WO2024007325A1 - Eap认证方法、装置、通信设备及存储介质 - Google Patents
Eap认证方法、装置、通信设备及存储介质 Download PDFInfo
- Publication number
- WO2024007325A1 WO2024007325A1 PCT/CN2022/104718 CN2022104718W WO2024007325A1 WO 2024007325 A1 WO2024007325 A1 WO 2024007325A1 CN 2022104718 W CN2022104718 W CN 2022104718W WO 2024007325 A1 WO2024007325 A1 WO 2024007325A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- eap
- message
- smf
- response message
- aaa server
- Prior art date
Links
- 238000004891 communication Methods 0.000 title claims abstract description 45
- 238000000034 method Methods 0.000 title claims description 83
- 230000004044 response Effects 0.000 claims abstract description 252
- 238000003672 processing method Methods 0.000 claims abstract description 48
- 238000012545 processing Methods 0.000 claims description 54
- 230000006870 function Effects 0.000 claims description 23
- 238000013475 authorization Methods 0.000 claims description 11
- 238000005516 engineering process Methods 0.000 description 20
- 238000007726 management method Methods 0.000 description 17
- 238000010586 diagram Methods 0.000 description 13
- 230000003993 interaction Effects 0.000 description 11
- 230000008569 process Effects 0.000 description 9
- 230000004048 modification Effects 0.000 description 7
- 238000012986 modification Methods 0.000 description 7
- 238000010295 mobile communication Methods 0.000 description 6
- 101150119040 Nsmf gene Proteins 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 230000011664 signaling Effects 0.000 description 4
- 230000005236 sound signal Effects 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 3
- 230000001133 acceleration Effects 0.000 description 2
- 230000009471 action Effects 0.000 description 2
- 230000001413 cellular effect Effects 0.000 description 2
- 239000003795 chemical substances by application Substances 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000003384 imaging method Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- the present disclosure relates to but is not limited to the field of wireless communication technology, and in particular, to an EAP authentication method, device, communication equipment and storage medium.
- the Extensible Authentication Protocol (EAP) framework currently specified in wireless communications will be used for user equipment (User Equipment, UE) and external data network authentication, authorization and accounting (data network-(authentication, authorization, accounting) , DN-AAA) authentication between servers.
- the Session Management Function (SMF) will play the role of authenticator.
- the DN-AAA server will receive an EAP response or identity information only after the server sends an EAP request or identity information.
- SMF cannot send EAP responses or identity information to the DN-AAA server.
- Embodiments of the present disclosure provide an EAP authentication processing method, device, communication equipment, and storage medium.
- an EAP authentication processing method executed by SMF, including:
- the EAP response message includes: the identity information of the UE; the EAP response message is used by the DN-AAA server to initiate authentication based on the EAP identity information.
- sending the EAP response message includes: sending the EAP response message to the DN-AAA server based on the received identity information of the UE.
- the method includes: sending an EAP request message to the UE, where the EAP request message is used to request the identity information of the UE.
- sending the EAP response message includes: in response to the SMF supporting the Diameter protocol, sending a DER message to the DN-AAA server, where the DER message includes the EAP response message.
- sending the EAP response message includes: in response to the SMF supporting the RADIUS protocol, sending a first access request packet to the DN-AAA server, where the first access request packet includes: the EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- the method includes: sending a second access request packet to the DN-AAA server; wherein the second access request packet is used to trigger the DN-AAA server to request an EAP response message;
- Send the first access request packet to the DN-AAA server including:
- the first access request packet is sent to the DN-AAA server; where the first access challenge packet is used to request an EAP response message.
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- the method includes: receiving an EAP success message, where the EAP success message is sent after the DN-AAA server determines that the EAP authentication with the UE is successful.
- receiving the EAP success message includes:
- the method further includes:
- the identity information of the UE successfully authenticated by the EAP is sent to the UDM, where the identity information of the UE is used to be stored in the UDM.
- sending the EAP response message includes: sending the EAP response message to the DN-AAA server through the User Plane Function (UPF);
- UPF User Plane Function
- receiving the EAP success message including: receiving the EAP success message sent by the DN-AAA server through UPF.
- the SMF includes a Home Session Management Function (H-SMF);
- H-SMF Home Session Management Function
- the method includes: receiving the identity information of the UE sent by the UE through a visited mobile session function entity (Visited Session Management Function, V-SMF).
- V-SMF Visited Session Management Function
- an EAP authentication processing method is provided, which is executed by a DN-AAA server and includes:
- EAP-based authentication is initiated.
- the EAP response message includes: the identity information of the UE;
- Starting EAP authentication based on the EAP response message includes: starting authentication based on EAP identity information based on the EAP response message.
- receiving the EAP response message includes: receiving a DER message sent by the SMF, where the DER message includes the EAP response message.
- receiving the EAP response message includes: receiving a first access request packet sent by the SMF, where the first access request packet includes: an EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- the process before receiving the first access request packet sent by SMF, the process includes:
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- methods include:
- an EAP success message is sent.
- sending an EAP success message includes:
- a DEA message sent to SMF where the DEA message includes an EAP success message;
- receiving an EAP response message includes:
- Send EAP success message including:
- an EAP authentication processing device including:
- the first sending module is configured to send an EAP response message, where the EAP response message is used by the DN-AAA server to initiate EAP-based authentication.
- the EAP response message includes: the identity information of the UE; the EAP response message is used by the DN-AAA server to initiate authentication based on the EAP identity information.
- the first sending module is configured to send an EAP response message to the DN-AAA server based on the received identity information of the UE.
- the first sending module is configured to send an EAP request message to the UE, where the EAP request message is used to request the identity information of the UE.
- the first sending module is configured to send a DER message to the DN-AAA server in response to the SMF supporting the Diameter protocol, where the DER message includes an EAP response message.
- the first sending module is configured to respond to the SMF supporting the RADIUS protocol and send a first access request packet to the DN-AAA server, where the first access request packet includes: an EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- the first sending module is configured to send a second access request packet to the DN-AAA server; wherein the second access request packet is used to trigger the DN-AAA server to request an EAP response message;
- the first sending module is configured to send the first access request packet to the DN-AAA server if it receives the first access challenge packet determined based on the second access request; wherein the first access challenge packet is used to request an EAP response message .
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- the apparatus includes: a first receiving module configured to receive an EAP success message, where the EAP success message is sent after the DN-AAA server determines that the EAP authentication with the UE is successful.
- the first receiving module is configured to receive a DEA message sent by DN-AAA, where the DEA message includes an EAP success message; and/or
- the first receiving module is configured to receive a second access challenge packet sent by DN-AAA, where the second access challenge packet includes an EAP success message.
- the device further includes:
- the first processing module is configured to store the identity information of the UE successfully authenticated by EAP; or,
- the first processing module is configured to send the identity information of the UE successfully authenticated by EAP to the UDM, where the identity information of the UE is used to be stored in the UDM.
- the first sending module is configured to send the EAP response message to the DN-AAA server through UPF;
- the first receiving module is configured to receive the EAP success message sent by the DN-AAA server through UPF.
- the SMF includes H-SMF
- the first receiving module is configured to receive the identity information of the UE sent by the UE through V-SMF.
- an EAP authentication processing device which is executed by a DN-AAA server and includes:
- the second receiving module is configured to receive the EAP response message
- the second processing module is configured to start EAP-based authentication based on the EAP response message.
- the EAP response message includes: the identity information of the UE;
- the second processing module is configured to start authentication of EAP-based identity information based on the EAP response message.
- the second receiving module is configured to receive a DER message sent by the SMF, where the DER message includes an EAP response message.
- the second receiving module is configured to receive the first access request packet sent by the SMF, where the first access request packet includes: an EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- the second receiving module is configured to receive a second access request packet sent by the SMF; wherein the second access request packet is used to trigger the DN-AAA server to request an EAP response message;
- the second sending module is configured to send a first access challenge packet to the SMF, where the first access challenge packet is used to request an EAP response message.
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- the second sending module is configured to send an EAP success message in response to determining that the EAP authentication with the UE is successful.
- the second sending module is configured to send a DEA message to the SMF, where the DEA message includes an EAP success message; or,
- the second sending module is configured to send a second access challenge packet to the SMF, where the second access challenge packet includes an EAP success message.
- the second receiving module is configured to receive the EAP response message sent by the SMF through UPF; and/or,
- the second sending module is configured to send an EAP success message to the SMF through UPF.
- a communication device includes:
- Memory used to store instructions executable by the processor
- the processor is configured to implement the EAP authentication processing method of any embodiment of the present disclosure when running executable instructions.
- a computer storage medium stores a computer executable program.
- the executable program is executed by a processor, the EAP authentication processing method of any embodiment of the present disclosure is implemented.
- the SMF sends an EAP response message to the DN-AAA server, where the EAP response message is used by the DN-AAA server to initiate EAP-based authentication.
- the EAP response message is used by the DN-AAA server to initiate EAP-based authentication.
- Figure 1 is a schematic structural diagram of a wireless communication system according to an exemplary embodiment.
- Figure 2 is a schematic diagram of an EAP authentication processing method according to an exemplary embodiment.
- Figure 3 is a schematic diagram of an EAP authentication processing method according to an exemplary embodiment.
- Figure 4 is a schematic diagram of an EAP authentication processing method according to an exemplary embodiment.
- Figure 5 is a schematic diagram of an EAP authentication processing method according to an exemplary embodiment.
- Figure 6 is a schematic diagram of an EAP authentication processing method according to an exemplary embodiment.
- Figure 7 is a schematic diagram of an EAP authentication processing method according to an exemplary embodiment.
- Figure 8 is a block diagram of an EAP authentication processing device according to an exemplary embodiment.
- Figure 9 is a block diagram of an EAP authentication processing device according to an exemplary embodiment.
- Figure 10 is a block diagram of a UE according to an exemplary embodiment.
- Figure 11 is a block diagram of a base station according to an exemplary embodiment.
- first, second, third, etc. may be used to describe various information in the embodiments of the present disclosure, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other.
- first information may also be called second information, and similarly, the second information may also be called first information.
- word “if” as used herein may be interpreted as "when” or "when” or "in response to determining.”
- FIG. 1 shows a schematic structural diagram of a wireless communication system provided by an embodiment of the present disclosure.
- the wireless communication system is a communication system based on cellular mobile communication technology.
- the wireless communication system may include several user equipments 110 and several base stations 120.
- user equipment 110 may be a device that provides voice and/or data connectivity to a user.
- the user equipment 110 may communicate with one or more core networks via a Radio Access Network (RAN).
- RAN Radio Access Network
- the user equipment 110 may be an Internet of Things user equipment, such as a sensor device, a mobile phone (or a "cellular" phone) ) and computers with IoT user equipment, which may be, for example, fixed, portable, pocket-sized, handheld, computer-built-in, or vehicle-mounted devices.
- station station
- subscriber unit subscriber unit
- subscriber station subscriber station
- mobile station mobile station
- remote station remote station
- access point remote terminal
- remote terminal remote terminal
- the user equipment 110 may also be equipment of an unmanned aerial vehicle.
- the user equipment 110 may also be a vehicle-mounted device, for example, it may be an on-board computer with a wireless communication function, or a wireless user equipment connected to an external on-board computer.
- the user equipment 110 may also be a roadside device, for example, it may be a streetlight, a signal light or other roadside device with a wireless communication function.
- the base station 120 may be a network-side device in a wireless communication system.
- the wireless communication system can be the 4th generation mobile communication technology (the 4th generation mobile communication, 4G) system, also known as the Long Term Evolution (LTE) system; or the wireless communication system can also be a 5G system, Also called new air interface system or 5G NR system.
- the wireless communication system may also be a next-generation system of the 5G system.
- the access network in the 5G system can be called the New Generation-Radio Access Network (NG-RAN).
- NG-RAN New Generation-Radio Access Network
- the base station 120 may be an evolved base station (eNB) used in the 4G system.
- the base station 120 may also be a base station (gNB) that adopts a centralized distributed architecture in the 5G system.
- eNB evolved base station
- gNB base station
- the base station 120 adopts a centralized distributed architecture it usually includes a centralized unit (central unit, CU) and at least two distributed units (distributed units, DU).
- the centralized unit is equipped with a protocol stack including the Packet Data Convergence Protocol (PDCP) layer, the Radio Link Control protocol (Radio Link Control, RLC) layer, and the Media Access Control (Medium Access Control, MAC) layer;
- PDCP Packet Data Convergence Protocol
- RLC Radio Link Control
- MAC Media Access Control
- the distribution unit is provided with a physical (Physical, PHY) layer protocol stack, and the embodiment of the present disclosure does not limit the specific implementation of the base station 120.
- a wireless connection may be established between the base station 120 and the user equipment 110 through a wireless air interface.
- the wireless air interface is a wireless air interface based on the fourth generation mobile communication network technology (4G) standard; or the wireless air interface is a wireless air interface based on the fifth generation mobile communication network technology (5G) standard, such as
- the wireless air interface is a new air interface; alternatively, the wireless air interface may also be a wireless air interface based on the next generation mobile communication network technology standard of 5G.
- an E2E (End to End, end-to-end) connection can also be established between user equipments 110 .
- vehicle-to-vehicle (V2V) communication vehicle-to-roadside equipment (vehicle to Infrastructure, V2I) communication and vehicle-to-person (vehicle to pedestrian, V2P) communication in vehicle networking communication (vehicle to everything, V2X) Wait for the scene.
- V2V vehicle-to-vehicle
- V2I vehicle-to-roadside equipment
- V2P vehicle-to-person communication in vehicle networking communication
- V2X vehicle networking communication
- the above user equipment can be considered as the terminal equipment of the following embodiments.
- the above-mentioned wireless communication system may also include a network management device 130.
- the network management device 130 may be a core network device in a wireless communication system.
- the network management device 130 may be a mobility management entity (Mobility Management Entity) in an evolved packet core network (Evolved Packet Core, EPC). MME).
- the network management device can also be other core network devices, such as serving gateway (Serving GateWay, SGW), public data network gateway (Public Data Network GateWay, PGW), policy and charging rules functional unit (Policy and Charging Rules) Function, PCRF) or Home Subscriber Server (HSS), etc.
- serving gateway Serving GateWay, SGW
- public data network gateway Public Data Network GateWay, PGW
- Policy and Charging Rules Policy and Charging Rules
- PCRF Policy and Charging Rules
- HSS Home Subscriber Server
- the embodiments of the present disclosure enumerate multiple implementations to clearly describe the technical solutions of the embodiments of the present disclosure.
- the multiple embodiments provided in the embodiments of the present disclosure can be executed alone or in combination with the methods of other embodiments in the embodiments of the present disclosure. They can also be executed alone or in combination. It is then executed together with some methods in other related technologies; the embodiments of the present disclosure do not limit this.
- one execution subject when one execution subject sends a certain transmission to another execution subject, it may mean that one execution subject directly sends a transmission to another execution subject, or it may mean that one execution subject directly sends a transmission to another execution subject. It means that one execution subject sends a transmission to another execution subject through any other device; this is not limited in the embodiment of the present disclosure.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by SMF, including:
- Step S21 Send an EAP response message, where the EAP response message is used by the DN-AAA server to initiate EAP-based authentication.
- step S21 may be: receiving an EAP response message sent by the UE.
- the UE may be various mobile terminals or fixed terminals.
- the UE may be, but is not limited to, a mobile phone, a computer, a server, a wearable device, a vehicle-mounted terminal, a roadside unit (RSU, Road Side Unit), a game control platform or a multimedia device, etc.
- RSU Road Side Unit
- the SMF, DN-AAA server, UPF mentioned below, etc. can all be logical nodes or functions that are flexibly deployed in the communication network.
- the SMF, DN-AAA server and UPF can all be logical nodes or functions on the core network side; for another example, the DN-AAA server is a logical node or function in the data network connected to the core network.
- the EAP response message may be an EAP response-identity message or an EAP response/identity message.
- the EAP response-identity message or EAP response/identity message is a message in an encapsulated format.
- the SMF is a single SMF.
- the SMF includes: a visited session management function (V-SMF) and a home session management function (H-SMF); Among them, H-SMF sends an EAP response message to the DN-AAA server.
- V-SMF visited session management function
- H-SMF home session management function
- sending the EAP response message in step S21 includes: sending the EAP response message to the DN-AAA server through UPF.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by SMF and includes: sending an EAP response message to the DN-AAA server through UPF.
- the SMF sends an EAP response message to the DN-AAA server.
- the EAP response message is used by the DN-AAA server to initiate EAP-based authentication. In this way, there is no need to receive an EAP request from the DN-AAA server. You can send an EAP response message to the DN-AAA service through SMF, which is conducive to implementing EAP-based authentication.
- the EAP response message sent by SMF can be forwarded to the DN-AAA server through UPF, thereby successfully sending the EAP response message to the DN-AAA server.
- the EAP response message includes: the identity information of the UE; the EAP response message is used by the DN-AAA server to initiate authentication based on the EAP identity information.
- Embodiments of the present disclosure provide an EAP authentication processing method, executed by SMF, including: sending an EAP response message, where the EAP response message includes the identity information of the UE; the EAP response message is used by the DN-AAA server to initiate EAP-based identity information. Certification.
- the identity information of the UE can be used to uniquely identify the UE.
- the identity information of the UE may be the identification information of the UE.
- the identification information of the UE may be, but is not limited to, Subscriber Permanent Identifier (SUPI), Generic Public Subscription Identifier (GPSI), Subscription Concealed Identifier (SUCI), etc. one.
- the identification information of the UE may be a number or index negotiated between the network device and the UE or specified by the communication protocol.
- SMF can obtain the identity information of the UE.
- identity information of the UE sent by the Access and Mobility Management Function (AMF) can be received.
- AMF Access and Mobility Management Function
- the EAP response message carrying the identity information of the UE can be sent directly through SMF, thereby facilitating the implementation of EAP-based authentication of the identity information of the UE.
- sending the EAP response message in step S21 includes: sending the EAP response message to the DN-AAA server based on the received identity information of the UE.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by SMF, including:
- Step S31 Based on the received identity information of the UE, send an EAP response message to the DN-AAA server.
- the EAP response message may be the EAP response message in step S21; the identity information of the UE may be the identity information of the UE in the above embodiments.
- the SMF may be the SMF in the above embodiments; for example, the SMF may be a single SMF; for another example, the SMF may be a V-SMF and an H-SMF.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by the SMF, including: receiving the identity information of the UE sent by the AMF; wherein the identity information of the UE is obtained by the AMF from the UE.
- step S31 includes: based on receiving the EAP response message, sending an EAP response message to the DN-AAA server, where the EAP response message includes the identity information of the UE.
- the SMF can obtain the identity information of the UE that the UE actively sends to the SMF, and then send the EAP response message to the DN-AAA server to trigger EAP-based authentication.
- the SMF includes H-SMF
- the method includes: receiving the identity information of the UE sent by the UE through V-SMF.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by H-SMF, including: receiving the identity information of the UE sent by the UE through the V-SMF.
- V-SMF can obtain the UE's identity information from the AMF.
- the H-SMF can obtain the UE's identity information sent by the UE based on the V-SMF.
- the process before step S21, includes: sending an EAP request message to the UE, where the EAP request message is used to request the identity information of the UE.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by SMF, including:
- an EAP response message is sent to the DN-AAA server.
- the EAP request message may be an EAP Request-Identity message or an EAP Request/Identity message.
- the EAP Request-Identity message or the EAP Request/Identity message is a message in a packaging format.
- the SMF may also receive an EAP response message sent by the UE, where the EAP response message includes the identity information of the UE.
- the SMF sending the EAP request message to the UE may be: the SMF sends the EAP request message to the AMF, and the AMF sends the EAP request message to the UE.
- the SMF receiving the UE's identity information sent by the UE may be: the AMF receives the UE's identity information sent by the UE and forwards the UE's identity information to the SMF.
- the interaction between SMF and UE can be realized through AMF.
- the SMF can actively send an EAP request message to the UE to request the UE's identity information sent by the UE or the EAP request message including the UE's identity information.
- sending the EAP response message in step S21 includes: in response to the SMF supporting the Diameter protocol, sending a DER message to the DN-AAA server, where the DER message includes the EAP response message.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by SMF, including:
- Step S41 In response to the SMF supporting the Diameter protocol, send a DER message to the DN-AAA server, where the DER message includes an EAP response message.
- the EAP response message may be the EAP response message in step S21; the identity information of the UE may be the identity information of the UE in the above embodiments.
- the SMF may be the SMF in the above embodiments; for example, the SMF may be a single SMF; for another example, the SMF may be at least one of V-SMF and H-SMF.
- the DER message may be a Diameter-EAP-Request message.
- the EAP payload (via EAP payload) of the DER message carries the EAP response message; the EAP response message includes identity information.
- the protocols supported by UPF may be consistent with the protocols supported by SMF. For example, if SMF supports Diameter protocol, then UPF supports Diameter protocol.
- the protocols supported by UPF may not be consistent with the protocols supported by SMF. For example, if SMF supports Diameter protocol, UPF does not need to support Diameter protocol; here, UPF can be used to forward messages.
- the EAP response message can be carried through the Diameter protocol, so that the DN-AAA server can understand the EAP response message. For example, understand the identity information of the UE included in the EAP response message, etc.
- an EAP response message can be sent directly to the DN-AAA server through SMF to trigger the EAP-based verification of the UE's identity information between the UE and the DN-AAA server; this can reduce signaling interactions.
- sending the EAP response message in step S21 includes: in response to the SMF supporting the RADIUS protocol, sending a first access request packet to the DN-AAA server, where the first access request packet includes: an EAP response message.
- this embodiment of the present disclosure provides an EAP authentication processing method, which is executed by SMF and includes:
- Step S51 In response to the SMF supporting the RADIUS protocol, send a first access request packet to the DN-AAA server, where the first access request packet includes: an EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- the first access request packet may be Access-Request packet
- the EAP message attribute may be EAP-Message attribute.
- the method includes: sending a second access request packet to the DN-AAA server; wherein the second access request packet is used to trigger the DN-AAA server to request an EAP response message;
- sending the first access request packet to the DN-AAA server includes: if the first access challenge packet determined based on the second access request is received, sending the first access request packet to the DN-AAA server; wherein, the first access request packet is sent to the DN-AAA server.
- Challenge packet used to request EAP response messages.
- Embodiments of the present disclosure provide an EAP authentication processing method, executed by SMF, including:
- the first access request packet is sent to the DN-AAA server; where the first access challenge packet is used to request an EAP response message.
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- the second access request packet may be an Access-Request packet
- the EAP start message may be an EAP-Start message
- the first access challenge packet can be Access-Challenge packet.
- the first access challenge packet can be used to request the UE's identity information.
- the SMF sends a second Access-Request packet to the DN-AAA server.
- the second Access-Request packet includes an EAP-Message attribute indicating an EAP-Start message. s));
- the second access request packet is used to trigger the DN-AAA server to request the UE's identity information.
- the DN-AAA server After receiving the second access request packet sent by SMF, the DN-AAA server sends a first access-challenge packet (Access-Challenge packet) to SMF.
- the first access-challenge packet includes the EAP message attributes that package the EAP request message, and the first access-challenge packet is An access challenge packet is used to request an EAP response message.
- SMF After receiving the first access challenge packet, SMF sends the first access request packet (Access-Request packet) to the DN-AAA server.
- the first access request packet includes EAP message attributes; the EAP message attributes include the EAP response message ( EAP Response/Identity message).
- the EAP response message includes the identity information of the UE.
- both the first access request packet and the second access request packet can be request packets in any other implementable format; both the first access challenge packet and the second access challenge packet can be in any other implementable format.
- Challenge packet there is no restriction on the first access request packet, the second access request packet, the first access challenge packet and the second access challenge packet.
- the EAP response message can also be encapsulated in any unit in the first access request packet. There is no restriction on the specific form in which the EAP response message is carried in the first access request packet.
- the protocols supported by UPF may be consistent with the protocols supported by SMF. For example, if SMF supports the Radius protocol, then UPF supports the Radius protocol.
- the protocols supported by UPF may not be consistent with the protocols supported by SMF. For example, if SMF supports the Radius protocol, UPF does not need to support the Radius protocol; here, UPF can be used to forward messages.
- the EAP response message can be carried through the RADIUS protocol, so that the DN-AAA server can understand the EAP response message. For example, understand the identity information of the UE included in the EAP response message, etc.
- the UE is not allowed to trigger the authentication of the UE's identity information based on EAP; however, since the RADIUS protocol can be used in the embodiment of the present disclosure, the RADIUS protocol can trigger the DN-Start message by sending an EAP-Start message.
- the AAA server requests an EAP response message. In this way, EAP-based authentication can be triggered through the EAP-Start message, thereby enabling the UE to actively trigger EAP-based authentication of the UE's identity information.
- Embodiments of the present disclosure provide an EAP authentication processing method, executed by SMF, including: receiving an EAP success message, where the EAP success message is sent after the DN-AAA server determines that the EAP authentication with the UE is successful.
- receiving the EAP success message includes:
- the EAP success message is used to indicate that the identity information authentication of the UE based on EAP is successful.
- the successful EAP authentication between the DN-AAA server and the UE means that the DN-AAA server successfully authenticates the UE's identity information based on EAP.
- the identity information of the UE is authorized identity information.
- the DEA message may be a Diameter-EAP-Answer message.
- the payload of the DEA message (via EAP payload) carries the EAP success message.
- the second access-challenge packet may be an Access-Challenge packet.
- the EAP message attribute of the second access challenge packet carries the EAP success message.
- the SMF receives the DEA message sent by the DN-AAA server, and the DEA message includes the EAP success message; the SMF determines that the EAP-based identity information authentication of the UE is successful based on the EAP success message.
- the SMF receives the second access challenge packet sent by the DN-AAA server, and the EAP message attribute of the second access challenge packet includes the EAP success message; the SMF determines the EAP-based UE based on the EAP success message.
- the identity information authentication was successful.
- the SMF if it supports the Diameter protocol and/or the RADIUS protocol, it can determine to obtain and understand the DEA by receiving the DEA message packaged by the Diameter protocol and/or the second access packet packaged by the RADIUS protocol. Message and/or content from the Second Access Challenge Pack.
- receiving the EAP success message includes: receiving the EAP success message sent by the DN-AAA server through UPF.
- Embodiments of the present disclosure provide an EAP authentication processing method, executed by SMF, including: receiving an EAP success message sent by a DN-AAA server through UPF.
- Embodiments of the present disclosure provide an EAP authentication processing method, executed by SMF, including: receiving a DEA message sent by DN-AAA through UPF, where the DEA message includes an EAP success message; and/or receiving a second DEA message sent by DN-AAA. Access challenge packet, wherein the second access challenge packet includes an EAP success message.
- the EAP success message sent by the DN-AAA server can be forwarded to the SMF through the UPF, so that the SMF can successfully receive the EAP success message.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by SMF and includes: storing the identity information of the UE successfully authenticated by EAP.
- SMF can also store at least one of the following:
- embodiments of the present disclosure can store the identity information of the UE successfully authenticated by EAP to facilitate subsequent related operations based on the identity information of the UE.
- Embodiments of the present disclosure provide an EAP authentication processing method, executed by SMF, including: sending the identity information of a UE successfully authenticated by EAP to UDM, where the identity information of the UE is used to be stored in the UDM.
- the SMF can send the identity information of the UE successfully authenticated by the EAP to the UDM; after receiving the identity information of the UE, the UDM stores the identity information of the UE in the authorization information. If the SMF also sends the identification information of the DN and the identification information of the DN-AAA server corresponding to the identity information of the UE to the UDM, the UDM can also combine the identification information of the DN and/or the identification information of the DN-AAA server with the identity information of the UE. Corresponding storage.
- the SMF may send the identity information of the UE successfully authenticated by EAP and the DN identification information related to the UE's identity information and/or the identification information of the DN-AAA server to the UDM, so that the UDM can store the This information is beneficial to subsequent related operations based on the UE's identity information.
- the following EAP-based authentication processing method is executed by the DN-AAA server, which is similar to the above description of the EAP authentication processing method executed by SMF; and, for the embodiment of the EAP authentication processing method executed by the DN-AAA server
- the DN-AAAA server For technical details not disclosed in , please refer to the description of the example of the EAP authentication processing method performed by SMF, which will not be described in detail here.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by the DN-AAA server, including:
- Step S61 Receive the EAP response message
- Step S62 Based on the EAP response message, start EAP-based authentication.
- the EAP response message may be the EAP response message in step S21; the identity information of the UE may be the identity information of the UE in the above embodiments.
- the EAP response message may be an EAP response-identity message or an EAP response/identity message.
- the identity information of the UE may be the identification information of the UE.
- the identification information of the UE may be, but is not limited to, one of SUPI, GPSI, SUCI, etc.
- the identification information of the UE may be a number or index negotiated between the network device and the UE or specified by the communication protocol.
- S61 may be receiving the EAP response information sent by the SMF.
- the SMF may be the SMF in the above embodiments.
- the SMF may be a single SMF.
- the SMF may be at least one of V-SMF and H-SMF.
- the EAP response message includes: the identity information of the UE;
- Step S62 includes: initiating EAP-based authentication of identity information based on the EAP response message.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by a DN-AAA server, including: initiating authentication based on EAP identity information based on an EAP response message.
- step S61 includes: receiving a DER message sent by the SMF, where the DER message includes an EAP response message.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by a DN-AAA server, including: receiving a DER message sent by SMF, where the DER message includes an EAP response message.
- the DER message may be the DER message in the above embodiments.
- the DER message may be a Diameter-EAP-Request message.
- the EAP payload (via EAP payload) of the DER message carries the EAP response message; the EAP response message includes identity information.
- step S61 includes: receiving a first access request packet sent by the SMF, where the first access request packet includes: an EAP response message.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by a DN-AAA server, including: receiving a first access request packet sent by SMF, where the first access request packet includes: an EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- the first access request packet and the second access request packet may be the first request packet and the second access request packet in the above embodiments respectively;
- the EAP message attributes may be the EAP message attributes in the above embodiments.
- both the first access request packet and the second access request packet may be Access-Request packets.
- the EAP message attribute may be EAP-Message attribute.
- the process before receiving the first access request packet sent by SMF, the process includes:
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by a DN-AAA server, including:
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- the first access challenge packet and the second access challenge packet may be the first access challenge packet and the second access challenge packet in the above embodiments respectively;
- the EAP start message may be the EAP start message in the above embodiments. information.
- both the first access challenge packet and the second access challenge packet can be Access-Challenge packets.
- An exemplary EAP start message may be an EAP-Start message.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by a DN-AAA server, including: in response to determining that the EAP authentication with the UE is successful, sending an EAP success message.
