
CN120640283A - Terminal access authentication method and system - Google Patents

Terminal access authentication method and system

Info

Publication number
CN120640283A
Authority
CN
China
Prior art keywords
snpn
management server
network management
target
eap
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510982334.1A
Other languages
Chinese (zh)
Inventor
俞一帆
石磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Ailing Network Co ltd
Original Assignee
Shenzhen Ailing Network Co ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a terminal access authentication method and system. A UE sends an access request to a first SNPN; the first SNPN determines the subscription data of the UE and establishes a PDU session according to the access request. The UE then sends an EAP request message to the first SNPN; the first SNPN creates a local data record according to the EAP request message and forwards the EAP request message to a network management server, which sends it on to an AAA server. Once the AAA server determines that the EAP request is legal, the network management server creates context information, acquires the SUPI based on the MAC address, and determines the identifier of a target SNPN. The network management server then writes the subscription data of the UE into the data table corresponding to the target SNPN in the network management server and synchronizes that subscription data to the unified data management function (UDM) in the target SNPN.

Description

Terminal access authentication method and system
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and a system for terminal access authentication.
Background
In the field of enterprise network security, access authentication requirements for wired and wireless local area networks are becoming increasingly stringent. In the conventional scheme, 802.1x authentication combined with the Extensible Authentication Protocol (EAP) realizes fine-grained access control through a client-authenticator-authentication server architecture, for example by adopting the EAP-TLS digital certificate mechanism to improve security. By centrally managing user credentials and configuring access rights for each client individually, this technology has become the standard scheme for enterprise intranet security. However, with the deployment of the fifth generation mobile communication technology (5th Generation Mobile Communication Technology, 5G) in enterprise private networks, a terminal accessing through 5G needs to combine the 5G native security mechanism with conventional 802.1x authentication in order to meet the high security requirements of scenarios such as industrial control and campus networks.
In the prior art, authentication is performed in one of two ways. In the first way, 802.1x authentication logic is introduced into the 5G core network and EAP messages are encapsulated in independent non-public network (SNPN) signaling for transmission, so that a 5G terminal can trigger secondary authentication for a data network after accessing the core network. In the second way, terminal access authentication is implemented in the SNPN by cooperation of the user plane function (User Plane Function, UPF) and the session management function (Session Management Function, SMF): the UPF forwards EAP requests to an authentication, authorization and accounting (AAA) server according to an initial forwarding rule from the SMF and generates a security rule according to the authentication result, while the SMF is responsible for generating and updating the forwarding rules that control user plane traffic.
However, in the first way, 802.1x authentication in the existing 5G network needs to carry EAP messages in NAS messages, which requires the terminal protocol stack to support encapsulating and parsing EAP messages; current 5G terminals have no such built-in function, so protocol stack code must be modified, resulting in poor terminal compatibility and high deployment cost. The second way does not consider the scenario in which the terminal switches between a plurality of SNPNs. When the terminal switches SNPN, 802.1x authentication has to be performed again, which increases the operation complexity for the user, increases the processing load of the AAA server, and affects network efficiency and stability.
Disclosure of Invention
The application aims to provide a terminal access authentication method and system that address the defects in the prior art, namely the high deployment threshold and the complex authentication in SNPN scenarios.
In order to achieve the above purpose, the technical scheme adopted by the application is as follows:
In a first aspect, the present application provides a terminal access authentication method applied to a terminal access authentication system. The system includes a network management server, an authentication, authorization and accounting (AAA) server, a first independent non-public network (SNPN) and at least one second SNPN, where the network management server, the AAA server and the first SNPN are deployed in the same security domain. The method includes:
The user equipment (UE) in the first SNPN sends an access request to the first SNPN; the first SNPN determines the subscription data of the UE according to the access request and establishes a PDU session in the first SNPN according to that subscription data, where the access request includes the user identity SUPI of the UE;
The UE sends an EAP request message to the first SNPN; the first SNPN creates a local data record according to the EAP request message and sends the EAP request message of the UE to the network management server, where the local data record includes the Media Access Control (MAC) address of the UE and the PDU session identifier of the UE;
The network management server forwards the EAP request message of the UE to the AAA server, and the AAA server determines whether the EAP request is legal; if so, the network management server creates the context information of the UE, which includes the MAC address of the UE;
The network management server obtains the SUPI of the UE from the first SNPN based on the MAC address of the UE and determines the identifier of the target SNPN according to the SUPI of the UE, where the target SNPN is an SNPN accessible to the UE and is one of the second SNPNs. The network management server then writes the subscription data of the UE into the data table corresponding to the target SNPN in the network management server and synchronizes that data table to the unified data management function (UDM) in the target SNPN.
Optionally, before the UE in the first SNPN sends the access request to the first SNPN, the method further includes:
the network management server receives subscription data of a plurality of UEs input by a user;
the network management server writes the subscription data of these UEs into the data table corresponding to the first SNPN in the network management server, synchronizes that data table to the UDM in the first SNPN, and synchronizes the data table corresponding to each second SNPN in the network management server to the UDM in that second SNPN.
Optionally, the first SNPN determines the subscription data of the UE according to the access request, and establishes the PDU session in the first SNPN according to the subscription data of the UE, including:
The SMF in the first SNPN generates a first subscription data query request according to SUPI, sends the first subscription data query request to the UDM in the first SNPN, and receives subscription data of the UE returned by the UDM in the first SNPN;
The SMF determines a target user plane function (UPF) according to the subscription data of the UE;
the SMF establishes a PDU session of the UE in the first SNPN based on the target UPF.
Optionally, the first SNPN creates a local data record according to the EAP request message, including:
The target UPF in the first SNPN determines whether the EAP request message includes a target field;
if yes, the target UPF creates a local data record based on the EAP request message.
Optionally, the network management server forwarding the EAP request message of the UE to the AAA server, the AAA server determining whether the EAP request is legal and, if so, the network management server creating the context information of the UE includes:
The network management server determines whether a target field exists in the EAP request message; if so, the authenticator in the network management server sends the EAP request message to the AAA server;
The AAA server determines whether the EAP request is legal according to the EAP request message and, if so, generates an EAP response message and sends it to the authenticator;
The authenticator creates the context information of the UE from the EAP response message.
Optionally, the network management server obtaining the SUPI of the UE from the first SNPN based on the MAC address of the UE includes:
The network management server reads the MAC address from the authenticator, generates a first query request and sends it to the NEF in the first SNPN, where the first query request includes the MAC address;
The NEF in the first SNPN forwards the first query request to the target UPF, so that the target UPF retrieves the corresponding PDU session identifier from the local data record based on the MAC address;
The target UPF sends the PDU session identifier to the network management server through the NEF;
The network management server generates a second query request and sends it to the SMF through the NEF, where the second query request includes the PDU session identifier;
The SMF determines the SUPI corresponding to the PDU session identifier and sends the SUPI to the network management server through the NEF.
Optionally, the method further comprises:
The UE initiates an access request in an SNPN to be accessed and establishes a PDU session in that SNPN according to the response to the access request, where the SNPN to be accessed is one of the second SNPNs.
Optionally, the UE initiating an access request in the SNPN to be accessed and establishing a PDU session in the target SNPN according to the response to the access request includes:
The UE initiates an access request to the SMF in the SNPN to be accessed, where the access request includes the SUPI of the UE;
The SMF determines according to the SUPI whether the subscription data of the UE exists in the UDM in the SNPN to be accessed; if so, the target UPF of the UE in that SNPN is determined and a PDU session of the UE in that SNPN is established.
Optionally, determining the identifier of the target SNPN according to the SUPI of the UE includes:
The network management server uses the SUPI as an index and searches whether subscription data of the UE corresponding to the SUPI exists in the data table corresponding to the first SNPN in the network management server;
if so, the identifier of the accessible network in the subscription data of the UE is used as the identifier of the target SNPN.
In a second aspect, the application provides a terminal access authentication system comprising a network management server, an AAA server, a first SNPN and at least one second SNPN, wherein the network management server, the AAA server and the first SNPN are deployed in the same security domain, and the terminal access authentication system is used for executing the terminal access authentication method according to the first aspect.
The advantages of the method are as follows. The first SNPN determines the subscription data of the UE according to the access request sent by the UE and establishes the PDU session in the first SNPN according to that subscription data. The first SNPN then creates a local data record according to the EAP request message sent by the UE and sends the EAP request message to the network management server, which forwards it to the AAA server. After the AAA server confirms that the EAP request is legal, the network management server creates the context information of the UE, obtains the SUPI of the UE from the first SNPN based on the MAC address of the UE, determines the identity of the target SNPN according to the SUPI, writes the subscription data of the UE into the data table corresponding to the target SNPN in the network management server, and synchronizes that data table to the UDM in the target SNPN. In the application, the UE first enters the security domain of the first SNPN and completes authentication, and can then enter the security domain of the target SNPN without being re-authenticated by the AAA server, which reduces the operations required of the UE and the processing load of the AAA server. In addition, 802.1x-based authentication is realized without changing the 5G protocol stack of the UE, so the deployment threshold is low and compatibility is high.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an architecture of a terminal access authentication system according to an embodiment of the present application;
fig. 2 is a flow chart of a terminal access authentication method according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of establishing a PDU session in the first SNPN according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of creating context information of a UE by a network management server according to an embodiment of the present application;
Fig. 5 is a flowchart of obtaining a SUPI of a UE according to an embodiment of the present application;
fig. 6 is a flowchart of another method for authenticating access to a terminal according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the drawings in the present application are for the purpose of illustration and description only and are not intended to limit the scope of the present application. In addition, it should be understood that the schematic drawings are not drawn to scale. A flowchart, as used in this disclosure, illustrates operations implemented according to some embodiments of the present application. It should be understood that the operations of the flow diagrams may be implemented out of order and that steps without logical context may be performed in reverse order or concurrently. Moreover, one or more other operations may be added to or removed from the flow diagrams by those skilled in the art under the direction of the present disclosure.
In addition, the described embodiments are only some, but not all, embodiments of the application. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that the term "comprising" will be used in embodiments of the application to indicate the presence of the features stated hereafter, but not to exclude the addition of other features.
In the prior art, the approach of encapsulating EAP messages in SNPN signaling so that a 5G terminal triggers secondary authentication for a data network after accessing the core network requires the terminal protocol stack to support encapsulating and parsing EAP messages; current 5G terminals have no such built-in function and their protocol stack code must be modified, so terminal compatibility is poor and deployment cost is high.
The approach of implementing terminal access authentication in the SNPN through cooperation of the UPF and the SMF does not consider the scenario of a terminal moving between a plurality of SNPNs. When the terminal switches SNPN, 802.1x authentication has to be performed again, which increases the operation complexity for the user, increases the processing load of the AAA server, and affects network efficiency and stability.
Based on this, the present application proposes a terminal access authentication method. After a user device initiates an EAP request in a security domain in which a network management server, an AAA server and an SNPN are deployed, and after a PDU session has been established, the network management server confirms through the AAA server that the EAP request is legal, searches the UDM corresponding to the SNPN for the subscription data of the user device, takes the SNPN that the subscription data marks as accessible to the user device as the target SNPN, fills the subscription data of the user device into the data table corresponding to the target SNPN, and synchronizes that data table to the UDM in the target SNPN. The user device can then initiate an access request in the target SNPN and establish a PDU session there without being authenticated by the AAA server again. The method does not require changes to the 5G protocol stack of the user device, so compatibility is high and deployment cost is low. In addition, the method supports the coexistence of a plurality of SNPNs: the user device performs 802.1x authentication only once and does not repeat it when accessing other SNPNs, which reduces the operations of the user device and the processing load of the AAA server.
Before introducing the terminal access authentication method provided by the application, a few terms involved in the application are briefly described.
802.1X is a framework for centrally configuring, managing and controlling access rights for wired and wireless local area networks and for providing network services and applications; it can set access credentials for each client individually. Specifically, 802.1x authentication adopts the EAP framework of the Internet Engineering Task Force (IETF) and defines four main functional components: a client, an authenticator, an authentication server and a user directory. The client may be a user equipment or user terminal attempting to access the network; the authenticator may be a network access point, such as the access and mobility management function (Access and Mobility Management Function, AMF); the authentication server may be an AAA server; and the user directory may be a database or a data table corresponding to the network. When the client needs to access the network, it sends its user credentials to the authenticator, the authenticator forwards them to the authentication server, and the authentication server queries the user directory to confirm whether the forwarded credentials are legal and decides according to the confirmation result whether the client is allowed to access the network.
User equipment (UE) is a terminal device in a mobile communication system, including mobile phones, tablet computers, notebook computers, PDAs, Internet of Things devices, smart home devices, autonomous vehicles and the like; a UE may also be communicatively connected to an industrial device.
SNPN is a network type in the 5G system. An SNPN is independent of the network functions provided by the public land mobile network, and only the SNPN itself is selected and registered during terminal access.
The AAA server performs authentication, authorization and accounting. Authentication verifies the identity of the terminal, ensuring through user name and password, digital certificate, two-factor authentication and similar means that only legitimate users or devices can access network resources. Authorization determines, according to the identity and rights of the terminal, which resources it may access and which operations it may perform, for example restricting the terminal's access to a particular file or application. Accounting records the terminal's use of network resources.
A security domain is a logical region and a set of IT elements composed of systems with the same security requirements that trust each other. SNPN, as a special network type, can be defined and managed in the security domain division according to security requirements, access control policies and the like; for example, the security domain is isolated from other network domains and the information flow entering and leaving it is controlled by means such as firewalls, so as to ensure the security and independence of the security domain.
Next, an architecture of a terminal access authentication system to which the terminal access authentication method is applied will be described with reference to fig. 1. Fig. 1 is a schematic diagram of an architecture of a terminal access authentication system according to an embodiment of the present application.
Optionally, the terminal access authentication system includes a network management server, an AAA server, a first SNPN and at least one second SNPN, where the network management server, the AAA server and the first SNPN are deployed in the same security domain. In Fig. 1, second SNPN-1, second SNPN-2 and second SNPN-n are used as examples of the plurality of second SNPNs.
Optionally, the network management server maintains a data table corresponding to the first SNPN and a data table corresponding to each second SNPN, and hosts the authenticator, which is an 802.1x authenticator. The network management server is connected to the AAA server, to the first SNPN and to each second SNPN. The data table corresponding to the first SNPN is synchronized with the unified data management function (Unified Data Management, UDM) in the first SNPN, and the data table corresponding to each second SNPN is synchronized with the UDM in that second SNPN. A data table may be maintained in each UDM to store the subscription data of user equipment.
Alternatively, the first SNPN and each second SNPN may be used in industry and other vertical sectors and include an access layer, a control layer, a user plane and support functions. The access layer comprises the UE and the (Radio) Access Network ((R)AN), where the (R)AN provides the wireless connection between the UE and the core network. The control layer includes the AMF, the SMF, the policy control function (Policy Control Function, PCF) and the authentication server function (Authentication Server Function, AUSF); the user plane includes the UPF, which forwards traffic data. The support functions include the network repository function (Network Repository Function, NRF), the network exposure function (Network Exposure Function, NEF) and the unified data management function (Unified Data Management, UDM).
The interfaces in Fig. 1 are labelled as "N + network element", in accordance with the 3GPP 5G standard. Specifically, among the control plane interfaces, the interfaces of the AMF and the SMF are Namf and Nsmf and the interface of the PCF and the SMF is Npcf; among the user plane interfaces, N1 is the interface between the UE and the AMF, N2 between the (R)AN and the AMF, N3 between the (R)AN and the UPF, N4 between the SMF and the UPF, and N6 between the UPF and an external Data Network (DN), where the DN is not shown in the figure.
Alternatively, each second SNPN may be deployed in its own security domain, as shown in Fig. 1. The security domain of the first SNPN may cover the security domains of the second SNPNs.
Having described the terminal access authentication system, specific steps of the terminal access authentication method will be described with reference to fig. 2. Fig. 2 is a schematic flow chart of a terminal access authentication method according to an embodiment of the present application.
S201, the UE in the first SNPN sends an access request to the first SNPN. The first SNPN determines the subscription data of the UE according to the access request and establishes a PDU session in the first SNPN according to that subscription data, where the access request includes the SUPI of the UE.
Optionally, when the UE first enters the security domain, it needs to first enter the security domain in which the first SNPN is located and complete authentication. At this point, the first SNPN acts as a bootstrap network.
Optionally, the subscription data of the UE includes the user identity (Subscription Permanent Identifier, SUPI) of the UE and the identity of each network accessible to the UE. For example, the subscription data of the UE includes the SUPI of the UE, the identifier of the first SNPN that the UE may access, and the identifier of second SNPN-1.
Alternatively, subscription data of a plurality of UEs may be stored in advance in the data table corresponding to the first SNPN maintained by the network management server, and that data table may be synchronized to the UDM in the first SNPN, such as the UDM in Fig. 1. This subscription data may be input by a user, with each UE indexed by its SUPI.
Alternatively, the UE may send the access request to the (R)AN and the SMF.
Optionally, the first SNPN may search the data table according to the SUPI in the access request of the UE; if that SUPI is present in the prestored subscription data, the subscription data corresponding to the SUPI is taken as the subscription data of the UE.
Optionally, the first SNPN selects a target UPF according to the subscription data of the UE and the basic information of each candidate UPF, and establishes an Ethernet-type PDU session based on the target UPF. The candidate UPFs are the UPFs in the first SNPN, and the basic information of a UPF includes information such as its location and current load.
Optionally, after establishing the PDU session in the first SNPN, the access rights of the UE are then authenticated.
S202, the UE sends an EAP request message to the first SNPN. The first SNPN creates a local data record according to the EAP request message, and sends the EAP request message of the UE to the network management server, where the local data record includes the MAC address of the UE and the PDU session identifier of the UE.
Alternatively, the EAP request message may be encapsulated with the EAP over LAN protocol (Extensible Authentication Protocol over LAN, EAPoL). The EAP request message may include an 802.1x authentication frame whose PAE Ethernet Type field has the value 0x888E.
Alternatively, the local data record may be expressed in the form <MAC, PDU Session ID>, where MAC is the MAC address of the UE, which may be the source MAC address of the EAP request message, and PDU Session ID is the identifier of the PDU session established between the UE and the UPF.
S203, the network management server forwards the EAP request message of the UE to the AAA server, and the AAA server determines whether the EAP request is legal or not, if yes, the network management server creates the context information of the UE, wherein the context information of the UE comprises the MAC address of the UE.
Optionally, the network management server receives the EAP request message sent by the first SNPN. As an alternative implementation, the network management server may determine whether the received message contains an 802.1x authentication frame by checking whether the value of its PAE Ethernet Type field is 0x888E, and if so forward the EAP request message to the AAA server.
As an alternative embodiment, the EAP request message may further include a user name and a password, which may be encrypted. After receiving the EAP request message, the AAA server decrypts the user name and password and searches for them in a pre-stored database; if they are found, the EAP request of the UE is legal, otherwise it is illegal.
Alternatively, the AAA server may generate an EAP response message according to the validity of the EAP request and send the EAP response message to the network management server.
S204, the network management server obtains SUPI of the UE from the first SNPN based on the MAC address of the UE, determines the identification of the target SNPN according to the SUPI of the UE, wherein the target SNPN is SNPN accessible to the UE, the target SNPN is a second SNPN, and the network management server writes the subscription data of the UE into a data table corresponding to the target SNPN in the network management server and synchronizes the data table corresponding to the target SNPN in the network management server into the UDM in the target SNPN.
Optionally, after the data table of the target SNPN has been synchronized to the UDM in the target SNPN, the UE may initiate an access request in the target SNPN and establish a PDU session there.
Alternatively, the data table corresponding to the target SNPN in the network management server may be synchronized into the UDM in the target SNPN by a data synchronization mechanism. Wherein the data synchronization mechanism may be a replication set mechanism.
As an optional implementation manner, the network management server may first obtain, based on the MAC address of the UE, the PDU session identifier corresponding to the MAC address from the first SNPN, and then obtain, based on the PDU session identifier of the UE, the SUPI corresponding to the PDU session identifier.
As an alternative embodiment, the network management server may retrieve in the first SNPN based on the obtained SUPI, and use the retrieved identity of the network corresponding to the SUPI as the identity of the target SNPN.
Optionally, after determining the target SNPN, the subscription data of the UE is written into the data table corresponding to the target SNPN in the network management server, and that data table is synchronized into the UDM in the target SNPN. Since the UE has completed 802.1x authentication at this point, the data table corresponding to the target SNPN in the network management server is synchronized to the UDM in the target SNPN, so that when the UE enters the security domain in which the target SNPN is located, its subscription data is already stored in that SNPN; the PDU session can then be established without performing 802.1x authentication again, and the UE is admitted to the target SNPN.
In this embodiment, the first SNPN determines the subscription data of the UE according to the access request sent by the UE, and establishes the PDU session in the first SNPN according to the subscription data of the UE. The first SNPN then creates a local data record according to the EAP request message sent by the UE and sends the EAP request message of the UE to the network management server; the network management server forwards the EAP request message to the AAA server, and after the AAA server confirms that the EAP request is legal, the network management server creates the context information of the UE, obtains the SUPI of the UE from the first SNPN based on the MAC address of the UE, determines the identifier of the target SNPN according to the SUPI of the UE, writes the subscription data of the UE into the data table corresponding to the target SNPN in the network management server, and synchronizes that data table into the UDM in the target SNPN. In this embodiment, the UE enters the security domain of the first SNPN in advance and completes authentication there, and then enters the security domain of the target SNPN without the AAA server having to authenticate it again. In addition, authentication based on the 802.1x protocol can be realized without changing the 5G protocol stack of the UE, so the deployment threshold is low and the compatibility is high.
Next, a method that can be performed before step S201 will be described.
Optionally, the network management server receives subscription data of a plurality of UEs input by the user.
Optionally, the network management server writes subscription data of the plurality of UEs into a data table corresponding to a first SNPN in the network management server, synchronizes the data table corresponding to the first SNPN in the network management server into the UDM in the first SNPN, and synchronizes the data table corresponding to each second SNPN in the network management server into the UDM in each second SNPN.
Optionally, before the network management server authenticates the UE, the subscription data of the UE is not stored in the data table corresponding to each second SNPN in the network management server.
Optionally, in the data table corresponding to the first SNPN in the network management server, the subscription data of the UE includes the SUPI of the UE, the identifier of the first SNPN, the identifier of the second SNPN accessible to the UE, and a to-be-authenticated identifier of that second SNPN. The to-be-authenticated identifier of the second SNPN indicates that the UE needs to perform 802.1x authentication when entering the security domain where the second SNPN is located.
Optionally, the data table corresponding to the first SNPN in the network management server and the data table corresponding to each second SNPN in the network management server may be used as a master node, and the UDM in the first SNPN and the UDM in each second SNPN may be used as a slave node. The master node and the slave node establish a data synchronization relationship.
In this embodiment, subscription data of a plurality of UEs are written in a data table corresponding to the first SNPN in the network management server in advance, so that the UEs complete 802.1x authentication when accessing the first SNPN.
Next, referring to fig. 3, specific steps of determining the subscription data of the UE according to the access request by the first SNPN in S201, and establishing the PDU session in the first SNPN according to the subscription data of the UE will be described. Fig. 3 is a schematic flow chart of establishing a PDU session in the first SNPN according to an embodiment of the present application.
S301, the SMF in the first SNPN generates a first subscription data query request according to the SUPI, sends the first subscription data query request to the UDM in the first SNPN, and receives subscription data of the UE returned by the UDM in the first SNPN.
Optionally, after entering the security domain of the first SNPN, the UE sends an access request to the first SNPN and sends the SUPI to the SMF of the first SNPN.
Optionally, the first subscription data query request includes a SUPI of the UE.
Optionally, the UDM in the first SNPN retrieves from the data table according to the SUPI, and if subscription data corresponding to the SUPI can be retrieved, returns the subscription data as subscription data of the UE to the SMF.
S302, the SMF determines a target UPF according to the subscription data of the UE.
Specifically, the subscription data of the UE may further include information such as service attributes, network policy, and geographic restrictions. The SMF determines a local target UPF according to the service attributes, network policy, geographic restrictions and other information in the subscription data of the UE, combined with the network topology and the load condition.
As an alternative implementation manner, the SMF may generate a qualified UPF list according to subscription data and network status, and then select an optimal UPF from the UPF list based on policies such as capability matching, topology optimization, load balancing, and the like, and use the optimal UPF as a target UPF.
S303, the SMF establishes a PDU session of the UE in the first SNPN based on the target UPF.
Optionally, the SMF establishes a connection with the target UPF through the N4 interface, so as to implement user plane path configuration.
In this embodiment, the SMF sends a first subscription data query request to the UDM in the first SNPN and receives the subscription data of the UE returned by the UDM, so as to determine a target UPF and establish the PDU session of the UE in the first SNPN; the process of determining the target UPF allows flexible resource scheduling and a high degree of customization.
Next, a specific procedure for creating the local data record according to the EAP request message in the first SNPN in step S202 will be described.
Optionally, the target UPF in the first SNPN determines whether the EAP request message includes a target field.
Specifically, the target UPF in the first SNPN determines whether the "EtherType" field is 0x888E in the EAP request message.
Optionally, if so, the target UPF creates a local data record based on the EAP request message.
If yes, the EAP request message contains an 802.1x authentication frame, and the target UPF creates a local data record.
If not, the EAP request message does not contain an 802.1x authentication frame, and 802.1x authentication of the UE is not continued.
In this embodiment, the target UPF in the first SNPN determines whether the EAP request message includes the target field, and if so, the target UPF creates a local data record based on the EAP request message, so that the network management server can later retrieve the PDU session identifier.
Next, a specific step of the network management server creating the context information of the UE in the above-described step S203 will be described with reference to fig. 4. Fig. 4 is a schematic flow chart of creating context information of a UE by a network management server according to an embodiment of the present application.
S401, the network management server judges whether a target field exists in the EAP request message, if so, an authenticator in the network management server sends the EAP request message to the AAA server.
Specifically, after receiving the EAP request message, the network management server determines whether the EtherType field in the EAP request message is 0x888E, and if yes, the EAP request message includes an 802.1x authentication frame. The authenticator in the network management server sends an EAP request message to the AAA server.
S402, the AAA server judges whether the EAP request is legal according to the EAP request message, if so, generates an EAP response message, and sends the EAP response message to the authenticator.
Optionally, the AAA server may first check whether the format of the EAP request message is legal, then query the locally stored database for the user name password, and determine whether the password in the EAP request message is consistent with the queried password, if so, the EAP request is legal. If the EAP request is legal, an EAP response message is generated and sent to an authenticator in the network management server.
Optionally, the AAA server may encrypt the EAP response message, and the authenticator in the network management server may decrypt the encrypted message after receiving it, thereby obtaining the legal condition of the EAP request.
S403, the authenticator creates the context information of the UE according to the EAP response message.
Optionally, after creating the context information of the UE, a port may be opened according to the context information, allowing the UE to access the first SNPN.
Optionally, the context information of the UE may further include an authentication time and an authorization policy. The authorization policy may include bandwidth limitations, among others.
Optionally, the UE's MAC address is recorded in the UE's context information, and even if the UE replaces the IP address, the MAC address is always used as a physical layer identifier, so as to ensure that the context is strongly bound with the device.
In this embodiment, the AAA server determines whether the EAP request is legal according to the EAP request message, and if yes, the authenticator creates context information of the UE, thereby completing 802.1x authentication of the UE, so that the UE can access the first SNPN.
Next, a specific procedure for the network management server to acquire the SUPI of the UE from the first SNPN based on the MAC address of the UE in step S204 will be described with reference to fig. 5. Fig. 5 is a schematic flow chart of obtaining a SUPI of a UE according to an embodiment of the present application.
S501, the network management server reads the MAC address from the authenticator, generates a first query request, and sends the first query request to the NEF in the first SNPN, wherein the first query request comprises the MAC address.
Specifically, the network management server reads the MAC address from the context information of the UE in the authenticator and generates a first query request.
S502, the NEF in the first SNPN forwards the first query request to the target UPF, so that the target UPF retrieves the corresponding PDU session identifier from the local data record based on the MAC address.
Optionally, the NEF in the first SNPN receives the first query request in the network management server and forwards the first query request to the target UPF.
Wherein the target UPF is determined in step S302 described above.
Specifically, the target UPF traverses the local data record based on the MAC address, and uses the PDU session identifier corresponding to the same MAC address in the local data record as the PDU session identifier of the UE.
S503, the target UPF sends the PDU session identifier to the network management server through the NEF.
Optionally, the target UPF sends the PDU session identifier to the NEF, and after receiving it, the NEF sends the PDU session identifier to the network management server.
S504, the network management server generates a second query request and sends the second query request to the SMF through the NEF, wherein the second query request includes the PDU session identifier.
Optionally, after receiving the PDU session identifier of the UE, the network management server generates a second query request based on the PDU session identifier, and sends the second query request to the NEF in the first SNPN. After receiving the second query request, the NEF forwards the second query request to the SMF.
Optionally, the second query request is used for requesting to acquire the SUPI of the UE corresponding to the PDU session identifier.
S505, the SMF determines the SUPI corresponding to the PDU session identifier according to the PDU session identifier, and sends the SUPI to the network management server through the NEF.
Optionally, when creating the PDU session of the UE, the SMF may record the correspondence between the SUPI of the UE and the PDU session identifier. In step S505, the SMF may search based on the PDU session identifier, look up the correspondence between the PDU session identifier and the SUPI, determine the SUPI corresponding to the PDU session identifier, and send the SUPI to the NEF.
Optionally, after receiving the SUPI sent by the SMF, the NEF forwards the SUPI to the network management server.
In this embodiment, the network management server obtains in turn the PDU session identifier and the SUPI of the UE from the first SNPN, so as to determine the subscription data of the UE based on the SUPI and grant the UE the authority to access the second SNPN directly.
Next, the procedure by which the UE accesses a second SNPN is described, where the second SNPN being accessed is referred to as the to-be-accessed SNPN.
Optionally, the UE initiates an access request in the to-be-accessed SNPN and establishes a PDU session in the to-be-accessed SNPN according to the response result of the access request, where the to-be-accessed SNPN is one of the second SNPNs.
Alternatively, the access request initiated by the UE in the to-be-accessed SNPN may be the same as the access request initiated by the UE in the first SNPN. The access request initiated in the to-be-accessed SNPN includes the SUPI of the UE.
Optionally, the UE initiates an access request in the to-be-accessed SNPN, after the to-be-accessed SNPN receives the access request, it is determined whether subscription data of the UE exists in the UDM according to the SUPI, if yes, a PDU session of the to-be-accessed SNPN may be established, and the UE is allowed to access the to-be-accessed SNPN.
In this embodiment, after the network management server has synchronized the subscription data of the UE to the UDM in the target SNPN, the AAA server is not required to authenticate again when the UE accesses the to-be-accessed SNPN, so the workload of the AAA server is reduced.
Next, the procedure of the UE accessing the to-be-accessed SNPN is discussed case by case.
Optionally, the UE initiates an access request to the SMF in the to-be-accessed SNPN, where the access request includes the SUPI of the UE.
Optionally, the SMF determines, according to the SUPI, whether subscription data of the UE exists in the UDM in the to-be-accessed SNPN, if so, determines a target UPF of the UE in the to-be-accessed SNPN, and establishes a PDU session of the UE in the to-be-accessed SNPN.
Optionally, when the subscription data of the UE exists in the UDM in the to-be-accessed SNPN, it indicates that the UE has been subjected to 802.1x authentication when accessing the first SNPN, so that the to-be-accessed SNPN can be accessed without re-authentication.
Specifically, the SMF generates a second subscription data query request according to the SUPI, and sends the second subscription data query request to the UDM. The UDM searches the subscription data of each UE in the data table according to the SUPI in the second subscription data query request, and if the corresponding SUPI is searched, the subscription data corresponding to the SUPI is used as the subscription data of the UE. The UDM sends the subscription data to the SMF. After the SMF receives the subscription data, determining a target UPF in the to-be-accessed SNPN based on the subscription data, and establishing a PDU session of the UE in the to-be-accessed SNPN based on the target UPF.
Optionally, if the UDM cannot retrieve subscription data corresponding to the SUPI of the UE from the data table, which indicates that the UE has not passed 802.1x authentication, a retrieval response is returned to the SMF, so that on receiving the retrieval response the SMF refuses the UE access to the to-be-accessed SNPN.
In this embodiment, the subscription data of the UE is determined by the UDM in the to-be-accessed SNPN so that the SMF can establish the PDU session of the UE, and the UE can access the to-be-accessed SNPN without re-authentication.
As an alternative embodiment, a specific step of determining the identity of the target SNPN according to the SUPI of the UE in step S204 described above is described next.
Optionally, the network management server uses the SUPI as an index to search whether the subscription data of the UE corresponding to the SUPI exists in the data table corresponding to the first SNPN in the network management server.
As an optional implementation manner, the network management server traverses the SUPI in each subscription data in the data table corresponding to the first SNPN, and regarding the traversed current SUPI, if the current SUPI is the same as the SUPI of the UE, the subscription data corresponding to the current SUPI is used as the subscription data of the UE.
Optionally, if so, the identifier of the accessible network in the subscription data of the UE is used as the identifier of the target SNPN.
Optionally, if the subscription data of the UE corresponding to the SUPI exists in the data table corresponding to the first SNPN in the network management server, the network accessible to the UE recorded in that subscription data is taken as the target SNPN, and its identifier is used as the identifier of the target SNPN.
In this embodiment, the identifier of the network accessible to the UE in the subscription data of the UE is used as the identifier of the target SNPN in the data table corresponding to the first SNPN in the network management server, so that the subscription data is synchronized to the UDM in the target SNPN, and the UE does not need to be authenticated again when accessing to the target SNPN.
Next, the overall flow of the terminal access authentication method will be described with reference to fig. 6. Fig. 6 is a schematic flow chart of another method for authenticating access to a terminal according to an embodiment of the present application.
S601, receiving subscription data of a plurality of UEs.
Optionally, the network management server receives subscription data of a plurality of UEs.
S602, writing subscription data of each UE in a data table corresponding to the first SNPN.
Optionally, the network management server writes the subscription data of each UE in the data table corresponding to the first SNPN.
S603, synchronizing the data table corresponding to the first SNPN into the UDM.
Optionally, the network management server synchronizes the data table corresponding to the first SNPN into the UDM in the first SNPN.
S604, the UE enters a security domain where the first SNPN is located.
S605, sending an access request.
Optionally, the UE sends an access request to the SMF in the first SNPN.
S606, a first subscription data query request is sent.
Optionally, the SMF sends a first subscription data query request to the UDM.
S607, retrieving the subscription data of the UE.
Optionally, the UDM retrieves subscription data of the UE according to the SUPI in the first subscription data query request.
S608, sending the subscription data of the UE.
Optionally, the UDM sends the subscription data of the UE to the SMF.
S609, determining a target UPF, and establishing a PDU session.
Optionally, the SMF determines a target UPF according to the subscription data of the UE, and establishes a PDU session based on the target UPF.
S610, an EAP request message is sent.
Optionally, the UE sends an EAP request message to the target UPF.
S611, detecting a target field.
Optionally, the target UPF detects whether the EAP request message includes the target field, and if so, S613 is performed.
S612, creating a local data record.
Optionally, the target UPF creates the local data record from the EAP request message.
S613, an EAP request message is sent.
Optionally, the target UPF sends an EAP request message to the network management server.
S614, detecting a target field.
Optionally, the network management server detects whether the EAP request message includes the target field, and if so, performs S615.
S615, an EAP request message is sent.
Optionally, the network management server sends an EAP request message to the authenticator.
S616, confirm whether the EAP request is legal.
Optionally, the AAA server confirms whether the EAP request is legal according to the EAP request message, and if so, performs S617.
S617, generating an EAP response message and sending.
Optionally, the AAA server generates an EAP response message and sends the EAP response message to the authenticator.
S618, create the context information of the UE.
Optionally, the authenticator creates context information for the UE.
S619, the MAC address is read from the authenticator, and a first query request is generated and sent through the NEF.
Optionally, the network management server reads the MAC address from the authenticator, generates a first query request, and sends the first query request to the NEF in the first SNPN, which forwards the first query request to the target UPF.
S620, determining the PDU session identifier according to the MAC address, and transmitting the PDU session identifier.
Optionally, the target UPF retrieves from the local data record according to the MAC address, determines a PDU session identifier corresponding to the MAC address, and sends the PDU session identifier to the NEF.
S621, generating and sending a second query request through the NEF according to the PDU session identification.
Optionally, the network management server generates a second query request according to the PDU session identifier, and sends the second query request to the NEF, which sends the second query request to the SMF.
S622, searching and sending SUPI.
Optionally, the SMF retrieves the corresponding SUPI according to the PDU session identifier in the second query request, and sends the SUPI to the NEF.
S623, determining the subscription data of the UE by searching the data table corresponding to the first SNPN using the SUPI.
Optionally, the network management server determines the subscription data of the UE by searching the data table corresponding to the first SNPN with the SUPI as the index.
S624, determining the identification of the target SNPN, writing the subscription data of the UE into a data table corresponding to the target SNPN, and synchronizing the data table corresponding to the target SNPN into the UDM in the target SNPN.
S625, the UE enters a security domain where the to-be-accessed SNPN is located.
S626, an access request is sent.
Optionally, the UE sends an access request to the base station and to the SMF.
S627, sending a second subscription data query request.
Optionally, the SMF sends a second subscription data query request to the UDM.
S628, query the subscription data of the UE.
Optionally, if the UDM queries the subscription data corresponding to the SUPI, S629 is executed, and if the subscription data corresponding to the SUPI cannot be queried, S631 is executed.
S629, transmitting the subscription data of the UE.
Optionally, the UDM sends the subscription data of the UE to the SMF.
S630, determining a target UPF and establishing a PDU session.
Optionally, the SMF determines the target UPF and establishes the PDU session.
S631, sending a no-result response.
Optionally, the UDM sends a no-result response to the SMF.
S632, refusing the UE to access.
Optionally, the SMF denies the UE access.
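The overall flow of fig. 6, as an added example that is not part of the patent or the applicant's code: a Python simulation in which the UE authenticates once in the first SNPN via an 802.1x frame detected by its EtherType 0x888E, the network management server resolves MAC address to PDU session identifier to SUPI, writes the subscription data into the target SNPN data table and synchronizes it to that SNPN's UDM, after which the second SNPN admits the UE without re-authentication (and refuses it when the AAA check failed). All class names, SUPIs, credentials and frame bytes are constructed, and the NEF and N4 interfaces are modelled as direct method calls.

```python
"""Constructed simulation of the terminal access authentication flow (fig. 6)."""
from dataclasses import dataclass, field
from itertools import count

EAPOL_ETHERTYPE = 0x888E  # PAE Ethernet Type of an 802.1x (EAPOL) frame


def is_eapol_frame(frame: bytes) -> bool:
    """The 'target field' check of S611/S614: an untagged Ethernet frame carries an
    802.1x authentication frame only if bytes 12-13 (EtherType) equal 0x888E."""
    return len(frame) >= 14 and int.from_bytes(frame[12:14], "big") == EAPOL_ETHERTYPE


def source_mac(frame: bytes) -> str:
    """Source MAC address of an Ethernet frame (bytes 6-11), as a colon-separated string."""
    return frame[6:12].hex(":")


@dataclass
class Snpn:
    """One SNPN: its UDM copy, the SMF's session map and the UPF's local data record."""
    snpn_id: str
    udm: dict = field(default_factory=dict)           # SUPI -> subscription data (slave copy)
    smf_sessions: dict = field(default_factory=dict)  # PDU session id -> SUPI
    upf_records: dict = field(default_factory=dict)   # MAC -> PDU session id (local data record)
    _ids: count = field(default_factory=count, repr=False)

    def access(self, supi: str):
        """S605-S609 and S626-S632: the SMF asks the UDM for subscription data; only a
        present entry leads to a PDU session, otherwise the UE is refused (returns None)."""
        if supi not in self.udm:
            return None  # UDM returns a no-result response, SMF denies access
        pdu_id = f"{self.snpn_id}-pdu-{next(self._ids)}"
        self.smf_sessions[pdu_id] = supi  # SMF records SUPI <-> PDU session correspondence
        return pdu_id

    def upf_receive(self, frame: bytes, pdu_id: str) -> bool:
        """S610-S612: the target UPF keeps a MAC -> PDU session record only for 802.1x frames."""
        if not is_eapol_frame(frame):
            return False
        self.upf_records[source_mac(frame)] = pdu_id
        return True


class NetworkManagementServer:
    """Holds the master data tables, the UE contexts and a constructed AAA user database."""

    def __init__(self, first: Snpn, seconds: list, aaa_credentials: dict):
        self.first = first
        self.seconds = {s.snpn_id: s for s in seconds}
        self.tables = {s.snpn_id: {} for s in [first, *seconds]}  # master table per SNPN
        self.aaa = aaa_credentials  # user name -> password (stands in for the AAA server)
        self.contexts = {}          # MAC -> UE context information

    def _sync(self, snpn: Snpn):
        """Master (server data table) to slave (SNPN UDM) replication."""
        snpn.udm = dict(self.tables[snpn.snpn_id])

    def provision(self, subscriptions):
        """S601-S603: pre-written subscription data goes only into the first SNPN's table;
        the second SNPN tables are synced empty, so those UDMs know nothing yet."""
        for sub in subscriptions:
            self.tables[self.first.snpn_id][sub["supi"]] = sub
        for snpn in [self.first, *self.seconds.values()]:
            self._sync(snpn)

    def handle_eap(self, frame: bytes, username: str, password: str):
        """S613-S624: EtherType check, AAA check, UE context, MAC -> PDU session -> SUPI
        lookup, target SNPN determination and sync. Returns the target SNPN id or None."""
        if not is_eapol_frame(frame) or self.aaa.get(username) != password:
            return None
        mac = source_mac(frame)
        self.contexts[mac] = {"mac": mac, "user": username}  # S618, bound to the MAC
        pdu_id = self.first.upf_records.get(mac)              # S619-S620 (via NEF to UPF)
        supi = self.first.smf_sessions.get(pdu_id)            # S621-S622 (via NEF to SMF)
        sub = self.tables[self.first.snpn_id].get(supi)       # S623
        if sub is None:
            return None
        target = sub["accessible_snpn"]                       # S624
        self.tables[target][supi] = sub
        self._sync(self.seconds[target])
        return target


def run_flow(password: str = "s3cret"):
    """Constructed end-to-end run; returns (access in snpn-b before auth, target, access after)."""
    first, second = Snpn("snpn-a"), Snpn("snpn-b")
    server = NetworkManagementServer(first, [second], {"alice": "s3cret"})  # constructed AAA db
    server.provision([{"supi": "imsi-001", "first_snpn": "snpn-a",
                       "accessible_snpn": "snpn-b", "needs_auth": True}])
    ue_mac = bytes.fromhex("0a1b2c3d4e5f")  # constructed UE MAC
    # EAPOL frame: PAE group destination, UE source, EtherType 0x888E, EAPOL-Start body
    eapol = (bytes.fromhex("0180c2000003") + ue_mac
             + EAPOL_ETHERTYPE.to_bytes(2, "big") + b"\x01\x01\x00\x00")
    before = second.access("imsi-001")      # refused: nothing synced to snpn-b yet
    pdu = first.access("imsi-001")          # S605-S609 in the first SNPN
    first.upf_receive(eapol, pdu)           # S610-S612
    target = server.handle_eap(eapol, "alice", password)  # S613-S624
    after = second.access("imsi-001")       # S626-S632 in the to-be-accessed SNPN
    return before, target, after
```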
The embodiment of the application also provides a terminal access authentication system, which comprises a network management server, an AAA server, a first SNPN and at least one second SNPN, wherein the network management server, the AAA server and the first SNPN are deployed in the same security domain, and the terminal access authentication system is used for executing the terminal access authentication method.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily appreciate variations or alternatives within the scope of the present application.

Claims (10)

1. A terminal access authentication method, characterized in that it is applied to a terminal access authentication system, the terminal access authentication system comprising: a network management server, an authentication, authorization and accounting AAA server, a first independent non-public network SNPN and at least one second SNPN, wherein the network management server, the AAA server and the first SNPN are deployed in the same security domain; the method comprises: the user equipment UE in the first SNPN sends an access request to the first SNPN, and the first SNPN determines the subscription data of the UE according to the access request and establishes a PDU session in the first SNPN according to the subscription data of the UE, wherein the access request includes the user identity SUPI of the UE; the UE sends an extensible authentication protocol EAP request message to the first SNPN, and the first SNPN creates a local data record according to the EAP request message and sends the EAP request message of the UE to the network management server, wherein the local data record includes the media access control MAC address of the UE and the PDU session identifier of the UE; the network management server forwards the EAP request message of the UE to the AAA server, the AAA server determines whether the EAP request is legal, and if so, the network management server creates context information of the UE, wherein the context information of the UE includes the MAC address of the UE; the network management server obtains the SUPI of the UE from the first SNPN based on the MAC address of the UE and determines the identifier of a target SNPN according to the SUPI of the UE, wherein the target SNPN is an SNPN that the UE can access and the target SNPN is one of the second SNPNs; and the network management server writes the subscription data of the UE into the data table corresponding to the target SNPN in the network management server and synchronizes the data table corresponding to the target SNPN in the network management server to the unified data management function UDM in the target SNPN.
2. The terminal access authentication method according to claim 1, characterized in that before the UE in the first SNPN sends the access request to the first SNPN, the method further comprises: the network management server receives subscription data of a plurality of UEs input by a user; and the network management server writes the subscription data of the plurality of UEs into the data table corresponding to the first SNPN in the network management server, synchronizes the data table corresponding to the first SNPN in the network management server to the UDM in the first SNPN, and synchronizes the data table corresponding to each second SNPN in the network management server to the UDM in each second SNPN.
3. The terminal access authentication method according to claim 1, characterized in that the first SNPN determining the subscription data of the UE according to the access request and establishing the PDU session in the first SNPN according to the subscription data of the UE comprises: the SMF in the first SNPN generates a first subscription data query request according to the SUPI, sends the first subscription data query request to the UDM in the first SNPN, and receives the subscription data of the UE returned by the UDM in the first SNPN; the SMF determines a target data forwarding engine UPF according to the subscription data of the UE; and the SMF establishes the PDU session of the UE in the first SNPN based on the target UPF.
4. The terminal access authentication method according to claim 3, characterized in that the first SNPN creating the local data record according to the EAP request message comprises: the target UPF in the first SNPN determines whether the EAP request message includes a target field; and if so, the target UPF creates the local data record based on the EAP request message.
5. The terminal access authentication method according to claim 1, characterized in that the network management server forwarding the EAP request message of the UE to the AAA server, the AAA server determining whether the EAP request is legal, and if so, the network management server creating the context information of the UE comprises: the network management server determines whether a target field exists in the EAP request message, and if so, the authenticator in the network management server sends the EAP request message to the AAA server; the AAA server determines whether the EAP request is legal according to the EAP request message, and if so, generates an EAP response message and sends the EAP response message to the authenticator; and the authenticator creates the context information of the UE according to the EAP response message.
6. The terminal access authentication method according to claim 5, characterized in that the network management server obtaining the SUPI of the UE from the first SNPN based on the MAC address of the UE comprises: the network management server reads the MAC address from the authenticator, generates a first query request, and sends the first query request to the NEF in the first SNPN, wherein the first query request includes the MAC address; the NEF in the first SNPN forwards the first query request to the target UPF, so that the target UPF retrieves the corresponding PDU session identifier from the local data record based on the MAC address; the target UPF sends the PDU session identifier to the network management server through the NEF; the network management server generates a second query request and sends the second query request to the SMF through the NEF, wherein the second query request includes the PDU session identifier; and the SMF determines the SUPI corresponding to the PDU session identifier according to the PDU session identifier and sends the SUPI to the network management server through the NEF.
7. The terminal access authentication method according to claim 1, characterized in that the method further comprises: the UE initiates an access request in a to-be-accessed SNPN and establishes a PDU session in the to-be-accessed SNPN according to a response result of the access request, wherein the to-be-accessed SNPN is one of the second SNPNs.
8. The terminal access authentication method according to claim 7, characterized in that the UE initiating the access request in the to-be-accessed SNPN and establishing the PDU session in the to-be-accessed SNPN according to the response result of the access request comprises: the UE initiates an access request to the SMF in the to-be-accessed SNPN, wherein the access request includes the SUPI of the UE; and the SMF determines, according to the SUPI, whether the subscription data of the UE exists in the UDM in the to-be-accessed SNPN, and if so, determines the target UPF of the UE in the to-be-accessed SNPN and establishes the PDU session of the UE in the to-be-accessed SNPN.
9. The terminal access authentication method according to claim 2, characterized in that determining the identifier of the target SNPN according to the SUPI of the UE comprises: the network management server uses the SUPI as an index to search whether the subscription data of the UE corresponding to the SUPI exists in the data table corresponding to the first SNPN in the network management server; and if so, the identifier of the accessible network in the subscription data of the UE is used as the identifier of the target SNPN.
10. A terminal access authentication system, characterized in that the terminal access authentication system comprises: a network management server, an AAA server, a first SNPN and at least one second SNPN, wherein the network management server, the AAA server and the first SNPN are deployed in the same security domain, and the terminal access authentication system is configured to perform the terminal access authentication method according to any one of claims 1 to 9.
A terminal access authentication system, characterized in that the terminal access authentication system includes: a network management server, an AAA server, a first SNPN and at least one second SNPN, wherein the network management server, the AAA server and the first SNPN are deployed in the same security domain, and the terminal access authentication system is used to execute the terminal access authentication method as described in any one of claims 1-9.
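The following is an added worked example, not code from the patent or its applicant, that simulates the flow of claims 3 to 10 with in-memory stand-ins for the first SNPN (UDM, SMF session table, target UPF record, NEF queries), the AAA server and the network management server. Everything below is constructed: the name of the "target field" (`onboard-target`), the AAA check (an identity allow-list), the SUPI, MAC address and SNPN names are all assumptions, and no real 5G core or EAP/RADIUS stack is involved. The run shows the three gates the claims place in front of the subscription sync (target field present, AAA accepts, MAC resolves to a session and the SUPI is in the first SNPN's data table) and that the UE's access to the second SNPN (claim 8) fails before the sync and succeeds after it. One practitioner caveat the example makes visible: the link from the EAP-authenticated identity to the SUPI runs entirely through the UPF's MAC-keyed local record, and a MAC address is an unauthenticated link-layer identifier, so the scheme leans on claim 10's placement of the UPF, the AAA server and the management server in one security domain.

```python
"""Constructed simulation of the SNPN access-authentication flow (claims 3-10).
All component names, identifiers and the target-field name are assumptions."""
from dataclasses import dataclass, field

TARGET_FIELD = "onboard-target"  # assumed name for the claims' "target field"


@dataclass
class Snpn:
    """One SNPN reduced to the state the claims touch: UDM (SUPI -> subscription),
    SMF session table (PDU session id -> SUPI) and the target UPF's local record
    (MAC -> PDU session id). NEF exposure is modelled as two query methods."""
    name: str
    udm: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)
    upf_records: dict = field(default_factory=dict)

    def establish_pdu_session(self, supi):
        # Claims 3 and 8: the SMF queries the local UDM; no subscription, no session.
        if supi not in self.udm:
            return None
        sid = f"{self.name}-pdu-{len(self.sessions) + 1}"
        self.sessions[sid] = supi
        return sid

    def upf_record_eap(self, mac, sid, eap):
        # Claim 4: the target UPF creates a local record only if the target field is present.
        if TARGET_FIELD not in eap:
            return False
        self.upf_records[mac] = sid
        return True

    # Claim 6: the two NEF-mediated lookups (first query to the UPF, second to the SMF).
    def nef_session_by_mac(self, mac):
        return self.upf_records.get(mac)

    def nef_supi_by_session(self, sid):
        return self.sessions.get(sid)


class Aaa:
    """Claim 5: decides whether the EAP request is legitimate (allow-list is an assumption)."""
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def check(self, eap):
        return eap.get("identity") in self.allowed


class NetworkManagementServer:
    def __init__(self, aaa, first, others):
        self.aaa, self.first = aaa, first
        self.others = {s.name: s for s in others}
        self.tables = {s.name: {} for s in (first, *others)}  # one SUPI-indexed table per SNPN
        self.contexts = {}                                    # MAC -> UE context (claim 5)

    def handle_eap(self, mac, eap):
        if TARGET_FIELD not in eap:          # claim 5: forwarded only if the target field exists
            return ("not-forwarded", None)
        if not self.aaa.check(eap):          # AAA rejects: no context, no sync
            return ("rejected", None)
        self.contexts[mac] = {"identity": eap["identity"]}
        sid = self.first.nef_session_by_mac(mac)                     # claim 6, first query
        supi = self.first.nef_supi_by_session(sid) if sid else None  # claim 6, second query
        if supi is None:
            return ("no-session", None)
        sub = self.tables[self.first.name].get(supi)                 # claim 9, SUPI-indexed lookup
        if sub is None:
            return ("unknown-supi", None)
        target = sub["accessible_network"]                           # claim 9, target SNPN id
        self.tables[target][supi] = sub                              # claim 1: write target table
        self.others[target].udm[supi] = sub                          # ... and sync to target UDM
        return ("synced", target)


def run_scenario():
    """Constructed end-to-end run; returns the observable outcomes."""
    first, second = Snpn("SNPN-A"), Snpn("SNPN-B")
    supi, mac = "imsi-001010123456789", "02:00:00:00:00:01"   # constructed identifiers
    first.udm[supi] = {"accessible_network": "SNPN-B", "dnn": "onboard"}
    nms = NetworkManagementServer(Aaa(["ue1@example"]), first, [second])
    nms.tables["SNPN-A"][supi] = first.udm[supi]               # assumed: table mirrors first UDM

    out = {}
    out["before_sync"] = second.establish_pdu_session(supi)    # claim 8 fails: nothing in UDM yet
    sid = first.establish_pdu_session(supi)                     # claim 3
    no_field = {"identity": "ue1@example"}
    out["no_field"] = (first.upf_record_eap(mac, sid, no_field), nms.handle_eap(mac, no_field))
    good = {"identity": "ue1@example", TARGET_FIELD: True}
    first.upf_record_eap(mac, sid, good)                        # claim 4: MAC -> session recorded
    out["bad_identity"] = nms.handle_eap(mac, {"identity": "mallory", TARGET_FIELD: True})
    out["result"] = nms.handle_eap(mac, good)                   # claims 5, 6, 9, 1
    out["after_sync"] = second.establish_pdu_session(supi)     # claim 8 now succeeds
    out["synced_to_udm"] = second.udm.get(supi) == first.udm[supi]
    return out


if __name__ == "__main__":
    print(run_scenario())
```

`run_scenario()` returns `("synced", "SNPN-B")` for the legitimate request and `"SNPN-B-pdu-1"` for the UE's subsequent session in the second SNPN; the request without the target field is never forwarded, and the request with an unknown identity is rejected without touching any data table.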
CN202510982334.1A 2025-07-16 2025-07-16 Terminal access authentication method and system Pending CN120640283A (en)

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202510982334.1A | CN120640283A (en) | 2025-07-16 | 2025-07-16 | Terminal access authentication method and system

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202510982334.1A | CN120640283A (en) | 2025-07-16 | 2025-07-16 | Terminal access authentication method and system

Publications (1)

Publication Number | Publication Date
CN120640283A (en) | 2025-09-12

Family

ID=96971570

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN202510982334.1A | Pending | CN120640283A (en) | 2025-07-16 | 2025-07-16 | Terminal access authentication method and system

Country Status (1)

Country | Link
CN | CN120640283A (en)

Similar Documents

Publication | Title
EP3955538B1 (en) Communication method and communication device
WO2021197347A1 (en) Communication system, method and apparatus
JP3869392B2 (en) User authentication method in public wireless LAN service system and recording medium storing program for causing computer to execute the method
JP4864094B2 (en) Communication control system
US9386004B2 (en) Peer based authentication
US7987360B2 (en) Method for implementing grouping devices and interacting among grouped devices
US7917942B2 (en) System and method for configuring security in a plug-and-play architecture
WO2017120746A1 (en) Method for managing network access rights and related device
JP2008506139A (en) System and method for managing user authentication and service authorization, realizing single sign-on, and accessing multiple network interfaces
BRPI0416563B1 (en) CONTEXT TRANSFER IN COMMUNICATION NETWORK UNDERSTANDING VARIOUS HETEROGENESIS ACCESS NETWORKS
WO2023011630A1 (en) Authorization verification method and apparatus
US9084111B2 (en) System and method for determining leveled security key holder
CN115004742A (en) Method, device and system for anchor key generation and management for encrypted communication with service applications in a communication network
WO2023280194A1 (en) Network connection management method and apparatus, readable medium, program product, and electronic device
TWI827187B (en) Authentication between user equipment and communication network for onboarding process
WO2023115913A1 (en) Authentication method and system, and electronic device and computer-readable storage medium
WO2007045134A1 (en) A communication system and a communication method
WO2022247812A1 (en) Authentication method, communication device, and system
WO2022110836A1 (en) Communication method and communication apparatus
TWI745227B (en) Communication system and communication method for performing third party authentication between home service and foreign service
WO2025025481A1 (en) Terminal home point determination method and apparatus, communication device, storage medium, and product
CN120640283A (en) Terminal access authentication method and system
WO2011003256A1 (en) Method and apparatus for handing over terminal to home base station
JP2021524167A (en) Methods and devices for multiple registrations
US12413429B2 (en) Systems and methods for group messaging using blockchain-based secure key exchange with key escrow fallback

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination