEF entity, the AUSF entity, the NRF entity, the PCF entity, and the UDM entity shown in FIG. 1 or FIG. 2 can be understood as network elements in the core network for implementing different functions; for example, they can be combined into network slices on demand. These core network elements may be independent devices, or may be integrated into the same device to implement different functions, which is not limited in this application. It should be noted that the above-mentioned "network element" may also be referred to as an entity, a device, an apparatus, or a module, etc., which is not particularly limited in this application.
  • FIG. 3 shows a schematic diagram of an application scenario of an embodiment of the present application.
  • the UAS 300 can exchange information with the unmanned aerial system traffic management (UTM) entity 303 and can communicate wirelessly with the network system.
  • the UAV controller 301 or the UAV 302 can exchange information with an access network (radio access network, RAN) 304 and a core network (core network, CN) 305, and can also exchange information with the UTM 303 through the access network 304 or the core network 305;
  • the UAV controller 301 can also exchange information with the UAV 302 through the access network 304 or the core network 305, and can also exchange information with the UAV 302 through the UTM 303.
  • the UAV controller 301 and the UAV 302 may be in the same access network or core network, or may be in different access networks or core networks, which is not limited in this embodiment of the present application.
  • Unmanned aerial vehicle controller (UAVC) 301 used to control the drone 302, such as controlling the flight state or flight action of the drone.
  • the drone controller can be a smartphone, tablet, laptop, smart watch or smart remote control, traditional remote control, dedicated remote control, etc. It can also be a device that can be used to control the drone with gestures, such as a bracelet, ring, gloves, armband or watch; a head-mounted device, such as a headgear, that can be used to control the drone with the mind; or a device such as a smart jacket that can be used to control the drone by the user's body movements.
  • the specific type of the UAV controller is not limited herein.
  • the name and form of the device with the function of the drone controller may be different.
  • the above-mentioned devices capable of having the function of a drone controller or capable of controlling the drone are collectively referred to as a drone controller.
  • the drone controller 201 can control the flight state of the drone 202.
  • the drone controller can control the direction, aileron, lift, tilt, speed, throttle, flaps, etc. of the drone, and can also control actions such as turning, climbing, diving, rolling, hovering, taking off, and landing of the UAV, which are not limited in this embodiment of the present application.
  • Unmanned aerial vehicle (UAV) 302: also called an uncrewed aerial vehicle (UAV) or aerial robot, it is an unmanned aircraft operated by radio remote control equipment and a self-provided program control device, and can complete aerial flight tasks and various load tasks under unmanned conditions.
  • the UAVs in the embodiments of the present application may be unmanned helicopters, fixed-wing aircraft, multi-rotor aircraft, unmanned airships, and unmanned paragliders; they may also include near-space vehicles, such as stratospheric airships, high-altitude balloons, solar-powered drones, etc.; they can also be four-axis, six-axis, single-axis, vector control and other forms of drones.
  • the drones in the embodiments of the present application can be used in the fields of military, industry, civil use, agriculture, construction, film and television, environmental protection, etc., as well as special industries that use drones for operations, such as using drones for military reconnaissance, patrol, Aerial photography, environmental monitoring, border monitoring, express delivery, power inspection, confirmation of rights, flood control and drought relief, post-disaster rescue, etc.
  • This embodiment of the present application does not limit this.
  • the specific type of the drone is not limited herein.
  • the names of devices with unmanned aircraft functions may be different in order to be applied to different scenarios or to complete different aerial missions.
  • the above-mentioned devices capable of unmanned aircraft functions are collectively referred to as unmanned aerial vehicles.
  • the UAV 202 may be equipped with various sensors or functional modules, such as gyroscopes (flight attitude perception), accelerometers, geomagnetic induction, barometric pressure sensors (rough hover height control), ultrasonic sensors (low altitude precision control or obstacle avoidance), optical flow sensors (accurate determination of the hovering horizontal position), a global positioning system (GPS) module (rough positioning of horizontal position and height), control circuit, compass, etc. By collecting the angular rate, attitude, position, acceleration, altitude and airspeed of the UAV, etc., these can automatically maintain the normal flight attitude of the drone.
  • each functional module may also have other names, which are not limited in the embodiments of the present application.
  • the unmanned aerial vehicle in the embodiment of the present application may also have more or less functional modules, and may also implement more or less functions, etc., and the embodiment of the present application does not limit this in any way.
  • an unmanned aerial system (UAS) 300 may include one or more drone controllers 201 and one or more drones 202 .
  • a drone controller can control one or more drones
  • a drone can also be controlled by one or more drone controllers
  • multiple drone controllers can cooperate to control multiple drones, which is not limited in this embodiment of the present application.
  • the UAV 202 in the UAV system 200 can be any one or more of the types mentioned above, and the UAV controller 201 can also be any one or more of the types mentioned above; the embodiment does not make any limitation on this.
  • this application also includes:
  • UAS service provider (USS): an entity that supports the safe and efficient use of airspace by providing services to the operator or pilot of the drone to meet the operational requirements of the drone. The USS can provide any subset of functionality to meet the provider's business objectives. It should be noted that this name is only for convenience to express its function, and should not constitute any limitation to this application, and this application does not exclude the possibility of adopting other names in subsequent standards.
  • Unmanned aerial system traffic management (UTM): a set of functions and services for managing a range of automated device operations (e.g., drone certification, drone business authorization, drone policy management, airspace drone traffic control). It should be noted that this name is only for convenience to express its function, and should not constitute any limitation to this application, and this application does not exclude the possibility of adopting other names in subsequent standards.
  • the entities of the USS and the UTM may be one entity, may be in an inclusive relationship, or may be in a parallel relationship, which is not limited in this application.
  • TPAE Third-party authorized entity
  • UAS AF UAS application function network element
  • UFES UAV flight enablement subsystem
  • UAS AF or UFES provides a separate interface for USS or UTM, executes commands issued by USS or UTM, and is responsible for information transmission inside and outside the 3GPP system. It should be noted that this name is only for convenience to express its function, and should not constitute any limitation to this application, and this application does not exclude the possibility of adopting other names in subsequent standards.
  • UAS AF or UFES may be an existing network element, such as NEF/SCEF, or a new network element, or may be deployed together with NEF or service capability exposure function (SCEF).
  • SCEF service capability exposure function
  • the entities of UAS AF and UFES may be one entity, may be in an inclusive relationship, or may be in a parallel relationship, which is not limited in this application.
  • In recent years, the application of drones has gradually become popular, especially in the civilian field, from small drones for personal entertainment to a variety of drones that bring economic value, such as plant protection drones, disaster relief drones, firefighting drones, express delivery drones and more. However, while drones bring various economic benefits and entertainment to people, they also bring about the problem of how to manage drones.
  • UAVs suitable for remote control scenarios have more and more demands for networking.
  • in order to better manage UAVs, the application of the 3GPP system in the entire UAV field is also getting more and more attention.
  • Take the 5G system as an example.
  • 3GPP is studying connected drones, and the system improves the management of drones through the network.
  • the UAV and the UAV controller are respectively connected to the 3GPP network, and the two communicate through the 3GPP network. Specifically, after the drone is connected to the Internet, UAS services can be obtained.
  • the drone controller can remotely control the flight of the drone through the network, the drone can send data information to the cloud through the network, and the drone can also get timely obstacle avoidance assistance and more through the network.
  • in order to control the flight of the drone through networking, the drone will request to establish a session to connect with its controller, which is called a command and control (C2) communication-related session.
  • UAV networking requires authentication and authorization of the UAV itself. If a session related to C2 communication needs to be established, C2 communication authentication and authorization are also required. These authentication authorizations need to be carried out in a third-party entity, namely USS or UTM.
  • UAV authentication and authorization can be performed in the registration process or in the process of establishing a protocol data unit (PDU) session.
  • PDU protocol data unit
  • to implement authentication and authorization, the UE must enforce UAV authentication and authorization in the registration process and in the process of establishing a PDU session, and the network side must enforce UAV authentication and authorization in the process of establishing a PDU session.
  • the UAV authentication and authorization in this application includes authentication and authorization related to the UAV, such as whether the UAV itself is legal (UAV authentication and authorization), whether the UAV flight plan is legal (flight path authentication and authorization), whether the UAV can communicate with a specific UAVC (pairing authentication and authorization), etc., or may also include other UAV-related authentication and authorization, which is not limited in this application.
  • the UE may perform authentication and authorization again, that is, re-authentication and authorization.
  • the re-authentication authorization is only for the scenario where the UAV authentication and authorization is performed during the registration, and more importantly, the UE cannot perform the re-authentication and authorization in time and on demand.
  • FIG. 4 shows a schematic interaction diagram of a method 400 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 4, method 400 is described below.
  • the terminal device, the first network device, the second network device and the third network device can all determine that the authentication and authorization of the terminal device fails.
  • the terminal device receives indication information from the first network device, where the indication information is used to indicate that the authentication and authorization of the terminal device fails.
  • the first network device may directly reject the registration request or session establishment request of the terminal device, without sending indication information to the terminal device, and the terminal device may also determine that the authentication and authorization fails, which is not limited in this application. Similarly, this application does not limit how other devices determine that the authentication and authorization of the terminal device fails.
  • "terminal device" and "UE" in this application include a UAV that can access the 3GPP system, such as a UAV that is internally configured with a universal subscriber identity module (USIM).
  • USIM universal subscriber identity module
  • the first network device receives the first indication information.
  • the first indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system.
  • the first indication information here may be re-authentication authorization indication information, and the re-authentication authorization indication information indicates that the first network device can initiate authentication and authorization for the terminal device again.
  • the requesting network resource here may refer to a registration request for drone operation, or a PDU session establishment request for drone operation, etc., which is not limited.
  • from the perspective of the terminal device, the first indication information indicates that the terminal device can request network resources from the first network device; from the perspective of the first network device, the first indication information indicates that the first network device can request authentication and authorization for the terminal device.
  • the first network device requests authentication and authorization in response to a request from the terminal device: when the terminal device requests resources, the first network device requests the authentication and authorization.
  • when the first network device receives the first indication information, or in other words, the re-authentication authorization indication information, it means that the terminal device is allowed to request network resources, that is, when the first network device receives the request from the terminal device, it will request authentication and authorization for the terminal device. Otherwise, if the first network device has not received an indication that allows the terminal device to re-authenticate and authorize, even if the terminal device requests network resources, the request will be rejected by the first network device, resulting in a waste of signaling.
  • the first network device determines whether network resources can be allocated for the drone operation. If the authentication and authorization fails, the first network device will not allocate network resources for the drone operation.
  • the first indication information indicates that the terminal device can request network resources for UAV operation.
  • the drone operation here may also be referred to as drone service, or other expressions that can express similar meanings, which are not limited in this application.
  • step S402 may be in various manners, for example, S402a or S402b below.
  • the first network device may receive the first indication information from the second network device, and before that, the second network device may also receive one or more indication information from the third network device.
  • the second network device in this application may correspond to the UDM in the 5G system, may also correspond to the HSS in the 4G system, or may be another network device with similar functions, which is not limited in this application.
  • the first network device may also receive the first indication information from the third network device.
  • the third network device in this application may correspond to USS or UTM, or UAS AF, or may also be NEF in 5G system or SCEF in 4G system, which is not limited in this application.
  • the first network device sends second indication information to the terminal device according to the first indication information.
  • the second indication information indicates that the terminal device can request the above-mentioned network resource. It should be understood that the first indication information and the second indication information may be the same indication information, or may be different indication information. The present application does not limit the representation of the first indication information and/or the second indication information.
  • the network device after the network device sends the indication information that allows the terminal device to request the above network resource to the terminal device, the network device will trigger the next authentication and authorization only after the terminal device requests the above network resource from the core network.
  • the failure of the UE's UAV authentication and authorization may be because there are many UEs requesting access to the 3GPP network, and the USS or UTM cannot supervise more than a certain number of UEs at the same time, or does not allow a certain number of UEs at the same time.
  • the USS or UTM can notify the UE, through the core network, that the requested network resources can now be provided to the UE. If the UE requests to establish a session for communication with the UAV controller at this time, the core network initiates authentication and authorization for the UE.
  • the first network device in this application may be an SMF and/or AMF in a 5G system, or an MME in a 4G system, or may be another network device with similar functions, which is not limited in this application.
  • an indication that the terminal device can request network resources for communicating with another terminal device in the same system is sent to the terminal device through the core network, so that the UE can perform re-authentication and authorization according to its own needs, thereby improving the success rate of UE re-authentication and authorization, and reducing the signaling waste caused by rejection when the UE requests network resources for communicating with another terminal device in the same system from the core network while the core network does not allow re-authentication and authorization.
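The gating behaviour of method 400, as an added sketch that is not part of the patent text: a first network device (AMF/SMF role) rejects repeat requests locally after a failed authentication and authorization until the first indication information arrives through the second network device (the S402a path), then forwards the second indication to the terminal. All class and method names, the capacity-limited USS/UTM and the `force` retry flag are assumptions made for illustration.

```python
from enum import Enum


class Reauth(Enum):
    NOT_ALLOWED = 0  # default after a failed authentication and authorization
    ALLOWED = 1      # first indication information has been received


class ThirdNetworkDevice:
    """USS/UTM role: performs authentication and authorization (capacity-limited here)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.supervised = set()
        self.auth_requests = 0  # signalling that actually reached the USS/UTM

    def authenticate(self, ue_id):
        self.auth_requests += 1
        if len(self.supervised) >= self.capacity:
            return False
        self.supervised.add(ue_id)
        return True

    def release(self, ue_id):
        self.supervised.discard(ue_id)

    def indicate_if_possible(self, second, ue_id):
        # Only tell the core network to allow a retry when it could succeed.
        if len(self.supervised) < self.capacity:
            second.relay_indication(ue_id)
            return True
        return False


class SecondNetworkDevice:
    """UDM/HSS role: relays the indication to the first network device."""

    def __init__(self, first):
        self.first = first

    def relay_indication(self, ue_id):
        self.first.on_first_indication(ue_id)


class FirstNetworkDevice:
    """AMF/SMF role: gates requests on the per-terminal re-authentication state."""

    def __init__(self, third):
        self.third = third
        self.state = {}      # ue_id -> Reauth, present only after a failure
        self.terminals = {}  # ue_id -> Terminal, used to deliver the second indication
        self.local_rejects = 0

    def attach(self, terminal):
        self.terminals[terminal.ue_id] = terminal

    def on_first_indication(self, ue_id):
        if self.state.get(ue_id) is Reauth.NOT_ALLOWED:
            self.state[ue_id] = Reauth.ALLOWED
            terminal = self.terminals.get(ue_id)
            if terminal is not None:
                terminal.on_second_indication()

    def handle_request(self, ue_id):
        # Fail closed: no authentication is triggered while re-authentication is not allowed.
        if self.state.get(ue_id) is Reauth.NOT_ALLOWED:
            self.local_rejects += 1
            return "rejected"
        if self.third.authenticate(ue_id):
            self.state.pop(ue_id, None)
            return "authorized"
        self.state[ue_id] = Reauth.NOT_ALLOWED
        return "auth_failed"


class Terminal:
    def __init__(self, ue_id, network):
        self.ue_id = ue_id
        self.network = network
        self.may_request = True
        network.attach(self)

    def on_second_indication(self):
        self.may_request = True

    def request_resources(self, force=False):
        # force=True models a terminal that retries without waiting for the indication.
        if not self.may_request and not force:
            return "held_back"
        result = self.network.handle_request(self.ue_id)
        if result in ("auth_failed", "rejected"):
            self.may_request = False
        return result


def run_scenario():
    """Constructed scenario: the USS can supervise one UAV at a time."""
    uss = ThirdNetworkDevice(capacity=1)
    core = FirstNetworkDevice(uss)
    udm = SecondNetworkDevice(core)
    uav_a, uav_b = Terminal("uav-a", core), Terminal("uav-b", core)
    trace = [
        uav_a.request_resources(),            # first UAV is authorized
        uav_b.request_resources(),            # fails: USS is at capacity
        uav_b.request_resources(),            # terminal waits for the indication
        uav_b.request_resources(force=True),  # blind retry stops at the core network
    ]
    before = uss.auth_requests
    uss.release("uav-a")
    uss.indicate_if_possible(udm, "uav-b")    # first indication, then second indication
    trace.append(uav_b.request_resources())   # re-authentication now reaches the USS
    return trace, before, uss.auth_requests, core.local_rejects
```

The blind retry is counted in `local_rejects` and never reaches the USS/UTM, which is the signalling saving the passage describes.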
  • FIG. 5 shows a schematic flowchart of a method 500 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 5, the method 500 is described below.
  • the UE sends a registration request message to the AMF.
  • the registration request message is used to register the UE in the 3GPP system.
  • the AMF sends a subscription request message to the UDM.
  • this message indicates a subscription to updates of the UAV re-authentication authorization status.
  • the UAV re-authentication authorization status refers to whether the UAV can initiate re-authentication and authorization again after authentication and authorization fails.
  • the subscription request message is used to request the UDM to notify the AMF when the UAV authentication and authorization status of the UE changes.
  • the default state on the core network side is that the UE is not allowed to perform re-authentication and authorization again, and the state may subsequently be changed to allow the UE to perform re-authentication and authorization again, which is a state update. The UDM then notifies the AMF when the re-authentication status changes.
  • the AMF determines that the UE has an aviation subscription (aerial subscription), and then sends a subscription request message to the UDM.
  • the AMF may determine that the UE has an aviation subscription in various ways. For example, the AMF may first query the UDM whether the UE has an aviation subscription, and the UDM returns the UE's aviation subscription information; or, the UE includes indication information in the registration request message.
  • the indication information is used to indicate that the registration of the UE is used for UAV operation. In other words, if the UE performs the registration process as a UAV, the network side needs to check whether the UE has relevant subscription information.
  • the UDM returns a subscription response message to the AMF.
  • the AMF can determine that the UDM has confirmed the subscription request according to the subscription response message.
  • step S502 and step S503 may be performed before step S504, or may be performed after step S505, which is not limited in this application.
  • the AMF returns a registration response to the UE.
  • the UE may determine that the UE has been registered in the 3GPP system according to the registration response message.
  • the UAV performs authentication and authorization in the process of establishing the PDU session.
  • the USS/UTM rejects the UAV's authentication authorization for some reason.
  • the SMF receives the indication of rejecting the UAV authentication and authorization sent by the USS/UTM, and the SMF notifies the AMF of the failure of the UAV authentication and authorization, so that the AMF determines not to register the UAV.
  • after receiving the subscription request message, the UDM sends a subscription request to the UAS AF/NEF.
  • the subscription request is used to request the UAV re-authentication authorization status.
  • after receiving the subscription request message, the UAS AF/NEF sends a subscription request to the USS/UTM.
  • after receiving the subscription request, the USS/UTM sends a subscription response message to the UAS AF/NEF to confirm that the subscription has been accepted.
  • after receiving the subscription response message, the UAS AF/NEF sends a subscription response message to the UDM.
  • steps S506 to S509 are only an optional solution, which is not limited in this application.
  • the USS/UTM sends a UAV re-authentication authorization instruction to the UAS AF/NEF.
  • the USS/UTM determines that the UE can perform the UAV authentication and authorization again, and can send the UAV re-authentication authorization indication.
  • this application does not limit it.
  • the UE may obtain the permission of the USS/UTM offline, or the UE may establish a session with the USS/UTM, and the UAV may obtain the permission after interacting with the USS/UTM through the user plane of the session.
  • the UAS AF/NEF forwards the UAV re-authentication authorization instruction to the UDM.
  • step S510 and step S511 are only an optional solution, which is not limited in this application.
  • the UDM sends a UAV re-authentication authorization state update notification to the AMF.
  • the UDM determines that the UE can perform UAV re-authentication authorization, and then sends the above notification to the AMF.
  • the AMF sends a configuration update command to the UE.
  • the configuration update command may contain a UAV re-authentication authorization indication.
  • after receiving the UAV re-authentication authorization instruction, the UE can initiate session establishment or modification again as required, and perform UAV authentication and authorization in it.
  • the AMF deletes information related to the UAV authentication and authorization failure.
  • the AMF stores the result of the UAV authentication and authorization failure.
  • the result can be stored as an indicator (Flag), which indicates that the authentication and authorization of the UE has failed, or that the UE cannot request network resources for the UAV operation; or as a timer, in which case the AMF rejects any request sent by the UE for network resources for the UAV operation before the timer stops; or in other ways. While the AMF holds the stored result, a request that the UE sends to the AMF for network resources for the UAV operation is rejected.
  • the AMF deletes the information related to the failure of the UAV authentication and authorization.
  • the AMF subscribes with the UDM to updates of the UAV authentication and authorization state.
  • the core network informs the UE of the update of the authentication and authorization state.
  • this embodiment is specifically applied to a scenario where the UE does not perform de-registration of the 3GPP system after the UAV authentication and authorization fails.
  • the update of the UAV authentication and authorization status is provided to the UE through the core network in a timely manner, and the UE can perform re-authentication and authorization according to its own needs, based on the status update information provided by the core network. This improves the success rate of UE re-authentication and authorization, and reduces the signaling waste caused when the UE's request to the core network for network resources for UAV operation is rejected because the core network does not allow re-authentication and authorization.
  • FIG. 6 shows a schematic flowchart of a method 600 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 6, method 600 is described below.
  • the UE performs a registration process.
  • the UE registers with the 3GPP system, and the specific process is the same as steps S501 and S504 in the method 500.
  • the UE sends a session establishment request to the SMF.
  • the UE may also send a session modification request to the SMF.
  • the SMF sends a UAV authentication authorization request message to the UAS AF/NEF.
  • the SMF may directly send the UAV authentication authorization request message to the USS/UTM.
  • Which network device the SMF sends the request message to and how to send the request message are not limited in this application.
  • the UAS AF/NEF forwards the UAV authentication authorization request message to the USS/UTM.
  • the USS/UTM sends a UAV authentication authorization rejection response message to the UAS AF/NEF.
  • the USS/UTM authenticates and authorizes the UAV and, for some reason, determines that the UAV authentication and authorization has failed. Further, the USS/UTM may include the reason for the UAV authentication and authorization failure in the rejection response message.
  • This application does not limit the reasons for the failure of authentication and authorization.
  • the UAS AF/NEF forwards the UAV authentication authorization rejection response message to the SMF.
  • the SMF sends a subscription message to the UDM.
  • after receiving the UAV authentication and authorization rejection response, the SMF sends a subscription message to the UDM for subscribing to the update of the UAV re-authentication and authorization state.
  • the SMF decides to allow the establishment/modification of the session, and then sends the subscription message to the UDM.
  • the UDM sends a subscription response to the SMF to confirm that the subscription has been accepted.
  • the SMF allows the establishment of the session, and sends a session establishment acceptance response message to the UE.
  • the SMF allows the modification of the session and sends a session modification accept response message to the UE.
  • an indication of UAV authentication and authorization failure is included in the session establishment/modification acceptance response message.
  • S610 to S613 are the same as steps S506 to S509 in the method 500, and are not repeated here.
  • S614 to S616 are the same as steps S510 and S511 in the method 500, and are not repeated here.
  • the SMF sends a PDU session update command to the UE.
  • the SMF indicates the UAV re-authentication authorization to the UE through the PDU session update procedure, that is, the UAV re-authentication authorization indication is included in the PDU session update command.
  • the SMF deletes information related to the UAV authentication and authorization failure.
  • the SMF stores the result of the UAV authentication and authorization failure.
  • the result can be stored as an indicator (Flag), which indicates that the authentication and authorization of the UE has failed, or that the UE cannot request network resources for the UAV operation; or as a timer, in which case the SMF rejects any request sent by the UE for network resources for the UAV operation before the timer stops; or in other ways. While the SMF holds the stored result, a request that the UE sends to the AMF for network resources for UAV operation is rejected.
  • the SMF deletes the information related to the failure of the UAV authentication and authorization.
  • the SMF may also notify the AMF that the UAV authentication and authorization fails, and the AMF sends a configuration update command to the UE, where the configuration update command includes the UAV re-authentication and authorization indication.
  • after receiving the configuration update command, the UE can initiate session establishment/modification again as required, and perform authentication and authorization therein.
  • the SMF subscribes with the UDM to updates of the UAV authentication and authorization state.
  • the core network informs the UE of the update of the authentication and authorization state.
  • this embodiment is specifically applied to a scenario where the PDU session is not released after the UAV authentication and authorization fails.
  • the update of the UAV authentication and authorization status is provided to the UE through the core network in a timely manner, and the UE can perform re-authentication and authorization according to its own needs, based on the status update information provided by the core network. This improves the success rate of UE re-authentication and authorization, and reduces the signaling waste caused when the UE's request to the core network for network resources for UAV operation is rejected because the core network does not allow re-authentication and authorization.
  • FIG. 7 shows a schematic flowchart of a method 700 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 7, method 700 is described below.
  • the UE performs the registration process, and then performs UAV authentication and authorization in the PDU session establishment/modification process, and the UAV authentication and authorization fails.
  • the specific steps are the same as the steps S01 to S606 and S609 in the method 600, and are not repeated here.
  • S702 and S703 are the same as steps S510 and S511 in the method 500, and are not repeated here.
  • the UE initiates a registration request or a service request.
  • the above request message may include a re-authentication authorization indication, which indicates a request for network resources for the UAV operation.
  • the registration in this step belongs to the mobile registration, while the registration in the method 500 and the method 600 belongs to the initial registration.
  • the AMF sends a subscription query request message to the UDM, which is used to request to query the re-authentication authorization status.
  • the AMF determines that the UE needs to initiate authentication and authorization again after the UAV authentication and authorization fails, and therefore sends a subscription query request message to the UDM.
  • the AMF may store the failure of the previous UAV authentication and authorization of the UE, so as to determine that the registration request or the service request this time is used for the UAV operation.
  • the AMF determines, according to the re-authentication authorization indication included in the request message received in step S704, that the UE needs to initiate authentication and authorization again after the UAV authentication and authorization fails, thereby sending a subscription query request message to the UDM.
  • the UDM sends a subscription query response message to the AMF, and the query response includes the queried re-authentication status of the UE.
  • the AMF sends a registration response or a service response to the UE.
  • the UE determines to allow the UAV re-authentication and authorization, or allows the UE to request network resources for the UAV operation after the authentication and authorization fails.
  • the above-mentioned response indicates that UAV re-authentication authorization is allowed, and after receiving the response, the UE may initiate session establishment/modification again as required, and perform authentication and authorization therein.
  • the AMF deletes information related to the UAV authentication and authorization failure.
  • the related example is the same as the example in step S513 in the method 500.
  • the authentication and authorization can also be initiated by the SMF. Specifically, if the re-authentication and authorization status indicates that the UAV can authenticate and authorize again after the UAV authentication and authorization fails, the AMF can send a re-authentication and authorization instruction to the SMF, and the SMF sends an authentication and authorization request to the USS/UTM after receiving the instruction.
  • the UAV re-authentication authorization state is actively configured to the UDM through the USS/UTM, the UE initiates a registration request/service request after the UAV authentication and authorization fails, and the AMF queries the UDM for the re-authentication authorization state, and then feeds it back to the UE.
  • this embodiment is applicable to a scenario in which the UE is allowed to query the re-authentication and authorization status before performing re-authentication and authorization.
  • the UE actively obtains the re-authentication and authorization status, so that the UE can perform re-authentication and authorization according to its own needs. This improves the success rate of the UE's re-authentication and authorization, and reduces the signaling waste caused when a request for network resources for UAV operation, sent to the core network while the core network does not allow re-authentication and authorization, is rejected.
  • FIG. 8 shows a schematic flowchart of a method 800 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 8, method 800 is described below.
  • S801 to S803 are the same as steps S701 to S703 in the method 700.
  • the UE sends a session establishment/modification request message to the SMF.
  • the request message may include a re-authentication authorization indication, which indicates a request for network resources for the UAV operation.
  • the SMF sends a subscription query request message to the UDM, which is used to request to query the re-authentication authorization status.
  • the SMF determines that the UE needs to initiate the authentication and authorization again after the UAV authentication and authorization fails, and therefore sends a subscription query request message to the UDM.
  • the SMF may store the failure of the previous UAV authentication and authorization of the UE, so as to determine that the registration request or the service request is used for the UAV operation.
  • the UDM sends a subscription query response message to the SMF, and the query response includes the queried re-authentication authorization state of the UE.
  • the SMF sends a session modification command to the UE.
  • the UE determines to allow the UAV re-authentication and authorization, or allows the UE to request network resources for the UAV operation after the authentication and authorization fails. Then, after receiving the session modification command, the UE can initiate session establishment/modification again as required, and perform authentication and authorization therein.
  • the session modification command may include a re-authentication authorization state.
  • the states here can be divided into two types, namely, allowing the UE to perform re-authentication and authorization and not allowing the UE to perform re-authentication and authorization. If the re-authentication authorization status received by the UE is to allow the UE to perform re-authentication and authorization, the UE may initiate session establishment/modification again as required after receiving the session modification command, and perform authentication and authorization therein.
  • the SMF deletes information related to the UAV authentication and authorization failure.
  • the related example is the same as the example in step S617 in the method 600.
  • the authentication and authorization can also be initiated by the SMF. Specifically, if the re-authentication and authorization status indicates that the UAV can authenticate and authorize again after the UAV authentication and authorization fails, the AMF can send a re-authentication and authorization instruction to the SMF, and the SMF sends an authentication and authorization request to the USS/UTM after receiving the instruction.
  • the UAV re-authentication authorization state is actively configured to the UDM through the USS/UTM, the UE initiates a registration request/service request after the UAV authentication and authorization fails, and the SMF queries the UDM for the re-authentication authorization state, and then feeds it back to the UE.
  • this embodiment is applicable to a scenario in which the UE is allowed to query the re-authentication and authorization status before performing re-authentication and authorization.
  • the UE actively obtains the re-authentication and authorization status, so that the UE can perform re-authentication and authorization according to its own needs. This improves the success rate of the UE's re-authentication and authorization, and reduces the signaling waste caused when a request for network resources for UAV operation, sent to the core network while the core network does not allow re-authentication and authorization, is rejected.
  • FIG. 9 shows a schematic flowchart of a method 900 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 9, method 900 is described below.
  • step S901 is consistent with step S701 in the method 700.
  • the USS/UTM sends a UAV re-authentication authorization instruction to the AMF.
  • the indication may pass through multiple network devices between the USS/UTM and the AMF/SMF, such as the UDM and the UAS AF/NEF mentioned in this application, or may be transmitted directly, which is not limited in this application.
  • the USS/UTM may send the indication directly to the UE.
  • after receiving the UAV re-authentication authorization instruction, the AMF/SMF indicates the re-authentication authorization to the UE.
  • the configuration update command message is used to carry the above indication in the message; for the SMF scenario, as an example, the PDU session update command message is used to carry the above indication in the message. If the re-authentication and authorization status indicates that the authentication and authorization can be performed again after the UAV authentication and authorization fails, the UE can, after receiving the message, initiate session establishment/modification again as required, and perform authentication and authorization therein.
  • AMF/SMF deletes information related to UAV authentication and authorization failure.
  • the AMF/SMF stores the result of the UAV authentication and authorization failure.
  • the result can be stored as an indicator (Flag), which indicates that the authentication and authorization of the UE has failed, or that the UE cannot request network resources for the UAV operation; or as a timer, in which case the AMF/SMF rejects any request sent by the UE for network resources for the UAV operation before the timer stops; or in other ways. While the AMF/SMF holds the stored result, a request that the UE sends to the AMF/SMF for network resources for the UAV operation is rejected.
  • the AMF/SMF deletes the information related to the UAV authentication and authorization failure.
  • the USS/UTM sends the re-authentication authorization indication to the core network, which then sends it to the UE, so that the UE obtains the re-authentication authorization state simply and directly. This enables the UE to perform re-authentication and authorization according to its own needs, thereby improving the success rate of the UE's re-authentication and authorization, and reducing the signaling waste caused when the UE's requests for network resources for UAV operations are rejected because the core network does not allow re-authentication and authorization.
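The failure record described for methods 500, 600 and 900 (a flag or a timer held by the AMF/SMF, removed only when a re-authentication authorization indication arrives) can be modelled as follows. This is an added example and not part of the patent text; the class names, method names, message labels, the UE identifier and the timer lapsing on its own are assumptions, and the AMF stands in for either network function.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple


class Udm:
    """Holds the per-UE re-authentication status; the default is 'not allowed'."""

    def __init__(self) -> None:
        self._allowed: Dict[str, bool] = {}
        self._subscribers: Dict[str, List[Callable[[str, bool], None]]] = {}

    def subscribe(self, ue_id: str, callback: Callable[[str, bool], None]) -> None:
        # S502/S503: the AMF subscribes to updates of the re-authentication status.
        self._subscribers.setdefault(ue_id, []).append(callback)

    def query(self, ue_id: str) -> bool:
        # S705/S706: one-shot query, as used by method 700 instead of a subscription.
        return self._allowed.get(ue_id, False)

    def on_uss_indication(self, ue_id: str, allowed: bool) -> None:
        # S510/S511: indication from the USS/UTM, relayed by the UAS AF/NEF.
        self._allowed[ue_id] = allowed
        for callback in self._subscribers.get(ue_id, []):
            callback(ue_id, allowed)  # S512: state update notification


class Amf:
    """Gate in front of the USS/UTM: a UE with a failure record is rejected locally."""

    def __init__(self, udm: Udm, uss_authorize: Callable[[str], bool],
                 clock: Callable[[], float] = time.monotonic,
                 block_seconds: Optional[float] = None) -> None:
        self._udm = udm
        self._uss_authorize = uss_authorize  # stand-in for the USS/UTM decision
        self._clock = clock
        self._block_seconds = block_seconds  # None: store a flag; number: store a timer
        self._failed: Dict[str, Optional[float]] = {}  # ue_id -> None (flag) or deadline
        self.sent_to_ue: List[Tuple[str, str, str]] = []

    def register_uav(self, ue_id: str) -> None:
        self._udm.subscribe(ue_id, self._on_status_update)

    def _is_blocked(self, ue_id: str) -> bool:
        if ue_id not in self._failed:
            return False
        deadline = self._failed[ue_id]
        if deadline is not None and self._clock() >= deadline:
            del self._failed[ue_id]  # assumption: the timer also lapses on its own
            return False
        return True

    def _on_status_update(self, ue_id: str, allowed: bool) -> None:
        if not allowed:
            return
        self._failed.pop(ue_id, None)  # delete the flag / stop the timer
        # S513: configuration update command carrying the re-authentication indication.
        self.sent_to_ue.append((ue_id, "CONFIGURATION_UPDATE", "uav-reauth-allowed"))

    def handle_uav_request(self, ue_id: str) -> str:
        if self._is_blocked(ue_id):
            return "REJECTED_BY_AMF"  # never reaches the USS/UTM
        if self._uss_authorize(ue_id):
            return "AUTHORIZED"
        if self._block_seconds is None:
            self._failed[ue_id] = None
        else:
            self._failed[ue_id] = self._clock() + self._block_seconds
        return "AUTH_FAILED"


def run_demo() -> Tuple[List[str], int, List[Tuple[str, str, str]]]:
    uss_calls: List[str] = []
    verdicts = iter([False, True])  # constructed: USS/UTM rejects first, accepts later

    def uss_authorize(ue_id: str) -> bool:
        uss_calls.append(ue_id)
        return next(verdicts)

    udm = Udm()
    amf = Amf(udm, uss_authorize)
    amf.register_uav("uav-001")
    outcomes = [amf.handle_uav_request("uav-001")]      # rejected by the USS/UTM
    outcomes.append(amf.handle_uav_request("uav-001"))  # stopped at the AMF
    udm.on_uss_indication("uav-001", True)              # USS/UTM allows a retry
    outcomes.append(amf.handle_uav_request("uav-001"))  # reaches the USS/UTM again
    return outcomes, len(uss_calls), amf.sent_to_ue


if __name__ == "__main__":
    print(run_demo())
```

The gate is default-deny: only an indication that entered through the UDM clears the record, so a UE that simply retries never generates load on the USS/UTM.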
  • FIG. 10 is a schematic block diagram of a communication apparatus for authentication and authorization provided by an embodiment of the present application.
  • the communication device 10 may include a transceiver module 11 and a processing module 12.
  • the transceiver module 11 may be used to receive information sent by other devices, and may also be used to send information to other devices. For example, receiving the second indication information or sending the first indication information.
  • the processing module 12 can be used to process the content of the device, for example, to determine that the authentication and authorization of the terminal device fails.
  • the communication apparatus 10 may correspond to the terminal device in the above method embodiment.
  • the communication apparatus 10 may correspond to a terminal device in any one of the methods 400 to 900 according to the embodiments of the present application, and the communication apparatus 10 may include modules for performing the operations performed by the terminal device in the corresponding method, and each unit in the communication apparatus 10 is configured to implement the operations performed by the terminal device in the corresponding method.
  • the transceiver module 11 is configured to execute step S403, and the processing module 12 is configured to execute step S401.
  • the transceiver module 11 is configured to perform steps S501, S504 and S513, and the processing module 12 is configured to perform step S505.
  • the transceiver module 11 is configured to perform steps S602, S609, and S617, and the processing module 12 is configured to perform step S601.
  • the transceiver module 11 is configured to perform steps S704 and S707, and the processing module 12 is configured to perform step S701.
  • the transceiver module 11 is configured to perform steps S804 and S807, and the processing module 12 is configured to perform step S801.
  • the transceiver module 11 is configured to perform step S903, and the processing module 12 is configured to perform step S901.
  • the processing module 12 is configured to determine that the authentication and authorization of the terminal device fails; the transceiver module 11 is configured to receive second indication information from the first network device, where the second indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system.
  • the transceiver module 11 is further configured to: send a third request message to the first network device, where the third request message requests the network resource.
  • the third request message includes third indication information, where the third indication information indicates that the terminal device requests to obtain an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
  • the processing module 12 is further configured to: stop the second timer according to the second indication information, wherein the terminal device cannot request the network resource before the second timer is stopped.
  • the terminal equipment is a drone.
  • the communication apparatus 10 may correspond to the first network device or AMF or SMF in the above method embodiment.
  • the communication apparatus 10 may correspond to the first network device or AMF or SMF in any one of the methods 400 to 900 according to the embodiments of the present application, and the communication apparatus 10 may include modules for performing the operations performed by the first network device or AMF or SMF in the corresponding method, and each unit in the communication apparatus 10 is configured to implement the operations performed by the first network device or AMF or SMF in the corresponding method.
  • the transceiver module 11 is configured to execute step S402a or S402b, and the processing module 12 is configured to execute step S401.
  • the transceiver module 11 is configured to execute steps S501, S502, S503, S504, S512, and S513, and the processing module 12 is configured to execute step S505.
  • the transceiver module 11 is configured to execute steps S602, S603, S606, S607, S608, S609, S606, and S617, and the processing module 12 is configured to execute step S601.
  • the transceiver module 11 is configured to execute steps S704, S705, S706, and S707, and the processing module 12 is configured to execute step S701.
  • the transceiver module 11 is configured to execute steps S804, S805, S806, and S807, and the processing module 12 is configured to execute step S801.
  • the transceiver module 11 is configured to execute step S903, and the processing module 12 is configured to execute step S901.
  • the processing module 12 is used to determine that the authentication and authorization of the terminal device fails; the transceiver module 11 is used to receive first indication information, where the first indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the transceiver module 11 is also used to send second indication information to the terminal device according to the first indication information, and the second indication information indicates that the terminal device can request the network resource.
  • the transceiver module 11 is further configured to: send a first request message to the second network device, where the first request message subscribes to the change of the authentication and authorization state; or, the first request message queries the authentication and authorization state; wherein the authentication and authorization state is whether the terminal device can request the network resource.
  • the transceiver module 11 is further configured to: receive a third request message from the terminal device, where the third request message requests the network resource.
  • the third request message includes third indication information, and the third indication information indicates that the terminal device requests to obtain the authentication authorization state.
  • the processing module 12 is further configured to: delete the first information according to the first indication information, wherein the first information is stored by the first network device, and the first information indicates at least one of the following: the authentication and authorization of the terminal device fails, or the terminal device cannot request the network resource.
  • the processing module 12 is further configured to: stop the first timer according to the first indication information, wherein the first network device rejects the second information from the terminal device before the first timer is stopped, and the second information requests the network resource.
  • the transceiver module 11 is further configured to: send a fourth request message to the second network device or the third network device according to the third request message, where the fourth request message requests to perform authentication and authorization on the terminal device.
  • the terminal equipment is a drone.
  • the communication apparatus 10 may correspond to the second network device or UDM in the above method embodiment.
  • the communication apparatus 10 may correspond to the second network device or UDM in any one of the methods 400 to 800 according to the embodiments of the present application, and the communication apparatus 10 may include modules for performing the operations performed by the second network device or UDM in the corresponding method, and each unit in the communication apparatus 10 is configured to implement the operations performed by the second network device or UDM in the corresponding method.
  • the transceiver module 11 is configured to execute step S402a, and the processing module 12 is configured to execute step S401.
  • the transceiver module 11 is configured to execute steps S502, S503, S506, S509, S510, S511, and S512, and the processing module 12 is configured to execute step S505.
  • the transceiver module 11 is configured to execute steps S607, S608, S610, S613, S615, and S616, and the processing module 12 is configured to execute step S601.
  • the transceiver module 11 is configured to execute steps S703, S705, S705, and S706, and the processing module 12 is configured to execute step S701.
  • the transceiver module 11 is configured to execute steps S803, S805, S806, and S807, and the processing module 12 is configured to execute step S801.
  • the transceiver module 11 is configured to receive fourth indication information, where the fourth indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the transceiver module 11 is further configured to send first indication information to the first network device, where the first indication information indicates that the terminal device can request the network resource.
  • the transceiver module 11 is further configured to receive a first request message from the first network device, where the first request message subscribes to a change in an authentication authorization state, where the authentication authorization state is whether the terminal device can request the network resource; or, the first request message queries an authentication and authorization state, where the authentication and authorization state is whether the terminal device can request the network resource.
  • the transceiver module 11 is further configured to: send a fifth request message to the third network device, where the fifth request message subscribes to the change of the authentication and authorization state; or, the fifth request message queries the authentication and authorization state.
  • the terminal equipment is a drone.
  • the communication apparatus 10 may correspond to the third network equipment or UAS AF or NEF or USS or UTM in the above method embodiment.
  • the communication apparatus 10 may correspond to the third network device or UAS AF or NEF or USS or UTM in any one of the methods 400 to 900 according to the embodiments of the present application, and the communication apparatus 10 may include modules for executing the operations performed by the third network device or UAS AF or NEF or USS or UTM in the corresponding method, and each unit in the communication apparatus 10 respectively implements the operations performed by the third network device or UAS AF or NEF or USS or UTM in the corresponding method.
  • the transceiver module 11 is configured to execute step S402b, and the processing module 12 is configured to instruct step S401.
  • the transceiver module 11 is configured to execute steps S506, S507, S508, S509, S510, and S511, and the processing module 12 is configured to execute step S505.
  • the transceiver module 11 is configured to perform steps S507, S508, and S510, and the processing module 12 is configured to perform step S505.
  • the transceiver module 11 is configured to perform steps S603, S604, S605, S606, S610, S611, S612, S613, S614, and S615.
  • the transceiver module 11 is configured to perform steps S604, S605, S611, S612, and S614.
  • the transceiver module 11 is configured to execute steps S702 and S703, and the processing module 12 is configured to execute step S701.
  • the transceiver module 11 is configured to perform step S702, and the processing module 12 is configured to perform step S701.
  • the transceiver module 11 is configured to execute steps S802 and S803, and the processing module 12 is configured to execute step S801.
  • the transceiver module 11 is configured to perform step S802, and the processing module 12 is configured to perform step S801.
  • the transceiver module 11 is configured to execute step S902, and the processing module 12 is configured to execute step S901.
  • the processing module 12 is configured to determine that the authentication and authorization of the terminal device fails; the processing module 12 is further configured to determine fifth indication information, where the fifth indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the transceiver module 11 is configured to send the fifth indication information.
  • the transceiver module 12 is further configured to: receive a sixth request message, where the sixth request message subscribes to the change of the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the sixth request message queries the authentication and authorization state.
  • the terminal equipment is a drone.
  • FIG. 11 is a schematic diagram of an apparatus 20 for information transmission provided by an embodiment of the present application.
  • the apparatus 20 may be a terminal device, including various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices, or other processing devices connected to a wireless modem, as well as various forms of terminals, mobile stations, user equipment, soft terminals, etc., or may be a chip or a chip system located on the terminal device.
  • the apparatus 20 may be an AMF, SMF or MME, including various devices for mobility management and access management and/or for session management functions, etc., or may be a chip or system on chip on the SMF or MME, etc.
  • the apparatus 20 may be a UDM, including various devices for processing user identification, access authentication, registration, or mobility management, or may be a chip or a chip system located on the UDM.
  • the device 20 may be a UAS AF or NEF, or a chip or a chip system or the like located on the UAS AF or NEF.
  • the device 20 may be a USS or a UTM, or a chip or a chip system or the like located on the USS or UTM.
  • the apparatus 20 may include a processor 21 (i.e., an example of a processing module) and a memory 22.
  • the memory 22 is used for storing instructions, and the processor 21 is used for executing the instructions stored in the memory 22, so that the apparatus 20 implements the steps performed by the devices in the various possible designs described above in the methods corresponding to FIG. 4 to FIG. 9.
  • the device 20 may further include an input port 23 (i.e., an example of a transceiver module) and an output port 24 (i.e., another example of a transceiver module).
  • the processor 21, the memory 22, the input port 23 and the output port 24 can communicate with each other through an internal connection path to transmit control and/or data signals.
  • the memory 22 is used to store a computer program, and the processor 21 can be used to call and run the computer program from the memory 22 to control the input port 23 to receive signals, control the output port 24 to send signals, and complete the steps of the terminal device in the above method.
  • the memory 22 may be integrated in the processor 21 or may be provided separately from the processor 21.
  • the input port 23 is a receiver, and the output port 24 is a transmitter.
  • the receiver and the transmitter may be the same or different physical entities. When they are the same physical entity, they can be collectively referred to as transceivers.
  • the input port 23 is an input interface, and the output port 24 is an output interface.
  • the functions of the input port 23 and the output port 34 can be considered to be implemented by a transceiver circuit or a dedicated chip for transceiver.
  • the processor 21 can be considered to be implemented by a dedicated processing chip, a processing circuit, a processor or a general-purpose chip.
  • a general-purpose computer may be used to implement the device provided by the embodiments of the present application.
  • the program codes that will implement the functions of the processor 21, the input port 23 and the output port 24 are stored in the memory 22, and the general-purpose processor implements the functions of the processor 21, the input port 23 and the output port 24 by executing the codes in the memory 22.
  • each module or unit in the apparatus 20 may be used to perform each action or process performed by the device (e.g., terminal device) performing random access in the above method, and detailed description thereof is omitted here to avoid redundant description.
  • the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • Volatile memory may be random access memory (RAM), which acts as an external cache.
  • forms of RAM include static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct rambus RAM.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware or any other combination.
  • the above-described embodiments may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (e.g., infrared, wireless, microwave, etc.).
  • the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, or the like that contains one or more sets of available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media.
  • the semiconductor medium may be a solid state drive.
  • the size of the sequence numbers of the above-mentioned processes does not imply the order of execution; the execution order of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present application.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium.
  • the computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, or other media that can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in the present application are a method and equipment for authentication and authorization. The method comprises: when authentication and authorization of a terminal device fail, a core network side transmits indication information to the terminal device, the indication information indicating that the terminal device is capable of requesting a network resource, the network resource being used by the terminal device for communicating with another terminal device in the same system. A first network device of the core network side subscribes to or queries an authentication and authorization state for the terminal device and then notifies the terminal device, or a third network device actively transmits an authentication and authorization state to the terminal device. The method and equipment provided in the present application allow the terminal device to perform re-authentication and re-authorization according to its own requirements, thus increasing the success rate of re-authentication and re-authorization of the terminal device, and also reducing the signaling wasted when the terminal device's request for the network resource is rejected because the core network does not permit it to perform re-authentication and re-authorization.

Description

Authentication and authorization method and communication device
This application claims priority to the Chinese patent application No. 202110183980.3, entitled "Method and Communication Device for Authentication and Authorization", filed with the State Intellectual Property Office of China on February 10, 2021, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication, and, more particularly, to the field of methods and communication devices for authentication and authorization.
Background
In recent years, the gradual popularization of drone applications has brought various economic benefits and entertainment to the public, while also making the management of drones more complicated. After a drone is connected to the network, it can obtain drone system services, which helps to manage drones better.
Connecting a drone to the network requires a series of authentications and authorizations. After a drone's authentication and authorization is rejected, it may need to be authenticated and authorized again, that is, re-authentication and authorization. At present, how a drone can perform re-authentication and authorization in a timely and successful manner according to its own needs is an urgent problem to be solved.
Summary of the invention
The present application provides a method and apparatus for authentication and authorization. After the authentication and authorization of a terminal device fails, the core network sends the terminal device an indication that the terminal device can request network resources for communicating with another terminal device in the same system, so that the terminal device can perform re-authentication and authorization according to its own needs. This improves the success rate of the terminal device's re-authentication and authorization, and also reduces the signaling wasted when the terminal device is rejected after requesting, from a core network that does not allow re-authentication and authorization, the network resources for communicating with another terminal device in the same system.
In a first aspect, an authentication and authorization method is provided, including: a first network device determines that authentication and authorization of a terminal device fails; the first network device receives first indication information, where the first indication information indicates that the terminal device can request a network resource, and the network resource is used for the terminal device to communicate with another terminal device in the same system; the first network device sends second indication information to the terminal device according to the first indication information, where the second indication information indicates that the terminal device can request the network resource.
It should be understood that the authentication and authorization is the authentication and authorization performed on the terminal device by a third-party network device. In some implementations, in a drone scenario, the authentication and authorization may be the authentication and authorization of the drone itself, the authentication and authorization of the drone's flight plan, the pairing authentication and authorization of the drone and the drone controller, or another type of authentication and authorization, which is not limited in this application.
It should be understood that, in some implementations, in a drone scenario, the first indication information indicates that the terminal device can request network resources for drone operation. It should be noted that the "drone operation" mentioned in this application may also be a drone service, or may be expressed in other ways, which is not limited in this application. It should be noted that the same system here may be a drone system. Specifically, for a drone system, if the current drone system contains only one drone and one drone controller, the network resource is used for communicating with the drone controller in the drone system. Regarding "another terminal device in the same system", this application limits neither the system name nor the number of terminals in the system. For example, if there are multiple terminal devices in a system, the terminal device may be instructed to communicate with a certain terminal device in the system.
It should be understood that, in some implementations, requesting the network resource means that the terminal device obtains the network resource from the network through any of several procedures, including but not limited to the registration procedure, the service request procedure, the session establishment procedure, and the session modification procedure, which is not limited in this application.
It should be understood that, in some implementations, the first indication information indicates that the first network device can initiate authentication and authorization for the terminal device. After receiving the first indication information, if the first network device receives from the terminal device a request for the network resource for communicating with another terminal device in the same system, the first network device may initiate authentication and authorization for the terminal device.
It should be understood that "can" mentioned in this application may also be "may", "is allowed to" or another possible expression. For convenience, this application uses only "can" as an example for description, but this is not a limitation.
In the above technical solution, after the authentication and authorization of the terminal device fails, the first network device sends the terminal device an indication that the terminal device can request network resources for communicating with another terminal device in the same system, so that the terminal device can perform re-authentication and authorization according to its own needs. This improves the success rate of the terminal device's re-authentication and authorization, and also reduces the signaling wasted when the terminal device is rejected after requesting, from a core network that does not allow re-authentication and authorization, the network resources for communicating with another terminal device in the same system.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the first network device sends a first request message to a second network device, where the first request message subscribes to changes of the authentication and authorization state; or, the first request message queries the authentication and authorization state; where the authentication and authorization state is whether the terminal device can request the network resource.
It should be noted that the "authentication and authorization state" mentioned in this application may also be whether the terminal device can perform re-authentication and authorization. For convenience, this application uses only "the authentication and authorization state is whether the terminal device can request the network resource" as an example for description, but this is not a limitation.
It should be understood that "querying the authentication and authorization state" mentioned in this application may also be "requesting the authentication and authorization state". For convenience, this application uses only "querying the authentication and authorization state" as an example for description, but this is not a limitation.
In the above technical solution, the first network device subscribes to changes of the authentication and authorization state, or queries the authentication and authorization state, on behalf of the terminal device, so that the core network obtains the authentication and authorization state of the terminal device, and the first network device notifies the terminal device when it learns that the terminal device can request the network resource. The terminal device can therefore perform re-authentication and authorization according to its own needs, which improves the success rate of the terminal device's re-authentication and authorization, and also reduces the signaling wasted when the terminal device is rejected after requesting, from a core network that does not allow re-authentication and authorization, the network resources for communicating with another terminal device in the same system.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the first network device receives a third request message from the terminal device, where the third request message requests the network resource.
It should be understood that the first network device may receive the third request message from the terminal device after the first network device sends the second indication information to the terminal device, or before the first network device sends the first request message to the second network device.
Specifically, after the first network device sends the second indication information to the terminal device, the terminal device can learn from the second indication information that it can now request the network service; when the terminal device then needs to request the above network service, it sends the third request message to the first network device.
Alternatively, when the terminal device needs to request the above network service, it sends the third request message to the first network device, and the first network device queries the authentication and authorization state for the terminal device according to the received third request message.
In the above technical solution, the terminal device queries the core network for the authentication and authorization state when it needs to request the above network service, so that the terminal device can request the network resource according to its own needs. This improves the success rate of the terminal device's re-authentication and authorization, and also reduces the signaling wasted when the terminal device is rejected after requesting, from a core network that does not allow re-authentication and authorization, the network resources for communicating with another terminal device in the same system.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the third request message includes third indication information, where the third indication information indicates that the terminal device requests to obtain the authentication and authorization state.
It should be understood that, in some possible implementations, the third indication information indicates that the terminal device requests resources for drone operation.
In the above technical solution, the terminal device itself initiates the query request for the authentication and authorization state, and the first network device then queries the authentication and authorization state for the terminal device, so that the terminal device can query the authentication and authorization state in a timely and autonomous manner. This improves the success rate of the terminal device's re-authentication and authorization, and also reduces the signaling wasted when the terminal device is rejected after requesting, from a core network that does not allow re-authentication and authorization, the network resources for communicating with another terminal device in the same system.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the first network device sends a fourth request message to the second network device or a third network device according to the third request message, where the fourth request message requests initiation of authentication and authorization.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the first network device deletes first information according to the first indication information, where the first information is stored by the first network device, and the first information indicates at least one of the following: the authentication and authorization of the terminal device failed, or the terminal device cannot request the network resource.
In the above technical solution, after the authentication and authorization of the terminal device fails, the first network device deletes the first information once it determines that the terminal device can request the network resource, so that when the first network device again receives a network resource request from the terminal device it no longer rejects it directly, but instead requests the third-party network device to perform authentication and authorization for the terminal device. The terminal device can thus request network resources in a timely manner without its request being rejected directly because the first network device has stored the first information.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the first network device stops a first timer according to the first indication information, where, before the first timer is stopped or expires, the first network device rejects second information from the terminal device, and the second information requests the network resource.
In the above technical solution, after the authentication and authorization of the terminal device fails, the first network device stops the first timer once it determines that the terminal device can request the network resource, so that when the first network device again receives a network resource request from the terminal device it no longer rejects it directly, but instead requests the third-party network device to perform authentication and authorization for the terminal device. The terminal device can thus request network resources in a timely manner before the first timer stops or expires, without its request being rejected directly because the first network device has started the first timer.
With reference to the first aspect, in some implementations of the first aspect, the terminal device is a drone.
It should be understood that the terminal device in this application includes a drone that can access the 3GPP system, and the drone here may be an unmanned aerial vehicle, an unmanned car, an unmanned ship, etc., which is not limited in this application.
In a second aspect, a communication method is provided, including: a terminal device determines that authentication and authorization of the terminal device fails; the terminal device receives second indication information from a first network device, where the second indication information can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system.
In the above technical solution, after the authentication and authorization of the terminal device fails, the terminal device receives from the first network device an indication that it can request network resources for communicating with another terminal device in the same system, and can therefore perform re-authentication and authorization according to its own needs. This improves the success rate of re-authentication and authorization of the terminal device, and also reduces the signaling wasted when the terminal device requests such network resources from the core network while the core network does not allow re-authentication and authorization, and the request is rejected.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the terminal device sends a third request message to the first network device, where the third request message requests the network resource.
It should be understood that the terminal device may send the third request message either after or before receiving the second indication information.
Specifically, after receiving the first indication information, the terminal device learns that it can request the above network resources, and then sends the third request message according to its own needs. Alternatively, before receiving the second indication information, the terminal device, according to its own needs, actively requests the above network resources from the core network or requests to obtain the authentication and authorization state, and subsequently receives the second indication information.
With reference to the second aspect, in some implementations of the second aspect, the third request message includes third indication information, the third indication information indicates that the terminal device requests to obtain an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
It should be understood that, in some possible implementations, the third indication information indicates that the terminal device requests resources for drone operation.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the terminal device deletes second information according to the second indication information, where the second information is stored by the terminal device and indicates at least one of the following: the authentication and authorization of the terminal device has failed; the terminal device cannot request the network resource.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the terminal device stops a second timer according to the first indication information, where, before the second timer stops or expires, the terminal device cannot request the network resource.
In the above technical solution, after the authentication and authorization of the terminal device fails, the terminal device stops the second timer upon receiving the first indication information, so that it is no longer prevented by the second timer from requesting the network resource and can request the network resource according to its own needs. The terminal device can thus request network resources in a timely manner before the second timer expires.
With reference to the second aspect, in some implementations of the second aspect, the terminal device is a drone.
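The gating behaviour described for the first and second aspects (first information and first timer at the first network device, second information and second timer at the terminal device) can be modelled as below. This is an added illustration, not code from the application; the class and method names, the message dictionary, the 600-second back-off and the `authenticate` callback standing in for the third-party network device are all assumptions.

```python
class FakeClock:
    """Deterministic clock so the timers can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FirstNetworkDevice:
    """Network-side gate: first information plus first timer, kept per terminal."""
    def __init__(self, authenticate, backoff_s, clock):
        self._authenticate = authenticate  # assumed stand-in for the third-party network device
        self._backoff_s = backoff_s
        self._clock = clock
        self._failed_until = {}            # ue_id -> first-timer deadline ("first information")

    def on_first_indication(self, ue_id):
        # Delete the first information / stop the first timer, then tell the terminal.
        self._failed_until.pop(ue_id, None)
        return {"type": "second_indication", "ue_id": ue_id}

    def handle_resource_request(self, ue_id):
        deadline = self._failed_until.get(ue_id)
        if deadline is not None and self._clock() < deadline:
            return "rejected_locally"      # rejected without contacting the authenticator
        self._failed_until.pop(ue_id, None)
        # Clearing the gate is not a grant: authentication and authorization still runs.
        if self._authenticate(ue_id):
            return "granted"
        self._failed_until[ue_id] = self._clock() + self._backoff_s
        return "auth_failed"


class TerminalDevice:
    """Terminal-side gate: second information plus second timer."""
    def __init__(self, ue_id, network, backoff_s, clock):
        self.ue_id = ue_id
        self._network = network
        self._backoff_s = backoff_s
        self._clock = clock
        self._blocked_until = None

    def on_second_indication(self, message):
        # Only an indication addressed to this terminal clears its own gate.
        if message["type"] == "second_indication" and message["ue_id"] == self.ue_id:
            self._blocked_until = None

    def request_resource(self):
        if self._blocked_until is not None and self._clock() < self._blocked_until:
            return "suppressed"            # no signalling leaves the terminal
        self._blocked_until = None
        result = self._network.handle_resource_request(self.ue_id)
        if result != "granted":
            self._blocked_until = self._clock() + self._backoff_s
        return result


def run_scenario():
    """Constructed scenario; identifiers uav-1 and uav-2 are sample values."""
    clock, authorized, auth_calls = FakeClock(), set(), []

    def authenticate(ue_id):
        auth_calls.append(ue_id)
        return ue_id in authorized

    network = FirstNetworkDevice(authenticate, backoff_s=600, clock=clock)
    uav1 = TerminalDevice("uav-1", network, backoff_s=600, clock=clock)
    uav2 = TerminalDevice("uav-2", network, backoff_s=600, clock=clock)
    outcomes = [uav1.request_resource()]                        # initial failure
    clock.advance(10)
    outcomes.append(uav1.request_resource())                    # second timer still running
    outcomes.append(network.handle_resource_request("uav-1"))   # first timer still running
    authorized.add("uav-1")                                     # state changes upstream
    uav1.on_second_indication(network.on_first_indication("uav-1"))
    outcomes.append(uav1.request_resource())                    # forwarded and granted
    outcomes.append(uav2.request_resource())                    # uav-2 never becomes authorized
    uav2.on_second_indication(network.on_first_indication("uav-2"))
    outcomes.append(uav2.request_resource())                    # indication alone grants nothing
    return outcomes, auth_calls


if __name__ == "__main__":
    print(run_scenario())
```

The authenticator is contacted four times for six request attempts: the two requests made while a timer is running never reach it, and an indication without a matching authorization still ends in a failed authentication and a re-armed timer.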
In a third aspect, a method for authentication and authorization is provided, including: a second network device receives fourth indication information, where the fourth indication information indicates that a terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the second network device sends first indication information to a first network device, where the first indication information indicates that the terminal device can request the network resource.
In the above technical solution, after the authentication and authorization of the terminal device fails, the second network device, after receiving the fourth indication information, stores the relevant information and sends it to the first network device, so that the first network device can determine, when it receives a resource request from the terminal device, whether the resource can be requested. The first network device, which interacts with the terminal device, therefore does not reject the resource request directly and leave the terminal device unable to request resources in time.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the second network device receives a first request message from the first network device, where the first request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the first request message queries the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the second network device sends a fifth request message to a third network device, where the fifth request message subscribes to changes of the authentication and authorization state; or, the fifth request message queries the authentication and authorization state.
It should be understood that the second network device may not have obtained the authentication and authorization state in advance, and therefore, after receiving the first request message, needs to request the authentication and authorization state from the third network device or another network device. The device from which the second network device requests the authentication and authorization state is not limited in this application.
Alternatively, if the second network device has already obtained the authentication and authorization state before receiving the first request message, then after receiving the first request message it can directly feed the authentication and authorization state back to the first network device.
With reference to the third aspect, in some implementations of the third aspect, the terminal device is a drone.
In a fourth aspect, a method for authentication and authorization is provided, including: a third network device determines that authentication and authorization of a terminal device fails; the third network device determines fifth indication information, where the fifth indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the third network device sends the fifth indication information.
It should be understood that the third network device may determine the fifth indication information either by receiving it or by determining it directly itself, which is not limited in this application.
It should be understood that the third network device may send the fifth indication information to the first network device directly, or may send it to the first network device through other network devices. Or, more simply and directly, the third network device may send the fifth indication information directly to the terminal device, which is not limited in this application.
In the above technical solution, after the authentication and authorization of the terminal device fails, the third network device determines that the terminal device can request the above network resources and actively sends the relevant indication information to the core network or the terminal device, so that the terminal device can request network resources according to its own needs. This improves the success rate of re-authentication and authorization of the terminal device, and also reduces the signaling wasted when the terminal device requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization, and the request is rejected.
With reference to the fourth aspect, in some implementations of the fourth aspect, the method further includes: the third network device receives a sixth request message, where the sixth request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the sixth request message queries the authentication and authorization state.
With reference to the fourth aspect, in some implementations of the fourth aspect, the terminal device is a drone.
In a fifth aspect, an apparatus for authentication and authorization is provided, including: a processing module, configured to determine that authentication and authorization of a terminal device fails; and a transceiver module, configured to receive first indication information, where the first indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the transceiver module is further configured to send second indication information to the terminal device according to the first indication information, where the second indication information indicates that the terminal device can request the network resource.
In the above technical solution, after the authentication and authorization of the terminal device fails, the first network device sends to the terminal device an indication that the terminal device can request network resources for communicating with another terminal device in the same system, so that the terminal device can perform re-authentication and authorization according to its own needs. This improves the success rate of re-authentication and authorization of the terminal device, and also reduces the signaling wasted when the terminal device requests such network resources from the core network while the core network does not allow re-authentication and authorization, and the request is rejected.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver module is further configured to: send a first request message to a second network device, where the first request message subscribes to changes of an authentication and authorization state; or, the first request message queries the authentication and authorization state; where the authentication and authorization state is whether the terminal device can request the network resource.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver module is further configured to: receive a third request message from the terminal device, where the third request message requests the network resource.
With reference to the fifth aspect, in some implementations of the fifth aspect, the third request message includes third indication information, where the third indication information indicates that the terminal device requests to obtain the authentication and authorization state.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing module is further configured to: delete first information according to the first indication information, where the first information is stored by the first network device and indicates at least one of the following: the authentication and authorization of the terminal device has failed; the terminal device cannot request the network resource.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing module is further configured to: stop a first timer according to the first indication information, where, before the first timer stops, the first network device rejects second information from the terminal device, the second information requesting the network resource.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver module is further configured to: send a fourth request message to the second network device or a third network device according to the third request message, where the fourth request message requests that authentication and authorization be performed for the terminal device.
With reference to the fifth aspect, in some implementations of the fifth aspect, the terminal device is a drone.
In a sixth aspect, an apparatus for authentication and authorization is provided, including: a processing module, configured to determine that authentication and authorization of the terminal device fails; and a transceiver module, configured to receive second indication information from a first network device, where the second indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system.
In the above technical solution, after the authentication and authorization of the terminal device fails, the terminal device receives from the first network device an indication that it can request network resources for communicating with another terminal device in the same system, and can therefore perform re-authentication and authorization according to its own needs. This improves the success rate of re-authentication and authorization of the terminal device, and also reduces the signaling wasted when the terminal device requests such network resources from the core network while the core network does not allow re-authentication and authorization, and the request is rejected.
With reference to the sixth aspect, in some implementations of the sixth aspect, the transceiver module is further configured to: send a third request message to the first network device, where the third request message requests the network resource.
With reference to the sixth aspect, in some implementations of the sixth aspect, the third request message includes third indication information, the third indication information indicates that the terminal device requests to obtain an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
With reference to the sixth aspect, in some implementations of the sixth aspect, the processing module is further configured to: stop a second timer according to the second indication information, where, before the second timer stops, the terminal device cannot request the network resource.
With reference to the sixth aspect, in some implementations of the sixth aspect, the terminal device is a drone.
In a seventh aspect, an apparatus for authentication and authorization is provided, including: a transceiver module, configured to receive fourth indication information, where the fourth indication information indicates that a terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; the transceiver module is further configured to send first indication information to a first network device, where the first indication information indicates that the terminal device can request the network resource.
In the above technical solution, after the authentication and authorization of the terminal device fails, the second network device, after receiving the fourth indication information, stores the relevant information and sends it to the first network device, so that the first network device can determine, when it receives a resource request from the terminal device, whether the resource can be requested. The first network device, which interacts with the terminal device, therefore does not reject the resource request directly and leave the terminal device unable to request resources in time.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver module is further configured to: receive a first request message from the first network device, where the first request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the first request message queries the authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver module is further configured to: send a fifth request message to a third network device, where the fifth request message subscribes to changes of the authentication and authorization state; or, the fifth request message queries the authentication and authorization state.
With reference to the seventh aspect, in some implementations of the seventh aspect, the terminal device is a drone.
In an eighth aspect, an apparatus for authentication and authorization is provided, including: a processing module, configured to determine that authentication and authorization of a terminal device fails; the processing module is further configured to determine fifth indication information, where the fifth indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system; and a transceiver module, configured to send the fifth indication information.
In the above technical solution, after the authentication and authorization of the terminal device fails, the third network device determines that the terminal device can request the above network resources and actively sends the relevant indication information to the core network or the terminal device, so that the terminal device can request network resources according to its own needs. This improves the success rate of re-authentication and authorization of the terminal device, and also reduces the signaling wasted when the terminal device requests, from the core network, network resources for communicating with another terminal device in the same system while the core network does not allow re-authentication and authorization, and the request is rejected.
With reference to the eighth aspect, in some implementations of the eighth aspect, the transceiver module is further configured to: receive a sixth request message, where the sixth request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource; or, the sixth request message queries the authentication and authorization state.
With reference to the eighth aspect, in some implementations of the eighth aspect, the terminal device is a drone.
In a ninth aspect, a communication apparatus is provided, characterized in that it includes a processor and a memory; the memory is configured to store a computer program; the processor is configured to execute the computer program stored in the memory, so that the communication apparatus executes the methods and embodiments described in any one of the first to fourth aspects and their implementations.
In a tenth aspect, a computer-readable storage medium is provided, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program runs on a computer, the computer is caused to execute the methods and embodiments described in any one of the first to fourth aspects and their implementations.
In an eleventh aspect, a chip system is provided, characterized in that it includes: a processor, configured to call and run a computer program from a memory, so that a communication device on which the chip system is installed executes the methods and embodiments described in any one of the first to fourth aspects and their implementations.
In a twelfth aspect, a communication system is provided, characterized in that the communication system includes a terminal device and a third network device, where the terminal device is configured to execute the methods and embodiments described in the second aspect and its implementations, and the third network device is configured to execute the methods and embodiments described in the fourth aspect and its implementations.
In a thirteenth aspect, a communication system is provided, characterized in that the communication system includes a terminal device, a third network device and a first network device, where the terminal device is configured to execute the methods and embodiments described in the second aspect and its implementations, the third network device is configured to execute the methods and embodiments described in the fourth aspect and its implementations, and the first network device is configured to execute the methods and embodiments described in the first aspect and its implementations.
In a fourteenth aspect, a communication system is provided, characterized in that the communication system includes a terminal device, a third network device, a first network device and a second network device, where the terminal device is configured to execute the methods and embodiments described in the second aspect and its implementations, the third network device is configured to execute the methods and embodiments described in the fourth aspect and its implementations, the first network device is configured to execute the methods and embodiments described in the first aspect and its implementations, and the second network device is configured to execute the methods and embodiments described in the third aspect and its implementations.
Description of drawings
FIG. 1 shows a network architecture applicable to the embodiments of the present application.
FIG. 2 shows another network architecture applicable to the embodiments of the present application.
FIG. 3 shows a schematic diagram of an example of an application scenario to which the embodiments of the present application apply.
FIG. 4 shows a schematic interaction diagram of an example of the authentication and authorization method of the present application.
FIG. 5 shows a schematic interaction diagram of another example of the authentication and authorization method of the present application.
FIG. 6 shows a schematic interaction diagram of another example of the authentication and authorization method of the present application.
FIG. 7 shows a schematic interaction diagram of another example of the authentication and authorization method of the present application.
FIG. 8 shows a schematic interaction diagram of another example of the authentication and authorization method of the present application.
FIG. 9 shows a schematic interaction diagram of another example of the authentication and authorization method of the present application.
FIG. 10 shows a schematic block diagram of an example of a communication apparatus for authentication and authorization of the present application.
FIG. 11 shows a schematic block diagram of another example of a communication apparatus for authentication and authorization of the present application.
具体实施方式Detailed ways
下面将结合附图,对本申请中的技术方案进行描述。The technical solutions in the present application will be described below with reference to the accompanying drawings.
本申请实施例提供的技术方案可以应用于各种通信系统,例如:全球移动通信(global system for mobile communications,GSM)系统、码分多址(code division multiple access,CDMA)系统、宽带码分多址(wideband code division multiple access,WCDMA)系统、通用分组无线业务(general packet radio service,GPRS)、长期演进(long term evolution,LTE)系统、LTE频分双工(frequency division duplex,FDD)系统、LTE时分双工(time division duplex,TDD)、通用移动通信系统(universal mobile telecommunication system,UMTS)、全球互联微波接入(worldwide interoperability for microwave access,WiMAX)通信系统、第五代(5th generation,5G)系统或新无线(new radio,NR)或者未来的3GPP系统等。The technical solutions provided in the embodiments of the present application can be applied to various communication systems, for example: a global system for mobile communications (GSM) system, a code division multiple access (CDMA) system, a wideband code division multiple access (CDMA) system, address (wideband code division multiple access, WCDMA) system, general packet radio service (general packet radio service, GPRS), long term evolution (long term evolution, LTE) system, LTE frequency division duplex (frequency division duplex, FDD) system, LTE time division duplex (TDD), universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WiMAX) communication system, 5th generation (5G) ) system or new radio (NR) or future 3GPP system, etc.
Generally speaking, a traditional communication system supports a limited number of connections and is easy to implement. However, with the development of communication technology, mobile communication systems will support not only traditional communication but also, for example, device to device (D2D) communication, machine to machine (M2M) communication, machine type communication (MTC), and vehicle to everything (V2X) communication (also called vehicle network communication), for example, vehicle to vehicle (V2V) communication (also called car-to-car communication), vehicle to infrastructure (V2I) communication (also called car-to-infrastructure communication), vehicle to pedestrian (V2P) communication (also called car-to-person communication), and vehicle to network (V2N) communication (also called car-to-network communication).
FIG. 1 provides a network architecture. The network elements that may be involved in this network architecture are described below with reference to FIG. 1.
1. User equipment (UE): may be called a terminal device, terminal, access terminal, subscriber unit, subscriber station, mobile station, mobile console, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user apparatus. The UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or another processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved public land mobile network (PLMN) or in a non-terrestrial network (NTN). It may also be an end device, a logical entity, or a smart device: a terminal device such as a mobile phone or smart terminal, a communication device such as a server, gateway, base station, or controller, or an Internet of things (IoT) device such as a sensor, electricity meter, or water meter. It may also be an unmanned aerial vehicle (Unmanned Aerial Vehicle or Uncrewed Aerial Vehicle, UAV) with a communication function. This is not limited in the embodiments of the present application.
2. Universal mobile telecommunications system (UMTS) terrestrial radio access network (UTRAN): for example, a third generation (3G)/second generation (2G) access network.
3. Global system for mobile communication (GSM)/enhanced data rate for GSM evolution (EDGE) terrestrial radio access network (GERAN): for example, a 3G/2G access network.
4. Evolved universal terrestrial radio access network (E-UTRAN): for example, a fourth generation (4G) access network.
5. Serving gateway (S-GW) entity: may be responsible for functions such as user plane processing and the routing and forwarding of data packets.
6. Public data network (PDN) gateway (P-GW) entity: the user plane data link anchor point between 3rd Generation Partnership Project (3GPP) and non-3GPP networks; it may be responsible for managing data routing between 3GPP and non-3GPP networks.
7. Mobility management entity (MME): mainly responsible for functions such as mobility management, bearer management, user authentication, and selection of the S-GW and P-GW.
8. Operator's IP services: for example, this may be an IP multimedia subsystem (IMS), where the IMS is a general network architecture that provides multimedia services over Internet Protocol (IP) networks; as another example, it may be a packet switching service (PSS).
9. Policy and charging rules function (PCRF): the policy and charging control policy decision point for service data flows and IP bearer resources; it can select and provide available policy and charging control decisions for the policy and charging enforcement function.
10. Home subscriber server (HSS): can support the main user database of the IMS network entities that handle calls/sessions. The HSS may include user profiles, perform user authentication and authorization, and provide information about the user's physical location.
11. Serving general packet radio service (GPRS) support node (SGSN): can perform functions such as routing and forwarding of packet data, mobility management, session management, logical link management, authentication and encryption, and call detail record (CDR) generation and output.
In this network architecture, the LTE-Uu interface is the reference point between the terminal and the E-UTRAN; the S1-U interface is the reference point between the E-UTRAN and the S-GW entity; the N5 interface is the reference point between the S-GW entity and the P-GW entity; the SGi interface is the reference point between the P-GW entity and the IMS; the Rx interface is the reference point between the IMS and the PCRF; the Gx interface is the reference point between the P-GW entity and the PCRF; the control plane interface S1-MME connects the MME to the E-UTRAN, similar to the control part of the radio network layer in a UMTS network; the S11 interface is the reference point between the MME and the S-GW entity; the S12 interface is the reference point between the UTRAN/GERAN and the S-GW entity; the S4 interface is the reference point between the SGSN and the S-GW entity; the S6a interface is the reference point between the MME and the HSS; and the S3 interface is the reference point between the MME and the SGSN.
FIG. 2 provides another network architecture. The network elements that may be involved in this network architecture are described below with reference to FIG. 2.
1. UE: already described above with reference to FIG. 1; for brevity, details are not repeated here.
2. Access network (AN): provides a network access function for authorized users in a specific area and can use transmission tunnels of different quality according to the user's level, service requirements, and so on. The access network may be an access network using different access technologies. There are currently two types of radio access technology: 3GPP access technologies (for example, the radio access technologies used in 3G, 4G, or 5G systems) and non-3rd Generation Partnership Project (non-3GPP) access technologies. A 3GPP access technology is an access technology that conforms to the 3GPP standard specifications. An access network using a 3GPP access technology is called a radio access network (RAN), and the access network device in a 5G system is called a next generation Node Base station (gNB). A non-3GPP access technology is an access technology that does not conform to the 3GPP standard specifications, for example, the air interface technology represented by the access point (AP) in Wi-Fi.
An access network that implements the access network function based on wireless communication technology may be called a radio access network (RAN). The radio access network can manage radio resources and provide access services for terminals, and thereby forward control signals and user data between the terminal and the core network.
The radio access network may be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station in a 5G mobile communication system (gNB), a base station in a future mobile communication system, or an AP in a Wi-Fi system. It may also be a radio controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network, or a network device in a future evolved PLMN network. The embodiments of the present application do not limit the specific technology or the specific device form used by the radio access network device.
3. Access and mobility management function (AMF) entity: mainly used for mobility management, access management, and the like; it can be used to implement the functions of the mobility management entity (MME) other than session management, for example, lawful interception or access authorization (or authentication).
4. Session management function (SMF) entity: mainly used for session management, allocation and management of UE IP addresses, selection of manageable user plane functions, termination point of policy control or charging function interfaces, downlink data notification, and the like.
5. User plane function (UPF) entity: that is, the data plane gateway. It can be used for packet routing and forwarding, quality of service (QoS) processing of user plane data, and the like. User data can access a data network (DN) through this network element. In the embodiments of the present application, it can be used to implement the function of the user plane gateway.
6. Data network (DN): a network used to provide data transmission, for example, an operator's service network, the Internet, or a third party's service network.
7. Authentication server function (AUSF) entity: mainly used for user authentication and the like.
8. Network exposure function (NEF) entity: used to securely expose to the outside the services and capabilities provided by 3GPP network functions.
9. Network repository function (network function (NF) repository function, NRF) entity: used to store the description information of network function entities and the services they provide, and to support service discovery, network element entity discovery, and the like.
10. Policy control function (PCF) entity: a unified policy framework used to guide network behavior; it provides policy rule information for control plane function network elements (for example, AMF and SMF network elements).
11. Unified data management (UDM) entity: used to handle user identification, access authentication, registration, mobility management, and the like.
12. Application function (AF) entity: used for application-influenced data routing, accessing the network exposure function network element, or interacting with the policy framework for policy control. For example, it may be a V2X application server, a V2X application enabling server, or an unmanned aerial vehicle (UAV) server (which may include a UAV supervision server or a UAV application service server).
In the network architecture shown in FIG. 2, the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the AN and the AMF entity and is used for sending non-access stratum (NAS) messages and the like; the N3 interface is the reference point between the (R)AN and the UPF entity and is used to transmit user plane data and the like; the N4 interface is the reference point between the SMF entity and the UPF entity and is used to transmit information such as the tunnel identification information of the N3 connection, data buffering indication information, and downlink data notification messages; the N6 interface is the reference point between the UPF entity and the DN and is used to transmit user plane data and the like.
It should be understood that the network architectures shown in FIG. 1 and FIG. 2 can be applied to the embodiments of the present application. The network architectures applicable to the embodiments of the present application are not limited to these; any network architecture that can implement the functions of the network elements described above is applicable to the embodiments of the present application.
It should also be understood that the AMF entity, SMF entity, UPF entity, NEF entity, AUSF entity, NRF entity, PCF entity, and UDM entity shown in FIG. 1 or FIG. 2 can be understood as network elements in the core network that implement different functions and can, for example, be combined into network slices on demand. These core network elements may each be an independent device, or may be integrated into the same device to implement different functions, which is not limited in this application. It should be noted that the above "network element" may also be called an entity, a device, an apparatus, a module, or the like, which is not particularly limited in this application.
It should also be understood that the above names are used only to distinguish different functions and do not mean that these network elements are separate physical devices. This application does not limit the specific form of the above network elements; for example, they may be integrated into the same physical device or may be different physical devices. In addition, the above names are only for convenience in distinguishing different functions and should not constitute any limitation on this application, and this application does not exclude the possibility of other names being used in 5G networks and other future networks. For example, in a 6G network, some or all of the above network elements may keep the 5G terms or may use other names. This is stated once here and is not repeated below.
It should also be understood that the names of the interfaces between the network elements in FIG. 1 or FIG. 2 are only examples, and the interfaces may have other names in a specific implementation, which is not specifically limited in this application. In addition, the names of the messages (or signaling) transmitted between the above network elements are also only examples and do not constitute any limitation on the functions of the messages themselves.
FIG. 3 shows a schematic diagram of an application scenario of an embodiment of the present application. As shown in FIG. 3, the unmanned aerial system (UAS) 300 can exchange information and communicate wirelessly with a network system that has an unmanned aerial system traffic management entity UTM 303. For example, the UAV controller 301 or the UAV 302 can exchange information with the access network (radio access network, RAN) 304 and the core network (CN) 305, and can also exchange information with the UTM 303 through the access network 304 or the core network 305; the UAV controller 301 can also exchange information with the UAV 302 through the access network 304 or the core network 305, and can also exchange information with the UAV 302 through the UTM 303.
It should be understood that the UAV controller 301 and the UAV 302 may be in the same access network or core network, or may be in different access networks or core networks, which is not limited in the embodiments of the present application.
1. Unmanned aerial vehicle controller (UAVC) 301: used to control the UAV 302, for example, to control the flight state or flight actions of the UAV. The UAV controller may be a smartphone, tablet, laptop, smart watch, smart remote control, traditional remote control, dedicated remote controller, or the like; it may also be a device that can be used to control the UAV by gestures, such as a bracelet, ring, glove, armband, or watch; it may also be a head-mounted device, such as a headset, that can be used to control the UAV by thought; and it may also be a device, such as a smart jacket or coat, that can be used to control the UAV through the user's body movements.
It should be understood that the specific type of the UAV controller is not limited herein. As intelligent technology develops, the names and forms of devices that have the function of a UAV controller may vary. For ease of description, in all embodiments of the present application, the above devices that have the function of a UAV controller or that can control a UAV are collectively referred to as UAV controllers.
The UAV controller 201 can control the flight state of the UAV 202. For example, the UAV controller can control the direction, ailerons, elevator, tilt, speed, throttle, flaps, and the like of the UAV, and can also control actions of the UAV such as turning, climbing, diving, rolling, hovering, taking off, and landing, which is not limited in any way in the embodiments of the present application.
2. Unmanned aerial vehicle (UAV) 302: may also be written as uncrewed aerial vehicle (UAV), and may also be called an unmanned aircraft or aerial robot. It is an unmanned aircraft operated using radio remote control equipment and its own program control device, and it can complete aerial flight tasks and various payload tasks without a pilot on board. The UAV in the embodiments of the present application may be an unmanned helicopter, fixed-wing aircraft, multi-rotor aircraft, unmanned airship, or unmanned paraglider; it may also include near-space vehicles, such as stratospheric airships, high-altitude balloons, and solar-powered UAVs; and it may also be a UAV of various forms such as four-axis, six-axis, single-axis, or vector-controlled. The UAV in the embodiments of the present application can be used in fields such as military, industry, civil use, agriculture, construction, film and television, and environmental protection, as well as in special industries that use UAV operations, for example, using UAVs for military reconnaissance, patrol, aerial photography, environmental monitoring, border monitoring, express delivery, power line inspection, rights confirmation, flood control and drought relief, post-disaster rescue, and so on. This is not limited in the embodiments of the present application.
It should be understood that the specific type of the UAV is not limited herein. As intelligent technology develops, the names of devices that have the function of an unmanned aircraft may vary in order to suit different scenarios or complete different aerial flight tasks. For ease of description, in all embodiments of the present application, the above devices that have the function of an unmanned aircraft are collectively referred to as UAVs.
The UAV 202 may be equipped with various sensors or functional modules, such as a gyroscope (flight attitude sensing), an accelerometer, a geomagnetic sensor, a barometric pressure sensor (coarse control of hover height), an ultrasonic sensor (precise control of low-altitude height, or obstacle avoidance), an optical flow sensor (precise determination of horizontal hover position), a global positioning system (GPS) module (coarse positioning of horizontal position and altitude), a control circuit, a compass, and the like. By collecting the angular rate, attitude, position, acceleration, altitude, airspeed, and the like of the UAV, the normal flight attitude of the UAV can be maintained automatically. It should be understood that the names of the modules or hardware configured on the above UAV are only examples; in a specific implementation, each functional module may have another name, which is not limited in the embodiments of the present application. The UAV in the embodiments of the present application may also have more or fewer functional modules and may implement more or fewer functions, which is also not limited in any way in the embodiments of the present application.
It should also be understood that the unmanned aerial system (UAS) 300 may include one or more UAV controllers 201 and one or more UAVs 202. For example, one UAV controller may control one or more UAVs, one UAV may be controlled by one or more UAV controllers, and multiple UAV controllers may cooperatively control multiple UAVs, which is not limited in the embodiments of the present application.
The UAV 202 in the UAS 200 may be any one or more of the types mentioned above, and the UAV controller 201 may also be any one or more of the types mentioned above, which is not limited in any way in the embodiments of the present application. In addition to the network elements described above, this application also involves the following:
UAS service supplier (USS): an entity that supports the safe and efficient use of airspace by providing services to UAV operators or pilots to meet UAV operational requirements. The USS can provide any subset of functions to meet the supplier's business objectives. It should be noted that this name is only for convenience in indicating its function and should not constitute any limitation on this application; this application does not exclude the possibility of other names being adopted in later standards.
Unmanned aerial system traffic management (UTM): a set of functions and services for managing a range of automated device operations (for example, UAV authentication, UAV service authorization, UAV policy management, and UAV traffic control in airspace). It should be noted that this name is only for convenience in indicating its function and should not constitute any limitation on this application; this application does not exclude the possibility of other names being adopted in later standards.
In addition, the USS and the UTM may be a single entity, one may contain the other, or they may exist side by side, which is not limited in this application.
Third party authorized entity (TPAE): can identify and/or track UAVs and check whether there are illegal UAVs within a certain range.
UAS application function network element (UAS AF) and UAV flight enablement subsystem (UFES): the UAS AF or UFES provides a separate interface for the USS or UTM, executes the commands issued by the USS or UTM, and is responsible for information transmission between the inside and outside of the 3GPP system. It should be noted that this name is only for convenience in indicating its function and should not constitute any limitation on this application; this application does not exclude the possibility of other names being adopted in later standards. In addition, the UAS AF or UFES may be an existing network element, for example the NEF/SCEF itself, or a new network element, and may also be co-deployed with the NEF or the service capability exposure function (SCEF). In addition, the UAS AF and the UFES may be a single entity, one may contain the other, or they may exist side by side, which is not limited in this application.
In recent years, UAV applications have become increasingly widespread. In the civilian field in particular, there is a wide variety, from small UAVs for personal entertainment to all kinds of UAVs that deliver economic value, such as plant protection UAVs, disaster relief UAVs, firefighting UAVs, and express delivery UAVs. However, while UAVs bring people various economic benefits and recreation, they also raise the question of how UAVs are to be managed.
UAVs used in remote control scenarios have a growing need for network connectivity. To manage UAVs better, the application of the 3GPP system across the UAV field is receiving more and more attention. Taking the 5G system as an example, in recent standards meetings 3GPP has been studying networked UAVs, where the system improves UAV management through the network. In the 3GPP UAS architecture, the UAV and the UAV controller each access the 3GPP network, and the two communicate through the 3GPP network. Specifically, once connected to the network, a UAV can obtain UAS services: for example, the UAV controller can remotely control the flight of the UAV through the network, the UAV can send data to the cloud through the network, and the UAV can obtain timely obstacle avoidance assistance through the network. To have its flight controlled over the network, the UAV requests the establishment of a session to connect with its controller; this session is called a command and control (C2) communication-related session.
无人机联网需要进行无人机自身的认证授权,如果需要建立C2通信相关的会话,还需要进行C2通信的认证授权,这些认证授权需要在一个第三方实体中进行,即USS或UTM。目前,UAV认证授权可以在注册流程中执行,也可以在协议数据单元(protocol data unit,PDU)会话建立过程中执行。要实现认证授权,UE必须强制支持注册流程中和PDU会话建立过程中执行UAV认证授权,网络侧必须强制支持PDU会话建立过程中执行UAV认证授权。UAV networking requires authentication and authorization of the UAV itself. If a session related to C2 communication needs to be established, C2 communication authentication and authorization are also required. These authentication authorizations need to be carried out in a third-party entity, namely USS or UTM. Currently, UAV authentication and authorization can be performed in the registration process or in the process of establishing a protocol data unit (PDU) session. To implement authentication and authorization, the UE must enforce UAV authentication and authorization in the registration process and in the process of establishing a PDU session, and the network side must enforce UAV authentication and authorization in the process of establishing a PDU session.
需要说明的是,本申请中的UAV认证授权,包括跟UAV相关的认证授权,例如UAV自身是否合法(UAV的认证授权)、UAV的飞行计划是否合法(飞行路径的认证授权)、UAV是否可以和特定的UAVC通信(配对的认证授权)等等,或者,还有可能包括其他与UAV相关的认证授权,本申请对此不做限定。It should be noted that the UAV certification authorization in this application includes the certification authorization related to UAV, such as whether the UAV itself is legal (UAV certification authorization), whether the UAV flight plan is legal (the flight path certification authorization), whether the UAV can It communicates with a specific UAVC (paired authentication authorization), etc., or may also include other UAV-related authentication authorizations, which are not limited in this application.
对于UAV执行认证授权失败的场景,UE可能再次执行认证授权,即重认证授权。而当前的解决方案中,重认证授权仅针对于UAV认证授权在注册中执行的场景,更重要的是UE不可以及时按需的进行重认证授权。For a scenario where the UAV fails to perform authentication and authorization, the UE may perform authentication and authorization again, that is, re-authentication and authorization. However, in the current solution, the re-authentication authorization is only for the scenario where the UAV authentication and authorization is performed during the registration, and more importantly, the UE cannot perform the re-authentication and authorization in time and on demand.
下面将结合附图详细说明本申请实施例。The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
FIG. 4 shows a schematic interaction diagram of a method 400 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 4, method 400 is as follows.
S401. Determine that the authentication and authorization of the terminal device has failed.
It should be understood that the terminal device, the first network device, the second network device and the third network device can each determine that the authentication and authorization of the terminal device has failed.
As an example, the terminal device receives indication information from the first network device, the indication information indicating that the authentication and authorization of the terminal device has failed. Alternatively, as an example, the first network device may directly reject the terminal device's registration request or session establishment request without sending indication information to the terminal device, and the terminal device can still determine that the authentication and authorization has failed; this is not limited in this application. Likewise, this application does not limit how the other devices determine that the authentication and authorization of the terminal device has failed.
It should be noted that "terminal device" and "UE" in this application include a UAV that can access the 3GPP system, for example a UAV internally configured with a universal subscriber identity module (USIM). "Network element" and "network device" have the same meaning in this application.
S402. The first network device receives first indication information.
The first indication information indicates that the terminal device can request network resources, the network resources being used for the terminal device to communicate with another terminal device in the same system.
It should be understood that the first indication information here may be re-authentication authorization indication information, which indicates that the first network device can again initiate authentication and authorization for the terminal device. Requesting network resources here may refer to a registration request for UAV operation, a PDU session establishment request for UAV operation, and so on, without limitation.
From the terminal's perspective, the first indication information indicates that the terminal device may request network resources from the first network device; from the first network device's perspective, it indicates that the first network device is to request authentication and authorization for the terminal device. In other words, the first network device requests authentication and authorization on behalf of the terminal device, and it does so when the terminal device requests resources.
Therefore, once the first network device has received the first indication information, that is, the re-authentication authorization indication information, the terminal device is allowed to request network resources: when the first network device receives the terminal's request, it requests authentication and authorization for the terminal device. Otherwise, if the first network device has not received an indication that the terminal device is allowed to re-authenticate and re-authorize, a request for network resources from the terminal device is rejected by the first network device, which wastes signaling.
It should be noted that only when the authentication and authorization of the terminal device succeeds does the first network device determine whether network resources can be allocated for UAV operation. If the authentication and authorization fails, the first network device will not allocate network resources for UAV operation.
As an example, in a UAV system, the first indication information indicates that the terminal device can request network resources for UAV operation. It should be understood that UAV operation here may also be called UAV service, or any other expression with a similar meaning, which is not limited in this application.
Step S402 can be implemented in several ways, for example S402a or S402b below.
As shown in step S402a, the first network device may receive the first indication information from the second network device; before that, the second network device may also receive one or more pieces of indication information from the third network device. It should be noted that the second network device in this application may correspond to the UDM in a 5G system or the HSS in a 4G system, or may be another network device with similar functions; none of this is limited in this application.
Alternatively, as shown in step S402b, the first network device may receive the first indication information from the third network device. It should be noted that the third network device in this application may correspond to the USS or UTM, or the UAS AF, or may be the NEF in a 5G system or the SCEF in a 4G system; none of this is limited in this application.
S403. The first network device sends second indication information to the terminal device according to the first indication information.
Specifically, the second indication information indicates that the terminal device can request the above network resources. It should be understood that the first indication information and the second indication information may be the same indication information or different indication information. This application does not limit how the first indication information and/or the second indication information is represented.
It should be understood that after the network device has sent the terminal device the indication information allowing it to request the above network resources, the next authentication and authorization is triggered by the network device only once the terminal device has requested those network resources from the core network. As an example, in a UAV system scenario, the UE's UAV authentication and authorization may fail because many UEs are requesting access to the 3GPP network and the USS or UTM cannot supervise more than a certain number of UEs at the same time, or does not allow more than a certain number of UEs to be present in an area at the same time. After a period of time, when the number of UEs in UAV operation falls below that number, the USS or UTM can notify the UE through the core network that the network resources it requested can now be provided. The UE then requests the establishment of a session for communication with the UAV controller, and the core network initiates authentication and authorization for the UE.
It should be noted that the first network device in this application may be the SMF and/or AMF in a 5G system or the MME in a 4G system, or may be another network device with similar functions, which is not limited in this application.
In this embodiment of the present application, after the UE's authentication and authorization fails, an indication that the terminal device can request network resources for communicating with another terminal device in the same system is sent to the terminal device through the core network, so that the UE can perform re-authentication and authorization according to its own needs. This improves the success rate of UE re-authentication and authorization, and reduces the signaling wasted when the UE requests such network resources from the core network while the core network does not allow re-authentication and authorization and the request is rejected.
FIG. 5 shows a schematic flowchart of a method 500 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 5, method 500 is as follows.
S501. The UE sends a registration request message to the AMF.
The registration request message is used to register the UE with the 3GPP system.
S502. The AMF sends a subscription request message to the UDM.
Specifically, this message indicates a subscription to updates of the UAV re-authentication authorization state. The UAV re-authentication authorization state refers to whether the UAV may initiate re-authentication and authorization after authentication and authorization has failed. The subscription request message requests the UDM to notify the AMF when the UE's UAV authentication and authorization state changes.
In this embodiment, after the UE's UAV authentication and authorization fails, the default state on the core network side is that the UE is not allowed to perform re-authentication and authorization. The state may later change to allow the UE to perform re-authentication and authorization, which constitutes a state update. The UDM then notifies the AMF when the re-authentication authorization state changes.
As an example, the AMF sends the subscription request message to the UDM when it determines that the UE has an aerial subscription.
Specifically, the AMF can determine that the UE has an aerial subscription in several ways. For example, the AMF may first query the UDM as to whether the UE has an aerial subscription, and the UDM returns the UE's aerial subscription information. Alternatively, the UE includes indication information in the registration request message indicating that the UE's registration is for UAV operation; in other words, the UE performs the registration procedure as a UAV, so the network side needs to check whether the UE has the relevant subscription information.
S503. The UDM returns a subscription response message to the AMF.
From the subscription response message, the AMF can determine that the UDM has confirmed the subscription request.
It should be noted that steps S502 and S503 may be performed before step S504 or after step S505, which is not limited in this application.
S504. The AMF returns a registration response to the UE.
From the registration response message, the UE can determine that it has been registered with the 3GPP system.
S505. The UAV performs authentication and authorization during PDU session establishment.
As an example, the USS/UTM rejects the UAV's authentication and authorization for some reason. The SMF receives the indication sent by the USS/UTM rejecting the UAV authentication and authorization and notifies the AMF that the UAV authentication and authorization has failed, whereupon the AMF determines not to deregister the UAV.
Optionally, S506: after receiving the subscription request message, the UDM sends a subscription request to the UAS AF/NEF.
The subscription request is used to request the UAV re-authentication authorization state.
Optionally, S507: after receiving the subscription request message, the UAS AF/NEF sends a subscription request to the USS/UTM.
Optionally, S508: after receiving the subscription request, the USS/UTM sends a subscription response message to the UAS AF/NEF, confirming that the subscription has been accepted.
Optionally, S509: after receiving the subscription response message, the UAS AF/NEF sends a subscription response message to the UDM.
It should be noted that the UAS AF/NEF may be absent, in which case the UDM sends the subscription request directly to the USS/UTM; the UDM may also send the subscription request to the USS/UTM through other network devices. Steps S506 to S509 are therefore only one optional solution, which is not limited in this application.
S510. The USS/UTM sends a UAV re-authentication authorization indication to the UAS AF/NEF.
Specifically, after the UAV authentication and authorization has failed, the USS/UTM can send the UAV re-authentication authorization indication once it determines that the UE may perform UAV authentication and authorization again. How the USS/UTM determines that the UE may perform authentication and authorization again is not limited in this application.
As an example, the UE may obtain the permission of the USS/UTM offline; alternatively, the UE may establish a session with the USS/UTM, and the UAV obtains permission after interacting with the USS/UTM over the user plane of that session.
S511. The UAS AF/NEF forwards the UAV re-authentication authorization indication to the UDM.
It should be noted that the UAS AF/NEF may be absent, in which case the USS/UTM sends the above request directly to the UDM; the USS/UTM may also send the above request to the UDM through other network devices. Steps S510 and S511 are therefore only one optional solution, which is not limited in this application.
S512. The UDM sends a UAV re-authentication authorization state update notification to the AMF.
Specifically, after receiving the UAV re-authentication authorization indication, the UDM determines that the UE may perform UAV re-authentication and authorization, and then sends the above notification to the AMF.
S513. The AMF sends a configuration update command to the UE.
As an example, the configuration update command may contain the UAV re-authentication authorization indication.
After receiving the UAV re-authentication authorization indication, the UE can initiate session establishment or modification again as needed, and perform UAV authentication and authorization within it.
Optionally, the AMF deletes the information related to the UAV authentication and authorization failure.
As an example, suppose that after the UE's UAV authentication and authorization fails, the AMF has stored the failure result. The stored result may take the form of an indicator (flag) indicating that the UE's authentication and authorization failed, or that the UE cannot request network resources for UAV operation. It may instead be a timer, before whose expiry the AMF rejects requests sent by the UE for network resources for UAV operation, or it may take some other form. While the AMF holds this result, a request sent by the UE to the AMF for network resources for UAV operation is rejected. After receiving the re-authentication authorization indication, the AMF deletes the information related to the UAV authentication and authorization failure.
It should be understood that in this embodiment, during or after the registration procedure, the AMF subscribes with the UDM to updates of the UAV authentication and authorization state. After the UAV authentication and authorization state is updated, the core network informs the UE of the update. As an example, this embodiment applies specifically to the scenario where the UE does not deregister from the 3GPP system after the UAV authentication and authorization fails.
In this embodiment of the present application, after the UE's UAV authentication and authorization fails, the update of the UAV authentication and authorization state is provided to the UE through the core network in a timely manner, and the UE can perform re-authentication and authorization according to its own needs based on the state update information provided by the core network. This improves the success rate of UE re-authentication and authorization, and reduces the signaling wasted when the UE sends the core network a request for network resources for UAV operation while the core network does not allow re-authentication and authorization and the request is rejected.
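The gating behaviour of method 500 can be followed in a small model. The sketch below is an added illustration, not part of the application: the class, method and message names are hypothetical, the stored failure result uses the flag form, and the way the UDM state is reset on failure is an assumption.

```python
"""Toy model of method 500: the AMF gates UAV requests on a stored failure flag.

Illustrative only. Names are hypothetical and do not come from 3GPP or the application.
"""


class UDM:
    """Holds the per-UE re-authentication authorization state (S502/S503, S511/S512)."""

    def __init__(self):
        self.reauth_allowed = {}   # ue_id -> bool
        self.subscribers = {}      # ue_id -> list of callbacks

    def subscribe(self, ue_id, callback):
        # S502/S503: the AMF subscribes to state updates for this UE.
        self.subscribers.setdefault(ue_id, []).append(callback)
        self.reauth_allowed.setdefault(ue_id, False)
        return "SubscribeResponse"

    def mark_failure(self, ue_id):
        # Assumption: after a failure the state returns to "not allowed", the
        # default the description gives; how the UDM learns this is not specified.
        self.reauth_allowed[ue_id] = False

    def on_reauth_indication(self, ue_id):
        # S511: indication from the USS/UTM, possibly via the UAS AF/NEF.
        changed = not self.reauth_allowed.get(ue_id, False)
        self.reauth_allowed[ue_id] = True
        if changed:  # S512: notify only when the state actually changes
            for notify in self.subscribers.get(ue_id, []):
                notify(ue_id, True)
        return changed


class AMF:
    def __init__(self, udm):
        self.udm = udm
        self.registered = set()
        self.uuaa_failed = set()   # flag form of the stored failure result
        self.to_ue = []            # (ue_id, message name, payload) sent to UEs

    def register(self, ue_id, aerial_subscription):
        # S501/S504, with S502/S503 performed only for aerial subscriptions.
        self.registered.add(ue_id)
        if aerial_subscription:
            self.udm.subscribe(ue_id, self.on_udm_notify)
        self.to_ue.append((ue_id, "RegistrationResponse", {}))

    def on_uuaa_failure(self, ue_id):
        # S505: the SMF reports the rejection; the UE stays registered.
        self.uuaa_failed.add(ue_id)
        self.udm.mark_failure(ue_id)

    def handle_uav_request(self, ue_id):
        # A request for network resources for UAV operation.
        if ue_id not in self.registered:
            return "reject: not registered"
        if ue_id in self.uuaa_failed:
            return "reject: re-authentication not allowed"
        # Clearing the flag only reopens the gate; the USS/UTM still decides.
        return "forward: start UAV authentication and authorization"

    def on_udm_notify(self, ue_id, allowed):
        # S512 then S513: delete the failure record, then tell the UE.
        if allowed and ue_id in self.uuaa_failed:
            self.uuaa_failed.discard(ue_id)
            self.to_ue.append(
                (ue_id, "ConfigurationUpdateCommand", {"uav_reauth_allowed": True})
            )


def run_method_500():
    """Drive one pass through S501 to S513 for a constructed UE id."""
    udm = UDM()
    amf = AMF(udm)
    amf.register("uav-1", aerial_subscription=True)
    amf.on_uuaa_failure("uav-1")
    before = amf.handle_uav_request("uav-1")   # rejected: wasted signaling
    udm.on_reauth_indication("uav-1")
    udm.on_reauth_indication("uav-1")          # duplicate indication, no new notify
    after = amf.handle_uav_request("uav-1")
    commands = [m for m in amf.to_ue if m[1] == "ConfigurationUpdateCommand"]
    return before, after, commands


if __name__ == "__main__":
    print(run_method_500())
```

The request made before the indication arrives is the rejected case the embodiment aims to avoid, and a repeated indication does not produce a second configuration update command.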
FIG. 6 shows a schematic flowchart of a method 600 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 6, method 600 is as follows.
S601. The UE performs the registration procedure.
The UE registers with the 3GPP system; the specific process is the same as steps S501 and S504 in method 500.
S602. The UE sends a session establishment request to the SMF.
Alternatively, the UE may send a session modification request to the SMF.
S603. The SMF sends a UAV authentication authorization request message to the UAS AF/NEF.
Alternatively, the SMF may send the UAV authentication authorization request message directly to the USS/UTM.
This application does not limit which network device the SMF sends the request message to, or how it sends it.
S604. The UAS AF/NEF forwards the UAV authentication authorization request message to the USS/UTM.
S605. The USS/UTM sends a UAV authentication authorization rejection response message to the UAS AF/NEF.
As an example, the USS/UTM performs authentication and authorization of the UAV and, for some reason, determines that the UAV authentication and authorization has failed. Further, the USS/UTM may include the reason for the failure in the rejection response message. This application does not limit the reasons for authentication and authorization failure.
S606. The UAS AF/NEF forwards the UAV authentication authorization rejection response message to the SMF.
S607. The SMF sends a subscription message to the UDM.
Specifically, after receiving the UAV authentication authorization rejection response, the SMF sends a subscription message to the UDM to subscribe to updates of the UAV re-authentication authorization state. As an example, after receiving the UAV authentication authorization rejection response, the SMF decides to allow the establishment/modification of the session and then sends the subscription message to the UDM.
S608. The UDM sends a subscription response to the SMF, confirming that the subscription has been accepted.
S609. The SMF allows the establishment of the session and sends a session establishment accept response message to the UE.
Alternatively, the SMF allows the modification of the session and sends a session modification accept response message to the UE.
Further, the session establishment/modification accept response message includes an indication that the UAV authentication and authorization has failed.
S610 to S613 are the same as steps S506 to S509 in method 500 and are not repeated here.
S614 to S616 are the same as steps S510 and S511 in method 500 and are not repeated here.
S617. The SMF sends a PDU session update command to the UE.
Specifically, the SMF indicates to the UE through the PDU session update procedure that the UAV may re-authenticate and re-authorize; that is, the PDU session update command includes the UAV re-authentication authorization indication.
Optionally, the SMF deletes the information related to the UAV authentication and authorization failure.
As an example, suppose that after the UE's UAV authentication and authorization fails, the SMF has stored the failure result. The stored result may take the form of an indicator (flag) indicating that the UE's authentication and authorization failed, or that the UE cannot request network resources for UAV operation. It may instead be a timer, before whose expiry the SMF rejects requests sent by the UE for network resources for UAV operation, or it may take some other form. While the SMF holds this result, a request sent by the UE to the AMF for network resources for UAV operation is rejected. After receiving the re-authentication authorization indication, the SMF deletes the information related to the UAV authentication and authorization failure.
Alternatively, as an example, the SMF may notify the AMF that the UAV authentication and authorization has failed, and the AMF sends the UE a configuration update command containing the UAV re-authentication authorization indication. After receiving the configuration update command, the UE can initiate session establishment/modification again as needed and perform authentication and authorization within it.
It should be understood that in this embodiment, during session establishment, the SMF subscribes with the UDM to updates of the UAV authentication and authorization state. After the UAV authentication and authorization state is updated, the core network informs the UE of the update. As an example, this embodiment applies specifically to the scenario where the PDU session is not released after the UAV authentication and authorization fails.
In this embodiment of the present application, after the UE's UAV authentication and authorization fails, the update of the UAV authentication and authorization state is provided to the UE through the core network in a timely manner, and the UE can perform re-authentication and authorization according to its own needs based on the state update information provided by the core network. This improves the success rate of UE re-authentication and authorization, and reduces the signaling wasted when the UE sends the core network a request for network resources for UAV operation while the core network does not allow re-authentication and authorization and the request is rejected.
FIG. 7 shows a schematic flowchart of a method 700 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 7, method 700 is as follows.
S701. The UE performs the registration procedure and then performs UAV authentication and authorization in the PDU session establishment/modification procedure, and the UAV authentication and authorization fails. The specific steps are the same as steps S01 to S606 and S609 in method 600 and are not repeated here.
S702 and S703 are the same as steps S510 and S511 in method 500 and are not repeated here.
S704. The UE initiates a registration request or a service request.
Further, as an example, the request message may include a re-authentication authorization indication, which indicates a request for network resources for UAV operation.
It should be understood that the registration in this step is a mobility registration, whereas the registration in method 500 and method 600 is an initial registration.
S705. The AMF sends a subscription query request message to the UDM, requesting a query of the re-authentication authorization state.
As an example, based on the failure of the terminal device's UAV authentication and authorization and on the registration request or service request received in step S704, the AMF determines that the UE needs to initiate authentication and authorization again after the UAV authentication and authorization failure, and therefore sends the subscription query request message to the UDM. Specifically, the AMF may have stored the UE's previous UAV authentication and authorization failure, and so determines that this registration request or service request is for UAV operation. As an example, the AMF determines from the re-authentication authorization indication included in the request message received in step S704 that the UE needs to initiate authentication and authorization again after the UAV authentication and authorization failure, and therefore sends the subscription query request message to the UDM.
S706. The UDM sends a subscription query response message to the AMF; the query response contains the queried re-authentication authorization state of the UE.
S707. The AMF sends a registration response or a service response to the UE.
As an example, after receiving the registration response or service response, the UE determines that UAV re-authentication and authorization is allowed, or in other words that the UE is allowed to request network resources for UAV operation after the authentication and authorization failure.
As an example, further, if the response indicates that UAV re-authentication and authorization is allowed, the UE can, after receiving the response, initiate session establishment/modification again as needed and perform authentication and authorization within it.
Optionally, the AMF deletes the information related to the UAV authentication and authorization failure. The related example is the same as the example in step S513 of method 500.
Alternatively, as an example, the authentication and authorization may be initiated by the SMF. Specifically, if the re-authentication authorization state indicates that authentication and authorization may be performed again after the UAV authentication and authorization failure, the AMF may send a re-authentication authorization indication to the SMF, and the SMF sends an authentication authorization request to the USS/UTM after receiving the indication.
It should be understood that in this embodiment the USS/UTM proactively configures the UAV re-authentication authorization state in the UDM; the UE initiates a registration request/service request after the UAV authentication and authorization fails; and the AMF queries the UDM for the re-authentication authorization state and then feeds it back to the UE. As an example, this embodiment applies to scenarios where the UE is allowed to query the re-authentication authorization state before it needs to perform re-authentication and authorization.
本申请实施例,在UE的UAV认证授权失败后,通过UE主动获取重认证授权状态,使得UE能够按照自身的需求进行重认证授权,从而提高了UE重认证授权的成功率,也减少了UE在核心网不允许进行重认证授权时向核心网发送为无人机操作请求网络资源的请求时被拒绝而造成的信令浪费。In the embodiment of the present application, after the UAV authentication and authorization of the UE fails, the UE actively obtains the re-authentication and authorization status, so that the UE can perform the re-authentication and authorization according to its own needs, thereby improving the success rate of the UE's re-authentication and authorization, and reducing the UE's re-authentication and authorization. Signal waste caused by the rejection of a request for network resources for UAV operation to be sent to the core network when the core network does not allow re-authentication authorization.
FIG. 8 shows a schematic flowchart of a method 800 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 8, method 800 is as follows.
S801 to S803 are the same as steps S701 to S703 in method 700.
S804: The UE sends a session establishment/modification request message to the SMF.
As an example, further, the request message may include a re-authentication and authorization indication, which is used to indicate that network resources are requested for the UAV operation.
S805: The SMF sends a subscription query request message to the UDM to request a query of the re-authentication and authorization status.
As an example, based on the failure of the terminal device's UAV authentication and authorization and on the registration request or service request received in step S804, the SMF determines that the UE needs to initiate authentication and authorization again after the UAV authentication and authorization failure, and therefore sends the subscription query request message to the UDM. Specifically, for example, the SMF may have stored the UE's previous UAV authentication and authorization failure, and thereby determines that this registration request or service request is for the UAV operation.
S806: The UDM sends a subscription query response message to the SMF; the query response contains the queried re-authentication and authorization status of the UE.
S807: The SMF sends a session modification command to the UE.
As an example, after receiving the session modification command, the UE determines that UAV re-authentication and authorization is allowed, in other words that the UE is allowed to request network resources for the UAV operation after the authentication and authorization failure. The UE may then, after receiving the session modification command, initiate session establishment/modification again as needed and perform authentication and authorization within it.
As an example, further, the session modification command may include the re-authentication and authorization status.
It should be understood that there are two possible statuses here: the UE is allowed to perform re-authentication and authorization, or the UE is not allowed to perform re-authentication and authorization. If the re-authentication and authorization status received by the UE is that the UE is allowed to perform re-authentication and authorization, the UE may, after receiving the session modification command, initiate session establishment/modification again as needed and perform authentication and authorization within it.
Optionally, the SMF deletes the information related to the UAV authentication and authorization failure. The related example is the same as the example in step S617 of method 600.
Alternatively, as an example, the authentication and authorization may also be initiated by the SMF. Specifically, if the re-authentication and authorization status indicates that authentication and authorization can be performed again after the UAV authentication and authorization failure, the AMF may send a re-authentication and authorization indication to the SMF, and the SMF sends an authentication and authorization request to the USS/UTM after receiving the indication.
It should be understood that in this embodiment the USS/UTM proactively configures the UAV re-authentication and authorization status into the UDM, the UE initiates a registration request/service request after the UAV authentication and authorization failure, and the SMF queries the UDM for the re-authentication and authorization status and then feeds it back to the UE. As an example, this embodiment is applicable to scenarios in which the UE is allowed to query the re-authentication and authorization status before it needs to perform re-authentication and authorization.
In this embodiment of the present application, after the UE's UAV authentication and authorization fails, the UE actively obtains the re-authentication and authorization status, so that the UE can perform re-authentication and authorization according to its own needs. This improves the success rate of the UE's re-authentication and authorization, and also reduces the signaling waste caused when a request sent by the UE to the core network for network resources for UAV operation is rejected because the core network does not allow re-authentication and authorization.
FIG. 9 shows a schematic flowchart of a method 900 for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 9, method 900 is as follows.
S901: The same as step S701 in method 700.
S902: The USS/UTM sends to the AMF an indication that UAV re-authentication and authorization is allowed.
It should be understood that, in an implementation, the path between the USS/UTM and the AMF/SMF may pass through multiple network devices, such as the UDM and the UAS AF/NEF mentioned in this application, or the transmission may be direct; this application does not limit this.
Alternatively, more simply and directly, the USS/UTM may send the indication directly to the UE.
S903: After receiving the indication that UAV re-authentication and authorization is allowed, the AMF/SMF indicates to the UE that re-authentication and authorization is allowed.
For the AMF scenario, as an example, the indication is carried in a configuration update command message; for the SMF scenario, as an example, the indication is carried in a PDU session update command message. If the re-authentication and authorization status indicates that authentication and authorization can be performed again after the UAV authentication and authorization failure, the UE may, after receiving it, initiate session establishment/modification again as needed and perform authentication and authorization within it.
Optionally, the AMF/SMF deletes the information related to the UAV authentication and authorization failure.
As an example, after the UE's UAV authentication and authorization fails, the AMF/SMF may have stored the result of the UAV authentication and authorization failure. The stored result may take the form of an indicator (flag), which indicates that the UE's authentication and authorization failed or that the UE cannot request network resources for the UAV operation; or it may be a timer, where the AMF/SMF rejects requests sent by the UE for network resources for the UAV operation until the timer stops; or it may take another form. When the AMF/SMF has stored this result, a request sent by the UE to the AMF/SMF for network resources for the UAV operation is rejected. After receiving the indication that re-authentication and authorization is allowed, the AMF/SMF deletes the information related to the UAV authentication and authorization failure.
In this embodiment of the present application, the USS/UTM sends the indication that re-authentication and authorization is allowed to the core network, which in turn sends it to the UE, so the UE obtains the re-authentication and authorization status simply and directly. This enables the UE to perform re-authentication and authorization according to its own needs, which improves the success rate of the UE's re-authentication and authorization and also reduces the signaling waste caused when a request sent by the UE to the core network for network resources for UAV operation is rejected because the core network does not allow re-authentication and authorization.
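The gating behaviour that methods 700 to 900 describe at the AMF/SMF can be modelled as follows. This is an added Python example, not part of the patent text; all class, method and constant names are hypothetical, and treating a UE with no status configured in the UDM as "not allowed" is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ALLOWED = "re-auth-allowed"
NOT_ALLOWED = "re-auth-not-allowed"


@dataclass
class FailureRecord:
    """Stored UAV authentication/authorization failure: a flag or a timer."""
    timer_expiry: Optional[float] = None  # None means a plain flag

    def blocks(self, now: float) -> bool:
        # A flag blocks until it is deleted; a timer blocks until it stops.
        return True if self.timer_expiry is None else now < self.timer_expiry


class Udm:
    """Holds the re-authentication status that the USS/UTM configures."""

    def __init__(self) -> None:
        self._status: Dict[str, str] = {}

    def configure(self, ue_id: str, status: str) -> None:
        self._status[ue_id] = status

    def query(self, ue_id: str) -> str:
        # Assumption of this example: no configured status means not allowed.
        return self._status.get(ue_id, NOT_ALLOWED)


class AccessFunction:
    """Plays the AMF or SMF role toward one or more UEs."""

    def __init__(self, udm: Udm) -> None:
        self.udm = udm
        self.failures: Dict[str, FailureRecord] = {}

    def record_failure(self, ue_id: str, now: float,
                       hold_seconds: Optional[float] = None) -> None:
        expiry = None if hold_seconds is None else now + hold_seconds
        self.failures[ue_id] = FailureRecord(timer_expiry=expiry)

    def request_uav_resources(self, ue_id: str, now: float) -> str:
        record = self.failures.get(ue_id)
        if record is not None and record.blocks(now):
            return "rejected"
        return "proceed"  # request goes on to authentication/authorization

    def query_reauth_status(self, ue_id: str) -> str:
        """Methods 700/800: query the UDM and answer the UE."""
        status = self.udm.query(ue_id)
        if status == ALLOWED:
            self.failures.pop(ue_id, None)  # optional deletion step
        return status

    def on_reauth_indication(self, ue_id: str) -> str:
        """Method 900: indication pushed by the USS/UTM, forwarded to the UE."""
        self.failures.pop(ue_id, None)  # delete flag / stop timer
        return ALLOWED


def run_demo() -> List[str]:
    """Constructed scenario with two made-up UE identifiers."""
    udm = Udm()
    amf = AccessFunction(udm)
    t = 1000.0
    out = []
    # Query path: failure stored as a 600-second timer.
    amf.record_failure("uav-001", now=t, hold_seconds=600)
    out.append(amf.request_uav_resources("uav-001", now=t + 1))
    out.append(amf.query_reauth_status("uav-001"))
    out.append(amf.request_uav_resources("uav-001", now=t + 3))
    udm.configure("uav-001", ALLOWED)  # USS/UTM configures the UDM
    out.append(amf.query_reauth_status("uav-001"))
    out.append(amf.request_uav_resources("uav-001", now=t + 5))
    # Push path: failure stored as a flag, cleared by the indication.
    smf = AccessFunction(udm)
    smf.record_failure("uav-002", now=t)
    out.append(smf.request_uav_resources("uav-002", now=t + 10_000))
    out.append(smf.on_reauth_indication("uav-002"))
    out.append(smf.request_uav_resources("uav-002", now=t + 10_001))
    return out


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The failure record is the only thing standing between a failed UE and a new request, so in this model it is cleared only by an "allowed" status from the UDM or by the pushed indication, never by the UE's own request.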
The methods provided by the embodiments of the present application are described in detail above with reference to FIG. 4 to FIG. 9. The apparatuses provided by the embodiments of the present application are described in detail below with reference to FIG. 10 and FIG. 11.
FIG. 10 is a schematic block diagram of a communication apparatus for authentication and authorization provided by an embodiment of the present application. As shown in FIG. 10, the communication apparatus 10 may include a transceiver module 11 and a processing module 12.
The transceiver module 11 may be used to receive information sent by other apparatuses and to send information to other apparatuses, for example, to receive the second indication information or send the first indication information. The processing module 12 may be used to perform content processing of the apparatus, for example, to determine that the authentication and authorization of the terminal device has failed.
In a possible design, the communication apparatus 10 may correspond to the terminal device in the above method embodiments.
Specifically, the communication apparatus 10 may correspond to the terminal device in any one of methods 400 to 900 according to the embodiments of the present application. The communication apparatus 10 may include modules for performing the operations performed by the terminal device in the corresponding method, and the units in the communication apparatus 10 are respectively used to implement the operations performed by the terminal device in the corresponding method.
Exemplarily, when the communication apparatus 10 corresponds to the terminal device in method 400, the transceiver module 11 is configured to perform step S403, and the processing module 12 is configured to instruct step S401.
Exemplarily, when the communication apparatus 10 corresponds to the UE in method 500, the transceiver module 11 is configured to perform steps S501, S504, and S513, and the processing module 12 is configured to perform step S505.
Exemplarily, when the communication apparatus 10 corresponds to the UE in method 600, the transceiver module 11 is configured to perform steps S602, S609, and S617, and the processing module 12 is configured to perform step S601.
Exemplarily, when the communication apparatus 10 corresponds to the UE in method 700, the transceiver module 11 is configured to perform steps S704 and S707, and the processing module 12 is configured to perform step S701.
Exemplarily, when the communication apparatus 10 corresponds to the UE in method 800, the transceiver module 11 is configured to perform steps S804 and S807, and the processing module 12 is configured to perform step S801.
Exemplarily, when the communication apparatus 10 corresponds to the UE in method 900, the transceiver module 11 is configured to perform step S903, and the processing module 12 is configured to perform step S901.
Specifically, the processing module 12 is configured to determine that the authentication and authorization of the terminal device has failed; the transceiver module 11 is configured to receive second indication information from the first network device, where the second indication information indicates that the terminal device can request a network resource, and the network resource is used for the terminal device to communicate with another terminal device in the same system.
The transceiver module 11 is further configured to send a third request message to the first network device, where the third request message requests the network resource.
The third request message includes third indication information, which indicates that the terminal device requests to obtain the authentication and authorization status, where the authentication and authorization status is whether the terminal device can request the network resource.
The processing module 12 is further configured to stop a second timer according to the second indication information, where the terminal device cannot request the network resource before the second timer stops.
The terminal device is an unmanned aerial vehicle (UAV).
In a possible design, the communication apparatus 10 may correspond to the first network device, the AMF, or the SMF in the above method embodiments.
Specifically, the communication apparatus 10 may correspond to the first network device, the AMF, or the SMF in any one of methods 400 to 900 according to the embodiments of the present application. The communication apparatus 10 may include modules for performing the operations performed by the first network device, the AMF, or the SMF in the corresponding method, and the units in the communication apparatus 10 are respectively used to implement the operations performed by the first network device, the AMF, or the SMF in the corresponding method.
Exemplarily, when the communication apparatus 10 corresponds to the first network device in method 400, the transceiver module 11 is configured to perform step S402a or S402b, and the processing module 12 is configured to instruct step S401.
Exemplarily, when the communication apparatus 10 corresponds to the AMF in method 500, the transceiver module 11 is configured to perform steps S501, S502, S503, S504, S512, and S513, and the processing module 12 is configured to perform step S505.
Exemplarily, when the communication apparatus 10 corresponds to the SMF in method 600, the transceiver module 11 is configured to perform steps S602, S603, S606, S607, S608, S609, S606, and S617, and the processing module 12 is configured to perform step S601.
Exemplarily, when the communication apparatus 10 corresponds to the AMF in method 700, the transceiver module 11 is configured to perform steps S704, S705, S706, and S707, and the processing module 12 is configured to perform step S701.
Exemplarily, when the communication apparatus 10 corresponds to the SMF in method 800, the transceiver module 11 is configured to perform steps S804, S805, S806, and S807, and the processing module 12 is configured to perform step S801.
Exemplarily, when the communication apparatus 10 corresponds to the AMF or SMF in method 900, the transceiver module 11 is configured to perform step S903, and the processing module 12 is configured to perform step S901.
Specifically, the processing module 12 is configured to determine that the authentication and authorization of the terminal device has failed; the transceiver module 11 is configured to receive first indication information, where the first indication information indicates that the terminal device can request a network resource, and the network resource is used for the terminal device to communicate with another terminal device in the same system; the transceiver module 11 is further configured to send second indication information to the terminal device according to the first indication information, where the second indication information indicates that the terminal device can request the network resource.
The transceiver module 11 is further configured to send a first request message to the second network device, where the first request message subscribes to changes of the authentication and authorization status, or the first request message queries the authentication and authorization status; the authentication and authorization status is whether the terminal device can request the network resource.
The transceiver module 11 is further configured to receive a third request message from the terminal device, where the third request message requests the network resource. The third request message includes third indication information, which indicates that the terminal device requests to obtain the authentication and authorization status.
The processing module 12 is further configured to delete first information according to the first indication information, where the first information is stored by the first network device and indicates at least one of the following: the authentication and authorization of the terminal device has failed, or the terminal device cannot request the network resource.
The processing module 12 is further configured to stop a first timer according to the first indication information, where, before the first timer stops, the first network device rejects second information from the terminal device, the second information requesting the network resource.
The transceiver module 11 is further configured to send a fourth request message to the second network device or the third network device according to the third request message, where the fourth request message requests that authentication and authorization be performed on the terminal device.
The terminal device is an unmanned aerial vehicle (UAV).
In a possible design, the communication apparatus 10 may correspond to the second network device or the UDM in the above method embodiments.
Specifically, the communication apparatus 10 may correspond to the second network device or the UDM in any one of methods 400 to 800 according to the embodiments of the present application. The communication apparatus 10 may include modules for performing the operations performed by the second network device or the UDM in the corresponding method, and the units in the communication apparatus 10 are respectively used to implement the operations performed by the second network device or the UDM in the corresponding method.
Exemplarily, when the communication apparatus 10 corresponds to the second network device in method 400, the transceiver module 11 is configured to perform step S402a, and the processing module 12 is configured to instruct step S401.
Exemplarily, when the communication apparatus 10 corresponds to the UDM in method 500, the transceiver module 11 is configured to perform steps S502, S503, S506, S509, S510, S511, and S512, and the processing module 12 is configured to perform step S505.
Exemplarily, when the communication apparatus 10 corresponds to the UDM in method 600, the transceiver module 11 is configured to perform steps S607, S608, S610, S613, S615, and S616, and the processing module 12 is configured to perform step S601.
Exemplarily, when the communication apparatus 10 corresponds to the UDM in method 700, the transceiver module 11 is configured to perform steps S703, S705, S705, and S706, and the processing module 12 is configured to perform step S701.
Exemplarily, when the communication apparatus 10 corresponds to the UDM in method 800, the transceiver module 11 is configured to perform steps S803, S805, S806, and S807, and the processing module 12 is configured to perform step S801.
Specifically, the transceiver module 11 is configured to receive fourth indication information, where the fourth indication information indicates that the terminal device can request a network resource, and the network resource is used for the terminal device to communicate with another terminal device in the same system; the transceiver module 11 is further configured to send first indication information to the first network device, where the first indication information indicates that the terminal device can request the network resource.
The transceiver module 11 is further configured to receive a first request message from the first network device, where the first request message subscribes to changes of the authentication and authorization status, the authentication and authorization status being whether the terminal device can request the network resource; or the first request message queries the authentication and authorization status, the authentication and authorization status being whether the terminal device can request the network resource.
The transceiver module 11 is further configured to send a fifth request message to the third network device, where the fifth request message subscribes to changes of the authentication and authorization status, or the fifth request message queries the authentication and authorization status.
The terminal device is an unmanned aerial vehicle (UAV).
在一种可能的设计中,该通信装置10可对应于上述方法实施例中的第三网络设备或UAS AF或NEF或USS或UTM。In a possible design, the communication apparatus 10 may correspond to the third network equipment or UAS AF or NEF or USS or UTM in the above method embodiment.
具体地,该通信装置10可对应于根据本申请实施例的方法400至方法900中任一方法中的第三网络设备或UAS AF或NEF或USS或UTM,该通信装置10可以包括用于执行相应方法中由第三网络设备或UAS AF或NEF或USS或UTM所执行的操作的模块,并且,该通信装置10中的各单元分别为了实现相应方法中由第三网络设备或UAS AF或NEF或USS或UTM所执行的操作。Specifically, the communication apparatus 10 may correspond to the third network device or UAS AF or NEF or USS or UTM in any one of the methods 400 to 900 according to the embodiments of the present application, and the communication apparatus 10 may include a device for executing Modules of operations performed by the third network device or UAS AF or NEF or USS or UTM in the corresponding method, and each unit in the communication device 10 is respectively implemented by the third network device or UAS AF or NEF in the corresponding method. Or what USS or UTM does.
示例性的,在该通信装置10对应于方法400中的第三网络设备时,收发模块11用于执行步骤S402b,处理模块12用于指示步骤S401。Exemplarily, when the communication apparatus 10 corresponds to the third network device in the method 400, the transceiver module 11 is configured to execute step S402b, and the processing module 12 is configured to instruct step S401.
示例性的,在该通信装置10对应于方法500中的UAS AF或NEF时,收发模块11用于执行步骤S506、S507、S508、S509、S510、S511,处理模块12用于执行步骤S505。Exemplarily, when the communication device 10 corresponds to the UAS AF or NEF in the method 500, the transceiver module 11 is configured to execute steps S506, S507, S508, S509, S510, and S511, and the processing module 12 is configured to execute step S505.
示例性的,在该通信装置10对应于方法500中的USS或UTM时,收发模块11用于执行步骤S507、S508、S510,处理模块12用于执行步骤S505。Exemplarily, when the communication device 10 corresponds to USS or UTM in the method 500, the transceiver module 11 is configured to perform steps S507, S508, and S510, and the processing module 12 is configured to perform step S505.
示例性的,在该通信装置10对应于方法600中的UAS AF或NEF时,收发模块11用于执行步骤S603、S604、S605、S606、S610、S611、S612、S613、S614、S615。Exemplarily, when the communication device 10 corresponds to the UAS AF or NEF in the method 600, the transceiver module 11 is configured to perform steps S603, S604, S605, S606, S610, S611, S612, S613, S614, and S615.
示例性的,在该通信装置10对应于方法600中的USS或UTM时,收发模块11用于执行步骤S604、S605、S611、S612、S614。Exemplarily, when the communication device 10 corresponds to the USS or UTM in the method 600, the transceiver module 11 is configured to perform steps S604, S605, S611, S612, and S614.
Exemplarily, when the communication device 10 corresponds to the UAS AF or the NEF in method 700, the transceiver module 11 is configured to perform steps S702 and S703, and the processing module 12 is configured to perform step S701.
Exemplarily, when the communication device 10 corresponds to the USS or the UTM in method 700, the transceiver module 11 is configured to perform step S702, and the processing module 12 is configured to perform step S701.
Exemplarily, when the communication device 10 corresponds to the UAS AF or the NEF in method 800, the transceiver module 11 is configured to perform steps S802 and S803, and the processing module 12 is configured to perform step S801.
Exemplarily, when the communication device 10 corresponds to the USS or the UTM in method 800, the transceiver module 11 is configured to perform step S802, and the processing module 12 is configured to perform step S801.
Exemplarily, when the communication device 10 corresponds to the USS or the UTM in method 900, the transceiver module 11 is configured to perform step S902, and the processing module 12 is configured to perform step S901.
Specifically, the processing module 12 is configured to determine that authentication and authorization of the terminal device has failed. The processing module 12 is further configured to determine fifth indication information, where the fifth indication information indicates that the terminal device can request a network resource, and the network resource is used by the terminal device to communicate with another terminal device in the same system. The transceiver module 11 is configured to send the fifth indication information.
The transceiver module 12 is further configured to receive a sixth request message, where the sixth request message subscribes to changes of an authentication and authorization state, the authentication and authorization state being whether the terminal device can request the network resource; or the sixth request message queries the authentication and authorization state.
The terminal device is an unmanned aerial vehicle.
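As an added illustration (not code from the application), the following Python sketch models the subscribe/query handling described above for the USS/UTM side, together with the failure record and first timer that the application's claims attribute to the first network device. Class and method names, the 300-second back-off, the returned strings, the mapping of the relay role to the UAS AF/NEF, and the rule that timer expiry also lifts the block are assumptions.

```python
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

Notify = Callable[[str, bool], None]


class ThirdNetworkDevice:
    """USS/UTM role: holds the authentication-authorization state per terminal."""

    def __init__(self) -> None:
        self._can_request: Dict[str, bool] = {}
        self._subscribers: Dict[str, List[Notify]] = {}

    def subscribe(self, ue_id: str, callback: Notify) -> None:
        # Sixth request message, subscribe form.
        self._subscribers.setdefault(ue_id, []).append(callback)

    def query(self, ue_id: str) -> Optional[bool]:
        # Sixth request message, query form. None means no state is held.
        return self._can_request.get(ue_id)

    def record_failure(self, ue_id: str) -> None:
        self._set(ue_id, False)

    def allow_requests(self, ue_id: str) -> None:
        # Determine and send the fifth indication information.
        self._set(ue_id, True)

    def _set(self, ue_id: str, value: bool) -> None:
        changed = self._can_request.get(ue_id) != value
        self._can_request[ue_id] = value
        if changed:  # subscribers are told about state changes only
            for callback in list(self._subscribers.get(ue_id, [])):
                callback(ue_id, value)


class SecondNetworkDevice:
    """Relay role (assumed here to be the UAS AF or NEF)."""

    def __init__(self, upstream: ThirdNetworkDevice) -> None:
        self._upstream = upstream

    def subscribe(self, ue_id: str, callback: Notify) -> None:
        # First request message in, fifth request message out; the forwarded
        # callback turns the fourth indication into the first indication.
        self._upstream.subscribe(ue_id, lambda ue, ok: callback(ue, ok))

    def query(self, ue_id: str) -> Optional[bool]:
        return self._upstream.query(ue_id)


class FirstNetworkDevice:
    """Gates resource requests from a terminal whose authorization failed."""

    def __init__(self, upstream: SecondNetworkDevice, backoff_s: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._upstream = upstream
        self._backoff_s = backoff_s
        self._clock = clock
        self._subscribed: Set[str] = set()
        self.blocked: Dict[str, float] = {}  # first information + timer expiry
        self.sent_to_ue: List[Tuple[str, str]] = []

    def on_auth_failure(self, ue_id: str) -> None:
        self.blocked[ue_id] = self._clock() + self._backoff_s
        if ue_id not in self._subscribed:  # one subscription per terminal
            self._subscribed.add(ue_id)
            self._upstream.subscribe(ue_id, self.on_first_indication)

    def on_first_indication(self, ue_id: str, can_request: bool) -> None:
        if not can_request:
            return
        # Delete the failure record and stop the timer. Terminals that were
        # never blocked get no second indication.
        if self.blocked.pop(ue_id, None) is not None:
            self.sent_to_ue.append((ue_id, "second_indication"))

    def handle_resource_request(self, ue_id: str) -> str:
        expiry = self.blocked.get(ue_id)
        if expiry is not None and self._clock() < expiry:
            return "rejected"
        self.blocked.pop(ue_id, None)
        # The indication only lifts the block: the request still triggers a
        # fresh authentication and authorization run, never a direct grant.
        return "start_authentication"
```
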
FIG. 11 is a schematic diagram of an information transmission apparatus 20 according to an embodiment of this application.
In a possible design, the apparatus 20 may be a terminal device, including various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices, or other processing devices connected to a wireless modem, as well as various forms of terminals, mobile stations, terminals, user equipment, soft terminals, and so on; it may also be a chip or a chip system located in the terminal device.
In a possible design, the apparatus 20 may be an AMF, an SMF or an MME, including various devices for mobility management and access management and/or for session management functions; it may also be a chip or a chip system located in the AMF, SMF or MME.
In a possible design, the apparatus 20 may be a UDM, including various devices that handle user identification, access authentication, registration, or mobility management; it may also be a chip or a chip system located in the UDM.
In a possible design, the apparatus 20 may be a UAS AF or an NEF, or a chip or a chip system located in the UAS AF or NEF.
In a possible design, the apparatus 20 may be a USS or a UTM, or a chip or a chip system located in the USS or UTM.
The apparatus 20 may include a processor 21 (that is, an example of a processing module) and a memory 22. The memory 22 is configured to store instructions, and the processor 21 is configured to execute the instructions stored in the memory 22, so that the apparatus 20 implements the steps performed by the device in the various possible designs described above in the methods corresponding to FIG. 4 to FIG. 9.
Further, the apparatus 20 may also include an input port 23 (that is, an example of a transceiver module) and an output port 24 (that is, another example of a transceiver module). The processor 21, the memory 22, the input port 23 and the output port 24 can communicate with each other through an internal connection path to transfer control and/or data signals. The memory 22 is configured to store a computer program, and the processor 21 may call and run the computer program from the memory 22 to control the input port 23 to receive signals and the output port 24 to send signals, thereby completing the steps of the terminal device in the above methods. The memory 22 may be integrated in the processor 21 or may be provided separately from the processor 21.
Optionally, if the information transmission apparatus 20 is a communication device, the input port 23 is a receiver and the output port 24 is a transmitter. The receiver and the transmitter may be the same physical entity or different physical entities. When they are the same physical entity, they may be collectively referred to as a transceiver.
Optionally, if the apparatus 20 is a chip or a circuit, the input port 23 is an input interface and the output port 24 is an output interface.
As one implementation, the functions of the input port 23 and the output port 34 may be implemented by a transceiver circuit or a dedicated transceiver chip. The processor 21 may be implemented by a dedicated processing chip, a processing circuit, a processor, or a general-purpose chip.
As another implementation, a general-purpose computer may be used to implement the device provided by the embodiments of this application. That is, program code that implements the functions of the processor 21, the input port 23 and the output port 24 is stored in the memory 22, and a general-purpose processor implements the functions of the processor 21, the input port 23 and the output port 24 by executing the code in the memory 22.
Each module or unit in the apparatus 20 may be used to perform the actions or processing performed by the device performing random access (for example, a terminal device) in the above methods; to avoid repetition, a detailed description is omitted here.
For the concepts, explanations, detailed descriptions and other steps of the apparatus 20 that relate to the technical solutions provided by the embodiments of this application, refer to the descriptions in the foregoing methods or other embodiments; they are not repeated here.
It should be understood that, in the embodiments of this application, the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
It should also be understood that the memory in the embodiments of this application may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), or flash memory. The volatile memory may be random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center in a wired (for example, infrared, wireless, microwave) manner. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that contains one or more sets of available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium. The semiconductor medium may be a solid-state drive.
It should be understood that the term "and/or" in this document only describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
It should be understood that, in the various embodiments of this application, the sequence numbers of the above processes do not imply an order of execution. The order in which the processes are executed should be determined by their functions and internal logic, and the sequence numbers should not limit the implementation of the embodiments of this application in any way.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here. In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk, or an optical disc.
The above are only specific implementations of this application, but the protection scope of this application is not limited to them. Any change or replacement that a person skilled in the art could readily think of within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (46)

  1. A method for authentication and authorization, comprising:
    determining, by a first network device, that authentication and authorization of a terminal device has failed;
    receiving, by the first network device, first indication information, where the first indication information indicates that the terminal device can request a network resource, and the network resource is used by the terminal device to communicate with another terminal device in the same system;
    sending, by the first network device, second indication information to the terminal device according to the first indication information, where the second indication information indicates that the terminal device can request the network resource.
  2. The method according to claim 1, wherein the method further comprises:
    sending, by the first network device, a first request message to a second network device, where the first request message subscribes to changes of an authentication and authorization state;
    or, the first request message queries the authentication and authorization state;
    wherein the authentication and authorization state is whether the terminal device can request the network resource.
  3. The method according to claim 1 or 2, wherein the method further comprises:
    receiving, by the first network device, a third request message from the terminal device, where the third request message requests the network resource.
  4. The method according to claim 3, wherein the method further comprises:
    the third request message includes third indication information, where the third indication information indicates that the terminal device requests to obtain the authentication and authorization state.
  5. The method according to any one of claims 1 to 4, wherein the method further comprises:
    deleting, by the first network device, first information according to the first indication information,
    wherein the first information is stored by the first network device, and the first information indicates at least one of the following: authentication and authorization of the terminal device has failed, or the terminal device cannot request the network resource.
  6. The method according to any one of claims 1 to 5, wherein the method further comprises:
    stopping, by the first network device, a first timer according to the first indication information, wherein before the first timer is stopped, the first network device rejects second information from the terminal device, and the second information requests the network resource.
  7. The method according to claim 3, wherein the method further comprises:
    sending, by the first network device, a fourth request message to a second network device or a third network device according to the third request message, where the fourth request message requests that authentication and authorization be performed on the terminal device.
  8. The method according to any one of claims 1 to 7, wherein the terminal device is an unmanned aerial vehicle.
  9. A method for authentication and authorization, comprising:
    determining, by a terminal device, that authentication and authorization of the terminal device has failed;
    receiving, by the terminal device, second indication information from a first network device, where the second indication information indicates that the terminal device can request a network resource, and the network resource is used by the terminal device to communicate with another terminal device in the same system.
  10. The method according to claim 9, wherein the method further comprises:
    sending, by the terminal device, a third request message to the first network device, where the third request message requests the network resource.
  11. The method according to claim 10, wherein the third request message includes third indication information, the third indication information indicates that the terminal device requests to obtain an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
  12. The method according to any one of claims 9 to 11, wherein the method further comprises:
    stopping, by the terminal device, a second timer according to the second indication information, wherein before the second timer is stopped, the terminal device cannot request the network resource.
  13. The method according to any one of claims 9 to 12, wherein the terminal device is an unmanned aerial vehicle.
  14. A method for authentication and authorization, comprising:
    receiving, by a second network device, fourth indication information, where the fourth indication information indicates that a terminal device can request a network resource, and the network resource is used by the terminal device to communicate with another terminal device in the same system;
    sending, by the second network device, first indication information to a first network device, where the first indication information indicates that the terminal device can request the network resource.
  15. The method according to claim 14, wherein the method further comprises:
    receiving, by the second network device, a first request message from the first network device, where the first request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource;
    or, the first request message queries an authentication and authorization state, where the authentication and authorization state is whether the terminal device can request the network resource.
  16. The method according to claim 15, wherein the method further comprises:
    sending, by the second network device, a fifth request message to a third network device, where the fifth request message subscribes to changes of the authentication and authorization state;
    or, the fifth request message queries the authentication and authorization state.
  17. The method according to any one of claims 14 to 16, wherein the terminal device is an unmanned aerial vehicle.
  18. A method for authentication and authorization, comprising:
    determining, by a third network device, that authentication and authorization of a terminal device has failed;
    determining, by the third network device, fifth indication information, where the fifth indication information indicates that the terminal device can request a network resource, and the network resource is used by the terminal device to communicate with another terminal device in the same system;
    sending, by the third network device, the fifth indication information.
  19. The method according to claim 18, wherein the method further comprises:
    receiving, by the third network device, a sixth request message, where the sixth request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource;
    or, the sixth request message queries the authentication and authorization state.
  20. The method according to claim 18 or 19, wherein the terminal device is an unmanned aerial vehicle.
  21. An apparatus for authentication and authorization, comprising:
    a processing module, configured to determine that authentication and authorization of a terminal device has failed;
    a transceiver module, configured to receive first indication information, where the first indication information indicates that the terminal device can request a network resource, and the network resource is used by the terminal device to communicate with another terminal device in the same system;
    the transceiver module being further configured to send second indication information to the terminal device according to the first indication information, where the second indication information indicates that the terminal device can request the network resource.
  22. The apparatus according to claim 21, wherein the transceiver module is further configured to:
    send a first request message to a second network device, where the first request message subscribes to changes of an authentication and authorization state;
    or, the first request message queries the authentication and authorization state;
    wherein the authentication and authorization state is whether the terminal device can request the network resource.
  23. The apparatus according to claim 21 or 22, wherein the transceiver module is further configured to:
    receive a third request message from the terminal device, where the third request message requests the network resource.
  24. The apparatus according to claim 23, wherein
    the third request message includes third indication information, where the third indication information indicates that the terminal device requests to obtain the authentication and authorization state.
  25. The apparatus according to any one of claims 21 to 24, wherein the processing module is further configured to:
    delete first information according to the first indication information,
    wherein the first information is stored by the first network device, and the first information indicates at least one of the following: authentication and authorization of the terminal device has failed, or the terminal device cannot request the network resource.
  26. The apparatus according to any one of claims 21 to 25, wherein the processing module is further configured to:
    stop a first timer according to the first indication information, wherein before the first timer is stopped, the first network device rejects second information from the terminal device, and the second information requests the network resource.
  27. The apparatus according to claim 23, wherein the transceiver module is further configured to:
    send a fourth request message to a second network device or a third network device according to the third request message, where the fourth request message requests that authentication and authorization be performed on the terminal device.
  28. The apparatus according to any one of claims 21 to 27, wherein the terminal device is an unmanned aerial vehicle.
  29. An apparatus for authentication and authorization, comprising:
    a processing module, configured to determine that authentication and authorization of the terminal device has failed;
    a transceiver module, configured to receive second indication information from a first network device, where the second indication information indicates that the terminal device can request a network resource, and the network resource is used by the terminal device to communicate with another terminal device in the same system.
  30. The apparatus according to claim 29, wherein the transceiver module is further configured to:
    send a third request message to the first network device, where the third request message requests the network resource.
  31. The apparatus according to claim 30, wherein the third request message includes third indication information, the third indication information indicates that the terminal device requests to obtain an authentication and authorization state, and the authentication and authorization state is whether the terminal device can request the network resource.
  32. The apparatus according to any one of claims 29 to 31, wherein the processing module is further configured to:
    stop a second timer according to the second indication information, wherein before the second timer is stopped, the terminal device cannot request the network resource.
  33. The apparatus according to any one of claims 29 to 32, wherein the terminal device is an unmanned aerial vehicle.
  34. 一种认证授权的装置,其特征在于,包括:A device for authentication and authorization, comprising:
    收发模块,用于接收第四指示信息,所述第四指示信息指示终端设备能够请求网络资源,所述网络资源用于所述终端设备与同一个系统中的另一个终端设备通信;a transceiver module, configured to receive fourth indication information, where the fourth indication information indicates that the terminal device can request network resources, and the network resources are used for the terminal device to communicate with another terminal device in the same system;
    所述收发模块,还用于向第一网络设备发送第一指示信息,所述第一指示信息指示所述终端设备能够请求所述网络资源。The transceiver module is further configured to send first indication information to the first network device, where the first indication information indicates that the terminal device can request the network resource.
  35. The apparatus according to claim 34, wherein the transceiver module is further configured to:
    receive a first request message from the first network device, wherein the first request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device is able to request the network resource;
    or, the first request message queries an authentication and authorization state, and the authentication and authorization state is whether the terminal device is able to request the network resource.
  36. The apparatus according to claim 35, wherein the transceiver module is further configured to:
    send a fifth request message to a third network device, wherein the fifth request message subscribes to changes of the authentication and authorization state;
    or, the fifth request message queries the authentication and authorization state.
  37. The apparatus according to any one of claims 34 to 36, wherein the terminal device is an unmanned aerial vehicle.
  38. An apparatus for authentication and authorization, comprising:
    a processing module, configured to determine that authentication and authorization of a terminal device fails;
    wherein the processing module is further configured to determine fifth indication information, the fifth indication information indicates that the terminal device is able to request a network resource, and the network resource is used for the terminal device to communicate with another terminal device in the same system; and
    a transceiver module, configured to send the fifth indication information.
  39. The apparatus according to claim 38, wherein the transceiver module is further configured to:
    receive a sixth request message, wherein the sixth request message subscribes to changes of an authentication and authorization state, and the authentication and authorization state is whether the terminal device is able to request the network resource;
    or, the sixth request message queries the authentication and authorization state.
  40. The apparatus according to claim 38 or 39, wherein the terminal device is an unmanned aerial vehicle.
  41. A communication apparatus, comprising:
    a processor and a memory;
    the memory being configured to store a computer program;
    the processor being configured to execute the computer program stored in the memory, so that the communication apparatus performs the communication method according to any one of claims 1 to 8, or performs the communication method according to any one of claims 9 to 13, or performs the communication method according to any one of claims 14 to 17, or performs the communication method according to any one of claims 18 to 20.
  42. A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program runs on a computer, the computer is caused to perform the communication method according to any one of claims 1 to 8, or perform the communication method according to any one of claims 9 to 13, or perform the communication method according to any one of claims 14 to 17, or perform the communication method according to any one of claims 18 to 20.
  43. A chip system, comprising: a processor, configured to call a computer program from a memory and run the computer program, so that a communication device on which the chip system is installed performs the communication method according to any one of claims 1 to 8, or performs the communication method according to any one of claims 9 to 13, or performs the communication method according to any one of claims 14 to 17, or performs the communication method according to any one of claims 18 to 20.
  44. A communication system, wherein the communication system comprises a terminal device and a third network device, the terminal device is configured to perform the method according to any one of claims 9 to 13, and the third network device is configured to perform the method according to any one of claims 18 to 20.
  45. A communication system, wherein the communication system comprises a terminal device, a third network device and a first network device, the terminal device is configured to perform the method according to any one of claims 9 to 13, the third network device is configured to perform the method according to any one of claims 18 to 20, and the first network device is configured to perform the method according to any one of claims 1 to 8.
  46. A communication system, wherein the communication system comprises a terminal device, a third network device, a first network device and a second network device, the terminal device is configured to perform the method according to any one of claims 9 to 13, the third network device is configured to perform the method according to any one of claims 18 to 20, the first network device is configured to perform the method according to any one of claims 1 to 8, and the second network device is configured to perform the method according to any one of claims 14 to 17.
PCT/CN2022/071841 2021-02-10 2022-01-13 Method for authentication and authorization and communication equipment WO2022170911A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110183980.3 2021-02-10
CN202110183980.3A CN114915968A (en) 2021-02-10 2021-02-10 Authentication and authorization method and communication device

Publications (1)

Publication Number Publication Date
WO2022170911A1 true WO2022170911A1 (en) 2022-08-18

Family

ID=82761739

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/071841 WO2022170911A1 (en) 2021-02-10 2022-01-13 Method for authentication and authorization and communication equipment

Country Status (2)

Country Link
CN (1) CN114915968A (en)
WO (1) WO2022170911A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024065705A1 (en) * 2022-09-30 2024-04-04 北京小米移动软件有限公司 Application function authorization method and apparatus
CN116669042B (en) * 2023-07-26 2023-11-14 中国电信股份有限公司 Re-authentication method and device for voice wireless local area network and communication equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107615815A (en) * 2015-06-23 2018-01-19 华为技术有限公司 Exempt from the switching method, terminal device and the network equipment of authorized transmissions
CN111031605A (en) * 2017-08-04 2020-04-17 Oppo广东移动通信有限公司 Resource scheduling method, terminal equipment and network equipment
WO2020088603A1 (en) * 2018-11-02 2020-05-07 中国信息通信研究院 Dynamic grant-free uplink scheduling method, and terminal apparatus, network apparatus, and system applying same
US20200162919A1 (en) * 2018-11-16 2020-05-21 Lenovo (Singapore) Pte. Ltd. Accessing a denied network resource

Also Published As

Publication number Publication date
CN114915968A (en) 2022-08-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22752073

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22752073

Country of ref document: EP

Kind code of ref document: A1