- sending an EAP success message includes:
- a DEA message sent to the SMF where the DEA message includes an EAP success message; or a second access challenge packet sent to the SMF, where the second access challenge packet includes an EAP success message.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by a DN-AAA server, including: a DEA message sent to the SMF, where the DEA message includes an EAP success message; or a second access challenge packet sent to the SMF, where , the second access challenge packet includes the EAP success message.
- receiving the EAP response message includes: receiving the EAP response message sent by the SMF through UPF.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by a DN-AAA server, including: receiving an EAP response message sent by SMF through UPF.
- sending the EAP success message includes: sending the EAP success message to the SMF through UPF.
- Embodiments of the present disclosure provide an EAP authentication processing method, which is executed by a DN-AAA server, including: sending an EAP success message to SMF through UPF.
- secondary authentication based on DN-AAA servers can be used.
- the 5G network also supports secondary authentication based on EAP by an external DN-AAA server.
- the process of secondary authentication based on the DN-AAA server involves two situations: roaming and non-roaming; in the non-roaming situation, V-SMF is not involved; in the case of home routing (HR) roaming, V-SMF will act as an agent in the VPLMN Signaling between the AFM and the H-SMF in the HPLMN; in the case of local offload (LBO) roaming, only one SMF of the VPLMN is involved.
- steps S701 to S706 in the following embodiments please refer to 4.2.2.2.2 and 4.3.2.2.1TS 23.502[3] in the protocol.
- H-SMF and H-UPF involved in the following embodiments can be implemented through the N4 message; and/or the interaction between the UE or UE client and the AMF involved below can be implemented through the N1 message. ; And/or, the interaction between AMF and SMF mentioned below can be realized through N11 message; and/or the interaction between H-UPF and DN-AAA server mentioned below can be realized through N6 message.
- the interaction between each network element or logical node or function and other networks or logical nodes or functions can be through any implementable message or signaling interaction, which is not limited here.
- the embodiment of the present disclosure provides an EAP authentication processing method, which is executed by a communication device.
- the communication device includes: SMF, DN-AAA server, AMF, V-SMF, H-SMF, home user plane function ( H-UPF), and at least one of authentication server function (AUSF); the method includes the following steps:
- Step S701 Send a registration request
- the UE sends a registration request to the AMF.
- the UE may refer to the UE or the EAP client corresponding to the UE.
- Step S702 initial authentication
- the UE performs primary authentication (or primary authentication) with the AUSF.
- Step S703 Establish NAS security mode
- the UE EAP client
- NAS non-access stratum
- Step S704 Send a PDU session establishment request
- the UE sends a NAS message to the AMF, where the NAS message is used to initiate the establishment of a new session protocol data unit (Protocol Data Unit, PDU) session; the NAS message includes the N1_SM container At least one of the PDU session establishment request, slice information, PDU session ID and PDN.
- the slice information can be determined by the single network slice selection assistance information (S-NSSAI) identifier;
- the PDN is the packet data network (PDN) that the UE wants to connect to, and the PDN is determined by the data network
- the name (Data Network Name, DNN) identification is determined.
- the N1_SM container is a load.
- the PDU session request may include the SM_PDU DN request container IE, and the SM_PDU DN request container IE includes information about PDU session authorization by the external DN.
- Step S705a Send Nsmf_PDUSession_CreateSMCContext request
- the AMF determines a V-SMF and sends an Nsmf PDUSession CreateSMContext request or an Nsmf PDUSession UpdateSMContext request to the V-SMF.
- Step S705b Receive Nsmf_PDUSession_CreateSMCContext response
- the AMF receives the Nsmf PDUSession CreateSMContext response or the Nsmf PDUSession UpdateSMContext response sent by the V-SMF.
- a single SMF acts as the V-SMV and H-SMF situations.
- step S706 or step S717 is skipped.
- step S705b it also includes: continuing the PDU session establishment request process (cf.4.3.2.2.2 TS 23.502);
- Step S706 Send Nsmf_PDUSession_Create request
- the V-SMF sends an Nsmf_PDUSession_Create request to the H-SMF.
- Step S707 SMF obtains subscription information from UDM and verifies whether the UE's request is compliant;
- the H-SMF obtains the subscription data from the UDM. SMF detects whether the subscription data requires secondary authentication, and whether the UE request is allowed according to the user subscription and local policy. If not allowed, H-SMF will reject the UE's request through SM-NAS signaling and skip the remaining steps of this step. If secondary authentication is required, the SMF may also have detected whether the UE has been authenticated and/or authorized by the relative DN; for example, as indicated by the DNN in step S705, or by the same AAA server in the previous PDU session establishment. Or authorized; if so, SMF can skip steps S708 to S715.
- information about successful authentication and/or authorization between the UE and the SMF office may be stored in the SMF and/or UDM.
- Step S708 Start EAP authentication
- H-SMF will trigger EAP authentication to obtain authorization information from the DN-AAA server. If there is no existing NA4 session, H-SMF selects a UPF with which to establish the N4 session. H-SMF notifies the DN-AAA server of the GPSI; and if the PDU session is of the IP_PDU type, it notifies the IP address of the UE that allocates the PDU session; or if the PDU session is of the Ethernet PDU type, it notifies the MAC address of the PDU session. .
- Step S709 Send EAP-request/authentication
- EAP-request/authentication may be the EAP request message in the above embodiment.
- H-SMF sends EAP Request/Identity to the UE.
- Step S710 Receive EAP-response/authentication
- EAP-response/authentication may be the EAP response message in the above embodiment
- the UE (EAP client) H-SMF receives the EAP-response/authentication (EAP Response/Identit) sent by the UE.
- NAI Network Access Identifier
- the secondary authentication DN specific identity may be sent by the UE in step S704.
- H-SMF forms an EAP response message (EAP Response/Identity message) containing identity information.
- Step S711 N4 session establishment
- H-SMF selects a UPF and establishes an N4 session with the UPF.
- the UPF selected by H-SMF may be H-UPF.
- the interaction between H-SMF and H-UPF can be transmitted through N4 sessions.
- the H-UPF if the H-SMF supports the Diameter protocol, then the H-UPF at least supports the Diameter protocol; and/or, if the H-SMF supports the Radius protocol, then the H-UPF at least supports the Radius protocol.
- H-UPF may not support Diameter protocol and/or Radius protocol.
- H-UPF can be used to forward messages, such as forwarding DER messages or access packets.
- step S712 includes step S712a; alternatively, step S712 includes steps S712b to S712d.
- Step S712a N4 transmits a DER message, where the DER message includes an EAP response message;
- H-SMF identifies the DN-AAA server based on the identity information and local configuration provided by the UE. If H-SMF supports the Diameter protocol, it sends a DER (Diameter-EAP-Request) message to the DN-AAA server through H-UPF; the EAP payload (via EAP payload) of the DER message carries the EAP response message; the EAP response message includes Identity Information.
- H-SMF supports Diameter protocol, which may be: Diameter protocol can be applied in EAP and the EAP response message can be received by H-SMF (or SMF).
- steps S712b to S712c may be skipped.
- H-SMF sends a DER message to the DN-AAA server through H-UPF, including: H-SMF sends a DER message to H-UPF, and H-UPF sends a DER message to the DN-AAA server.
- Step S712b Send a second access request packet, where the second access request packet includes an EAP message attribute indicating an EAP start message;
- H-SMF if H-SMF supports the RADIUS protocol, it sends a second access-request packet (Access-Request packet) to the DN-AAA server through H-UPF; the second access-request packet includes an instruction to start EAP (EAP -Start) message's EAP message attribute (EAP-Message attribute); the EAP-Start message is used to trigger the DN-AAA server to request an EAP response message.
- EAP -Start EAP message's EAP message attribute
- EAP-Start message is used to trigger the DN-AAA server to request an EAP response message.
- H-SMF sends a second access request packet to the DN-AAA server through H-UPF, including: H-SMF sends a second access request packet to H-UPF, and H-UPF sends a second access request packet to the DN-AAA server. Bag.
- Step S712c Receive the first access challenge packet, where the first access challenge packet is used to request an EAP response message;
- H-SMF receives the first access-challenge packet (Access-Challenge packet) sent by the DN-AAA server through H-UPF; the first access challenge includes the EAP message attributes that encapsulate the EAP request message; EAP The request message package is used to request the EAP response message.
- H-SMF receives the first access challenge packet sent by the DN-AAA server through H-UPF, which may be: H-UPF receives the first access challenge packet from the DN-AAA server, and sends the first access challenge packet to H -SMF.
- Step S712d Send a first access request packet, where the first access request packet includes an EAP response message;
- H-SMF sends a first access-request packet (Access-Request packet) to the DN-AAA server through H-UPF, where the first access-request packet includes EAP message attributes; the EAP message attributes include EAP response information.
- the EAP response information includes the identity information of the UE.
- H-SMF sends the first access request packet to the DN-AAA server through H-UPF, which may be: H-SMF sends the first access request packet to H-UPF, and H-UPF sends the first access request packet to the DN-AAA server. Request package.
- Step S713 Exchange EAP request messages or EAP response messages through N4 and/or NAS;
- EAP messages may be exchanged between the UE and the DN-AAA server through N4 and/or NAS, where the EAP messages include EAP request messages or EAP response messages.
- additional authorization information defined in clause 5.6.6 of the protocol can also be exchanged between the UE and the DN-AAA server.
- step S714 includes step S714a or step S714b.
- Step S714a Receive the DEA message, where the DEA message includes the EAP success message;
- the H-SMF supports the Diameter protocol
- the DEA Diameter-EAP-Answer
- the payload of the DEA message carries the EAP success message
- the EAP success message is used to indicate the EAP Authentication successful.
- H-SMF receives the DEA message through H-UPF, which may be: H-UPF receives the DEA message and sends the DEA message to H-SMF.
- Step S714b Receive the second access challenge packet, where the second access challenge packet includes the EAP success message;
- the second access challenge packet is received through the H-UPF; the second access challenge packet includes an EAP success message; the EAP success message is used to indicate that the EAP authentication is successful.
- H-SMF receives the second access challenge packet through H-UPF, which may be: H-UPF receives the second access challenge packet and sends the second access challenge packet to H-SMF.
- H-UPF receives the second access challenge packet and sends the second access challenge packet to H-SMF.
- Step S715 EAP authentication ends
- the H-SMF determines the end of EAP-based authentication.
- H-SMF stores one of the UE's identity information, DNN, DN, and DN-AAA server identification information in H-SMF for successful authentication or authorization between the UE and H-SMF.
- the H-SMF may also send one of the UE's identity information, DNN, DN, and DN-AAA server identification information to the UDM for storage by the UDM.
- the H-SMF may be the SMF in the above embodiment.
- step S715 it also includes: continuing the PDU session establishment request process (cf.4.3.2.2.2 TS 23.502).
- H-SMF determines that the UE's identity information is authorized successfully, it determines to continue the PDU session establishment request process.
- Step S716a Send N4 session modification request
- the H-SMF sends an N4 session modification request to the H-UPF to request to initiate an N4 session modification process with the H-UPF.
- Step S716b Receive N4 session modification response
- the H-SMF receives the N4 session modification response sent by the H-UPF to determine to initiate the N4 session modification process with the H-UPF.
- Step S717 Send an Nsmf_PDUSession_Create response, which carries the EAP success message;
- the H-SMF sends an Nsmf_PDUSession_Create response to the V-SMF, and the Nsmf_PDUSession_Create response carries the EAP success message.
- Step S718 Send the Namf_Communication_N1N2 message, which carries the EAP success message;
- the V-SMF sends a Namf_Communication_N1N2 message to the AMF, and the Namf_Communication_N1N2 message carries the EAP success message.
- Step S719 PDU establishment accepted, EAP successful
- the AMF sends a NAS_SM_PDU session establishment accept message to the UE (client), where the NAS_SM_PDU session establishment accept message includes an EAP success message.
- step S719 it includes: performing steps as shown in Figure 4.3.2.2.2-1 of TS 23.502.
- an embodiment of the present disclosure provides an EAP authentication processing device, including:
- the first sending module 51 is configured to send an EAP response message, where the EAP response message is used by the DN-AAA server to initiate EAP-based authentication.
- the EAP authentication processing device provided by the embodiment of the present disclosure can be applied to SMF.
- the EAP response message includes: the identity information of the UE; the EAP response message is used by the DN-AAA server to initiate authentication based on the EAP identity information.
- the embodiment of the present disclosure provides an EAP authentication processing device, including: a first sending module 51, configured to send an EAP response message, including: the identity information of the UE; wherein the EAP response message is used by the DN-AAA server to initiate EAP-based authentication. Authentication of identity information.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first sending module 51 configured to send an EAP response message to a DN-AAA server based on the received identity information of the UE.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first sending module 51 configured to send an EAP request message to a UE, where the EAP request message is used to request the identity information of the UE;
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first sending module 51 configured to respond to SMF supporting the Diameter protocol and send a DER message to the DN-AAA server, where the DER message includes an EAP response message.
- the embodiment of the present disclosure provides an EAP authentication processing device, including: a first sending module 51 configured to respond to the SMF supporting the RADIUS protocol and send a first access request packet to the DN-AAA server, where the first access request packet, Includes: EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- An embodiment of the present disclosure provides an EAP authentication processing device, including:
- the first sending module 51 is configured to send a second access request packet to the DN-AAA server; where the second access request packet is used to trigger the DN-AAA server to request an EAP response message;
- the first sending module 51 is configured to send the first access request packet to the DN-AAA server if it receives the first access challenge packet determined based on the second access request; wherein the first access challenge packet is used to request an EAP response. information.
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first receiving module configured to receive an EAP success message, where the EAP success message is sent after the DN-AAA server determines that the EAP authentication with the UE is successful.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first receiving module configured to receive a DEA message sent by DN-AAA, where the DEA message includes an EAP success message.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first receiving module configured to receive a second access challenge packet sent by DN-AAA, where the second access challenge packet includes an EAP success message.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first processing module configured to store identity information of a UE successfully authenticated by EAP.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first processing module configured to send the identity information of a UE successfully authenticated by EAP to the UDM, where the identity information of the UE is used to be stored in the UDM.
- the embodiment of the present disclosure provides an EAP authentication processing device, including: a first sending module 51 configured to send an EAP response message to the DN-AAA server through UPF; and/or,
- the first receiving module is configured to receive the EAP success message sent by the DN-AAA server through UPF.
- the SMF includes H-SMF.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a first receiving module configured to receive the identity information of the UE sent by the UE through V-SMF.
- an EAP authentication processing device including:
- the second receiving module 61 is configured to receive the EAP response message
- the second processing module 62 is configured to initiate EAP-based authentication based on the EAP response message.
- the embodiment of the present disclosure provides an EAP authentication processing device, which can be applied in a DN-AAA server.
- the EAP response message includes: the identity information of the UE;
- the second processing module 62 is configured to initiate authentication of EAP-based identity information based on the EAP response message.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a second processing module 62 configured to initiate authentication based on EAP identity information based on the EAP response message.
- the embodiment of the present disclosure provides an EAP authentication processing device, including: a second receiving module 61 configured to receive a DER message sent by the SMF, where the DER message includes an EAP response message.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a second receiving module 61 configured to receive a first access request packet sent by SMF, where the first access request packet includes: an EAP response message.
- the first access request packet includes EAP message attributes; the EAP message attributes include an EAP response message.
- An embodiment of the present disclosure provides an EAP authentication processing device, including:
- the second receiving module 61 is configured to receive the second access request packet sent by the SMF; wherein the second access request packet is used to trigger the DN-AAA server to request an EAP response message;
- the second sending module is configured to send a first access challenge packet to the SMF, where the first access challenge packet is used to request an EAP response message.
