CN116321166A - Hierarchical deployment method and device for enterprise-level MEC authentication system - Google Patents
- Publication number
- CN116321166A
- Authority
- CN
- China
- Prior art keywords
- enterprise
- level
- authentication
- configuration
- mec
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/088—Access security using filters or firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/67—Risk-dependent, e.g. selecting a security level depending on risk profiles
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a hierarchical deployment method and device for an enterprise-level MEC authentication system. The method comprises: deploying a first-level system at the operator, which provides SMF configuration, enterprise-level authentication system configuration, signaling firewall configuration and RADIUS message forwarding; and deploying a second-level system at the enterprise, which provides APN configuration, user account configuration, client configuration and the authentication service. The two levels divide the work between them and interact through the RADIUS message forwarding function. The method and device achieve two-level control: the first-level system handles management of the operator's network access devices and security policy, and the second-level system handles the enterprise's internal control, which effectively addresses the complexity and security problems of configuration for operators and enterprise users.
Description
Technical field
The invention relates to the field of MEC applications, and in particular to a hierarchical deployment method and device for an enterprise-level MEC authentication system.
Background
Operators are vigorously expanding MEC (mobile edge computing) applications to help enterprises with their digital transformation. In an MEC application, when a 5G user's mobile terminal attaches, it is first authenticated by the operator to obtain permission to access the network, and is then authenticated a second time by the enterprise authentication system. The current mainstream approach is for the enterprise authentication system to connect directly to the operator's NAS (network access device) and perform network access authentication over the RADIUS protocol (a remote access authentication protocol). As 5G services grow, whenever an SMF (session management function, a kind of NAS device) changes, the configuration of every enterprise authentication system has to be modified, which brings a heavy workload for operators and enterprises along with the attendant security problems.
Summary of the invention
To address the complexity and security problems of configuration for operators and enterprise users, the invention provides a hierarchical deployment method and device for an enterprise-level MEC authentication system. A first-level system deployed at the operator takes care of basic configuration and security protection, relieving enterprises of that burden so that they can concentrate on managing and controlling their own internal accounts.
To achieve the above object, the invention adopts the following technical solutions:
In one embodiment of the invention, a hierarchical deployment method for an enterprise-level MEC authentication system is proposed, the method comprising:
deploying a first-level system at the operator, providing SMF configuration, enterprise-level authentication system configuration, signaling firewall configuration and RADIUS message forwarding functions;
deploying a second-level system at the enterprise, providing APN configuration, user account configuration, client configuration and authentication service functions;
the two levels dividing the work between them and interacting through the RADIUS message forwarding function.
Further, the enterprise-level authentication system configuration function is that the system forwards RADIUS authentication messages to the enterprise according to the APN identifier.
Further, the signaling firewall configuration function allows a maximum concurrency limit and an account blacklist to be set for each individual enterprise; the matching conditions of the account blacklist support regular-expression matching rules on username/password, user number and device identifier.
Further, the RADIUS message forwarding function receives the authentication request sent by the SMF and forwards it to the authentication server of the corresponding enterprise according to the APN identifier.
Further, the authentication service function receives the authentication request message forwarded by the first-level system, performs the enterprise's internal authentication, and returns the authentication result to the first-level system.
In one embodiment of the invention, a hierarchical deployment device for an enterprise-level MEC authentication system is also proposed, the device comprising:
a first-level system function module, configured to deploy the first-level system at the operator and provide SMF configuration, enterprise-level authentication system configuration, signaling firewall configuration and RADIUS message forwarding functions;
a second-level system function module, configured to deploy the second-level system at the enterprise and provide APN configuration, user account configuration, client configuration and authentication service functions;
a forwarding function module, by which the two levels divide the work between them and interact through the RADIUS message forwarding function.
Further, the enterprise-level authentication system configuration function is that the system forwards RADIUS authentication messages to the enterprise according to the APN identifier.
Further, the signaling firewall configuration function allows a maximum concurrency limit and an account blacklist to be set for each individual enterprise; the matching conditions of the account blacklist support regular-expression matching rules on username/password, user number and device identifier.
Further, the RADIUS message forwarding function receives the authentication request sent by the SMF and forwards it to the authentication server of the corresponding enterprise according to the APN identifier.
Further, the authentication service function receives the authentication request message forwarded by the first-level system, performs the enterprise's internal authentication, and returns the authentication result to the first-level system.
In one embodiment of the invention, a computer device is also proposed, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the aforementioned hierarchical deployment method for an enterprise-level MEC authentication system is implemented.
In one embodiment of the invention, a computer-readable storage medium is also proposed, which stores a computer program for executing the hierarchical deployment method for an enterprise-level MEC authentication system.
Beneficial effects:
1. The invention designs a hierarchical deployment scheme for an enterprise-level MEC authentication system, which has been put to effective use in 5G Internet of Things services.
2. Through two-level deployment, based on RADIUS forwarding and using techniques such as a signaling firewall, the invention achieves a division of labor between operator and enterprise and provides a secure and efficient enterprise-level authentication service.
Description of drawings
Fig. 1 is a schematic flowchart of the hierarchical deployment method for an enterprise-level MEC authentication system of the invention;
Fig. 2 is a schematic diagram of the SMF configuration page in one embodiment of the invention;
Fig. 3 is a schematic diagram of the enterprise authentication system configuration page in one embodiment of the invention;
Fig. 4 is a schematic diagram of the signaling firewall configuration page in one embodiment of the invention;
Fig. 5 is a schematic diagram of the APN configuration page in one embodiment of the invention;
Fig. 6 is a schematic diagram of the user account configuration page in one embodiment of the invention;
Fig. 7 is a schematic diagram of the client configuration page in one embodiment of the invention;
Fig. 8 is a schematic structural diagram of the hierarchical deployment device for an enterprise-level MEC authentication system of the invention;
Fig. 9 is a schematic structural diagram of the computer device of the invention.
Detailed description
The principle and spirit of the invention are described below with reference to several exemplary embodiments. It should be understood that these embodiments are given only so that those skilled in the art can better understand and implement the invention, and not to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art know that embodiments of the invention can be implemented as a system, apparatus, device, method or computer program product. The disclosure may therefore be embodied as pure hardware, pure software (including firmware, resident software, microcode and the like), or a combination of hardware and software.
According to embodiments of the invention, a hierarchical deployment method and device for an enterprise-level MEC authentication system is proposed that achieves two-level control: the first-level system handles management of the operator's network access devices and security policy, and the second-level system handles the enterprise's internal control, which effectively addresses the complexity and security problems of configuration for operators and enterprise users.
The principle and spirit of the invention are explained in detail below with reference to several representative embodiments.
Fig. 1 is a schematic flowchart of the hierarchical deployment method for an enterprise-level MEC authentication system of the invention. As shown in Fig. 1, the method is implemented in two levels and comprises:
S1. Deploy a first-level system at the operator, providing SMF configuration, enterprise-level authentication system configuration, signaling firewall configuration and RADIUS message forwarding functions;
S2. Deploy a second-level system at the enterprise, providing APN (access point name) configuration, user account configuration, client configuration and authentication service functions;
S3. The two levels divide the work between them and interact through the RADIUS message forwarding function, jointly safeguarding the enterprise's MEC services and delivering a secure and efficient service experience.
It should be noted that although the operations of the method are described in a particular order in the above embodiments and drawings, this does not require or imply that the operations must be performed in that order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, several steps may be combined into one, and/or one step may be split into several.
To explain the above hierarchical deployment method more clearly, a specific embodiment is described below. Note that this embodiment serves only to better illustrate the invention and does not unduly limit it.
This scheme has been applied in China Unicom's MEC project, where it greatly improved the usability of the enterprise-level authentication system, reduced network security risk, and did much to promote the growth of MEC services. China Unicom MEC serves a number of enterprise customers, including Sany Heavy Industry and Midea, and an authentication server is deployed inside each of them. Initially these servers were all connected directly to the core network SMF devices, which meant a large network configuration workload and also carried significant security risks. Later, an operator first-level system was set up to forward authentication: it is configured with the IP addresses and keys of the core network SMF devices, and each enterprise second-level system only needs to be configured with the IP address and key of the operator's first-level system. On the one hand, the core network SMF devices and firewalls no longer need frequent reconfiguration; on the other hand, security protection can be applied at the national authentication center to prevent adverse effects on the core network.
The specific implementation is as follows:
1. Functions of the operator's first-level system
(1) SMF configuration function, shown in Fig. 2, used to configure the information of SMF devices. The system only accepts authentication requests initiated by devices that have been entered here.
Note: items marked with "*" are required, the others are optional. The key is entered as ciphertext and is encrypted in transit.
(2) Enterprise authentication system configuration function, shown in Fig. 3. The system forwards RADIUS authentication messages to the enterprise according to the APN identifier.
Note: items marked with "*" are required, the others are optional. The key is entered as ciphertext and is encrypted in transit. The primary and standby servers use the same key.
(3) Signaling firewall configuration function, shown in Fig. 4, used to defend against attacks. A maximum concurrency limit and an account blacklist can be set for each individual enterprise; the matching conditions of the account blacklist support regular-expression matching rules on username/password, user number and device identifier.
Note: items marked with "*" are required, the others are optional. The "User attribute" drop-down under "Matching condition" offers: username/password, user number and device identifier.
(4) RADIUS message forwarding function: receives the authentication request sent by the SMF and forwards it to the authentication server of the corresponding enterprise according to the APN identifier.
2. Enterprise second-level system
(1) APN configuration function, shown in Fig. 5, with which the user maintains the enterprise's APN information.
Note: items marked with "*" are required, the others are optional. The "Authentication method" drop-down offers: username/password, user number and device identifier.
(2) User account configuration function, shown in Fig. 6, used to maintain the enterprise's 5G account information.
Note: the query condition "APN" is chosen from a drop-down list with auto-suggestion. Items marked with "*" are required, the others are optional. The required items are set according to the authentication method of the selected APN, and required items are placed first:
When the authentication method is "username/password", the username and password are required.
When the authentication method is "user number", the user number is required.
When the authentication method is "device identifier", the device identifier is required.
(3) Client configuration function, shown in Fig. 7, used to set up and maintain the information of the operator's first-level system.
Note: items marked with "*" are required, the others are optional. The key is entered as ciphertext and is encrypted in transit.
(4) Authentication service function: receives the authentication request message forwarded by the operator's first-level system, performs the enterprise's internal authentication, and returns the authentication result to the operator's first-level system.
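The first-level checks from section 1 above (registered-SMF filter, signaling firewall, APN-based forwarding), as an added Python example that is not taken from the patent. It assumes the APN arrives in Called-Station-Id, the user number in Calling-Station-Id and the device identifier in the 3GPP-IMEISV vendor-specific attribute, and it treats the concurrency limit as a cap on in-flight requests. Password matching and standby failover are left out, and all addresses, APNs and blacklist rules are constructed sample values.

```python
import ipaddress
import re
import struct
from dataclasses import dataclass, field

ACCESS_REQUEST = 1
USER_NAME, VENDOR_SPECIFIC, CALLED_STATION_ID, CALLING_STATION_ID = 1, 26, 30, 31
VENDOR_3GPP, IMEISV = 10415, 20          # 3GPP-IMEISV vendor-specific attribute


def parse_access_request(packet: bytes) -> dict:
    """Extract the attributes the signaling firewall inspects (RFC 2865 layout)."""
    length = int.from_bytes(packet[2:4], "big")      # RADIUS Length field
    if packet[:1] != bytes([ACCESS_REQUEST]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    out, pos = {}, 20
    while pos < length:
        a_type, a_len = packet[pos], int.from_bytes(packet[pos + 1:pos + 2], "big")
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == USER_NAME:
            out["username"] = value.decode("utf-8", "replace")
        elif a_type == CALLED_STATION_ID:        # assumption: carries the APN
            out["apn"] = value.decode("ascii", "replace").lower()
        elif a_type == CALLING_STATION_ID:       # assumption: carries the user number
            out["user_number"] = value.decode("ascii", "replace")
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if (vendor, v_type) == (VENDOR_3GPP, IMEISV) and 2 <= v_len <= len(value) - 4:
                out["device_id"] = value[6:4 + v_len].decode("ascii", "replace")
        pos += a_len
    return out


@dataclass
class Enterprise:
    servers: list                 # primary first, then standby (failover not shown)
    max_concurrent: int           # per-enterprise cap on in-flight requests
    blacklist: list = field(default_factory=list)    # (attribute, compiled regex)
    in_flight: int = 0


class FirstLevelForwarder:
    def __init__(self, smf_addresses, enterprises):
        self.smf = {ipaddress.ip_address(a) for a in smf_addresses}
        self.enterprises = enterprises               # APN -> Enterprise

    def decide(self, src_ip: str, packet: bytes):
        """Return (verdict, detail); for 'forward' the detail is the target server."""
        if ipaddress.ip_address(src_ip) not in self.smf:
            return ("drop", "unregistered SMF")
        try:
            req = parse_access_request(packet)
        except ValueError as exc:
            return ("drop", f"malformed: {exc}")
        ent = self.enterprises.get(req.get("apn", ""))
        if ent is None:
            return ("reject", "unknown APN")
        for attr, pattern in ent.blacklist:
            if attr in req and pattern.fullmatch(req[attr]):   # rule covers whole value
                return ("reject", f"blacklisted {attr}")
        if ent.in_flight >= ent.max_concurrent:
            return ("reject", "concurrency limit")
        ent.in_flight += 1
        return ("forward", ent.servers[0])

    def complete(self, apn: str):
        """Release a slot when the enterprise answers or the request times out."""
        ent = self.enterprises[apn.lower()]
        ent.in_flight = max(0, ent.in_flight - 1)


def build_request(apn, username, msisdn, imeisv):
    """Constructed Access-Request for the demo (zeroed authenticator)."""
    def attr(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    vsa = struct.pack("!IBB", VENDOR_3GPP, IMEISV, len(imeisv) + 2) + imeisv.encode()
    body = (attr(USER_NAME, username.encode()) + attr(CALLED_STATION_ID, apn.encode())
            + attr(CALLING_STATION_ID, msisdn.encode()) + attr(VENDOR_SPECIFIC, vsa))
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body


def demo():
    """Run constructed requests through the first-level checks; return the verdicts."""
    fw = FirstLevelForwarder(["192.0.2.1"], {"factory.example": Enterprise(
        ["198.51.100.10", "198.51.100.11"], max_concurrent=2,
        blacklist=[("username", re.compile(r"test.*")), ("device_id", re.compile(r"0{16}"))])})
    ok = build_request("factory.example", "alice", "8613800000001", "3512340000000101")
    other = build_request("other.example", "alice", "8613800000001", "3512340000000101")
    bad_user = build_request("factory.example", "test01", "8613800000002", "3512340000000102")
    bad_dev = build_request("factory.example", "bob", "8613800000003", "0000000000000000")
    smf = "192.0.2.1"
    verdicts = [fw.decide("203.0.113.9", ok), fw.decide(smf, ok[:-3]),
                fw.decide(smf, other), fw.decide(smf, bad_user), fw.decide(smf, bad_dev),
                fw.decide(smf, ok), fw.decide(smf, ok), fw.decide(smf, ok)]
    fw.complete("factory.example")               # one enterprise reply frees a slot
    return verdicts + [fw.decide(smf, ok)]
```

Blacklisted and malformed requests are turned away before the concurrency counter is touched, so they cannot consume an enterprise's slots.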
Based on the same inventive concept, the invention also proposes a hierarchical deployment device for an enterprise-level MEC authentication system. For the implementation of the device, refer to the implementation of the method above; what is common to both is not repeated. The term "module" as used below may be a combination of software and/or hardware that performs a predetermined function. Although the device described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 8 is a schematic structural diagram of the hierarchical deployment device for an enterprise-level MEC authentication system of the invention. As shown in Fig. 8, the device comprises:
a first-level system function module 101, configured to deploy the first-level system at the operator and provide SMF configuration, enterprise-level authentication system configuration, signaling firewall configuration and RADIUS message forwarding functions;
the enterprise-level authentication system configuration function is that the system forwards RADIUS authentication messages to the enterprise according to the APN identifier;
the signaling firewall configuration function allows a maximum concurrency limit and an account blacklist to be set for each individual enterprise, and the matching conditions of the account blacklist support regular-expression matching rules on username/password, user number and device identifier;
the RADIUS message forwarding function receives the authentication request sent by the SMF and forwards it to the authentication server of the corresponding enterprise according to the APN identifier.
a second-level system function module 102, configured to deploy the second-level system at the enterprise and provide APN configuration, user account configuration, client configuration and authentication service functions;
the authentication service function receives the authentication request message forwarded by the first-level system, performs the enterprise's internal authentication, and returns the authentication result to the first-level system.
a forwarding function module 103, by which the two levels divide the work between them and interact through the RADIUS message forwarding function.
It should be noted that although several modules of the hierarchical deployment device are mentioned in the detailed description above, this division is only exemplary and not mandatory. In fact, according to embodiments of the invention, the features and functions of two or more of the modules described above may be embodied in one module. Conversely, the features and functions of one module described above may be further divided and embodied in several modules.
Based on the foregoing inventive concept, as shown in Fig. 8, the invention also proposes a computer device 200, comprising a memory 210, a processor 220, and a computer program 230 stored in the memory 210 and executable on the processor 220; when the processor 220 executes the computer program 230, the aforementioned hierarchical deployment method for an enterprise-level MEC authentication system is implemented.
Based on the foregoing inventive concept, the invention also proposes a computer-readable storage medium, which stores a computer program for executing the aforementioned hierarchical deployment method for an enterprise-level MEC authentication system.
In a telecom operator's MEC (mobile edge computing) scenario, in addition to the operator's network access authentication, an enterprise-level authentication system provides a second authentication, giving the enterprise more flexible access control. The hierarchical deployment method and device proposed by the invention have been put to effective use in 5G Internet of Things services; through two-level deployment, based on RADIUS forwarding and using techniques such as a signaling firewall, they achieve a division of labor between operator and enterprise and provide a secure and efficient enterprise-level authentication service.
Although the spirit and principle of the invention have been described with reference to several specific embodiments, it should be understood that the invention is not limited to the specific embodiments disclosed, and the division into aspects does not mean that features of those aspects cannot be combined to advantage; the division is only for convenience of presentation. The invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
As to limitations on the scope of protection of the invention, those skilled in the art should understand that, on the basis of the technical solution of the invention, any modifications or variations that those skilled in the art can make without creative effort still fall within the scope of protection of the invention.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111563014.0A CN116321166A (en) | 2021-12-20 | 2021-12-20 | Hierarchical deployment method and device for enterprise-level MEC authentication system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116321166A (en) | 2023-06-23 |
Family
ID=86813611
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111563014.0A Pending CN116321166A (en) | 2021-12-20 | 2021-12-20 | Hierarchical deployment method and device for enterprise-level MEC authentication system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116321166A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |