
CN103379494B - The non-moving certification that mobile network gateway connects - Google Patents


Info

Publication number
CN103379494B
Authority
CN
China
Prior art keywords
network
mobile
access
wireless device
mobility information
Legal status
Active
Application number
CN201310034761.4A
Other languages
Chinese (zh)
Other versions
CN103379494A
Inventor
哈特穆特·施勒德尔
尼科拉斯·道森·基特森
斯里尼瓦萨·特拉库拉
Current Assignee
Jungle Network
Original Assignee
Jungle Network
Priority claimed from US 13/553,543 (US9264898B2)
Application filed by Jungle Network
Publication of CN103379494A
Application granted
Publication of CN103379494B
Legal status: Active


Abstract

The invention relates to non-mobile authentication for mobile network gateway connections. In general, a technique is described for emulating a mobile authentication method in order to establish an authenticated connection between a mobile service gateway and a wireless device attached to an alternate access network. For example, a system operating according to the technique includes a mobile service provider network, an alternate access network having an access gateway, and an authentication server of the mobile service provider network that receives a network access request. A customer database responds to the network access request with virtual mobility information, wherein the network access request does not include an international mobile subscriber identity (IMSI) and the virtual mobility information includes a virtual IMSI. The access gateway uses the virtual mobility information to signal a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

Description

Non-Mobile Authentication for Mobile Network Gateway Connections

Priority Claim

This application claims priority to U.S. Patent Application No. 13/553,543, filed July 19, 2012, which claims priority to U.S. Provisional Application No. 61/639,008, filed April 26, 2012; the entire contents of each prior application are incorporated herein by reference.

Technical Field

The present disclosure relates to mobile networks and, more particularly, to authentication for mobile networks.

Background

The use of wireless devices to access computer data networks has increased greatly in recent years. These wireless devices provide a platform for both cellular telephone calls and cellular-based access to computer data services. For example, a typical cellular radio access network is a collection of cells, each of which includes at least one base station capable of transmitting signals to, and relaying signals from, customers' wireless devices. A "cell" generally refers to a specific area of a mobile network that uses a particular frequency or frequency range for data transmission. A typical base station is a tower to which multiple antennas, which transmit and receive data over a particular frequency, are affixed. Wireless devices such as cellular or mobile phones, smartphones, camera phones, personal digital assistants (PDAs) and laptop computers can initiate or transmit signals to the base station at a designated frequency to start a call or data session and begin transmitting data.

A mobile service provider network converts cellular signals (for example, time division multiple access (TDMA), orthogonal frequency division multiplexing (OFDM) or code division multiple access (CDMA) signals received at a base station from wireless devices) into Internet Protocol (IP) packets for transmission over packet-based networks. A number of standards have been proposed to facilitate this conversion of cellular signals to IP packets and their transmission, such as the General Packet Radio Service (GPRS) standardized by the Global System for Mobile Communications (GSM) Association, the Universal Mobile Telecommunications System (UMTS) architecture, the evolution of UMTS known as Long Term Evolution (LTE), Mobile IP standardized by the Internet Engineering Task Force (IETF), and other standards proposed by the Third Generation Partnership Project (3GPP), the Third Generation Partnership Project 2 (3GPP/2) and the Worldwide Interoperability for Microwave Access (WiMAX) Forum.

A typical 3GPP mobile service provider network (also a "mobile network" or "cellular network") includes a core packet-switched network, a transport network and one or more radio access networks. The core packet-switched network of the mobile network establishes logical connections, known as bearers, among many service nodes on a path between a wireless device attached to one of the radio access networks and a packet data network (PDN). The service nodes then use the bearers to carry customer traffic exchanged between the wireless device and the PDN, which may include, for example, the Internet, an enterprise intranet, a layer 3 VPN and the service provider's private network. The various PDNs provide a range of packet-based data services to wireless devices, enabling a wireless device to exchange customer data with applications or other servers of the PDN. The ever-increasing number of services available to an ever-increasing number of mobile client devices places pressure on the available mobile network resources.

A mobile network gateway is a service node of the mobile service provider network that operates as a gateway to the PDN and serves as an anchor point for wireless device mobility. The mobile network gateway applies policy and charging rules to customer data traffic between the PDN and wireless devices in order to perform charging functions and manage service connections so that core, transport and radio network resources are used efficiently. Different services, such as Internet, e-mail, voice and multimedia, have different quality of service (QoS) requirements, which may moreover vary from user to user.

The widespread use of wireless devices and users' growing expectation of fast network access from anywhere in the world have raised many challenges. For example, the widespread use of cellular wireless devices has placed heavy demands on data services over service providers' mobile networks, often straining the mobile network and causing delayed or lost data communications. In addition to supporting a connection to a PDN via a wireless interface to the cellular mobile network, some wireless devices also support wireless capabilities for exchanging data via an alternate access network (a non-mobile network) separate from the mobile service provider's cellular network. For example, many wireless devices include a wireless local area network (WLAN) interface that provides data service when a WiFi "hotspot" or other wireless access point (WAP) is present. Other examples of such wireless capabilities may include Bluetooth or near field communication (NFC). When a WLAN is present, a user may wish to switch wireless data service to the WLAN, thereby speeding up data transfer, reducing cost and avoiding any delays associated with the mobile service provider network.

Summary

Mobile networks typically rely on subscriber identity module (SIM) based authentication, whereby the mobile network receives the international mobile subscriber identity (IMSI) stored on the SIM of the wireless device in order to look up the account information and status, subscribed services and service level of the customer using that wireless device. In general, this disclosure describes techniques for using an alternative customer identifier to establish an authenticated connection between a mobile service provider gateway and a wireless device attached to an alternate access network, thereby emulating SIM-based or mobile authentication methods.

For example, a wireless access gateway (WAG) of the alternate access network operates as a SaMOG to enable a GTP-based connection with the mobile network gateway of the mobile network. Using a non-mobile authentication method, the wireless device sends customer credentials that do not include an IMSI to the SaMOG-based WAG. The WAG forwards the customer credentials to an authentication, authorization and accounting (AAA) server, which uses the customer credentials to query a customer database that is not the mobile network's home location register (HLR). The customer database looks up the customer credentials and returns the customer's IMSI and MSISDN to the AAA server, which forwards the IMSI and MSISDN to the WAG, emulating an HLR-based lookup of customer account information. In the mobile network HLR, the IMSI and MSISDN may or may not be associated with the customer.

The WAG sends the IMSI and MSISDN to the mobile network gateway to request a GTP tunnel between the WAG and the mobile network gateway. Upon receiving a reply from the mobile network gateway that includes the end-user IP address for the customer's wireless device, the WAG creates a packet data protocol (PDP) context that associates the customer-facing connection over the alternate access network between the WAG and the wireless device with the uplink and downlink GTP tunnels between the WAG and the mobile network gateway. The WAG uses the PDP context to provide a PDP bearer for a service session between the wireless device and the mobile network gateway, which can thereby apply mobile policies to, and charge for, the customer data traffic of the service session.
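The exchange described in the two paragraphs above (credential without IMSI, AAA lookup against a customer database that is not the HLR, virtual IMSI/MSISDN returned to the WAG, GTP session requested from the mobile network gateway, PDP context recorded), as an added simulation that is not part of the patent and not code from the applicant. Every class, message field, identifier and database record below is constructed for illustration; the AAA stand-in also shows the two checks a defender would want at this hop, that an unknown credential is refused and that whatever the customer database returns is a well-formed 15-digit IMSI before it is handed to the gateway.

```python
"""Constructed simulation of the non-mobile authentication flow: a wireless
access gateway (WAG) receives an access request that carries no IMSI, an AAA
server resolves the credential against a customer database kept separate from
the HLR, and the returned *virtual* IMSI/MSISDN is used to signal the mobile
network gateway for a GTP-anchored session.  All names, records and message
shapes are constructed for illustration."""
import re
from dataclasses import dataclass

IMSI_RE = re.compile(r"^\d{15}$")  # an IMSI is 15 decimal digits (MCC+MNC+MSIN)


class AuthError(Exception):
    """Raised when the non-mobile authentication path cannot proceed."""


@dataclass(frozen=True)
class VirtualMobilityInfo:
    imsi: str        # virtual IMSI: assigned by the operator, not read from a SIM
    msisdn: str
    virtual: bool = True


class CustomerDatabase:
    """Stand-in for the customer database that is not the HLR; records are
    keyed by a non-IMSI credential (username + password, both constructed)."""

    def __init__(self, records):
        self._records = records

    def lookup(self, username, password):
        rec = self._records.get(username)
        if rec is None or rec["password"] != password:
            return None
        return VirtualMobilityInfo(imsi=rec["virtual_imsi"], msisdn=rec["msisdn"])


class AAAServer:
    """Answers the WAG's access request with virtual mobility information,
    emulating an HLR-based lookup without consulting the HLR."""

    def __init__(self, customer_db):
        self.db = customer_db

    def access_request(self, request):
        if "imsi" in request:   # only the no-IMSI path is modelled here
            raise AuthError("request carries an IMSI; not a non-mobile request")
        info = self.db.lookup(request["username"], request["password"])
        if info is None:
            raise AuthError("credential not found in customer database")
        if not IMSI_RE.match(info.imsi):
            raise AuthError("customer database returned a malformed IMSI")
        return info


class MobileNetworkGateway:
    """GGSN/PGW stand-in: takes the IMSI/MSISDN in a create-PDP-context
    request and replies with an end-user IP and its own tunnel endpoint."""

    def __init__(self):
        self.sessions = {}

    def create_pdp_context(self, imsi, msisdn, wag_teid):
        end_user_ip = f"10.0.0.{len(self.sessions) + 1}"   # constructed pool
        gw_teid = 0x2000 + len(self.sessions)
        self.sessions[imsi] = {"msisdn": msisdn, "end_user_ip": end_user_ip,
                               "wag_teid": wag_teid, "gw_teid": gw_teid}
        return {"end_user_ip": end_user_ip, "gw_teid": gw_teid}


class WirelessAccessGateway:
    """SaMOG-style WAG: forwards credentials to AAA, uses the returned virtual
    IMSI/MSISDN to request a GTP tunnel, and keeps the PDP context that ties the
    customer-facing connection to the uplink/downlink tunnels."""

    def __init__(self, aaa, gateway):
        self.aaa, self.gateway = aaa, gateway
        self.pdp_contexts = {}    # device_id -> PDP context
        self._next_teid = 0x1000  # TEIDs the gateway will send downlink data to

    def attach(self, request):
        info = self.aaa.access_request(request)
        wag_teid, self._next_teid = self._next_teid, self._next_teid + 1
        reply = self.gateway.create_pdp_context(info.imsi, info.msisdn, wag_teid)
        pdp = {"device_id": request["device_id"], "imsi": info.imsi,
               "msisdn": info.msisdn, "end_user_ip": reply["end_user_ip"],
               "uplink_teid": reply["gw_teid"], "downlink_teid": wag_teid,
               "imsi_is_virtual": info.virtual}
        self.pdp_contexts[request["device_id"]] = pdp
        return pdp


# Constructed customer record; 001/01 is a test-network MCC/MNC, not a live one.
CUSTOMER_DB = CustomerDatabase({
    "alice@example.net": {"password": "s3cret", "virtual_imsi": "001010123456789",
                          "msisdn": "15551234567"},
})


def demo_attach():
    """One successful non-mobile attach; returns the resulting PDP context."""
    wag = WirelessAccessGateway(AAAServer(CUSTOMER_DB), MobileNetworkGateway())
    return wag.attach({"device_id": "02:00:00:aa:bb:cc",   # constructed WLAN MAC
                       "username": "alice@example.net", "password": "s3cret"})


def demo_reject(username, password):
    """True when the AAA server refuses the credential and no session is built."""
    wag = WirelessAccessGateway(AAAServer(CUSTOMER_DB), MobileNetworkGateway())
    try:
        wag.attach({"device_id": "02:00:00:dd:ee:ff",
                    "username": username, "password": password})
    except AuthError:
        return not wag.pdp_contexts
    return False
```

The `imsi_is_virtual` flag carried in the PDP context is a design choice of the simulation: because the page states that the virtual IMSI may or may not correspond to a customer in the HLR, the gateway side needs some way to tell an IMSI that was SIM-authenticated from one that was minted by the customer database, and keeping that bit next to the session is the simplest place to apply different policy to the two.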

In some examples, the techniques described herein allow a mobile service provider to apply policy and charging functions to the customer data traffic of a wireless device attached to the mobile network gateway using a virtual IMSI (that is, an IMSI not obtained from the wireless device's SIM). Because some types of non-cellular alternate access networks do not (or tend not to) provide SIM-based authentication such as EAP-SIM or EAP-AKA, a non-mobile authentication method that does not require an IMSI may allow a SaMOG-based WAG nevertheless to authenticate the wireless device and establish a GTP-based service session with the mobile network gateway. As a result, in some cases the techniques may allow both the mobile and the fixed (that is, via the alternate access network) customer data traffic of a wireless device to be concentrated at the mobile network gateway for unified policy and charging control using unmodified Gx, Gy and Rx interfaces. In some cases the techniques may also achieve IP address preservation for seamless, uninterrupted handover of the wireless device between the mobile network and the alternate access network.

In one aspect, a method includes receiving, with an authentication server of a mobile service provider network, a network access request for a wireless device from an access gateway of an alternate access network, wherein the network access request does not include an international mobile subscriber identity (IMSI). The method further includes, in response to the network access request, obtaining virtual mobility information from a customer database of the mobile service provider network, wherein the virtual mobility information includes a virtual IMSI. The method further includes sending the virtual mobility information from the authentication server to the access gateway. The method further includes signaling, by the access gateway using the virtual mobility information, a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

In another aspect, a method is performed by an access gateway of an alternate access network. The method includes receiving a network access request for a wireless device, wherein the network access request does not include an IMSI. The method further includes extracting a wireless device identifier from the network access request and sending the wireless device identifier to an authorization server to request mobility information for the wireless device. The method further includes receiving virtual mobility information for the wireless device and using the virtual mobility information to signal a mobile network gateway of a mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

In another aspect, an authentication system for a mobile service provider network includes a home location register (HLR), a customer database separate from the HLR, and an authentication server that receives a network access request for a wireless device from an access gateway of an alternate access network, wherein the network access request does not include an IMSI. The authentication server sends a representation of the network access request to the customer database; the customer database responds to that representation with virtual mobility information that includes a virtual IMSI; and the authentication server sends the virtual mobility information to the access gateway.

In another aspect, a non-transitory computer-readable storage medium includes instructions for causing one or more programmable processors of an access gateway of a mobile service provider network to receive a network access request for a wireless device, wherein the network access request does not include an IMSI, to extract a wireless device identifier from the network access request, and to send the wireless device identifier to an authorization server to request mobility information for the wireless device. The instructions further cause the programmable processors to receive, in response to the request, virtual mobility information for the wireless device, wherein the virtual mobility information includes a virtual IMSI, and to use the virtual mobility information to signal a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over an alternate access network anchored by the mobile network gateway.

In another aspect, a system includes a mobile service provider network that includes a cellular access network, and an alternate access network that includes an access gateway. An authentication server of the mobile service provider network receives a network access request for a wireless device from the access gateway. The system further includes a customer database for the mobile service provider network that responds to the network access request with virtual mobility information, wherein the network access request does not include an IMSI and the virtual mobility information includes a virtual IMSI, and wherein the access gateway uses the virtual mobility information to signal a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

In another aspect, a method includes using a customer identifier that does not include an IMSI to establish, for a wireless device attached to an alternate access network, an authenticated connection between a mobile service provider gateway and an access gateway of the alternate access network, thereby emulating a mobile-based authentication method.

The details of one or more examples are set forth in the accompanying drawings and the description below. Other features, objects and advantages will be apparent from the description and drawings, and from the claims.

Brief Description of the Drawings

FIGS. 1A to 1C are block diagrams illustrating example network systems that include network components operating in accordance with the described techniques.

FIGS. 2A and 2B are sequence diagrams illustrating an example of operation of network devices to perform non-mobile authentication for establishing a service session between a wireless device and a mobile network gateway for access services to a PDN, in a manner consistent with the techniques described herein.

FIGS. 3A and 3B are sequence diagrams illustrating an example of operation of network devices to perform non-mobile authentication of a service session between a wireless device and a mobile network gateway for access services to a PDN, in a manner consistent with the techniques described herein.

FIG. 4 is a block diagram illustrating an example network system in which a client device is attached to a broadband access network that uses non-mobile authentication, according to the techniques described herein, to establish a service session with a mobile service provider network.

FIGS. 5A and 5B are sequence diagrams illustrating example operation of a network system in which a client device is attached to a broadband access network that uses non-mobile authentication, according to some aspects of the techniques described herein, to establish a service session with a mobile service provider network.

Like reference characters denote like elements throughout the figures and text.

Detailed Description

FIG. 1A is a block diagram illustrating an example network system 2 in which various network components operate according to the described techniques. In the example of FIG. 1A, network system 2 includes network components that provide non-mobile authentication of a wireless device 4 attached to an alternate access network 10 outside mobile service provider network 8 (hereinafter "SP network 8"). Network system 2 includes an example SP network 8 having a cellular network 6 that allows data communication between wireless device 4 and a packet data network (PDN) 12, such as the Internet. SP network 8 is an example of a public land mobile network (PLMN) and, in the illustrated example, may be the home PLMN for the customer associated with wireless device 4.

The techniques of this disclosure allow a connection to be established between a wireless device, when attached to alternate access network 10, and SP network 8 using a non-mobile authentication method. As described in further detail below, the techniques of this disclosure may enable the mobile service provider operating SP network 8 to apply policy and charging functions to the customer data traffic of wireless device 4 using a virtual IMSI (that is, an IMSI not obtained from the SIM of wireless device 4).

Wireless device 4 represents, for example, any mobile communication device that supports local wireless (for example, "WiFi") network access by way of a wireless LAN interface using any of the IEEE 802.11 communication protocols. Wireless device 4 may optionally support cellular radio access for communication with base station 14, which together with radio network controller (RNC) 18 represents the radio access network of SP network 8. Wireless device 4 may represent, for example, a mobile phone; a laptop, tablet or other mobile computer, optionally including, for example, a 3G/4G wireless card; or a personal digital assistant (PDA) having WLAN communication and optional cellular communication capabilities. Wireless device 4 may run one or more software applications, such as a VoIP client, video games, video conferencing, e-mail and an Internet browser. PDN 12 supports one or more packet-based services that are available on request by, and for use by, wireless device 4. A particular application running on wireless device 4 may require access to services provided by PDN 12, such as mobile telephony, video games, video conferencing and e-mail. In various architectural examples, wireless device 4 may also be referred to as user equipment (UE) or a mobile station (MS). One example of a wireless device is described in U.S. Patent Application No. 12/967,977, entitled "MULTI-SERVICE VPN NETWORK CLIENT FOR WIRELESS DEVICE", filed December 14, 2010, and incorporated herein by reference. Wireless device 4 may optionally store a unique identifier, such as an international mobile subscriber identity (IMSI) or an international mobile equipment identity (IMEI), for example in a subscriber identity module (SIM) or in memory or an integrated circuit of wireless device 4.

The service provider operates SP network 8 to provide network access, data transport and other services to wireless device 4. SP network 8 includes base station 14 and cellular network 6. In some cases SP network 8 includes PDN 12, in which case PDN 12 provides service provider IP services such as IP multimedia subsystem (IMS), packet-switched streaming (PSS) and/or multimedia broadcast/multicast service (MBMS) user services. Wireless device 4 may communicate with base station 14 over a wireless link to access SP network 8.

The service provider provisions and operates cellular network 6 to provide network access, data transport and other services to cellular mobile devices. In general, cellular network 6 may implement any commonly defined cellular network architecture, including those defined by standards bodies such as the Global System for Mobile Communications (GSM) Association, the Third Generation Partnership Project (3GPP), the Third Generation Partnership Project 2 (3GPP/2), the Internet Engineering Task Force (IETF) and the Worldwide Interoperability for Microwave Access (WiMAX) Forum. For example, cellular network 6 may represent one or more of the GSM architecture, the General Packet Radio Service (GPRS) architecture, the Universal Mobile Telecommunications System (UMTS) architecture and the evolution of UMTS known as Long Term Evolution (LTE), each of which is standardized by 3GPP. Cellular network 6 may alternatively, or in combination with one of the above, implement a Code Division Multiple Access 2000 ("CDMA2000") architecture. Cellular network 6 may, again alternatively or in combination with one or more of the above, implement the WiMAX architecture defined by the WiMAX Forum.

In the example of FIG. 1A, SP network 8 includes a Universal Mobile Telecommunications System (UMTS) network that conforms to Third Generation Partnership Project (3GPP) standards and operates according to the techniques described herein. For purposes of illustration, the techniques herein are described with respect to a UMTS network. In other examples, however, the techniques may be applied to other types of communication network. For example, the techniques apply similarly to network architectures employing technologies and standards based on 3GPP/2, LTE, CDMA2000, WiMAX and Mobile IP.

In this example, cellular network 6 includes a radio network controller (RNC) 18 coupled to base station 14. RNC 18 and base station 14 may provide wireless access to cellular network 6 for wireless device 4. Base station 14 may be a Node B base transceiver station that communicates with user equipment over an air interface within the geographic area (or "cell") served by base station 14. In some examples, base station 14 is a femtocell. Wireless device 4 may be located within the cell served by base station 14. In some examples, SP network 8 may include additional base stations, each of which may serve one of several cells. In some examples, base station 14 may be another type of wireless transceiver station, such as a site controller or a WiMAX access point.

In the illustrated example, cellular network 6 includes a serving GPRS support node 20 ("SGSN 20") and a gateway GPRS support node 22 ("GGSN 22"). SGSN 20 switches mobile traffic to an available GGSN, such as GGSN 22. Cellular network 6 also includes RNC 18, which manages and routes data from base station 14 to SGSN 20. RNC 18 may establish and support a GTP tunnel to SGSN 20. In some examples, RNC 18 includes an IP router. In some examples, SP network 8 may include additional RNCs and associated base stations in various arrangements. In examples in which SP network 8 includes an LTE network, an eNodeB, a serving gateway (SGW) and a PDN gateway (PGW) perform the functions of the elements of SP network 8 in the illustrated example.

SGSN 20 and GGSN 22 provide packet-switched (PS) services to RNC 18. For example, SGSN 20 and GGSN 22 provide packet routing and switching, as well as mobility management, authentication and session management for wireless devices 4 served by RNC 18. The packet-switched services provided by SGSN 20 and GGSN 22 may include mobility management such as authentication and roaming services, as well as call handling services, signaling, billing and internetworking between cellular network 6 and external networks such as PDN 12. For example, SGSN 20 serves RNC 18. Wireless device 4 may connect to SGSN 20, sending via RNC 18 identification credentials from the SIM card in wireless device 4 (e.g., the IMSI) to SGSN 20, which SGSN 20 uses to authenticate the wireless device in cooperation with home location register (HLR) 24. In some examples, HLR 24 may be connected to AAA server 40, as shown.

GGSN 22 is a mobile network gateway that connects cellular network 6 to PDN 12 via Gi interface 28, which operates over a physical communication link (not shown). SGSN 20 obtains uplink data traffic (e.g., traffic originated by wireless device 4) from RNC 18 and routes that data traffic to GGSN 22. GGSN 22 decapsulates the data traffic and originates IP traffic toward PDN 12 over Gi interface 28. Similarly, GGSN 22 may receive IP traffic destined for wireless device 4 over Gi interface 28, encapsulate the IP traffic for transport in a GPRS Tunneling Protocol (GTP) tunnel, and send the encapsulated traffic downlink to SGSN 20 over Gn interface 30A. Via PDN 12, GGSN 22 can reach one or more services provided by servers, and GGSN 22 maps the reachable services to access points.

In some cases, a subscriber associated with wireless device 4 may wish to receive data services via alternate access network 10 rather than via cellular network 6 of SP network 8. Alternate access network 10 is regarded by SP network 8 as a trusted non-3GPP access network and may represent, for example, a WLAN or Wi-Fi network. In the example of FIG. 1A, alternate access network 10 includes access point 32, to which wireless device 4 may attach in order to access services available through PDN 12. Alternate access network 10 also includes a SaMOG-based wireless (or Wi-Fi) access gateway 16 (illustrated and referred to hereinafter as "SaMOG WAG 16") that interfaces to GGSN 22 and AAA server 40 of SP network 8 to provide wireless device 4 with authenticated access to SP network 8.

In the illustrated example, SaMOG WAG 16 interfaces to GGSN 22 and AAA server 40 via S2a interface 31 and STa interface 41, respectively. STa interface 41 (also referred to as the STa reference point) connects alternate access network 10 with AAA server 40 and carries access authentication, authorization and, optionally, mobility parameters and charging-related information. S2a interface 31 and STa interface 41 may operate over a backhaul IP network connecting SaMOG WAG 16 with GGSN 22. SaMOG WAG 16 may thus incorporate and perform the Trusted WLAN AAA Proxy (TWAP) and Trusted WLAN Access Gateway (TWAG) functions of alternate access network 10.

S2a interface 31 is a GTP-based or Proxy Mobile IP (PMIP)-based interface and is therefore similar to the Gn interface of a UMTS network (e.g., Gn interface 30) or the S5/S8 interface of an LTE network. S2a interface 31 is described below as GTP-based. SaMOG techniques are further described in 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, Stage 2 (Release 11), "Study on S2a Mobility based On GTP & WLAN access to EPC (SaMOG)", the entire content of which is incorporated herein by reference. The techniques of this disclosure allow non-mobile authentication of wireless device 4, attached to alternate access network 10, by SaMOG WAG 16 in cooperation with AAA server 40 and customer database 26, while SaMOG WAG 16 establishes an IP-based connection between wireless device 4 and GGSN 22 of SP network 8. In some cases, these techniques may be applied without changes to HLR 24 or to the devices of cellular network 6.

FIG. 1B illustrates elements of network system 2 exchanging control information to authenticate wireless device 4, attached to alternate access network 10, in order to establish a service session between wireless device 4 and GGSN 22 via alternate access network 10 that carries subscriber data traffic. In accordance with the techniques of this disclosure, wireless device 4 sends message 50A, a network access request carrying subscriber credentials or a wireless device 4 identifier (neither of which includes the IMSI of wireless device 4), to SaMOG WAG 16. SaMOG WAG 16 forwards a representation of the network access request (i.e., message 50A) to AAA server 40.

AAA server 40 is a device that receives and processes connection requests for SP network 8. As illustrated and described with reference to FIGS. 2-5, message 50A as received by AAA server 40 may represent a RADIUS Access-Request, an Authentication-Request or a corresponding Diameter request carrying subscriber credentials or a wireless device 4 identifier (such as a subscriber username and password, the layer 2 (L2) MAC address of wireless device 4, or an Extensible Authentication Protocol identifier). In the illustrated example, AAA server 40 offloads some AAA functions to customer database 26. Customer database 26 represents a non-HLR device (such as a Structured Query Language (SQL) or Lightweight Directory Access Protocol (LDAP) database server) that stores and/or generates mobility information used by elements of network system 2 to establish service sessions carrying subscriber data traffic between wireless device 4 and GGSN 22. In some cases, some aspects of the functionality of customer database 26 may be integrated with AAA server 40. Although customer database 26 represents a non-HLR device, customer database 26 may in some cases be integrated within a multi-function device that also performs HLR functions. Customer database 26 may, for example, implement additional authentication and address preservation techniques, as described with respect to the customer database in U.S. Patent Application No. 13/247,357, incorporated below, and in U.S. Patent Application No. 13/247,308, filed September 28, 2011, entitled "CREDENTIAL GENERATION FOR AUTOMATIC AUTHENTICATION ON WIRELESS ACCESS NETWORK", the entire contents of which are incorporated herein by reference.

As illustrated and described in further detail below with reference to FIGS. 2-5, mobile subscriber information may include, for example, an IMSI, an MSISDN, a "virtual" IMSI, a "virtual" MSISDN, subscriber credentials (e.g., username and password), a default APN for the service session, and an IP address. A subscriber may be a "real subscriber" (one who has a pre-existing subscription to SP network 8 services) or a "virtual subscriber" of SP network 8 (one who accesses SP network 8 on an ad-hoc basis). The MSISDN number (also referred to herein simply as "MSISDN") is sometimes expanded as "Mobile Subscriber Integrated Services Digital Network Number" or "Mobile Station Integrated Services Digital Network Number".

Because AAA server 40 does not have the IMSI of wireless device 4, AAA server 40 queries customer database 26 with message 50B rather than querying HLR 24 of SP network 8. Message 50B may include the subscriber credentials or wireless device 4 identifier received in message 50A. As illustrated and described in further detail below with reference to FIGS. 2-5, customer database 26 uses message 50B to look up or generate mobility information for wireless device 4, which customer database 26 returns to AAA server 40 in message 50C. In this way, customer database 26 returns virtual mobility information in the form of an IMSI and MSISDN that appear, to SaMOG WAG 16, to represent a given subscriber but may in fact be unrelated to wireless device 4. In other words, customer database 26 synthesizes mobility information so that SaMOG WAG 16 can establish a service session with GGSN 22, which in turn enables centralized policy and charging control using, for example, a Policy Charging and Rules Function (PCRF) entity. In some cases, because the authentication is not based on EAP-SIM or EAP-AKA, wireless device 4 may have access to the IMSI but not to the authentication vectors on the SIM card. In such cases, wireless device 4 may obtain and send the IMSI of its SIM card as the subscriber credential in place of a username, although the authentication itself remains password-based in accordance with the techniques described herein.

AAA server 40 returns message 50D to SaMOG WAG 16. Message 50D is the reply to message 50A and may represent a RADIUS Access-Accept, an Authorization-Accept or a corresponding Diameter message. Message 50D may include some or all of the mobility information received by AAA server 40 in message 50C.

Upon receiving message 50D, SaMOG WAG 16 issues create session request message 50E to GGSN 22. Create session request message 50E includes the IMSI and MSISDN looked up or generated by customer database 26. In the illustrated case, create session request message 50E represents a Create PDP-Context Request message. Where cellular network 6 represents an LTE Evolved Packet Core (EPC), create session request message 50E represents a Create Session Request message.

Among other operations, GGSN 22 receives create session request message 50E, establishes a subscriber session for wireless device 4 by executing a control protocol to obtain PDP address configuration, and communicates with SaMOG WAG 16 to establish a bearer that carries the subscriber data traffic (alternatively referred to as "service traffic", "subscriber traffic" or "user traffic") of the service session with wireless device 4. Specifically, GGSN 22 sends create session response message 50F to SaMOG WAG 16. Create session response message 50F may represent a Create PDP-Context Reply (UMTS) or Create Session Response (LTE) message. The GTP tunnel endpoint identifiers (TEIDs) carried in create session request message 50E and create session response message 50F define a GTP-U (user data) tunnel over S2a interface 31. The GTP-U tunnel carries uplink and downlink service traffic (also referred to as "subscriber data traffic", "subscriber traffic" or "user traffic") between GGSN 22 and wireless device 4.

FIG. 1C illustrates GTP-U tunnel 60 established by elements of network system 2 using a non-mobile authentication method consistent with the techniques described in this disclosure. Wireless device 4 exchanges service data traffic 62 with PDN 12 over wireless link 64 to access point 32, alternate access network 10 and GTP-U tunnel 60.

FIGS. 2A-2B depict sequence diagram 200 illustrating an example operation of network devices performing, in a manner consistent with the techniques described herein, non-mobile authentication for establishing a service session between wireless device 4 and GGSN 22 for accessing services of the PDN. In accordance with the techniques of this disclosure, sequence diagram 200 incorporates a "customer database" (e.g., customer database 26) that is not HLR-based and that manages subscribers.

In some examples, customer database 26 obtains subscribers' mobility information (e.g., IMSI/MSISDN values) from HLR 24 and associates each set of mobility information with subscriber credentials (e.g., username/password). In such examples, when wireless device 4 attempts to authenticate to SaMOG WAG 16 using subscriber credentials, AAA server 40 uses those credentials to look up the mobility information. SaMOG WAG 16 may then use the actual mobility information of the "real subscriber" to establish a service session with GGSN 22 for accessing PDN 12 services. In this respect, these examples provide a true 1:1 mapping between HLR 24 and customer database 26.

In some examples, HLR 24 defines a range of IMSIs that HLR 24 does not use. Instead, customer database 26 allocates these "idle" IMSIs to wireless devices attempting to establish service sessions to PDN 12 via SaMOG WAG 16. Wireless device 4 in this case may not include a SIM card, and wireless device 4 may not send subscriber credentials to SaMOG WAG 16 during the authentication process. Although a different IMSI is used, the particular MSISDN may be associated with or used by a real subscriber in HLR 24 (meaning that GGSN 22 will apply charging/billing to the real subscriber). Alternatively, the particular MSISDN may not be present in HLR 24, so that charging/billing is applied only temporarily to the service session. As a result, wireless device 4 does not receive access to additional services.

In some examples, the IMSI/MSISDN is dynamic and therefore temporary; the IMSI/MSISDN mapping is made on a per-connection/authentication basis. However, the user of wireless device 4 may provide a credit card number or other billing identifier during the authentication process, so that the service provider may bill the service session and/or the service data traffic through the service session. The above subscriber management examples may be used as alternatives or in any combination, for all subscribers or any subset of them.

Sequence diagram 200 illustrates the techniques where customer database 26 maps subscriber credentials (in this case, a username and password) to a virtual IMSI/MSISDN pair for use in GTP-C signaling. The example of FIG. 2 illustrates the operation of user equipment (UE) (e.g., wireless device 4 in the case where it has a SIM card), the WLAN (e.g., alternate access network 10 and, specifically, access point 32), SaMOG WAG 16, AAA server 40, HLR 24 and GGSN 22. As shown in FIG. 2, wireless device 4, associated with access point 32, performs EAP-based authentication to AAA server 40, initiated by a RADIUS Access-Request. The network elements may use a form of EAP (such as EAP-TTLS or PEAP) as part of WLAN 802.1X authentication.

Sequence diagram 200 illustrates the techniques in the context of WLAN 802.1X authentication, which may include EAP-TTLS or PEAP. As described above, in examples operating according to sequence diagram 200, subscriber credentials and mobility information may be obtained from customer database 26, having been provisioned in customer database 26 in advance. The mobility information may or may not be related to real or existing subscribers in HLR 24. Additionally, in these examples, customer database 26 may signal individual (i.e., non-default) APNs for incoming session requests.

Initially, access point 32 asks wireless device 4 to identify itself with an EAP over LAN (EAPoL) Request-Identity frame (202). Wireless device 4 responds with an EAP Response-Identity frame containing an identifier of wireless device 4 (e.g., a username). Access point 32 encapsulates the identifier in a RADIUS Access-Request message and sends the message (encapsulated in an L2 frame that includes the UE MAC address) to AAA server 40 via SaMOG WAG 16 (202). At this point, SaMOG WAG 16 learns the UE MAC address of wireless device 4 from the header of the L2 frame.

AAA server 40 issues an EAP Start message to wireless device 4 (210), which prompts an exchange of additional EAP messages between wireless device 4 (212) and AAA server 40 (214). Based on the identifier of wireless device 4, AAA server 40 requests additional credentials for wireless device 4 from customer database 26, where they were provisioned prior to authentication (216).

Customer database 26 maps the username to a password (together, the "subscriber credentials"), and customer database 26 maps the subscriber credentials to a "virtual" IMSI/MSISDN, which may or may not represent the IMSI/MSISDN of a real subscriber associated with those credentials (218). Customer database 26 returns the virtual IMSI/MSISDN (and optionally an APN) to AAA server 40 (220), which forwards them to SaMOG WAG 16 in a RADIUS Access-Accept message (222) that includes a Chargeable User ID (CUID) composed of the IMSI/MSISDN and the optional APN, together with the resulting Pairwise Master Key (PMK) as the encryption key (e.g., a Microsoft Point-to-Point Encryption (MPPE) key). To establish a service session including a GTP-U tunnel for the service (which may be identified in the Create PDP-Context Request message by the optional APN or a default APN), SaMOG WAG 16 uses GTP-C signaling and sends a Create PDP-Context Request message to GGSN 22 (224), which responds with a Create PDP-Context Response message (226). In the context of an LTE architecture, the GTP-C signaling may use Create Session Request/Response messages between SaMOG WAG 16 and the PGW.

SaMOG WAG 16 stores a correlation between the UE MAC address and the IP address returned in the Create PDP-Context Response message (228). SaMOG WAG 16 also forwards the RADIUS Access-Accept message to access point 32, which sends an EAP-Success message (232) and performs the (EAPOL-Key) four-way handshake with wireless device 4.

Wireless device 4 may then obtain the IP address allocated by GGSN 22. In this example, wireless device 4 sends a Dynamic Host Configuration Protocol (DHCP) Discover message using the UE MAC address to SaMOG WAG 16 (236), which reads the stored correlation between the UE MAC address and the IP address returned in the Create PDP-Context Response message and returns that IP address to wireless device 4. SaMOG WAG 16 and wireless device 4 complete the DHCP process to complete the connection and establish IP connectivity (240). Additionally, SaMOG WAG 16 may install a policy in its forwarding or data plane that identifies traffic received from the IP address of wireless device 4 and forwards that traffic over GTP-U tunnel 60 to GGSN 22 for the service session (242). SaMOG WAG 16 may create a similar policy for downlink subscriber data traffic.
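The exchange of FIG. 1B and sequence diagram 200 (credential in, virtual IMSI/MSISDN out of the customer database, Create PDP-Context toward the GGSN, MAC-to-IP correlation and forwarding policy on the WAG) in miniature, as an added example that is not part of the patent or of any vendor implementation. The credential store, IMSI/MSISDN values, TEIDs, addresses and the `imsi|msisdn|apn` CUID layout are all constructed for the example; the message names follow the page, but nothing here encodes real RADIUS or GTP packets. The same credential-to-virtual-IMSI mapping is what sequence diagram 400 performs with PAP/CHAP credentials from the BRAS, so this block stands for that flow as well.

```python
"""Simulated non-mobile authentication: Access-Request -> customer DB -> Create PDP-Context."""
import hmac
import itertools
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed customer database 26 contents: subscriber credentials -> virtual mobility info.
# The IMSI/MSISDN values are invented for the example and need not exist in any HLR.
CUSTOMER_DB: Dict[str, Dict[str, Optional[str]]] = {
    "alice": {"password": "alice-secret", "imsi": "310150123456789",
              "msisdn": "12125551234", "apn": "internet"},
    "bob":   {"password": "bob-secret",   "imsi": "310150987654321",
              "msisdn": "12125555678", "apn": None},   # no per-subscriber APN: use the default
}
DEFAULT_APN = "default.apn"


@dataclass(frozen=True)
class AccessAccept:
    """Message 50D: what AAA server 40 hands back to SaMOG WAG 16."""
    imsi: str
    msisdn: str
    apn: str
    cuid: str  # Chargeable-User-Identity built from IMSI/MSISDN/APN (layout assumed here)


def customer_db_lookup(username: str, password: str) -> Optional[Dict[str, str]]:
    """Messages 50B/50C: verify the credential, return virtual IMSI/MSISDN (+APN) or None."""
    rec = CUSTOMER_DB.get(username)
    # Constant-time compare; a real store would hold a password hash, not cleartext.
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    return {"imsi": rec["imsi"], "msisdn": rec["msisdn"], "apn": rec["apn"] or DEFAULT_APN}


def aaa_handle_access_request(username: str, password: str) -> Optional[AccessAccept]:
    """AAA server 40 on message 50A: no IMSI in the request, so ask the customer DB, not the HLR."""
    info = customer_db_lookup(username, password)
    if info is None:
        return None  # Access-Reject
    if not (info["imsi"].isdigit() and len(info["imsi"]) == 15):
        raise ValueError("virtual IMSI must be 15 digits; the GGSN will not accept anything else")
    cuid = "|".join((info["imsi"], info["msisdn"], info["apn"]))
    return AccessAccept(cuid=cuid, **info)


class SimGGSN:
    """Stand-in for GGSN 22: one TEID and one PDP (IP) address per Create PDP-Context Request."""

    def __init__(self) -> None:
        self._teids = itertools.count(0x1000)
        self._addrs = itertools.count(0x0A000002)  # 10.0.0.2, 10.0.0.3, ... (constructed pool)
        self.sessions: Dict[int, Dict[str, str]] = {}

    def create_pdp_context(self, req: Dict[str, str]) -> Dict[str, object]:
        teid = next(self._teids)
        a = next(self._addrs)
        ue_ip = ".".join(str((a >> shift) & 0xFF) for shift in (24, 16, 8, 0))
        self.sessions[teid] = dict(req, ue_ip=ue_ip)
        return {"cause": "accepted", "ggsn_teid": teid, "ue_ip": ue_ip}  # message 50F


class SimSaMOGWAG:
    """Stand-in for SaMOG WAG 16: RADIUS proxy toward AAA, GTP-C client toward the GGSN."""

    def __init__(self, ggsn: SimGGSN) -> None:
        self.ggsn = ggsn
        self.mac_to_ip: Dict[str, str] = {}      # step 228: UE MAC -> PDP address
        self.uplink_policy: Dict[str, int] = {}  # step 242: UE IP -> GTP-U TEID to forward into

    def attach(self, ue_mac: str, username: str, password: str) -> Optional[Dict[str, object]]:
        accept = aaa_handle_access_request(username, password)                      # 50A -> 50D
        if accept is None:
            return None                                                             # no session
        request = {"imsi": accept.imsi, "msisdn": accept.msisdn, "apn": accept.apn}  # 50E
        response = self.ggsn.create_pdp_context(request)                            # 50F
        ue_ip = str(response["ue_ip"])
        self.mac_to_ip[ue_mac.lower()] = ue_ip
        self.uplink_policy[ue_ip] = int(response["ggsn_teid"])
        return response

    def dhcp_offer(self, ue_mac: str) -> Optional[str]:
        """Steps 236-240: answer DHCP-Discover from the stored MAC -> IP correlation."""
        return self.mac_to_ip.get(ue_mac.lower())
```

The point the simulation makes visible is that the GGSN never sees a credential: it receives only the IMSI/MSISDN/APN triple the customer database chose, so the strength of the whole session binding is exactly the strength of the customer-database lookup (here a password compare) plus whatever the WAG does to keep the MAC-to-IP table from being rewritten by a second attach.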

FIGS. 3A-3B depict sequence diagram 300 illustrating example operation of network devices performing, in a manner consistent with the techniques described herein, non-mobile authentication for establishing a service session between wireless device 4 and GGSN 22 for accessing services of the PDN. Sequence diagram 300 illustrates techniques that use DHCP keyed on the UE MAC address when SaMOG WAG 16 receives no subscriber credentials from wireless device 4. That is, wireless device 4 first attaches to access point 32 on an open SSID (302), and SaMOG WAG 16 then establishes a service session once it detects, in a DHCP-Discover message, a new MAC address of wireless device 4 associated with the subscriber (the "UE MAC address"); the DHCP-Discover message is encapsulated in an L2 frame that includes the UE MAC address. At this point, SaMOG WAG 16 learns the UE MAC address of wireless device 4 from the L2 frame header.

SaMOG WAG 16 issues a RADIUS Access-Request message carrying the MAC address to AAA server 40 (306), which queries customer database 26 to select mobility information for the MAC address (308). If the MAC address is new to customer database 26 (NO branch of 310), customer database 26 may associate an idle IMSI/MSISDN and, optionally, an APN with the MAC address (312). Customer database 26 not only returns the mobility information to AAA server 40; it also associates the mobility information with the MAC address and stores the association in a table or other data structure (312). If the MAC address has previously been stored in this manner (YES branch of 310), customer database 26 may use the MAC address to look up the associated mobility information and return it to AAA server 40 (314). Customer database 26 returns the IMSI/MSISDN and optional APN to AAA server 40 (316), which forwards them to SaMOG WAG 16 in a RADIUS Access-Accept message that includes a Chargeable User ID (CUID) composed of the IMSI/MSISDN and the optional APN. To establish a service session including a GTP-U tunnel for the service (which may be identified in the Create PDP-Context Request message by the optional APN or a default APN), SaMOG WAG 16 uses GTP-C signaling and sends a Create PDP-Context Request message to GGSN 22 (320), which responds with a Create PDP-Context Response message (322). In the context of an LTE architecture, the GTP-C signaling may use Create Session Request/Response messages between SaMOG WAG 16 and the PGW.

SaMOG WAG 16 stores a correlation between the UE MAC address and the IP address returned in the Create PDP-Context Response message (324). SaMOG WAG 16 in this respect initiates DHCP by issuing a DHCP-Offer to wireless device 4 carrying the IP address allocated by GGSN 22 (326). SaMOG WAG 16 and wireless device 4 complete the DHCP process to complete the connection and establish IP connectivity (328). Additionally, SaMOG WAG 16 installs a policy in its forwarding or data plane that identifies traffic received from the IP address of wireless device 4 and forwards that traffic over GTP-U tunnel 60 to GGSN 22 for the service session (330). SaMOG WAG 16 may create a similar policy for downlink subscriber data traffic.
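The customer-database side of sequence diagram 300 (steps 308 to 316: new MAC or known MAC, bind an idle IMSI/MSISDN from a range the HLR does not use, hand it to the AAA server as a CUID) together with the per-connection release that the dynamic-mapping variant above implies, as an added example that is not part of the patent or of any product. The pool layout, the `make_idle_pool` helper, the MSISDN derivation, the `imsi|msisdn|apn` CUID string and all values are constructed for the example; the page does not specify how an operator carves the idle range.

```python
"""Customer database 26 allocating idle IMSIs keyed by UE MAC address (FIG. 3, steps 308-316)."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def make_idle_pool(mcc_mnc: str, start: int, count: int, msisdn_prefix: str) -> List[Tuple[str, str]]:
    """Build (IMSI, MSISDN) pairs from a block the HLR has been configured not to use.

    An IMSI is MCC+MNC followed by the MSIN, 15 digits in total; the MSISDN numbering
    (prefix plus a 4-digit index) is an assumption made for the example.
    """
    width = 15 - len(mcc_mnc)
    return [(f"{mcc_mnc}{start + i:0{width}d}", f"{msisdn_prefix}{i:04d}") for i in range(count)]


class CustomerDatabase:
    """Non-HLR store: owns an idle IMSI range and binds entries to UE MAC addresses."""

    def __init__(self, hlr_imsis: Iterable[str], pool: List[Tuple[str, str]],
                 default_apn: str = "default.apn") -> None:
        hlr = set(hlr_imsis)
        clash = [imsi for imsi, _ in pool if imsi in hlr]
        if clash:  # an idle IMSI that is also a real subscriber would charge the wrong account
            raise ValueError(f"idle range collides with HLR subscribers: {clash}")
        for imsi, _ in pool:
            if not (imsi.isdigit() and len(imsi) == 15):
                raise ValueError(f"malformed IMSI {imsi!r}")
        self._free: List[Tuple[str, str]] = list(pool)
        self._by_mac: Dict[str, Dict[str, str]] = {}
        self._default_apn = default_apn

    def select_mobility_info(self, ue_mac: str, apn: Optional[str] = None) -> Optional[Dict[str, str]]:
        """Step 308: look up (314) or bind (312) mobility information for this MAC."""
        mac = ue_mac.lower()
        if not _MAC_RE.match(mac):
            raise ValueError(f"not a MAC address: {ue_mac!r}")
        if mac in self._by_mac:                      # 310 YES branch: reuse the stored pair
            return dict(self._by_mac[mac])
        if not self._free:                           # pool exhausted: AAA must answer Access-Reject
            return None
        imsi, msisdn = self._free.pop(0)             # 310 NO branch: bind an idle pair
        entry = {"imsi": imsi, "msisdn": msisdn, "apn": apn or self._default_apn}
        self._by_mac[mac] = entry                    # the association is stored, not just returned
        return dict(entry)

    def release(self, ue_mac: str) -> bool:
        """Per-connection mappings: hand the pair back when the session ends."""
        entry = self._by_mac.pop(ue_mac.lower(), None)
        if entry is None:
            return False
        self._free.append((entry["imsi"], entry["msisdn"]))
        return True

    def bound_macs(self) -> Set[str]:
        return set(self._by_mac)


def aaa_access_request_by_mac(db: CustomerDatabase, ue_mac: str) -> Optional[Dict[str, str]]:
    """AAA server 40 on a MAC-only Access-Request (306): Access-Accept contents, or None for reject."""
    info = db.select_mobility_info(ue_mac)
    if info is None:
        return None
    info["cuid"] = "|".join((info["imsi"], info["msisdn"], info["apn"]))  # CUID layout assumed
    return info
```

Two checks in this block are the ones a practitioner would want before running the MAC-keyed flow in production: the idle range must be disjoint from the IMSIs the HLR actually serves (otherwise the page's own observation that the GGSN charges whichever MSISDN it is given turns into billing a real subscriber for a stranger's traffic), and the pool must be finite and released, or every MAC ever seen on the open SSID consumes an IMSI forever. Note also that in this flow the MAC address is supplied by the device and verified by nothing; the binding stored at step 312 is only as trustworthy as the access network's own controls, which is the trade-off the page accepts for devices that present no credential.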

FIG. 4 is a block diagram illustrating an example network system in which a subscriber device is attached to a broadband access network that uses non-mobile authentication, in accordance with the techniques described herein, to establish a service session with a mobile service provider network. In this example of network system 2, alternate access network 10 is replaced by wired broadband access network (BAN) 302. Subscriber device 306 may represent an example of wireless device 4 of FIGS. 1A-1C, or a wired device/customer premises equipment (CPE), such as a computer, television set-top box, video game system, conferencing system, or digital subscriber line (DSL) or cable modem.

Subscriber device 306 attaches via BAN 302 (which may represent, for example, a DSL or cable modem termination system (CMTS) network) to broadband remote access server (BRAS) 304. As one example, subscriber device 306 may establish a Point-to-Point Protocol (PPP) session through BRAS 304 (a layer 3 (L3) device). BRAS 304 is coupled to SaMOG WAG 16, which obtains the subscriber credentials of subscriber device 306 and, in conjunction with the other elements of network system 2, applies the techniques described herein to establish a service session with SP network 8. In some examples, the elements of network system 2 operate according to sequence diagram 400 to establish the service session. As a result, the service provider operating SP network 8 can apply uniform policy and charging control to subscriber data traffic exchanged over wired BAN 302. In some examples, BAN 302 and BRAS 304 may represent L2 network devices, such as a Metro Ethernet network and an access switch. Example Metro Ethernet networks and access switches for connecting to a mobile service provider network are described in U.S. Patent Application No. 13/247,357, filed September 28, 2011, entitled "NETWORK ADDRESS PRESERVATION IN MOBILE NETWORKS", the entire contents of which are incorporated herein by reference.

FIGS. 5A-5B depict sequence diagram 400 illustrating example operation of network devices performing, in a manner consistent with the techniques described herein, non-mobile authentication for establishing a service session between subscriber device 306 ("UE") of FIG. 4 and GGSN 22 for accessing services of the PDN. As described above, in examples operating according to sequence diagram 400, subscriber credentials and mobility information may be obtained from customer database 26, having been provisioned there in advance. The mobility information may or may not be related to real or existing subscribers in HLR 24. Additionally, in these examples, customer database 26 may signal individual (i.e., non-default) APNs for incoming session requests.

Initially, wireless device 4 initiates PPP authentication (402). For example, wireless device 4 may send Point-to-Point Protocol (PPP) Link Control Protocol (LCP) frames for the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP). BRAS 304, having obtained a username and password (the "customer credentials") from wireless device 4 during PPP authentication initiation, sends a RADIUS Access-Request carrying the customer credentials to SaMOG WAG 16, which forwards the RADIUS Access-Request to AAA server 40 (404).

AAA server 40 queries customer database 26 with the credentials (406). Customer database 26 maps the customer credentials to a "virtual" IMSI/MSISDN, which may or may not be the IMSI/MSISDN of the real customer associated with the credentials (408). Customer database 26 returns the virtual IMSI/MSISDN, and optionally an APN, to AAA server 40 (410), which forwards them to SaMOG WAG 16 in a RADIUS Access-Accept message that includes a chargeable user ID (CUID) composed of the IMSI/MSISDN and the (optional) APN. To establish a service session that includes a GTP-U tunnel for the service (which may be identified in the Create PDP Context Request message by the optional APN or by a default APN), SaMOG WAG 16 uses GTP-C signaling and sends a Create PDP Context Request message to GGSN 22 (414), which responds with a Create PDP Context Response message (416). In the context of an LTE architecture, the GTP-C signaling may use Create Session Request/Response messages between SaMOG WAG 16 and the PGW.

SaMOG WAG 16 forwards the IP address received in the Create PDP Context Response message to BRAS 304 in a RADIUS Access-Accept message. BRAS 304 sends a PPP acknowledgment message (422), and wireless device 4 and BRAS 304 complete the PPP session establishment process such that wireless device 4 receives the IP address for the service session (424). In addition, SaMOG WAG 16 creates a policy that, based on the framed IP address of customer data traffic in BAN 302, steers that traffic into the new GTP-U tunnel of the service session toward GGSN 22 (428). SaMOG WAG 16 may create a similar policy for downstream customer data traffic.
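The flow of sequence diagram 400 as an added, runnable simulation (constructed for this page; not code from the patent or its assignee). It models customer database 26, AAA server 40, SaMOG WAG 16 and GGSN 22 as small Python classes, includes the reject path for unknown or wrong credentials (no PDP context and no policy are created), and goes beyond the PPP case above by also covering the MAC-address variant in which the customer database mints a virtual IMSI and a temporary MSISDN on first sight. All credentials, identifiers, MAC addresses and the 10.0.0.0/24 address pool are constructed; the step numbers in comments are those of sequence diagram 400.

```python
import hmac
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_APN = "internet"  # constructed default APN, used when the DB supplies none


@dataclass(frozen=True)
class MobilityInfo:            # virtual mobility information from customer database 26
    imsi: str                  # virtual IMSI; need not exist in the HLR
    msisdn: str                # real or temporary MSISDN used for charging
    apn: Optional[str] = None  # non-default APN, if the operator provisioned one


class CustomerDatabase:
    """Customer database 26: credentials (or MAC) -> virtual mobility info; not an HLR."""

    def __init__(self, provisioned: Dict[str, Tuple[str, MobilityInfo]]):
        self._by_user = provisioned                 # username -> (password, info)
        self._by_mac: Dict[str, MobilityInfo] = {}  # MAC -> dynamically assigned info
        self._seq = itertools.count(1)              # index for minted identities

    def lookup_credentials(self, user: str, password: str) -> Optional[MobilityInfo]:
        entry = self._by_user.get(user)
        # Constant-time compare; None for an unknown user or a wrong password.
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        return entry[1]

    def lookup_or_assign_mac(self, mac: str) -> MobilityInfo:
        # MAC-keyed variant: reuse the stored association, otherwise mint a
        # virtual IMSI plus temporary MSISDN and remember them for this MAC.
        info = self._by_mac.get(mac)
        if info is None:
            n = next(self._seq)
            info = MobilityInfo(imsi=f"99999{n:010d}", msisdn=f"8800000{n:04d}")
            self._by_mac[mac] = info
        return info


class AAAServer:
    """AAA server 40: Access-Request -> customer DB lookup (406) -> Accept with CUID (410)."""

    def __init__(self, db: CustomerDatabase):
        self.db = db

    def access_request(self, attrs: dict) -> dict:
        info = None
        if "User-Name" in attrs:                    # PPP PAP/CHAP credentials
            info = self.db.lookup_credentials(attrs["User-Name"], attrs.get("User-Password", ""))
        elif "Calling-Station-Id" in attrs:         # MAC address relayed by the NAS
            info = self.db.lookup_or_assign_mac(attrs["Calling-Station-Id"])
        if info is None:
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "CUID": info}


class GGSN:
    """GGSN 22: Create PDP Context Request (414) -> Response with IP and TEID (416)."""

    def __init__(self, pool: str = "10.0.0.0/24"):   # constructed end-user address pool
        self._hosts = ipaddress.ip_network(pool).hosts()
        self._teids = itertools.count(0x1000)
        self.pdp_contexts: Dict[str, dict] = {}    # virtual IMSI -> context

    def create_pdp_context(self, req: dict) -> dict:
        ctx = dict(req, ip=str(next(self._hosts)), teid=next(self._teids))
        self.pdp_contexts[req["imsi"]] = ctx
        return {"end_user_address": ctx["ip"], "teid": ctx["teid"]}


class SaMOGWAG:
    """SaMOG WAG 16: relays RADIUS (404), signals the GGSN with the CUID, installs policy (428)."""

    def __init__(self, aaa: AAAServer, ggsn: GGSN):
        self.aaa, self.ggsn = aaa, ggsn
        self.policies: Dict[str, int] = {}         # framed IP -> GTP-U TEID

    def handle_access_request(self, attrs: dict) -> dict:
        reply = self.aaa.access_request(attrs)
        if reply["code"] != "Access-Accept":
            return reply                           # no session and no policy installed
        cuid: MobilityInfo = reply["CUID"]
        resp = self.ggsn.create_pdp_context({"imsi": cuid.imsi, "msisdn": cuid.msisdn,
                                             "apn": cuid.apn or DEFAULT_APN})
        self.policies[resp["end_user_address"]] = resp["teid"]
        # The Access-Accept relayed to the BRAS carries the GGSN-assigned address.
        return {"code": "Access-Accept", "Framed-IP-Address": resp["end_user_address"]}


def demo() -> dict:
    """One provisioned user, one wrong password, one MAC-only device (all constructed)."""
    db = CustomerDatabase({"alice": ("s3cret", MobilityInfo(
        imsi="001010123456789", msisdn="15551230001", apn="corp-apn"))})
    wag = SaMOGWAG(AAAServer(db), GGSN())
    ok = wag.handle_access_request({"User-Name": "alice", "User-Password": "s3cret"})
    bad = wag.handle_access_request({"User-Name": "alice", "User-Password": "nope"})
    mac = "aa:bb:cc:dd:ee:01"
    first = wag.handle_access_request({"Calling-Station-Id": mac})
    same = db.lookup_or_assign_mac(mac) is db.lookup_or_assign_mac(mac)
    return {"ok": ok, "bad": bad, "mac": first, "same_identity": same, "wag": wag}
```

Note that the WAG keys its upstream policy on the framed IP the GGSN assigned, so a rejected request leaves no forwarding state behind.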

A method similar to that shown in sequence diagram 400 may be used to manage customer-based Virtual Private Networking (VPN) tunnels. In this case, a VPN hub takes the place of BRAS 304, and SaMOG WAG 16 opens a Secure Socket Layer (SSL) VPN tunnel or an IPsec tunnel from wireless device 4 toward the VPN hub. The SaMOG WAG receives the framed IP address and assigns the IP address to wireless device 4. At this point, the data tunnel of the service session is piggybacked on top of the VPN tunnel. Thus, instead of using PPP-based authentication, the technique may similarly be applied to non-mobile, username/password-based authentication methods to establish VPN tunnels.

The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware, or any combination thereof. For example, various aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combination of such components. The term "processor" or "processing circuitry" may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit comprising hardware may also perform one or more of the techniques of this disclosure.

Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various techniques described in this disclosure. In addition, any of the described units, modules, or components may be implemented together or separately as discrete but interoperable logic devices. Depiction of different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware, firmware, or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware, firmware, or software components, or integrated within common or separate hardware, firmware, or software components.

The techniques described in this disclosure may also be embodied or encoded in an article of manufacture including a computer-readable medium encoded with instructions. Instructions embedded or encoded in an article of manufacture including an encoded computer-readable medium may cause one or more programmable processors, or other processors, to implement one or more of the techniques described herein, such as when the instructions included or encoded in the computer-readable medium are executed by the one or more processors. Computer-readable storage media may include random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory, a hard disk, a compact disc ROM (CD-ROM), a floppy disk, a cassette, magnetic media, optical media, or other computer-readable media. In some examples, an article of manufacture may include one or more computer-readable storage media. In some examples, a computer-readable storage medium may include a non-transitory medium. The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. In certain examples, a non-transitory storage medium may store data that can change over time (e.g., in RAM or cache memory).

In addition to or as an alternative to the above, the following embodiments are described. The features described in any of the following embodiments may be utilized with any of the other embodiments described herein.

One embodiment is directed to a method that includes receiving, by an authentication server of a mobile service provider network, a network access request for a wireless device from an access gateway of an alternate access network, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI). The method further includes obtaining, in response to the network access request, virtual mobility information from a customer database for the mobile service provider network, wherein the virtual mobility information includes a virtual International Mobile Subscriber Identity (IMSI). The method further includes sending the virtual mobility information from the authentication server to the access gateway. The method further includes signaling, by the access gateway using the virtual mobility information, a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

In some embodiments, the customer database does not operate as a home location register (HLR) for the mobile service provider network.

In some embodiments, the virtual IMSI is not associated with a customer of the wireless device in a home location register for the mobile service provider network.

In some embodiments, the alternate access network includes one of a Wi-Fi network, a WiMAX network, or a wireless local area network (WLAN) network, and the access gateway includes one of a Wi-Fi access gateway, a WiMAX access gateway, or a WLAN access gateway.

In some embodiments, the access gateway includes a SaMOG gateway that interfaces with the mobile network gateway using an S2a interface.

In some embodiments, signaling the mobile network gateway by the access gateway using the virtual mobility information includes sending a Create Session Request that includes the virtual IMSI to the mobile network gateway.

In some embodiments, signaling the mobile network gateway by the access gateway using the virtual mobility information includes receiving, by the access gateway, a Create Session Reply that includes an Internet Protocol (IP) address for the wireless device.

In some embodiments, the mobile service provider network includes one of a Long Term Evolution (LTE) or Universal Mobile Telecommunications System (UMTS) architecture.

In some embodiments, the method may further include sending and receiving customer data traffic of the wireless device by the access gateway using the service session with the mobile network gateway.

In some embodiments, the method may further include pre-provisioning customer credentials in the customer database and associating the customer credentials with respective virtual mobility information for the corresponding customers.

In some embodiments, the network access request includes customer credentials, and the customer database maps the customer credentials to the corresponding virtual mobility information.

In some embodiments, the method further includes obtaining, by the customer database, the respective virtual mobility information for the corresponding customers from a home location register of the mobile service provider network, wherein the virtual mobility information for a corresponding customer includes the actual mobility information of that customer.

In some embodiments, the network access request includes a MAC address of the wireless device, and the method may further include, when the customer database does not include an association between the MAC address and virtual mobility information, assigning virtual mobility information to the wireless device by the customer database and associating the MAC address with the virtual mobility information. The method may further include, when the customer database does include an association between virtual mobility information and the MAC address, assigning the virtual mobility information associated with the MAC address by the customer database.

In some embodiments, the method may further include establishing, for the service session, a GTP-U tunnel connecting the access gateway and the mobile network gateway. The method may further include mapping, by the access gateway, the GTP-U tunnel to a layer two (L2) connection with the wireless device in the alternate access network.

In some embodiments, the virtual mobility information includes a non-default access point name (APN) for the service session.

In some embodiments, the authorization server authenticates the wireless device using a non-mobile authentication method that does not require an IMSI.

In some embodiments, the virtual mobility information includes an MSISDN number associated with a customer of the wireless device in a home location register for the mobile service provider network, and the method further includes charging the customer by the mobile network gateway using the MSISDN number.

In some embodiments, the virtual mobility information includes a temporary MSISDN number, and the method may further include charging the service session by the mobile network gateway using the temporary MSISDN number.

One embodiment is directed to a method performed by an access gateway of an alternate access network, the method including receiving a network access request for a wireless device, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI). The method further includes extracting a wireless device identifier from the network access request, sending the wireless device identifier to an authorization server to request mobility information for the wireless device, and receiving virtual mobility information for the wireless device. The method further includes signaling, using the virtual mobility information, a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

In some embodiments, the wireless device identifier includes one of a MAC address of the wireless device or customer credentials of a customer associated with the wireless device.

In some embodiments, the authorization server does not include a home location register of the mobile service provider network.

One embodiment is directed to an authentication system for a mobile service provider network, the authentication system including a home location register, a customer database separate from the home location register, and an authentication server that receives a network access request for a wireless device from an access gateway of an alternate access network, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI), wherein the authentication server sends a representation of the network access request to the customer database, wherein the customer database responds to the representation of the network access request with virtual mobility information, wherein the virtual mobility information includes a virtual International Mobile Subscriber Identity (IMSI), and wherein the authentication server sends the virtual mobility information to the access gateway.

One embodiment is directed to a non-transitory computer-readable storage medium including instructions for causing one or more programmable processors of an access gateway of a mobile service provider network to receive a network access request for a wireless device, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI). The instructions further cause the processors to extract a wireless device identifier from the network access request, send the wireless device identifier to an authorization server to request mobility information for the wireless device, and receive, in response to the request, virtual mobility information for the wireless device, wherein the virtual mobility information includes a virtual International Mobile Subscriber Identity (IMSI). The instructions further cause the processors to signal, using the virtual mobility information, a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

One embodiment is directed to a mobile service provider network that includes a cellular access network and an alternate access network having an access gateway. The mobile service provider network further includes an authentication server of the mobile service provider network that receives a network access request for a wireless device from the access gateway. The mobile service provider network further includes a customer database of the mobile service provider network, wherein the customer database responds to the network access request with virtual mobility information, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI), wherein the virtual mobility information includes a virtual IMSI, and wherein the access gateway uses the virtual mobility information to signal a mobile network gateway of the mobile service provider network to establish a service session for the wireless device over the alternate access network anchored by the mobile network gateway.

One embodiment is directed to a method that includes emulating a mobile-based authentication method by using a customer identifier that does not include an International Mobile Subscriber Identity (IMSI) to establish an authenticated connection between a mobile service provider gateway and an access gateway of an alternate access network for a wireless device attached to the alternate access network.

Moreover, any of the specific features set forth in any of the embodiments described above may be combined into beneficial embodiments of the described techniques. That is, any of the specific features are generally applicable to all embodiments of the invention. Various embodiments of the invention have been described.

Claims (23)

1.一种用于使用非移动认证建立服务会话的方法,所述方法包括:CLAIMS 1. A method for establishing a service session using non-mobile authentication, the method comprising: 通过移动服务提供商网络的认证服务器从备用接入网络的接入网关接收无线装置的网络接入请求,其中,所述网络接入请求不包括国际移动用户识别码(IMSI);receiving a network access request for the wireless device from an access gateway of the alternate access network via an authentication server of the mobile service provider network, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI); 响应于接收所述网络接入请求,通过所述认证服务器认证用于接入到所述移动服务提供商网络的所述无线装置;authenticating, with the authentication server, the wireless device for access to the mobile service provider network in response to receiving the network access request; 针对所述无线装置并且响应于所述认证,通过所述认证服务器动态分配虚拟移动性信息,所述虚拟移动性信息包括不由所述移动服务提供商网络的归属位置寄存器(HLR)、归属用户服务器(HSS)或归属授权、认证和计费服务器(H-AAA)存储的虚拟的国际移动用户识别码(IMSI);dynamically assigning, by the authentication server, virtual mobility information for the wireless device and in response to the authentication, the virtual mobility information including a Home Location Register (HLR), Home Subscriber Server, (HSS) or the virtual International Mobile Subscriber Identity (IMSI) stored in the Home Authorization, Authentication and Accounting Server (H-AAA); 将所述虚拟移动性信息从所述认证服务器发送至所述接入网关;以及sending the virtual mobility information from the authentication server to the access gateway; and 通过使用所述虚拟移动性信息的所述接入网关向所述移动服务提供商网络的移动网络网关发信号,以在通过所述移动网络网关锚定的所述备用接入网络上建立所述无线装置的所述服务会话。Signaling by the access gateway using the virtual mobility information to a mobile network gateway of the mobile service provider network to establish the The service session for the wireless device. 2.根据权利要求1所述的方法,2. 
The method of claim 1, 其中,动态分配所述虚拟移动性信息包括:通过所述认证服务器从所述移动服务提供商网络的客户数据库获得所述虚拟移动性信息,Wherein, dynamically allocating the virtual mobility information includes: obtaining the virtual mobility information from a customer database of the mobile service provider network through the authentication server, 其中,所述客户数据库不作为所述移动服务提供商网络的归属位置寄存器来操作。Wherein said customer database does not operate as a home location register for said mobile service provider network. 3.根据权利要求1至2中任一项所述的方法,其中,在所述移动服务提供商网络的归属位置寄存器中,所述虚拟IMSI与所述无线装置的客户不关联。3. The method of any one of claims 1 to 2, wherein the virtual IMSI is not associated with a customer of the wireless device in a Home Location Register of the mobile service provider network. 4.根据权利要求1所述的方法,其中,所述备用接入网络包括Wi-Fi网络、WiMAX网络或无线局域网络(WLAN)网络中的一个,并且所述接入网关包括Wi-Fi接入网关、WiMAX接入网关、WLAN接入网关中的一个。4. The method of claim 1 , wherein the alternate access network comprises one of a Wi-Fi network, a WiMAX network, or a wireless local area network (WLAN) network, and the access gateway comprises a Wi-Fi access network. One of an ingress gateway, a WiMAX access gateway, and a WLAN access gateway. 5.根据权利要求1所述的方法,其中,所述接入网关包括利用S2a接口来接口至所述移动网络网关的经由通用分组无线服务隧道协议的S2a移动性(SaMOG)网关。5. The method of claim 1, wherein the access gateway comprises a S2a Mobility over General Packet Radio Tunneling Protocol (SaMOG) gateway utilizing an S2a interface to interface to the mobile network gateway. 6.根据权利要求1所述的方法,其中,通过使用所述虚拟移动性信息的所述接入网关向所述移动网络网关发信号包括:将包括所述虚拟IMSI的创建会话请求发送至所述移动网络网关。6. The method of claim 1, wherein signaling to the mobile network gateway by the access gateway using the virtual mobility information comprises sending a create session request including the virtual IMSI to the The mobile network gateway described above. 7.根据权利要求6所述的方法,其中,通过使用所述虚拟移动性信息的所述接入网关向所述移动网络网关发信号包括:通过所述接入网关来接收包括所述无线装置的因特网协议(IP)地址的创建会话答复。7. 
The method of claim 6, wherein signaling, by the access gateway using the virtual mobility information, to the mobile network gateway comprises receiving, by the access gateway, a Create Session Reply for the Internet Protocol (IP) address. 8.根据权利要求1所述的方法,其中,所述移动服务提供商网络包括长期演进(LTE)或通用移动通信系统(UMTS)体系架构中的一个。8. The method of claim 1, wherein the mobile service provider network comprises one of a Long Term Evolution (LTE) or Universal Mobile Telecommunications System (UMTS) architecture. 9.根据权利要求1所述的方法,进一步包括通过使用与所述移动网络网关的服务会话的所述接入网关来发送和接收所述无线装置的客户数据业务。9. The method of claim 1, further comprising sending and receiving customer data traffic for the wireless device by the access gateway using a service session with the mobile network gateway. 10.根据权利要求1所述的方法,进一步包括将客户证书预先存放在所述客户数据库并且将所述客户证书与对应客户的各自的虚拟移动性信息相关联。10. The method of claim 1, further comprising pre-storing client credentials in the client database and associating the client credentials with respective virtual mobility information of corresponding clients. 11.根据权利要求10所述的方法,11. The method of claim 10, 其中,所述网络接入请求包括客户证书,以及Wherein, the network access request includes a client certificate, and 其中,所述客户数据库将所述客户证书映射至所述对应的虚拟移动性信息。Wherein, the customer database maps the customer certificate to the corresponding virtual mobility information. 12.根据权利要求10所述的方法,进一步包括:12. The method of claim 10, further comprising: 通过客户数据库从所述移动服务提供商网络的归属位置寄存器获得对应客户的各自的虚拟移动性信息,其中,对应客户的所述虚拟移动性信息包括对应客户的实际移动性信息。The respective virtual mobility information of the corresponding customers is obtained from the HLR of the mobile service provider network through the customer database, wherein the virtual mobility information of the corresponding customers includes the actual mobility information of the corresponding customers. 13.一种用于使用非移动认证建立服务会话的方法,所述方法包括:13. 
A method for establishing a service session using non-mobile authentication, the method comprising: 通过移动服务提供商网络的认证服务器从备用接入网络的接入网关接收无线装置的网络接入请求,其中,所述网络接入请求不包括国际移动用户识别码(IMSI),其中,所述网络接入请求包括所述无线装置的MAC地址;Receiving a network access request for the wireless device from an access gateway of an alternate access network via an authentication server of a mobile service provider network, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI), wherein the the network access request includes the MAC address of the wireless device; 响应于所述网络接入请求,从所述移动服务提供商网络的客户数据库获得虚拟移动性信息,其中,所述虚拟移动性信息包括虚拟的国际移动用户识别码(IMSI);obtaining virtual mobility information from a customer database of the mobile service provider network in response to the network access request, wherein the virtual mobility information includes a virtual International Mobile Subscriber Identity (IMSI); 当所述客户数据库不包括所述MAC地址与所述虚拟移动性信息之间的关联时,通过所述客户数据库分配用于所述无线装置的虚拟移动性信息,并且将所述MAC地址与所述虚拟移动性信息相关联;当所述客户数据库包括所述虚拟移动性信息与所述MAC地址之间的关联时,通过所述客户数据库分配与所述MAC地址相关联的所述虚拟移动性信息;When the customer database does not include an association between the MAC address and the virtual mobility information, assigning virtual mobility information for the wireless device through the customer database and associating the MAC address with the virtual mobility information associated with the virtual mobility information; when the customer database includes an association between the virtual mobility information and the MAC address, assigning the virtual mobility associated with the MAC address through the customer database information; 将所述虚拟移动性信息从所述认证服务器发送至所述接入网关;以及sending the virtual mobility information from the authentication server to the access gateway; and 通过使用所述虚拟移动性信息的所述接入网关向所述移动服务提供商网络的移动网络网关发信号,以在通过所述移动网络网关锚定的所述备用接入网络上建立所述无线装置的所述服务会话。Signaling by the access gateway using the virtual mobility information to a mobile network gateway of the mobile service provider network to establish the The service session for 
the wireless device. 14.根据权利要求13所述的方法,进一步包括:14. The method of claim 13, further comprising: 建立用于服务会话的连接所述接入网关与移动网络网关的通用分组无线服务隧道协议-用户GTP-U隧道;以及establishing a General Packet Radio Service Tunneling Protocol-User GTP-U tunnel connecting the access gateway and the mobile network gateway for the service session; and 通过所述接入网关将所述GTP-U隧道映射至在所述备用接入网络中与所述无线装置的第二层(L2)连接。The GTP-U tunnel is mapped by the access gateway to a Layer 2 (L2) connection with the wireless device in the alternate access network. 15.根据权利要求13所述的方法,其中,所述虚拟移动性信息包括所述服务会话的非默认接入点名称(APN)。15. The method of claim 13, wherein the virtual mobility information includes a non-default access point name (APN) for the service session. 16.根据权利要求13所述的方法,其中,所述认证服务器使用不要求IMSI的非移动认证方法认证所述无线装置。16. The method of claim 13, wherein the authentication server authenticates the wireless device using a non-mobile authentication method that does not require an IMSI. 17.根据权利要求13所述的方法,其中,所述虚拟移动性信息包括在所述移动服务提供商网络的归属位置寄存器中与所述无线装置的客户相关联的MSISDN号,所述方法进一步包括:17. The method of claim 13, wherein the virtual mobility information comprises an MSISDN number associated with a customer of the wireless device in a home location register of the mobile service provider network, the method further include: 使用所述MSISDN号通过所述移动网络网关来对客户计费。The customer is billed through the mobile network gateway using the MSISDN number. 18.根据权利要求13所述的方法,其中,所述虚拟移动性信息包括临时MSISDN号,所述方法进一步包括:18. The method of claim 13, wherein the virtual mobility information includes a temporary MSISDN number, the method further comprising: 使用所述临时MSISDN号通过所述移动网络网关来对所述服务会话计费。The service session is billed by the mobile network gateway using the temporary MSISDN number. 19.一种通过备用接入网络的接入网关执行的方法,所述方法包括:19. 
A method performed by an access gateway of a backup access network, the method comprising: 接收无线装置的网络接入请求,其中,所述网络接入请求不包括国际移动用户识别码(IMSI);receiving a network access request from a wireless device, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI); 从所述网络接入请求提取无线装置识别码;extracting a wireless device identification code from the network access request; 将所述无线装置识别码发送至认证服务器以请求所述无线装置的移动性信息;sending the wireless device identification code to an authentication server to request mobility information of the wireless device; 从所述认证服务器接收所述无线装置的虚拟移动性信息,所述虚拟移动性信息由所述认证服务器响应于接收所述无线装置识别码、响应于认证用于接入到移动服务提供商网络的所述无线装置而为所述无线装置动态分配,其中,所述虚拟移动性信息包括不存储到所述移动服务提供商网络的归属位置寄存器(HLR)、归属用户服务器(HSS)或归属授权、认证和计费服务器(H-AAA)的虚拟的国际移动用户识别码(IMSI);以及receiving virtual mobility information for the wireless device from the authentication server, the virtual mobility information being used by the authentication server for access to a mobile service provider network in response to receiving the wireless device identification code, in response to authentication dynamically allocated for the wireless device, wherein the virtual mobility information includes a Home Location Register (HLR), Home Subscriber Server (HSS), or Home Authorization , the virtual International Mobile Subscriber Identity (IMSI) of the Authentication and Accounting Server (H-AAA); and 利用所述虚拟移动性信息向所述移动服务提供商网络的移动网络网关发信号,以在通过所述移动网络网关锚定的所述备用接入网络上建立所述无线装置的服务会话。A mobile network gateway of the mobile service provider network is signaled with the virtual mobility information to establish a service session for the wireless device on the alternate access network anchored by the mobile network gateway. 20.根据权利要求19所述的方法,其中,所述无线装置识别码包括所述无线装置的MAC地址或与所述无线装置相关联的客户的客户证书中的一个。20. The method of claim 19, wherein the wireless device identification code comprises one of a MAC address of the wireless device or a client certificate of a client associated with the wireless device. 
21.根据权利要求19所述方法,其中,所述认证服务器不包括所述移动服务提供商网络的归属位置寄存器。21. The method of claim 19, wherein the authentication server does not include a home location register of the mobile service provider network. 22.一种移动服务提供商网络的认证系统,所述认证系统包括:22. An authentication system for a mobile service provider network, the authentication system comprising: 归属位置寄存器;Home Location Register; 客户数据库,与所述归属位置寄存器分开;以及a customer database, separate from said home location register; and 认证服务器,从备用接入网络的接入网关接收无线装置的网络接入请求,其中,所述网络接入请求不包括国际移动用户识别码(IMSI),an authentication server, receiving a network access request of the wireless device from an access gateway of the standby access network, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI), 其中,所述认证服务器响应于接收所述网络接入请求,认证用于接入到所述移动服务提供商网络的所述无线装置,并且wherein the authentication server authenticates the wireless device for access to the mobile service provider network in response to receiving the network access request, and 其中,所述认证服务器将所述网络接入请求的表示发送至所述客户数据库以请求虚拟移动性信息的动态分配,所述虚拟移动性信息包括不由所述移动服务提供商网络的所述归属位置寄存器、归属用户服务器(HSS)或归属授权、认证和计费服务器(H-AAA)存储的虚拟的国际移动用户识别码(IMSI),wherein the authentication server sends a representation of the network access request to the customer database to request dynamic allocation of virtual mobility information including the attribution not provided by the mobile service provider network Virtual International Mobile Subscriber Identity (IMSI) stored in location register, Home Subscriber Server (HSS) or Home Authorization, Authentication and Accounting Server (H-AAA), 其中,所述客户数据库通过所述虚拟移动性信息来响应所述网络接入请求的所述表示,wherein said client database responds to said representation of said network access request with said virtual mobility information, 其中,所述虚拟移动性信息包括虚拟国际移动用户识别码(IMSI),以及Wherein, the virtual mobility information includes a virtual International Mobile Subscriber Identity (IMSI), and 其中,所述认证服务器将所述虚拟移动性信息发送至所述接入网关。Wherein, the authentication server sends the virtual mobility information to the access gateway. 
23. A system for establishing a service session using non-mobile authentication, the system comprising:
a mobile service provider network including a cellular access network and a home location register;
an alternate access network including an access gateway;
a customer database of the mobile service provider network;
an authentication server of the mobile service provider network that receives, from the access gateway, a network access request of a wireless device,
wherein the authentication server, in response to receiving the network access request, authenticates the wireless device for access to the mobile service provider network, and
wherein the authentication server sends a representation of the network access request to the customer database to request dynamic allocation of virtual mobility information, the virtual mobility information including a virtual International Mobile Subscriber Identity (IMSI) that is not stored by the home location register, a Home Subscriber Server (HSS) or a Home Authorization, Authentication and Accounting server (H-AAA) of the mobile service provider network,
wherein the customer database responds to the request for dynamic allocation of the virtual mobility information with the virtual mobility information,
wherein the representation of the network access request does not include an International Mobile Subscriber Identity (IMSI),
wherein the virtual mobility information includes a virtual IMSI, and
wherein the access gateway signals, using the virtual mobility information, a mobile network gateway of the mobile service provider network to establish the service session for the wireless device on the alternate access network anchored by the mobile network gateway.
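The flow of claims 19 to 23, as an added simulation that is not part of the patent or of Juniper's code: the access gateway rejects a request that carries an IMSI, extracts the MAC address or customer certificate, the authentication server consults a customer database separate from the HLR, and the virtual IMSI comes from an assumed reserved block so it can never alias a real subscriber. Device identifiers, IMSI values and message shapes are constructed assumptions.

```python
# Added example (not the patent's or Juniper's code): simulates the claimed
# flow with constructed data. Names, sample values and the reserved IMSI
# block are assumptions.

HLR = {"310150123456789", "310150987654321"}   # constructed real IMSIs

# Constructed customer database: device identifier (MAC address or customer
# certificate subject) -> customer. The virtual IMSIs it hands out come from
# an assumed reserved block that the HLR/HSS/H-AAA never store.
CUSTOMERS = {"aa:bb:cc:dd:ee:01": "alice", "CN=bob-device": "bob"}
VIRTUAL_IMSI_PREFIX = "310150999"


class CustomerDatabase:
    """Separate from the HLR; dynamically allocates virtual mobility info."""

    def __init__(self):
        self._allocated = {}

    def allocate(self, device_id):
        if device_id not in CUSTOMERS:
            return None                          # unknown device
        if device_id not in self._allocated:     # stable per device (assumed)
            imsi = f"{VIRTUAL_IMSI_PREFIX}{len(self._allocated):06d}"
            if imsi in HLR:                      # must never alias a real IMSI
                raise RuntimeError("virtual IMSI collides with HLR entry")
            self._allocated[device_id] = {"virtual_imsi": imsi}
        return self._allocated[device_id]


class AuthenticationServer:
    """Authenticates the device; queries the customer database, not the HLR."""

    def __init__(self, customer_db):
        self.customer_db = customer_db

    def authenticate(self, device_id):
        return self.customer_db.allocate(device_id)


def access_gateway(request, auth_server):
    """Claim 19 steps: receive request, extract device id, query, signal."""
    if "imsi" in request:                        # non-mobile path: no IMSI
        return {"status": "rejected", "reason": "imsi-present"}
    device_id = request.get("mac") or request.get("customer_cert")
    if device_id is None:
        return {"status": "rejected", "reason": "no-device-identifier"}
    info = auth_server.authenticate(device_id)
    if info is None:
        return {"status": "rejected", "reason": "unknown-device"}
    # Signal the mobile network gateway with the virtual IMSI (assumed shape).
    return {"status": "session-established", "virtual_imsi": info["virtual_imsi"]}
```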
CN201310034761.4A 2012-04-26 2013-01-29 The non-moving certification that mobile network gateway connects Active CN103379494B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201261639008P 2012-04-26 2012-04-26
US61/639,008 2012-04-26
US13/553,543 2012-07-19
US13/553,543 US9264898B2 (en) 2012-04-26 2012-07-19 Non-mobile authentication for mobile network gateway connectivity

Publications (2)

Publication Number Publication Date
CN103379494A CN103379494A (en) 2013-10-30
CN103379494B true CN103379494B (en) 2016-11-30

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1674497A (en) * 2004-03-26 2005-09-28 华为技术有限公司 Certification method for WLAN terminal switching in mobile network
EP1624639A1 (en) * 2004-08-02 2006-02-08 Service Factory SF AB Sim-based authentication
CN103124440A (en) * 2011-11-18 2013-05-29 中兴通讯股份有限公司 Method and system for accessing terminal without SIM (Subscriber Identity Module) card to Internet of Things

Similar Documents

Publication Publication Date Title
US10021566B2 (en) Non-mobile authentication for mobile network gateway connectivity
US9549317B2 (en) Methods and apparatuses to provide secure communication between an untrusted wireless access network and a trusted controlled network
US8769626B2 (en) Web authentication support for proxy mobile IP
CN103348717B (en) Mobile router in EPS
KR101545879B1 (en) Method and apparatus for providing network access to a user entity
CN1925690B (en) Method and system for providing roaming service in mobile communication system
US20060182061A1 (en) Interworking between wireless WAN and other networks
WO2013054121A1 (en) Access point
WO2012006448A1 (en) Method and system for interworking a wlan into a wwan for session and mobility management
EP3340691A1 (en) Method for initiating wi-fi voice service, lte communication device, terminal, and communication system
WO2011116713A2 (en) Method, device and system for machine type communication (mtc) terminal communicating with network through gateway
CN103781073B (en) The cut-in method and system of mobile subscriber's fixed network
WO2004051930A1 (en) A communication system and method of authentication therefor
CN103379494B (en) The non-moving certification that mobile network gateway connects
CN103687049B (en) The method and system that multi-connection is established
WO2014059823A1 (en) Pdn service realizing method, system and network element
CN103582160B (en) Data transmission method and device
WO2013152640A1 (en) Address allocation method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: California, USA

Patentee after: Juniper Networks, Inc.

Address before: California, USA

Patentee before: Jungle network