- the second access request packet includes an EAP message attribute indicating an EAP start message, where the EAP start message is used to trigger the DN-AAA server to request an EAP response message.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a second sending module configured to send an EAP success message in response to determining that the EAP authentication with the UE is successful.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a second sending module configured to send a DEA message to the SMF, where the DEA message includes an EAP success message.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a second sending module configured to send a second access challenge packet to the SMF, where the second access challenge packet includes an EAP success message.
- the embodiment of the present disclosure provides an EAP authentication processing device, including: a second receiving module 61 configured to receive an EAP response message sent by SMF through UPF.
- Embodiments of the present disclosure provide an EAP authentication processing device, including: a second sending module configured to send an EAP success message to the SMF through UPF.
- An embodiment of the present disclosure provides a communication device, including:
- Memory used to store instructions executable by the processor
- the processor is configured to implement the EAP authentication processing method of any embodiment of the present disclosure when running executable instructions.
- the communication device may include but is not limited to at least one of: UE, SMF, DN-AAA server, and UPF.
- the processor may include various types of storage media, which are non-transitory computer storage media that can continue to memorize the information stored thereon after the user equipment is powered off.
- the processor may be connected to the memory through a bus or the like, and be used to read the executable program stored in the memory, for example, at least one of the methods shown in FIGS. 2 to 7 .
- An embodiment of the present disclosure also provides a computer storage medium.
- the computer storage medium stores a computer executable program.
- the executable program is executed by a processor, the EAP authentication processing method of any embodiment of the present disclosure is implemented. For example, at least one of the methods shown in FIGS. 2 to 7 .
- Figure 10 is a block diagram of a user equipment 800 according to an exemplary embodiment.
- the user device 800 may be a mobile phone, a computer, a digital broadcast user device, a messaging device, a game console, a tablet device, a medical device, a fitness device, a personal digital assistant, or the like.
- user equipment 800 may include one or more of the following components: a processing component 802 , a memory 804 , a power supply component 806 , a multimedia component 808 , an audio component 810 , an input/output (I/O) interface 812 , and a sensor component 814 , and communication component 816.
- a processing component 802 may include one or more of the following components: a processing component 802 , a memory 804 , a power supply component 806 , a multimedia component 808 , an audio component 810 , an input/output (I/O) interface 812 , and a sensor component 814 , and communication component 816.
- a processing component 802 may include one or more of the following components: a processing component 802 , a memory 804 , a power supply component 806 , a multimedia component 808 , an audio component 810 , an input/output (I/O) interface 812 , and a sensor component 814 , and communication component 8
- Processing component 802 generally controls the overall operations of user device 800, such as operations associated with display, phone calls, data communications, camera operations, and recording operations.
- the processing component 802 may include one or more processors 820 to execute instructions to complete all or part of the steps of the above method.
- processing component 802 may include one or more modules that facilitate interaction between processing component 802 and other components.
- processing component 802 may include a multimedia module to facilitate interaction between multimedia component 808 and processing component 802.
- Memory 804 is configured to store various types of data to support operations at user device 800 . Examples of such data include instructions for any application or method operating on user device 800, contact data, phonebook data, messages, pictures, videos, etc.
- Memory 804 may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EEPROM), Programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
- SRAM static random access memory
- EEPROM electrically erasable programmable read-only memory
- EEPROM erasable programmable read-only memory
- EPROM Programmable read-only memory
- PROM programmable read-only memory
- ROM read-only memory
- magnetic memory flash memory, magnetic or optical disk.
- Power supply component 806 provides power to various components of user equipment 800.
- Power supply components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power to user device 800 .
- Multimedia component 808 includes a screen that provides an output interface between the user device 800 and the user.
- the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user.
- the touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide action.
- multimedia component 808 includes a front-facing camera and/or a rear-facing camera.
- the front camera and/or the rear camera may receive external multimedia data.
- Each front-facing camera and rear-facing camera can be a fixed optical lens system or have a focal length and optical zoom capabilities.
- Audio component 810 is configured to output and/or input audio signals.
- audio component 810 includes a microphone (MIC) configured to receive external audio signals when user device 800 is in operating modes, such as call mode, recording mode, and voice recognition mode. The received audio signal may be further stored in memory 804 or sent via communication component 816 .
- audio component 810 also includes a speaker for outputting audio signals.
- the I/O interface 812 provides an interface between the processing component 802 and a peripheral interface module, which may be a keyboard, a click wheel, a button, etc. These buttons may include, but are not limited to: Home button, Volume buttons, Start button, and Lock button.
- Sensor component 814 includes one or more sensors that provide various aspects of status assessment for user device 800 .
- the sensor component 814 can detect the open/closed state of the device 800, the relative positioning of components, such as the display and keypad of the user device 800, the sensor component 814 can also detect the user device 800 or a component of the user device 800. position changes, the presence or absence of user contact with user device 800 , user device 800 orientation or acceleration/deceleration and temperature changes of user device 800 .
- Sensor assembly 814 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact.
- Sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications.
- the sensor component 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
- Communication component 816 is configured to facilitate wired or wireless communication between user device 800 and other devices.
- User equipment 800 may access a wireless network based on a communication standard, such as WiFi, 4G or 5G, or a combination thereof.
- the communication component 816 receives broadcast signals or broadcast related information from an external broadcast management system via a broadcast channel.
- the communications component 816 also includes a near field communications (NFC) module to facilitate short-range communications.
- NFC near field communications
- the NFC module can be implemented based on radio frequency identification (RFID) technology, infrared data association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
- RFID radio frequency identification
- IrDA infrared data association
- UWB ultra-wideband
- Bluetooth Bluetooth
- user equipment 800 may be configured by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable Programmed gate array (FPGA), controller, microcontroller, microprocessor or other electronic components are implemented for executing the above method.
- ASICs application specific integrated circuits
- DSPs digital signal processors
- DSPDs digital signal processing devices
- PLDs programmable logic devices
- FPGA field programmable Programmed gate array
- controller microcontroller, microprocessor or other electronic components are implemented for executing the above method.
- a non-transitory computer-readable storage medium including instructions such as a memory 804 including instructions, which can be executed by the processor 820 of the user device 800 to complete the above method is also provided.
- the non-transitory computer-readable storage medium may be ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
- an embodiment of the present disclosure shows the structure of a base station.
- the base station 900 may be provided as a network side device.
- base station 900 includes a processing component 922, which further includes one or more processors, and memory resources represented by memory 932 for storing instructions, such as application programs, executable by processing component 922.
- the application program stored in memory 932 may include one or more modules, each corresponding to a set of instructions.
- the processing component 922 is configured to execute instructions to perform any of the foregoing methods applied to the base station.
- Base station 900 may also include a power supply component 926 configured to perform power management of base station 900, a wired or wireless network interface 950 configured to connect base station 900 to a network, and an input/output (I/O) interface 958.
- Base station 900 may operate based on an operating system stored in memory 932, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM or the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
本公开实施例提供一种EAP认证处理方法、装置、通信设备及存储介质;EAP认证处理方法由SMF执行,包括:发送EAP响应消息,其中,EAP响应消息用于DN-AAA服务器启动基于EAP的认证。
Description
本公开涉及但不限于无线通信技术领域,尤其涉及一种EAP认证方法、装置、通信设备及存储介质。
目前无线通信中规定的可扩展的认证协议(Extensible Authentication Protocol,EAP)框架将用于用户设备(User Equipment,UE)和外部数据网络中认证授权计费(data network-(authentication、authorization、accounting),DN-AAA)服务器之间的认证。会话管理功能(Session Management Function,SMF)将扮演认证者的角色。根据目前无线通信,只有在服务器发送EAP请求或者身份信息后,DN-AAA服务器才会收到EAP响应或者身份信息。然而,目前SMF无法向DN-AAA服务器发送EAP响应或者身份信息等。
发明内容
本公开实施例提供一种EAP认证处理方法、装置、通信设备及存储介质。
根据本公开的第一方面,提供一种EAP认证处理方法,由SMF执行,包括:
发送EAP响应消息,其中,EAP响应消息用于DN-AAA服务器启动基于EAP的认证。
在一些实施例中,EAP响应消息,包括:UE的身份信息;EAP响应消息用于DN-AAA服务器启动基于EAP的身份信息的认证。
在一些实施例中,发送EAP响应消息,包括:基于接收到UE的身份信息,向DN-AAA服务器发送EAP响应消息。
在一些实施例中,方法包括:向UE发送EAP请求消息,其中,EAP请求消息,用于请求UE的身份信息。
在一些实施例中,发送EAP响应消息,包括:响应于SMF支持Diameter协议,向DN-AAA服务器发送DER消息,其中,DER消息包括EAP响应消息。
在一些实施例中,发送EAP响应消息,包括:响应于SMF支持RADIUS协议,向DN-AAA服务器发送第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
在一些实施例中,方法包括:向DN-AAA服务器发送第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
向DN-AAA服务器发送第一访问请求包,包括:
若接收到基于第二访问请求确定的第一访问挑战包,向DN-AAA服务器发送第一访问请求包;其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
在一些实施例中,方法包括:接收EAP成功消息,其中,EAP成功消息是DN-AAA服务器确定与UE的EAP认证成功后发送的。
在一些实施例中,接收EAP成功消息,包括:
接收DN-AAA发送的DEA消息,其中,DEA消息包括EAP成功消息;和/或,
接收DN-AAA发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
在一些实施例中,方法还包括:
存储EAP成功认证的UE的身份信息;或者,
将EAP成功认证的UE的身份信息发送给UDM,其中,UE的身份信息用于存储在UDM中。
在一些实施例中,发送EAP响应消息,包括:通过用户面功能(User Plane Function,UPF)向DN-AAA服务器发送EAP响应消息;
和/或,接收EAP成功消息,包括:通过UPF接收DN-AAA服务器发送的EAP成功消息。
在一些实施例中,SMF包括归属会话功能实体(Home Session Management Function,H-SMF);
方法包括:通过拜访地移动会话功能实体(Visited Session Management Function,V-SMF)接收UE发送的UE的身份信息。
根据本公开的第二方面,提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:
接收EAP响应消息;
基于EAP响应消息,启动基于EAP的认证。
在一些实施例中,EAP响应消息,包括:UE的身份信息;
基于EAP响应消息,启动EAP认证,包括:基于EAP响应消息,启动基于EAP的身份信息的认证。
在一些实施例中,接收EAP响应消息,包括:接SMF发送的DER消息,其中,DER消息包括EAP响应消息。
在一些实施例中,接收EAP响应消息,包括:接收SMF发送的第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
在一些实施例中,接收SMF发送的第一访问请求包之前,包括:
接收SMF发送的第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
向SMF发送第一访问挑战包,其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
在一些实施例中,方法包括:
响应于确定与UE的EAP认证成功,发送EAP成功消息。
在一些实施例中,发送EAP成功消息,包括:
向SMF发送的DEA消息,其中,DEA消息包括EAP成功消息;或者,
向SMF发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
在一些实施例中,接收EAP响应消息,包括:
通过UPF接收SMF发送的EAP响应消息;和/或,
发送EAP成功消息,包括:
通过UPF向SMF发送EAP成功消息。
根据本公开的第三方面,提供一种EAP认证处理装置,包括:
第一发送模块,被配置为发送EAP响应消息,其中,EAP响应消息用于DN-AAA服务器启动基于EAP的认证。
在一些实施例中,EAP响应消息,包括:UE的身份信息;EAP响应消息用于DN-AAA服务器启动基于EAP的身份信息的认证。
在一些实施例中,第一发送模块,被配置为基于接收到UE的身份信息,向DN-AAA服务器发送EAP响应消息。
在一些实施例中,第一发送模块,被配置为向UE发送EAP请求消息,其中,EAP请求消息,用于请求UE的身份信息。
在一些实施例中,第一发送模块,被配置为响应于SMF支持Diameter协议,向DN-AAA服务器发送DER消息,其中,DER消息包括EAP响应消息。
在一些实施例中,第一发送模块,被配置为响应于SMF支持RADIUS协议,向DN-AAA服务器发送第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
在一些实施例中,第一发送模块,被配置为向DN-AAA服务器发送第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
第一发送模块,被配置为若接收到基于第二访问请求确定的第一访问挑战包,向DN-AAA服务器发送第一访问请求包;其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
在一些实施例中,装置包括:第一接收模块,被配置为接收EAP成功消息,其中,EAP成功消息是DN-AAA服务器确定与UE的EAP认证成功后发送的。
在一些实施例中,第一接收模块,被配置为接收DN-AAA发送的DEA消息,其中,DEA消息 包括EAP成功消息;和/或
第一接收模块,被配置为接收DN-AAA发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
在一些实施例中,装置还包括:
第一处理模块,被配置为存储EAP成功认证的UE的身份信息;或者,
第一处理模块,被配置为将EAP成功认证的UE的身份信息发送给UDM,其中,UE的身份信息用于存储在UDM中。
在一些实施例中,第一发送模块,被配置为通过UPF向DN-AAA服务器发送EAP响应消息;
和/或,
第一接收模块,被配置为通过UPF接收DN-AAA服务器发送的EAP成功消息。
在一些实施例中,SMF包括H-SMF;
第一接收模块,被配置为通过V-SMF接收UE发送的UE的身份信息。
根据本公开的第二方面,提供一种EAP认证处理装置,由DN-AAA服务器执行,包括:
第二接收模块,被配置为接收EAP响应消息;
第二处理模块,被配置为基于EAP响应消息,启动基于EAP的认证。
在一些实施例中,EAP响应消息,包括:UE的身份信息;
第二处理模块,被配置为基于EAP响应消息,启动基于EAP的身份信息的认证。
在一些实施例中,第二接收模块,被配置为接SMF发送的DER消息,其中,DER消息包括EAP响应消息。
在一些实施例中,第二接收模块,被配置为接收SMF发送的第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
在一些实施例中,第二接收模块,被配置为接收SMF发送的第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
第二发送模块,被配置为向SMF发送第一访问挑战包,其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
在一些实施例中,第二发送模块,被配置为响应于确定与UE的EAP认证成功,发送EAP成功消息。
在一些实施例中,第二发送模块,被配置为向SMF发送的DEA消息,其中,DEA消息包括EAP成功消息;或者,
第二发送模块,被配置为向SMF发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
在一些实施例中,第二接收模块,被配置为通过UPF接收SMF发送的EAP响应消息;和/或,
第二发送模块,被配置为通过UPF向SMF发送EAP成功消息。
根据本公开的第五方面,提供一种通信设备,通信设备,包括:
处理器;
用于存储处理器可执行指令的存储器;
其中,处理器被配置为:用于运行可执行指令时,实现本公开任意实施例的EAP认证处理方法。
根据本公开的第六方面,提供一种计算机存储介质,计算机存储介质存储有计算机可执行程序,可执行程序被处理器执行时实现本公开任意实施例的EAP认证处理方法。
本公开实施例提供的技术方案可以包括以下有益效果:
在本公开实施例中,SMF向DN-AAA服务器发送EAP响应消息,其中,EAP响应消息用于DN-AAA服务器启动基于EAP的认证。如此,可以无需在接收到DN-AAA服务器的EAP请求时,就可以通过SMF向DN-AAA服务发送EAP响应消息,进而有利于实现基于EAP的认证。。
应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本公开实施例。
图1是根据一示例性实施例示出的一种无线通信系统的结构示意图。
图2是根据一示例性实施例示出的一种EAP认证处理方法的示意图。
图3是根据一示例性实施例示出的一种EAP认证处理方法的示意图。
图4是根据一示例性实施例示出的一种EAP认证处理方法的示意图。
图5是根据一示例性实施例示出的一种EAP认证处理方法的示意图。
图6是根据一示例性实施例示出的一种EAP认证处理方法的示意图。
图7是根据一示例性实施例示出的一种EAP认证处理方法的示意图。
图8是根据一示例性实施例示出的一种EAP认证处理装置的框图。
图9是根据一示例性实施例示出的一种EAP认证处理装置的框图。
图10是根据一示例性实施例示出的一种UE的框图。
图11是根据一示例性实施例示出的一种基站的框图。
这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本公开实施例相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本公开实施例的一些方面相一致的装置和方法的例子。
在本公开实施例使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本公开实施例。在本公开实施例和所附权利要求书中所使用的单数形式的“一种”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。还应当理解,本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。
应当理解,尽管在本公开实施例可能采用术语第一、第二、第三等来描述各种信息,但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如,在不脱离本公开实施例范围的情况下,第一信息也可以被称为第二信息,类似地,第二信息也可以被称为第一信息。取决于语境,如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”。
请参考图1,其示出了本公开实施例提供的一种无线通信系统的结构示意图。如图1所示,无线通信系统是基于蜂窝移动通信技术的通信系统,该无线通信系统可以包括:若干个用户设备110以及若干个基站120。
其中,用户设备110可以是指向用户提供语音和/或数据连通性的设备。用户设备110可以经无线接入网(Radio Access Network,RAN)与一个或多个核心网进行通信,用户设备110可以是物联网用户设备,如传感器设备、移动电话(或称为“蜂窝”电话)和具有物联网用户设备的计算机,例如,可以是固定式、便携式、袖珍式、手持式、计算机内置的或者车载的装置。例如,站(Station,STA)、订户单元(subscriber unit)、订户站(subscriber station),移动站(mobile station)、移动台(mobile)、远程站(remote station)、接入点、远程终端(remote terminal)、接入终端(access terminal)、用户终端(user terminal)、用户代理(user agent)、用户设备(user device)、或用户设备(user equipment)。或者,用户设备110也可以是无人飞行器的设备。或者,用户设备110也可以是车载设备,比如,可以是具有无线通信功能的行车电脑,或者是外接行车电脑的无线用户设备。或者,用户设备110也可以是路边设备,比如,可以是具有无线通信功能的路灯、信号灯或者其它路边设备等。
基站120可以是无线通信系统中的网络侧设备。其中,该无线通信系统可以是第四代移动通信技术(the 4th generation mobile communication,4G)系统,又称长期演进(Long Term Evolution,LTE)系统;或者,该无线通信系统也可以是5G系统,又称新空口系统或5G NR系统。或者,该无线通信系统也可以是5G系统的再下一代系统。其中,5G系统中的接入网可以称为新一代无线接入网(New Generation-Radio Access Network,NG-RAN)。
其中,基站120可以是4G系统中采用的演进型基站(eNB)。或者,基站120也可以是5G系统中采用集中分布式架构的基站(gNB)。当基站120采用集中分布式架构时,通常包括集中单元(central unit,CU)和至少两个分布单元(distributed unit,DU)。集中单元中设置有分组数据汇聚协议(Packet Data Convergence Protocol,PDCP)层、无线链路层控制协议(Radio Link Control,RLC)层、媒体接入控制(Medium Access Control,MAC)层的协议栈;分布单元中设置有物理(Physical,PHY)层协议栈,本公开实施例对基站120的具体实现方式不加以限定。
基站120和用户设备110之间可以通过无线空口建立无线连接。在不同的实施方式中,该无线 空口是基于第四代移动通信网络技术(4G)标准的无线空口;或者,该无线空口是基于第五代移动通信网络技术(5G)标准的无线空口,比如该无线空口是新空口;或者,该无线空口也可以是基于5G的更下一代移动通信网络技术标准的无线空口。
在一些实施例中,用户设备110之间还可以建立E2E(End to End,端到端)连接。比如车联网通信(vehicle to everything,V2X)中的车对车(vehicle to vehicle,V2V)通信、车对路边设备(vehicle to Infrastructure,V2I)通信和车对人(vehicle to pedestrian,V2P)通信等场景。
这里,上述用户设备可认为是下面实施例的终端设备。
在一些实施例中,上述无线通信系统还可以包含网络管理设备130。
若干个基站120分别与网络管理设备130相连。其中,网络管理设备130可以是无线通信系统中的核心网设备,比如,该网络管理设备130可以是演进的数据分组核心网(Evolved Packet Core,EPC)中的移动性管理实体(Mobility Management Entity,MME)。或者,该网络管理设备也可以是其它的核心网设备,比如服务网关(Serving GateWay,SGW)、公用数据网网关(Public Data Network GateWay,PGW)、策略与计费规则功能单元(Policy and Charging Rules Function,PCRF)或者归属签约用户服务器(Home Subscriber Server,HSS)等。对于网络管理设备130的实现形态,本公开实施例不做限定。
为了便于本领域内技术人员理解,本公开实施例列举了多个实施方式以对本公开实施例的技术方案进行清晰地说明。当然,本领域内技术人员可以理解,本公开实施例提供的多个实施例,可以被单独执行,也可以与本公开实施例中其他实施例的方法结合后一起被执行,还可以单独或结合后与其他相关技术中的一些方法一起被执行;本公开实施例并不对此作出限定。
需要说明的是,本公开实施例中涉及到多个执行主体时,当一个执行主体向另一个执行主体发送某一传输时,可以是指一个执行主体直接向另一个执行主体发送传输,也可以是指一个执行主体通过其他任意设备向另一个执行主体发送传输;本公开实施例中并不对此进行限定。
如图2所示,本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:
步骤S21:发送EAP响应消息,其中,EAP响应消息用于DN-AAA服务器启动基于EAP的认证。
在一个实施例中,步骤S21可以是:接收UE发送的EAP响应消息。
这里,UE可以是各种移动终端或固定终端。例如,该UE可以是但不限于是手机、计算机、服务器、可穿戴设备、车载终端、路侧单元(RSU,Road Side Unit)、游戏控制平台或多媒体设备等。
这里,SMF、DN-AAA服务器及以下涉及的UPF等均可以是通信网络中灵活部署的逻辑节点或者功能等。例如,SMF、DN-AAA服务器及UPF均可以是核心网侧的逻辑节点或者功能;又如,DN-AAA服务器是与核心网连接的数据网络中的逻辑节点或者功能。
在一个实施例中,EAP响应消息可以是EAP response-identity消息或者EAP response/identity消 息。这里,该EAP response-identity消息或者EAP response/identity消息是一种封装格式的消息。
在一个实施例中,若UE处于非漫游情况下或者本地分流(Local Breakout,LBO)漫游情况下,SMF为单个SMF。
在另一个实施例中,若UE处于归属地路由(home-routed roaming,HR)漫游情况下,SMF包括:拜访地会话管理功能(V-SMF)及归属地会话管理功能(H-SMF);其中,H-SMF向DN-AAA服务器发送EAP响应消息。
在一个实施例中,步骤S21中发送EAP响应消息,包括:通过UPF向DN-AAA服务器发送EAP响应消息。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:通过UPF向DN-AAA服务器发送EAP响应消息。
在本公开实施例中,SMF向DN-AAA服务器发送EAP响应消息,该EAP响应消息用于DN-AAA服务器启动基于EAP的认证;如此,可以无需在接收到DN-AAA服务器的EAP请求时,就可以通过SMF向DN-AAA服务发送EAP响应消息,进而有利于实现基于EAP的认证。
并且,可以通过UPF转发SMF发送的EAP响应消息给DN-AAA服务器,实现了成功将EAP响应消息发送给DN-AAA服务器。
在一些实施例中,EAP响应消息,包括:UE的身份信息;EAP响应消息用于DN-AAA服务器启动基于EAP的身份信息的认证。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:发送EAP响应消息,其中,EAP响应消息包括UE的身份信息;EAP响应消息用于DN-AAA服务器启动基于EAP的身份信息的认证。
这里,UE的身份信息,可以用于唯一标识UE。
示例性的,UE的身份信息可以是UE的标识信息。例如,UE的标识信息可以是但不限于是签约用户永久标识(Subscriber Permanent Identifier,SUPI)、通用公共订阅标识(Generic Public Subscription Identifier,GPSI)及用户隐藏标识(Subscription Concealed Identifier,SUCI)等的其中之一。又如,UE的标识信息可以是网络设备与UE协商的或者通信协议规定的编号或者索引等。
这里,SMF可以获取UE的身份信息。例如,可以接收接入与移动性管理功能(Access and Mobility Management Function,AMF)发送的UE的身份信息。
如此,在本公开实施例中,可以直接通过SMF发送携带UE的身份信息的EAP响应消息,从而有利于实现对基于EAP对UE的身份信息的认证。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的方法,可以被单独执行,也可以与本公开实施例中一些方法或相关技术中的一些方法一起被执行。
在一些实施例中,步骤S21中发送EAP响应消息,包括:基于接收到UE的身份信息,向DN-AAA 服务器发送EAP响应消息。
如图3所示,本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:
步骤S31:基于接收到UE的身份信息,向DN-AAA服务器发送EAP响应消息。
在本公开的一些实施例中,EAP响应消息可以是步骤S21中EAP响应消息;UE的身份信息可以是上述实施例中UE的身份信息。
在本公开的一些实施例中,SMF可以为上述实施例中SMF;例如SMF可以为单个SMF;又如,SMF可以为V-SMF及H-SMF。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:接收AMF发送的UE的身份信息;其中,UE的身份信息是AMF从UE中获取的。
在一些实施例中,步骤S31,包括:基于接收到EAP响应消息,向DN-AAA服务器发送EAP响应消息,其中,EAP响应消息包括UE的身份信息。
如此,在本公开实施例中,SMF可以获取UE主动发送给SMF的UE的身份信息,就可以向DN-AAA服务器发送的EAP响应消息以触发基于EAP的认证。
在一些实施例中,SMF包括H-SMF;
方法包括:通过V-SMF接收UE发送的UE的身份信息。
本公开实施例提供一种EAP认证处理方法,由H-SMF执行,包括:通过V-SMF接收UE发送的UE的身份信息。这里,V-SMF可以从AMF中获取UE的身份信息。
如此,在HR漫游的情况下时,可以H-SMF可以基于V-SMF获取UE发送的UE的身份信息。
在一些实施例中,步骤S21之前,包括:向UE发送EAP请求消息,其中,EAP请求消息,用于请求UE的身份信息。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:
向UE发送EAP请求消息,其中,EAP请求消息,用于请求UE的身份信息;
基于接收到UE的身份信息,向DN-AAA服务器发送EAP响应消息。
在一个实施例中,EAP请求消息可以是EAP Request-Identity消息或者EAP Request/Identity消息。这里,EAP Request-Identity消息或者EAP Request/Identity消息是一种分装格式的消息。
这里,SMF向UE发送EAP请求消息后,也可以是:接收到UE发送的EAP响应消息,其中,EAP响应消息包括UE的身份信息。
这里,SMF向UE发送EAP请求消息可以是:SMF向AMF发送EAP请求消息,AMF将EAP请求消息发送给UE。SMF接收UE发送的UE的身份信息可以是:AMF接收UE发送的UE的身份信息,并将UE的身份信息转发给SMF。这里,SMF与UE之间的交互可以通过AMF实现。
如此,在本公开实施例中,SMF可以通过主动向UE发送EAP请求消息,以请求UE发送的UE的身份信息或者包括UE的身份信息的EAP请求消息。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的方法,可以被单独执行,也可以与本公开实施例中一些方法或相关技术中的一些方法一起被执行。
在一些实施例中,步骤S21中发送EAP响应消息,包括:响应于SMF支持Diameter协议,向DN-AAA服务器发送DER消息,其中,DER消息包括EAP响应消息。
如图4所示,本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:
步骤S41:响应于SMF支持Diameter协议,向DN-AAA服务器发送DER消息,其中,DER消息包括EAP响应消息。
在本公开的一些实施例中,EAP响应消息可以是步骤S21中EAP响应消息;UE的身份信息可以是上述实施例中UE的身份信息。
在本公开的一些实施例中,SMF可以为上述实施例中SMF;例如SMF可以为单个SMF;又如,SMF可以为V-SMF及H-SMF的其中至少之一。
在一个实施例中,DER消息可以是Diameter-EAP-Request消息。
在一个实施例中,DER消息的EAP有效载荷(via EAP payload)携带EAP响应消息;EAP响应消息包括身份信息。
在一个实施例中,UPF支持的协议可与SMF支持的协议保持一致。示例性的,若SMF支持Diameter协议,则UPF支持Diameter协议。
在另一个实施例中,UPF支持的协议也可与SMF支持的协议不保持一致。示例性的,若SMF支持Diameter协议,UPF也可以不支持Diameter协议;这里,UPF可用于转发消息。
如此,在本公开实施例中,当SMF支持Diameter协议时,可以通过Diameter协议承载该EAP响应消息,从而使得DN-AAA服务器能够读懂EAP响应消息。例如读懂EAP响应消息中包括的UE的身份信息等。
并且,在本公开实施例中,可以直接通过SMF给DN-AAA服务器发送EAP响应消息,以触发UE与DN-AAA服务器基于EAP的UE的身份信息的验证;如此可以减少信令的交互。
在一些实施例中,步骤S21中发送EAP响应消息,包括:响应于SMF支持RADIUS协议,向DN-AAA服务器发送第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
如图5所示,本公实施例提供一种EAP认证处理方法,由SMF执行,包括:
步骤S51:响应于SMF支持RADIUS协议,向DN-AAA服务器发送第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
这里,第一访问请求包可以是Access-Request packet;EAP消息属性可以是EAP-Message attribute。
在一些实施例中,方法包括:向DN-AAA服务器发送第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
步骤S51中向DN-AAA服务器发送第一访问请求包,包括:若接收到基于第二访问请求确定的第一访问挑战包,向DN-AAA服务器发送第一访问请求包;其中,第一访问挑战包,用于请求EAP响应消息。
本公实施例提供一种EAP认证处理方法,由SMF执行,包括:
向DN-AAA服务器发送第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
若接收到基于第二访问请求确定的第一访问挑战包,向DN-AAA服务器发送第一访问请求包;其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
这里,第二访问请求包可以是Access-Request packet;EAP开始消息可以是EAP-Start消息。
这里,第一访问挑战包可以是Access-Challenge packet。这里,第一访问挑战包,可用于请求UE的身份信息。
示例性的,SMF向DN-AAA服务器发送第二访问请求包(Access-Request packet),该第二访问请求包,包括指示EAP开始(EAP-Start)消息的EAP消息属性(EAP-Message attribute(s));该第二访问请求包用于触发DN-AAA服务器请求UE的身份信息。DN-AAA服务器接收到SMF发送第二访问请求包后,向SMF发送第一访问挑战包(Access-Challenge packet),其中,第一访问挑战包括分装了EAP请求消息的EAP消息属性,且第一访问挑战包用于请求EAP响应消息。SMF接收到到该第一访问挑战包后,向DN-AAA服务器发送第一访问请求包(Access-Request packet),该第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息(EAP Response/Identity message)。这里,EAP响应消息包括UE的身份信息。
当然,在其它实施例中,第一访问请求包和第二访问请求包均可以是其它任意可实现格式的请求包;第一访问挑战包及第二访问挑战包均可以是其它任意可实现格式挑战包;在此不对第一访问请求包、第二访问请求包、第一访问挑战包及第二访问挑战包作限制。
在其它的实施例中,EAP响应消息也可以封装在第一访问请求包中的任意单元中,在此不对EAP响应消息被携带在第一访问请包的具体形式作限制。
在一个实施例中,UPF支持的协议可与SMF支持的协议保持一致。示例性的,若SMF支持Radius协议,则UPF支持Radius协议。
在另一个实施例中,UPF支持的协议也可与SMF支持的协议不保持一致。示例性的,若SMF支持Radius协议,UPF也可以不支持Radius协议;这里,UPF可用于转发消息。
如此,在本公开实施例中,当SMF支持RADIUS协议时,可以通过RADIUS协议承载该EAP响应消息,从而使得DN-AAA服务器能够读懂EAP响应消息。例如读懂EAP响应消息中包括的UE的身份信息等。
并且,在通常情况下是不允许UE触发基于EAP的UE的身份信息的认证;但由于本公开实施例中可使用RADIUS协议,从而可以使得该RADIUS协议可以通过发送EAP-Start消息以触发DN-AAA服务器请求EAP响应消息。如此可以通过EAP-Start消息触发基于EAP的认证,进而实现了UE主动触发基于EAP的UE的身份信息的认证。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的方法,可以被单独执行,也可以与本公开实施例中一些方法或相关技术中的一些方法一起被执行。
本公实施例提供一种EAP认证处理方法,由SMF执行,包括:接收EAP成功消息,其中,EAP成功消息是DN-AAA服务器确定与UE的EAP认证成功后发送的。
在一些实施例中,接收EAP成功消息,包括:
接收DN-AAA发送的DEA消息,其中,DEA消息包括EAP成功消息;和/或,
接收DN-AAA发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
这里,EAP成功消息,用于指示基于EAP的UE的身份信息认证成功。这里,DN-AAA服务器与UE的EAP认证成功是指:DN-AAA服务器基于EAP的UE的身份信息认证成功。这里,UE的身份信息是被授权的身份信息。
在一个实施例中,DEA消息可以是Diameter-EAP-Answer消息。
在一个实施例中,DEA消息的有效载荷(via EAP payload)携带EAP成功消息。
在一个实施例中,第二访问挑战包可以是Access-Challenge packet。
在一个实施例中,第二访问挑战包的EAP消息属性携带EAP成功消息。
示例性的,SMF若支持Diameter协议,SMF接收DN-AAA服务器发送的DEA消息,该DEA消息包括EAP成功消息;SMF基于该EAP成功消息确定基于EAP的UE的身份信息认证成功。
示例性的,SMF若支持RADIUS协议,SMF接收DN-AAA服务器发送的第二访问挑战包,该第二访问挑战包的EAP消息属性包括EAP成功消息;SMF基于该EAP成功消息确定基于EAP的UE的身份信息认证成功。
如此,在本公开实施例中,SMF若支持Diameter协议和/或RADIUS协议时,可以通过接收Diameter协议分装的DEA消息和/或RADIUS协议分装第二访问包,从而确定获得并读懂DEA消息和/或第二访问挑战包中的内容。
在一些实施例中,接收EAP成功消息,包括:通过UPF接收DN-AAA服务器发送的EAP成功消息。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:通过UPF接收DN-AAA服务器发送的EAP成功消息。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:通过UPF接收DN-AAA发送的DEA消息,其中,DEA消息包括EAP成功消息;和/或,接收DN-AAA发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
在本公开实施例中,可以通过UPF转发DN-AAA服务器发送的EAP成功消息给SMF,以使得SMF可以成功接收到该EAP成功消息。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的方法,可以被单独执行,也可以与本公开实施例中一些方法或相关技术中的一些方法一起被执行。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:存储EAP成功认证的UE的 身份信息。
这里,SMF还可以存储以下至少之一:
EAP成功认证的UE的身份信息及对应的数据网络(DN)的标识信息;
EAP成功认证的UE的身份信息及对应的DN-AAA服务器的标识信息。
如此,本公开实施例可以通过存储EAP成功认证的UE的身份信息,以利于后续基于UE的身份信息的相关操作。
本公开实施例提供一种EAP认证处理方法,由SMF执行,包括:将EAP成功认证的UE的身份信息发送给UDM,其中,UE的身份信息用于存储在UDM中。
示例性的,SMF可以将EAP成功认证的UE的身份信息发送给UDM;UDM接收到UE的身份信息后将该UE的身份信息存储在授权信息中。若SMF还发送与UE的身份信息对应的DN的标识信息及DN-AAA服务器的标识信息等给UDM,UDM也可以将DN的标识信息和/或DN-AAA服务器的标识信息与UE的身份信息对应存储。
在本公开实施例中,SMF可以将EAP成功认证的UE的身份信息及与UE的身份信息相关的DN标识信息和/或DN-AAA服务器的标识信息等发送给UDM,以使得UDM可以存储该些信息;如此有利于后续基于UE的身份信息的相关操作。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的方法,可以被单独执行,也可以与本公开实施例中一些方法或相关技术中的一些方法一起被执行。
以下一种基于EAP认证处理方法,是由DN-AAA服务器执行的,与上述由SMF执行的EAP认证处理方法的描述是类似的;且,对于由DN-AAA服务器执行的EAP认证处理方法实施例中未披露的技术细节,请参照由SMF执行的EAP认证处理方法示例的描述,在此不做详细描述说明。
如图6所示,本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:
步骤S61:接收EAP响应消息;
步骤S62:基于EAP响应消息,启动基于EAP的认证。
在本公开的一些实施例中,EAP响应消息可以为步骤S21中EAP响应消息;UE的身份信息可以是上述实施例中UE的身份信息。
示例性的,EAP响应消息可以是EAP response-identity消息或者EAP response/identity消息。
示例性的,UE的身份信息可以是UE的标识信息。例如,UE的标识信息可以是但不限于是SUPI、GPSI及SUCI等的其中之一。又如,UE的标识信息可以是网络设备与UE协商的或者通信协议规定的编号或者索引等。
在一个实施例中,S61可以是接收SMF发送的EAP响应信息。
在本公开的一些实施例中,SMF可以是上述实施例中SMF。示例性的,SMF可以为单个SMF。示例性的,SMF可以为V-SMF及H-SMF的其中至少之一。
在一些实施例中,EAP响应消息,包括:UE的身份信息;
步骤S62,包括:基于EAP响应消息,启动基于EAP的身份信息的认证。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:基于EAP响应消息,启动基于EAP的身份信息的认证。
在一些实施例中,步骤S61,包括:接SMF发送的DER消息,其中,DER消息包括EAP响应消息。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:接SMF发送的DER消息,其中,DER消息包括EAP响应消息。
在本公开的一些实施例中,DER消息可以是上述实施例中DER消息。示例性的,DER消息可以是Diameter-EAP-Request消息。示例性的,DER消息的EAP有效载荷(via EAP payload)携带EAP响应消息;EAP响应消息包括身份信息。
在一些实施例中,步骤S61,包括:接收SMF发送的第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:接收SMF发送的第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
在本公开的一些实施例中,第一访问请求包、第二访问请求包分别可以是上述实施例中第一请求包、第二访问请求包;EAP消息属性可以是上述实施例中EAP消息属性。示例性的,第一访问请求包、第二访问请求包均可以是Access-Request packet。示例性的,EAP消息属性可以是EAP-Message attribute。
在一些实施例中,接收SMF发送的第一访问请求包之前,包括:
接收SMF发送的第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
向SMF发送第一访问挑战包,其中,第一访问挑战包,用于请求EAP响应消息。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:
接收SMF发送的第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
向SMF发送第一访问挑战包,其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
在本公开的一些实施例中,第一访问挑战包、第二访问挑战包分别可以是上述实施例中第一访问挑战包、第二访问挑战包;EAP开始消息可以是上述实施例中EAP开始消息。示例性的,第一访问挑战包、第二访问挑战包均可以是Access-Challenge packet。示例性的EAP开始消息可以是EAP-Start消息。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:响应于确定与UE 的EAP认证成功,发送EAP成功消息。
在一些实施例中,发送EAP成功消息,包括:
向SMF发送的DEA消息,其中,DEA消息包括EAP成功消息;或者,向SMF发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:向SMF发送的DEA消息,其中,DEA消息包括EAP成功消息;或者,向SMF发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
在一些实施例中,接收EAP响应消息,包括:通过UPF接收SMF发送的EAP响应消息。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:通过UPF接收SMF发送的EAP响应消息。
在一些实施例中,发送EAP成功消息,包括:通过UPF向SMF发送EAP成功消息。
本公开实施例提供一种EAP认证处理方法,由DN-AAA服务器执行,包括:通过UPF向SMF发送EAP成功消息。
以上实施方式,具体可以参见第一UE侧的表述,在此不再赘述。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的方法,可以被单独执行,也可以与本公开实施例中一些方法或相关技术中的一些方法一起被执行。
为了进一步解释本公开任意实施例,以下提供一个具体实施例。
在一些应用场景中,基于DN-AAA服务器的二次认证,可以是除了5G的初次认证,5G网络还支持由外部DN-AAA服务器进行基于EAP的二次认证。基于DN-AAA服务器的二次认证的过程涉及漫游和非漫游两种情况;在非漫游情况下,不涉及V-SMF;在归属地路由(HR)漫游情况下,V-SMF将代理VPLMN中AFM和HPLMN中H-SMF之间的信令;在本地分流(LBO)漫游情况下,只涉及VPLMN的一个SMF。注意:以下实施例中步骤S701至步骤S706可参见协议中4.2.2.2.2和4.3.2.2.1TS 23.502[3]。
以下实施例中涉及的H-SMF与H-UPF之间的交互,可通过N4消息来实现;和/或,以下涉及的UE或者UE客户端与AMF之间的交互,可通过N1消息来实现;和/或,以下涉及的AMF与SMF之间的交互,可通过N11消息来实现;和/或,以下涉及的H-UPF与DN-AAA服务器之间的交互,可通过N6消息来实现。当然,在本公开的其它实施例中,各网元或者逻辑节点或者功能,与其它网络或者逻辑节点或者功能之间的交互可以通过任意可实现的消息或者信令等交互,在此不作限制。
如图7所示,本公开实施例提供一种EAP认证处理方法,由通信设备执行,通信设备包括:SMF、DN-AAA服务器、AMF、V-SMF、H-SMF、归属地用户面功能(H-UPF)、及认证服务器功能(authentication server function,AUSF)的其中至少之一;方法包括以下步骤:
步骤S701:发送注册请求;
在一个可选实施例中,UE(EAP客户端)向AMF发送注册请求。
这里,UE(EAP客户端)可以是指UE或者UE对应的EAP客户端。
步骤S702:初次认证;
在一个可选实施例中,UE(EAP客户端)与AUSF执行初级认证(或者主认证)。
步骤S703:建立NAS安全模式;
在一个可选实施例中,UE(EAP客户端)与AMF建立非接入层(NAS)安全上下文。
步骤S704:发送PDU会话建立请求;
在一个可选实施例中,UE(EAP客户端)向AMF发送NAS消息,其中,NAS消息用于发起新的会话协议数据单元(Protocol Data Unit,PDU)会话的建立;该NAS消息包括N1_SM容器内的PDU会话建立请求、切片信息、PDU会话ID及PDN的其中至少之一。这里,切片信息可以由单网络切片选择辅助信息(single network slice selection assistance information,S-NSSAI)标识确定;PDN为UE想要连接的分组数据网络(packet data network,PDN),且PDN由数据网络名(Data Network Name,DNN)标识确定。这里,N1_SM容器为一个荷载。
这里,PDU会话请求可包括SM_PDU DN请求容器IE,SM_PDU DN请求容器IE包括外部DN对PDU会话授权的信息。
步骤S705a:发送Nsmf_PDUSession_CreateSMCContext请求;
在一个可选实施例中,AMF确定一个V-SMF,并将Nsmf PDUSession CreateSMContext请求或Nsmf PDUSession UpdateSMContext请求发送给V-SMF。
步骤S705b:接收Nsmf_PDUSession_CreateSMCContext响应;
在一个可选实施例中,AMF接收V-SMF发送的Nsmf PDUSession CreateSMContext响应或Nsmf PDUSession UpdateSMContext响应。
这里,在单个SMF参与PDU会话建立的情况下,例如在非漫游或者LBO漫游时,单个SMF担当V-SMV和H-SMF情况。在这里情况下,跳过步骤S706或者步骤S717。
在步骤S705b后,还包括:继续PDU会话建立请求流程(cf.4.3.2.2.2 TS 23.502);
步骤S706:发送Nsmf_PDUSession_Create请求;
在一个可选实施例中,V-SMF向H-SMF发送Nsmf_PDUSession_Create请求。
步骤S707:SMF从UDM获取订阅信息,并验证UE的请求是否合规;
在一个可选实施例中,对于步骤S705中从AMF获得的给定SUPI,H-SMF从UDM获得订阅数据。SMF检测订阅数据是否需要二次认证,以及根据用户订阅和本地策略是否允许UE请求。如果不允许,H-SMF将通过SM–NAS信令拒绝UE的请求,并跳过该步骤的剩余步骤。如果需要二次验证,则SMF还可已检测UE是否已经被相对DN认证和/或授权;例如,被步骤S705中DNN所指示,或者在先前的PDU会话建立中被相同的AAA服务器认证和/或授权;若是,SMF可跳过步骤S708至S715。
在一个可选实施例中,UE和SMF局之间成功认证和/或授权的信息可以保存在SMF和/或UDM。
步骤S708:启动EAP身份验证;
在一个可选实施例中,H-SMF将触发EAP的认证以从DN-AAA服务器获得授权信息。如果不存在的现有的NA4会话,H-SMF选择一个UPF与之建立N4会话。H-SMF向DN-AAA服务器通知GPSI;且若PDU会话是IP_PDU类型,则通知分配该PDU会话的UE的IP地址;或者若PDU会话是以太网PDU类型,则通知分配该PDU会话的MAC地址。
步骤S709:发送EAP-请求/认证;
这里,EAP-请求/认证,可以为上述实施例中EAP请求消息。
在一个可选实施例中,H-SMF向UE发送EAP-请求/认证(EAP Request/Identity)。
步骤S710:接收EAP-响应/认证;
这里,EAP-响应/认证,可以为上述实施例中EAP响应消息;
在一可选实施例中,UE(EAP客户端)H-SMF接收UE发送的EAP-响应/认证(EAP Response/Identit)。
这里,特定DN的身份应符合网络接入标识符(NAI)格式。
这里,为了避免步骤S709和步骤S710的额外往返,可在步骤S704中由UE发送次级认证DN特定身份。在这种情况下,H-SMF形成包含身份信息的EAP响应消息(EAP Response/Identity message)。
步骤S711:N4会话建立;
在一个可选实施例中,若不存在现有的N4会话,H-SMF选择一个UPF,并与该UPF建立N4会话。这里,H-SMF选择的UPF可以为H-UPF。这里,H-SMF与H-UPF之间的交互可通过N4会话来传输。
在一个可选实施例中,若H-SMF支持Diameter协议,则H-UPF至少支持Diameter协议;和/或,若H-SMF支持Radius协议,则H-UPF至少支持Radius协议。
在另一个可选实施例中,若H-SMF支持Diameter协议和/或Radius协议,则H-UPF可不支持Diameter协议和/或Radius协议。这里,H-UPF可用于转发消息,例如转发DER消息或者访问包等。
这里,步骤S712包括步骤S712a;或者,步骤S712包括步骤S712b至步骤S712d。
步骤S712a:N4传输DER消息,其中,DER消息包括EAP响应消息;
在一个可选实施例中,若UE的身份信息由UE提供,UE的身份信息(DN特定身份)被转发到UPF。H-SMF基于UE提供的身份信息和本地配置来识别DN-AAA服务器。若H-SMF支持Diameter协议,通过H-UPF向DN-AAA服务器发送DER(Diameter-EAP-Request)消息;其中,DER消息的EAP有效载荷(via EAP payload)携带EAP响应消息;EAP响应消息包括身份信息。这里,H-SMF支持Diameter协议,可以是:Diameter协议可应用在EAP中且EAP响应消息可被H-SMF(或者SMF)接收。这里,可跳过步骤S712b至S712c。
这里,H-SMF通过H-UPF向DN-AAA服务器发送DER消息,包括:H-SMF向H-UPF发送DER消息,H-UPF向DN-AAA服务器发送DER消息。
步骤S712b:发送第二访问请求包,其中,第二访问请求包,包括指示EAP开始消息的EAP消 息属性;
在一个可选实施例中,若H-SMF支持RADIUS协议,通过H-UPF向DN-AAA服务器发送第二访问请求包(Access-Request packet);第二访问请求包,包括指示EAP开始(EAP-Start)消息的EAP消息属性(EAP-Message attribute);EAP-Start消息用于触发DN-AAA服务器请求EAP响应消息。
这里,H-SMF通过H-UPF向DN-AAA服务器发送第二访问请求包,包括:H-SMF向H-UPF发送第二访问请求包,H-UPF向DN-AAA服务器发送第二访问请求包。
步骤S712c:接收第一访问挑战包,其中,第一访问挑战包,用于请求EAP响应消息;
在一个可选实施例中,H-SMF通过H-UPF接收DN-AAA服务器发送的第一访问挑战包(Access-Challenge packet);第一访问挑战包括封装了EAP请求消息的EAP消息属性;EAP请求消息包用于请求EAP响应消息。
这里,H-SMF通过H-UPF接收DN-AAA服务器发送的第一访问挑战包,可以是:H-UPF接收DN-AAA服务器的第一访问挑战包,并将第一访问挑战包发送给H-SMF。
步骤S712d:发送第一访问请求包,其中,第一访问请求包,包括EAP响应消息;
在一个可选实施例中,H-SMF通过H-UPF向DN-AAA服务器发送第一访问请求包(Access-Request packet),其中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应信息,EAP响应信息包括UE的身份信息。
这里,H-SMF通过H-UPF向DN-AAA服务器发送第一访问请求包,可以是:H-SMF向H-UPF发送第一访问请求包,H-UPF向DN-AAA服务器发送第一访问请求包。
步骤S713:通过N4和/或NAS交互EAP请求消息或者EAP响应消息;
在一个可选实施例中,UE与DN-AAA服务器之间可通过N4和/或NAS交互EAP消息,其中,EAP消息包括EAP请求消息或者EAP响应消息。这里,UE与DN-AAA服务器之间还可交互协议的条款5.6.6中定义的附加授权信息。
这里,步骤S714包括步骤S714a或者步骤S714b。
步骤S714a:接收DEA消息,其中,DEA消息包括EAP成功消息;
在一个可选实施例中,若H-SMF支持Diameter协议,通过H-UPF接收DEA(Diameter-EAP-Answer)消息;其中,DEA消息的有效载荷携带EAP成功消息;EAP成功消息用于指示EAP认证成功。
这里,H-SMF通过H-UPF接收DEA消息,可以是:H-UPF接收DEA消息,并将DEA消息发送给H-SMF。
步骤S714b:接收第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息;
在一个可选实施例中,若H-SMF支持RADIUS协议,通过H-UPF接收第二访问挑战包;其中,第二访问挑战包,包括EAP成功消息;EAP成功消息用于指示EAP认证成功。
这里,H-SMF通过H-UPF接收第二访问挑战包,可以是:H-UPF接收第二访问挑战包,并将第二访问挑战包发送给H-SMF。
步骤S715:EAP身份验证结束;
在一个可选实施例中,H-SMF确定基于EAP的认证结束。H-SMF将UE的身份信息、DNN、DN及DN-AAA服务器的标识信息的其中之一存储在H-SMF中,以用于UE与H-SMF之间的成功认证或者授权。或者,H-SMF还可以将UE的身份信息、DNN、DN及DN-AAA服务器的标识信息的其中之一发送给UDM,以供UDM进行存储。
这里,H-SMF可以是上述实施例中SMF。
在步骤S715后,还包括:继续PDU会话建立请求流程(cf.4.3.2.2.2 TS 23.502)。
这里,H-SMF确定UE的身份信息授权成功后,确定继续PDU会话建立请求流程。
步骤S716a:发送N4会话修改请求;
在一个可选实施例中,H-SMF向H-UPF发送N4会话修改请求,以请求发起与H-UPF的N4会话修改过程。
步骤S716b:接收N4会话修改响应;
在一个可选实施例中,H-SMF接收H-UPF发送的N4会话修改响应,以确定发起与H-UPF的N4会话修改过程。
步骤S717:发送Nsmf_PDUSession_Create响应,Nsmf_PDUSession_Create响应携带EAP成功消息;
在一个可选实施例中,H-SMF向V-SMF发送Nsmf_PDUSession_Create响应,Nsmf_PDUSession_Create响应携带EAP成功消息。
步骤S718:发送Namf_Communication_N1N2消息,Namf_Communication_N1N2消息携带EAP成功消息;
在一个可选实施例中,V-SMF向AMF发送Namf_Communication_N1N2消息,Namf_Communication_N1N2消息携带EAP成功消息。
步骤S719:PDU建立接受,EAP成功;
在一个可选实施例中,AMF向UE(客户端)发送NAS_SM_PDU会话建立接受消息,该NAS_SM_PDU会话建立接受消息包括EAP成功消息。
在一个可选实施例中,步骤S719之后,包括:执行如Figure 4.3.2.2.2-1 of TS 23.502的步骤。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的方法,可以被单独执行,也可以与本公开实施例中一些方法或相关技术中的一些方法一起被执行。
如图8所示,本公开实施例提供一种EAP认证处理装置,包括:
第一发送模块51,被配置为发送EAP响应消息,其中,EAP响应消息用于DN-AAA服务器启动基于EAP的认证。
本公开实施例提供的EAP认证处理装置,可应用于SMF中。
在一些实施例中,EAP响应消息,包括:UE的身份信息;EAP响应消息用于DN-AAA服务器 启动基于EAP的身份信息的认证。
本公开实施例提供一种EAP认证处理装置,包括:第一发送模块51,被配置为发送EAP响应消息,包括:UE的身份信息;其中,EAP响应消息用于DN-AAA服务器启动基于EAP的身份信息的认证。
本公开实施例提供一种EAP认证处理装置,包括:第一发送模块51,被配置为基于接收到UE的身份信息,向DN-AAA服务器发送EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:第一发送模块51,被配置为向UE发送EAP请求消息,其中,EAP请求消息,用于请求UE的身份信息;
本公开实施例提供一种EAP认证处理装置,包括:第一发送模块51,被配置为响应于SMF支持Diameter协议,向DN-AAA服务器发送DER消息,其中,DER消息包括EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:第一发送模块51,被配置为响应于SMF支持RADIUS协议,向DN-AAA服务器发送第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:
第一发送模块51,被配置为向DN-AAA服务器发送第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
第一发送模块51,被配置为若接收到基于第二访问请求确定的第一访问挑战包,向DN-AAA服务器发送第一访问请求包;其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:第一接收模块,被配置为接收EAP成功消息,其中,EAP成功消息是DN-AAA服务器确定与UE的EAP认证成功后发送的。
本公开实施例提供一种EAP认证处理装置,包括:第一接收模块,被配置为接收DN-AAA发送的DEA消息,其中,DEA消息包括EAP成功消息。
本公开实施例提供一种EAP认证处理装置,包括:第一接收模块,被配置为接收DN-AAA发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
本公开实施例提供一种EAP认证处理装置,包括:第一处理模块,被配置为存储EAP成功认证的UE的身份信息。
本公开实施例提供一种EAP认证处理装置,包括:第一处理模块,被配置为将EAP成功认证的UE的身份信息发送给UDM,其中,UE的身份信息用于存储在UDM中。
本公开实施例提供一种EAP认证处理装置,包括:第一发送模块51,被配置为通过UPF向DN-AAA服务器发送EAP响应消息;和/或,
第一接收模块,被配置为通过UPF接收DN-AAA服务器发送的EAP成功消息。
在一些实施例中,SMF包括H-SMF。
本公开实施例提供一种EAP认证处理装置,包括:第一接收模块,被配置为通过V-SMF接收UE发送的UE的身份信息。
如图9所示,本公开实施例提供一种EAP认证处理装置,包括:
第二接收模块61,被配置为接收EAP响应消息;
第二处理模块62,被配置为基于EAP响应消息,启动基于EAP的认证。
本公开实施例提供一种EAP认证处理装置,可应用于DN-AAA服务器中。
在一些实施例中,EAP响应消息,包括:UE的身份信息;
第二处理模块62,被配置为基于EAP响应消息,启动基于EAP的身份信息的认证。
本公开实施例提供一种EAP认证处理装置,包括:第二处理模块62,被配置为基于EAP响应消息,启动基于EAP的身份信息的认证。
本公开实施例提供一种EAP认证处理装置,包括:第二接收模块61,被配置为接SMF发送的DER消息,其中,DER消息包括EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:第二接收模块61,被配置为接收SMF发送的第一访问请求包,其中,第一访问请求包,包括:EAP响应消息。
在一些实施例中,第一访问请求包,包括EAP消息属性;EAP消息属性包括EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:
第二接收模块61,被配置为接收SMF发送的第二访问请求包;其中,第二访问请求包,用于触发DN-AAA服务器请求EAP响应消息;
第二发送模块,被配置为向SMF发送第一访问挑战包,其中,第一访问挑战包,用于请求EAP响应消息。
在一些实施例中,第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,EAP开始消息用于触发DN-AAA服务器请求EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:第二发送模块,被配置为响应于确定与UE的EAP认证成功,发送EAP成功消息。
本公开实施例提供一种EAP认证处理装置,包括:第二发送模块,被配置为向SMF发送的DEA消息,其中,DEA消息包括EAP成功消息。
本公开实施例提供一种EAP认证处理装置,包括:第二发送模块,被配置为向SMF发送的第二访问挑战包,其中,第二访问挑战包,包括EAP成功消息。
本公开实施例提供一种EAP认证处理装置,包括:第二接收模块61,被配置为通过UPF接收SMF发送的EAP响应消息。
本公开实施例提供一种EAP认证处理装置,包括:第二发送模块,被配置为通过UPF向SMF发送EAP成功消息。
需要说明的是,本领域内技术人员可以理解,本公开实施例提供的装置,可以被单独执行,也 可以与本公开实施例中一些装置或相关技术中的一些装置一起被执行。
关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。
本公开实施例提供一种通信设备,包括:
处理器;
用于存储处理器可执行指令的存储器;
其中,处理器被配置为:用于运行可执行指令时,实现本公开任意实施例的EAP认证处理方法。
在一个实施例中,通信设备可以包括但不限于至少之一:UE、SMF、DN-AAA服务器及UPF。
其中,处理器可包括各种类型的存储介质,该存储介质为非临时性计算机存储介质,在用户设备掉电之后能够继续记忆存储其上的信息。
处理器可以通过总线等与存储器连接,用于读取存储器上存储的可执行程序,例如,如图2至图7示的方法的至少其中之一。
本公开实施例还提供一种计算机存储介质,计算机存储介质存储有计算机可执行程序,可执行程序被处理器执行时实现本公开任意实施例的EAP认证处理方法。例如,如图2至图7所示的方法的至少其中之一。
关于上述实施例中的装置或者存储介质,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。
图10是根据一示例性实施例示出的一种用户设备800的框图。例如,用户设备800可以是移动电话,计算机,数字广播用户设备,消息收发设备,游戏控制台,平板设备,医疗设备,健身设备,个人数字助理等。
参照图10,用户设备800可以包括以下一个或多个组件:处理组件802,存储器804,电源组件806,多媒体组件808,音频组件810,输入/输出(I/O)的接口812,传感器组件814,以及通信组件816。
处理组件802通常控制用户设备800的整体操作,诸如与显示,电话呼叫,数据通信,相机操作和记录操作相关联的操作。处理组件802可以包括一个或多个处理器820来执行指令,以完成上述的方法的全部或部分步骤。此外,处理组件802可以包括一个或多个模块,便于处理组件802和其他组件之间的交互。例如,处理组件802可以包括多媒体模块,以方便多媒体组件808和处理组件802之间的交互。
存储器804被配置为存储各种类型的数据以支持在用户设备800的操作。这些数据的示例包括用于在用户设备800上操作的任何应用程序或方法的指令,联系人数据,电话簿数据,消息,图片,视频等。存储器804可以由任何类型的易失性或非易失性存储设备或者它们的组合实现,如静态随机存取存储器(SRAM),电可擦除可编程只读存储器(EEPROM),可擦除可编程只读存储器 (EPROM),可编程只读存储器(PROM),只读存储器(ROM),磁存储器,快闪存储器,磁盘或光盘。
电源组件806为用户设备800的各种组件提供电力。电源组件806可以包括电源管理系统,一个或多个电源,及其他与为用户设备800生成、管理和分配电力相关联的组件。
多媒体组件808包括在所述用户设备800和用户之间的提供一个输出接口的屏幕。在一些实施例中,屏幕可以包括液晶显示器(LCD)和触摸面板(TP)。如果屏幕包括触摸面板,屏幕可以被实现为触摸屏,以接收来自用户的输入信号。触摸面板包括一个或多个触摸传感器以感测触摸、滑动和触摸面板上的手势。所述触摸传感器可以不仅感测触摸或滑动动作的边界,而且还检测与所述触摸或滑动操作相关的持续时间和压力。在一些实施例中,多媒体组件808包括一个前置摄像头和/或后置摄像头。当用户设备800处于操作模式,如拍摄模式或视频模式时,前置摄像头和/或后置摄像头可以接收外部的多媒体数据。每个前置摄像头和后置摄像头可以是一个固定的光学透镜系统或具有焦距和光学变焦能力。
音频组件810被配置为输出和/或输入音频信号。例如,音频组件810包括一个麦克风(MIC),当用户设备800处于操作模式,如呼叫模式、记录模式和语音识别模式时,麦克风被配置为接收外部音频信号。所接收的音频信号可以被进一步存储在存储器804或经由通信组件816发送。在一些实施例中,音频组件810还包括一个扬声器,用于输出音频信号。
I/O接口812为处理组件802和外围接口模块之间提供接口,上述外围接口模块可以是键盘,点击轮,按钮等。这些按钮可包括但不限于:主页按钮、音量按钮、启动按钮和锁定按钮。
传感器组件814包括一个或多个传感器,用于为用户设备800提供各个方面的状态评估。例如,传感器组件814可以检测到设备800的打开/关闭状态,组件的相对定位,例如所述组件为用户设备800的显示器和小键盘,传感器组件814还可以检测用户设备800或用户设备800一个组件的位置改变,用户与用户设备800接触的存在或不存在,用户设备800方位或加速/减速和用户设备800的温度变化。传感器组件814可以包括接近传感器,被配置用来在没有任何的物理接触时检测附近物体的存在。传感器组件814还可以包括光传感器,如CMOS或CCD图像传感器,用于在成像应用中使用。在一些实施例中,该传感器组件814还可以包括加速度传感器,陀螺仪传感器,磁传感器,压力传感器或温度传感器。
通信组件816被配置为便于用户设备800和其他设备之间有线或无线方式的通信。用户设备800可以接入基于通信标准的无线网络,如WiFi,4G或5G,或它们的组合。在一个示例性实施例中,通信组件816经由广播信道接收来自外部广播管理系统的广播信号或广播相关信息。在一个示例性实施例中,所述通信组件816还包括近场通信(NFC)模块,以促进短程通信。例如,在NFC模块可基于射频识别(RFID)技术,红外数据协会(IrDA)技术,超宽带(UWB)技术,蓝牙(BT)技术和其他技术来实现。
在示例性实施例中,用户设备800可以被一个或多个应用专用集成电路(ASIC)、数字信号处理器(DSP)、数字信号处理设备(DSPD)、可编程逻辑器件(PLD)、现场可编程门阵列(FPGA)、 控制器、微控制器、微处理器或其他电子元件实现,用于执行上述方法。
在示例性实施例中,还提供了一种包括指令的非临时性计算机可读存储介质,例如包括指令的存储器804,上述指令可由用户设备800的处理器820执行以完成上述方法。例如,所述非临时性计算机可读存储介质可以是ROM、随机存取存储器(RAM)、CD-ROM、磁带、软盘和光数据存储设备等。
如图11所示,本公开一实施例示出一种基站的结构。例如,基站900可以被提供为一网络侧设备。参照图11,基站900包括处理组件922,其进一步包括一个或多个处理器,以及由存储器932所代表的存储器资源,用于存储可由处理组件922的执行的指令,例如应用程序。存储器932中存储的应用程序可以包括一个或一个以上的每一个对应于一组指令的模块。此外,处理组件922被配置为执行指令,以执行上述方法前述应用在所述基站的任意方法。
基站900还可以包括一个电源组件926被配置为执行基站900的电源管理,一个有线或无线网络接口950被配置为将基站900连接到网络,和一个输入输出(I/O)接口958。基站900可以操作基于存储在存储器932的操作系统,例如Windows Server TM,Mac OS XTM,UnixTM,LinuxTM,FreeBSDTM或类似。
本领域技术人员在考虑说明书及实践这里公开的发明后,将容易想到本发明的其它实施方案。本公开旨在涵盖本发明的任何变型、用途或者适应性变化,这些变型、用途或者适应性变化遵循本发明的一般性原理并包括本公开未公开的本技术领域中的公知常识或惯用技术手段。说明书和实施例仅被视为示例性的,本发明的真正范围和精神由下面的权利要求指出。
应当理解的是,本发明并不局限于上面已经描述并在附图中示出的精确结构,并且可以在不脱离其范围进行各种修改和改变。本发明的范围仅由所附的权利要求来限制。
Claims (28)
- 一种EAP认证处理方法,其中,由会话管理功能实体SMF执行,包括:发送可扩展认证协议EAP响应消息,其中,所述EAP响应消息用于数据网络认证授权计费DN-AAA服务器启动基于EAP的认证。
- 根据权利要求1所述的方法,其中,所述EAP响应消息,包括:用户设备UE的身份信息;所述EAP响应消息用于所述DN-AAA服务器启动基于EAP的所述身份信息的认证。
- 根据权利要求2所述的方法,其中,所述发送可扩展认证协议EAP响应消息,包括:基于接收到所述UE的所述身份信息,向所述DN-AAA服务器发送所述EAP响应消息。
- 根据权利要求3所述的方法,其中,所述方法包括:向所述UE发送EAP请求消息,其中,所述EAP请求消息,用于请求所述UE的所述身份信息。
- 根据权利要求2至4任一项所述的方法,其中,所述发送可扩展认证协议EAP响应消息,包括:响应于所述SMF支持Diameter协议,向DN-AAA服务器发送DER消息,其中,所述DER消息包括EAP响应消息。
- 根据权利要求2至4任一项所述的方法,其中,所述发送可扩展认证协议EAP响应消息,包括:响应于所述SMF支持RADIUS协议,向DN-AAA服务器发送第一访问请求包,其中,所述第一访问请求包,包括:所述EAP响应消息。
- 根据权利要求6所述的方法,其中,所述第一访问请求包,包括EAP消息属性;所述EAP消息属性包括所述EAP响应消息。
- 根据权利要求6所述的方法,其中,所述方法包括:向所述DN-AAA服务器发送第二访问请求包;其中,所述第二访问请求包,用于触发所述DN-AAA服务器请求所述EAP响应消息;所述向所述DN-AAA服务器发送第一访问请求包,包括:若接收到基于第二访问请求确定的第一访问挑战包,向所述DN-AAA服务器发送所述第一访问请求包;其中,所述第一访问挑战包,用于请求所述EAP响应消息。
- 根据权利要求8所述的方法,其中,所述第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,所述EAP开始消息用于触发所述DN-AAA服务器请求所述EAP响应消息。
- 根据权利要求1至4任一项所述的方法,其中,所述方法包括:接收EAP成功消息,其中,所述EAP成功消息是所述DN-AAA服务器确定与UE的EAP认证成功后发送的。
- 根据权利要求10所述的方法,其中,所述接收EAP成功消息,包括:接收所述DN-AAA发送的DEA消息,其中,所述DEA消息包括所述EAP成功消息;和/或,接收所述DN-AAA发送的第二访问挑战包,其中,所述第二访问挑战包,包括所述EAP成功消息。
- 根据权利要求10所述的方法,其中,所述方法还包括:存储EAP成功认证的UE的身份信息;或者,将EAP成功认证的UE的身份信息发送给UDM,其中,所述UE的身份信息用于存储在所述UDM中。
- 根据权利要求10所述的方法,其中,所述发送可扩展认证协议EAP响应消息,包括:通过用户面功能UPF向所述DN-AAA服务器发送所述EAP响应消息;和/或,所述接收EAP成功消息,包括:通过UPF接收所述DN-AAA服务器发送的所述EAP成功消息。
- 根据权利要求3或4所述的方法,其中,所述SMF包括归属会话功能实体H-SMF;所述方法包括:通过拜访地移动会话功能实体V-SMF接收所述UE发送的所述UE的所述身份信息。
- 一种EAP认证处理方法,其中,由数据网络认证授权计费DN-AAA服务器执行,包括:接收可扩展认证协议EAP响应消息;基于所述EAP响应消息,启动基于EAP的认证。
- 根据权利要求15所述的方法,其中,所述EAP响应消息,包括:用户设备UE的身份信息;所述基于所述EAP响应消息,启动EAP认证,包括:基于所述EAP响应消息,启动基于EAP的所述身份信息的认证。
- 根据权利要求15或16所述的方法,其中,所述接收可扩展认证协议EAP响应消息,包括:接收会话管理功能实体SMF发送的DER消息,其中,所述DER消息包括EAP响应消息。
- 根据权利要求15或16所述的方法,其中,所述接收可扩展认证协议EAP响应消息,包括:接收SMF发送的第一访问请求包,其中,所述第一访问请求包,包括:所述EAP响应消息。
- 根据权利要求18所述的方法,其中,所述第一访问请求包,包括EAP消息属性;所述EAP消息属性包括所述EAP响应消息。
- 根据权利要求18所述的方法,其中,所述接收SMF发送的第一访问请求包之前,包括:接收所述SMF发送的第二访问请求包;其中,所述第二访问请求包,用于触发所述DN-AAA服务器请求所述EAP响应消息;向所述SMF发送第一访问挑战包,其中,所述第一访问挑战包,用于请求所述EAP响应消息。
- 根据权利要求20所述的方法,其中,所述第二访问请求包,包括指示EAP开始消息的EAP消息属性,其中,所述EAP开始消息用于触发所述DN-AAA服务器请求所述EAP响应消息。
- 根据权利要求15或16所述的方法,其中,所述方法包括:响应于确定与UE的EAP认证成功,发送EAP成功消息。
- 根据权利要求22所述的方法,其中,所述发送EAP成功消息,包括:向SMF发送的DEA消息,其中,所述DEA消息包括所述EAP成功消息;或者,向所述SMF发送的第二访问挑战包,其中,所述第二访问挑战包,包括所述EAP成功消息。
- 根据权利要求22所述的方法,其中,所述接收可扩展认证协议EAP响应消息,包括:通过UPF接收SMF发送的所述EAP响应消息;和/或,所述发送EAP成功消息,包括:通过UPF向所述SMF发送所述EAP成功消息。
- 一种EAP认证处理装置,包括:第一发送模块,被配置为发送可扩展认证协议EAP响应消息,其中,所述EAP响应消息用于数据网络认证授权计费DN-AAA服务器启动基于EAP的认证。
- 一种EAP认证处理装置,包括:第二接收模块,被配置为接收可扩展认证协议EAP响应消息;处理模块,被配置为基于所述EAP响应消息,启动基于EAP的认证。
- 一种通信设备,其中,所述通信设备,包括:处理器;用于存储所述处理器可执行指令的存储器;其中,所述处理器被配置为:用于运行所述可执行指令时,实现权利要求1至14、或者权利要求15至24任一项所述的EAP认证处理方法。
- 一种计算机存储介质,其中,所述计算机存储介质存储有计算机可执行程序,所述可执行程序被处理器执行时实现权利要求1至14、或者权利要求15至24任一项所述的EAP认证处理方法。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2022/104718 WO2024007325A1 (zh) | 2022-07-08 | 2022-07-08 | Eap认证方法、装置、通信设备及存储介质 |
CN202280002554.8A CN117678254A (zh) | 2022-07-08 | 2022-07-08 | Eap认证方法、装置、通信设备及存储介质 |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2022/104718 WO2024007325A1 (zh) | 2022-07-08 | 2022-07-08 | Eap认证方法、装置、通信设备及存储介质 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024007325A1 true WO2024007325A1 (zh) | 2024-01-11 |
Family
ID=89454626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/104718 WO2024007325A1 (zh) | 2022-07-08 | 2022-07-08 | Eap认证方法、装置、通信设备及存储介质 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117678254A (zh) |
WO (1) | WO2024007325A1 (zh) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110291803A (zh) * | 2017-05-09 | 2019-09-27 | 英特尔Ip公司 | 蜂窝网络中的隐私保护和可扩展认证协议认证和授权 |
WO2021034093A1 (ko) * | 2019-08-19 | 2021-02-25 | 엘지전자 주식회사 | 릴레이를 위한 인증 |
US20210218744A1 (en) * | 2020-01-15 | 2021-07-15 | Cisco Technology, Inc. | Extending secondary authentication for fast roaming between service provider and enterprise network |
CN113472724A (zh) * | 2020-03-31 | 2021-10-01 | 中国联合网络通信集团有限公司 | 一种网络认证方法、设备及系统 |
WO2021228932A1 (en) * | 2020-05-13 | 2021-11-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Secondary or slice-specific access control in a wireless communication network |
WO2021233362A1 (zh) * | 2020-05-22 | 2021-11-25 | 华为技术有限公司 | 认证授权的方法和装置 |
-
2022
- 2022-07-08 CN CN202280002554.8A patent/CN117678254A/zh active Pending
- 2022-07-08 WO PCT/CN2022/104718 patent/WO2024007325A1/zh active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110291803A (zh) * | 2017-05-09 | 2019-09-27 | 英特尔Ip公司 | 蜂窝网络中的隐私保护和可扩展认证协议认证和授权 |
WO2021034093A1 (ko) * | 2019-08-19 | 2021-02-25 | 엘지전자 주식회사 | 릴레이를 위한 인증 |
US20210218744A1 (en) * | 2020-01-15 | 2021-07-15 | Cisco Technology, Inc. | Extending secondary authentication for fast roaming between service provider and enterprise network |
CN113472724A (zh) * | 2020-03-31 | 2021-10-01 | 中国联合网络通信集团有限公司 | 一种网络认证方法、设备及系统 |
WO2021228932A1 (en) * | 2020-05-13 | 2021-11-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Secondary or slice-specific access control in a wireless communication network |
WO2021233362A1 (zh) * | 2020-05-22 | 2021-11-25 | 华为技术有限公司 | 认证授权的方法和装置 |
Non-Patent Citations (2)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security Aspects of Proximity based Services (ProSe) in the 5G System (5GS) (Release 17)", 3GPP STANDARD; TECHNICAL SPECIFICATION; 3GPP TS 33.503, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V0.3.0, 7 March 2022 (2022-03-07), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 42, XP052144442 * |
QUALCOMM INCORPORATED: "Open issues for control plane authentication/authorisation and secondary authentication for L3 UE-NW Relays", 3GPP DRAFT; S2-2201999, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. e-meeting; 20220406 - 20220412, 29 March 2022 (2022-03-29), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP052132853 * |
Also Published As
Publication number | Publication date |
---|---|
CN117678254A (zh) | 2024-03-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2023184195A1 (zh) | 支持增强现实业务能力协商方法及装置、网元、ue及存储介质 | |
WO2024007325A1 (zh) | Eap认证方法、装置、通信设备及存储介质 | |
RU2760872C1 (ru) | Способ управления службой локальной вычислительной сети и устройство связи | |
WO2023231018A1 (zh) | 个人物联网pin基元凭证配置方法、装置、通信设备及存储介质 | |
WO2024164337A1 (zh) | 定位服务的授权方法、装置、通信设备及存储介质 | |
WO2024092735A1 (zh) | 通信控制方法、系统及装置、通信设备及存储介质 | |
WO2024092801A1 (zh) | 认证方法、装置、通信设备及存储介质 | |
WO2024055329A1 (zh) | 邻近服务ProSe的无线通信方法、装置、通信设备及存储介质 | |
WO2024092467A1 (zh) | 信息传输方法、装置、通信设备和存储介质 | |
WO2024000124A1 (zh) | 寻呼协商方法、装置、通信设备及存储介质 | |
WO2024000121A1 (zh) | Ims会话方法、装置、通信设备及存储介质 | |
WO2024164340A1 (zh) | Qos监控结果的订阅方法、装置、通信设备及存储介质 | |
WO2024031399A1 (zh) | Ue加入pin的方法及装置、通信设备及存储介质 | |
WO2023070685A1 (zh) | 中继通信的方法、装置、通信设备及存储介质 | |
WO2024031640A1 (zh) | 一种信息传输方法、装置、通信设备及存储介质 | |
WO2023220893A1 (zh) | 中继通信方法、装置、通信设备及存储介质 | |
WO2023070509A1 (zh) | 信息处理方法及装置、通信设备及存储介质 | |
WO2023245354A1 (zh) | 安全保护方法、装置、通信设备及存储介质 | |
WO2024207382A1 (zh) | 信息处理方法以及装置、通信设备及存储介质 | |
WO2024164203A1 (zh) | Pdu会话方法及装置、通信设备及存储介质 | |
WO2024031565A1 (zh) | 信息处理方法以及装置、通信设备及存储介质 | |
WO2024000115A1 (zh) | Ims会话方法、装置、通信设备及存储介质 | |
WO2023216276A1 (zh) | 认证方法、装置、通信设备及存储介质 | |
WO2024164345A1 (zh) | 信息处理方法、系统及装置、通信设备及存储介质 | |
WO2024192638A1 (zh) | 信息处理方法及装置、通信设备及存储介质 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 202280002554.8 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22949906 Country of ref document: EP Kind code of ref document: A1 |