
CN1642076A - A method for obtaining user identification by packet data gateway in wireless local area network - Google Patents

Info

Publication number
CN1642076A
Authority
CN
China
Prior art keywords
user
identification information
pdg
permanent
tunnel
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2004100005849A
Other languages
Chinese (zh)
Other versions
CN100411335C (en)
Inventor
黄迎新
张文林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB2004100005849A (CN100411335C)
Priority to PCT/CN2005/000061 (WO2005069533A1)
Publication of CN1642076A
Application granted
Publication of CN100411335C
Anticipated expiration
Expired - Lifetime

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method for a packet data gateway (PDG) in a wireless local area network to obtain a user identity. The AAA server obtains the user's permanent user identity information from the authentication request message, containing temporary user identity information, sent by the PDG, and sends an authorization message containing the permanent user identity information to the PDG, so that the PDG obtains the permanent user identity information of the WLAN user. The PDG then stores the obtained permanent user identity information in association with the tunnel identification information of the user terminal, so that the PDG can manage the WLAN user terminal, for example by charging and/or access control for the user. The invention is simple to implement and is well compatible with the existing related procedures.

Description

A method for obtaining user identification by packet data gateway in wireless local area network

Technical field

The present invention relates to the field of wireless access technology, and in particular to a method for a packet data gateway (PDG, Packet Data Gateway) in a wireless local area network to obtain a user identity.

Background

As society develops, users demand ever higher wireless access rates. Because a wireless local area network (WLAN, Wireless Local Area Network) can provide high-speed wireless data access within a small area, it is widely used. WLAN covers a variety of technologies. A widely used standard at present is IEEE 802.11b, which uses the 2.4GHz band and has a maximum data rate of 11Mbps. IEEE 802.11g and Bluetooth also use this band; 802.11g has a maximum data rate of 54Mbps. Other WLAN technologies, such as IEEE 802.11a and ETSI BRAN Hiperlan2, use the 5GHz band and also reach a maximum rate of 54Mbps.

Although there are many different WLAN radio access technologies, most WLANs carry data in Internet Protocol (IP) packets. In a wireless IP network, the specific WLAN access technology is generally transparent to the upper IP layer. The basic structure is the same in each case: access points (APs) provide wireless access for user terminals, and data is carried over an IP transport network made up of network control and connection devices.

With the rise and development of WLAN technology, interworking between WLAN and the various wireless mobile communication networks, such as the Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Time Division Duplex-Synchronous Code Division Multiple Access (TD-SCDMA) and CDMA2000 systems, is becoming a focus of current research. In the 3rd Generation Partnership Project (3GPP) standardization organization, a user terminal can connect to the Internet or an intranet through the WLAN access network, and can also connect via the WLAN access network to the home network or a visited network of the 3GPP system.

FIG. 1 is a schematic diagram of the network structure for interworking between a WLAN system and a 3GPP system in the roaming case. When roaming, a WLAN user terminal connects to the 3GPP visited network via the WLAN access network. Some entities in the 3GPP visited network are interconnected with corresponding entities in the 3GPP home network, for example the 3GPP authentication, authorization and accounting (AAA) proxy in the visited network with the 3GPP AAA server in the home network, and the WLAN access gateway (WAG) in the visited network with the packet data gateway (PDG) in the home network. The WLAN user terminal thereby gains access to the 3GPP home network. The shaded part of the figure is the 3GPP packet-switched (PS) domain service, that is, the interworking Scenario 3 service in the 3GPP network.

FIG. 2 is a schematic diagram of the network structure for interworking between a WLAN system and a 3GPP system in the non-roaming case. When a WLAN user terminal accesses locally, it connects directly to the 3GPP home network via the WLAN access network. The shaded part of the figure is the 3GPP packet-switched (PS) domain service, that is, the Scenario 3 service in the 3GPP home network.

As shown in FIG. 1 and FIG. 2, the 3GPP system mainly comprises the Home Subscriber Server (HSS)/Home Location Register (HLR), the 3GPP AAA server, the 3GPP AAA proxy, the WAG, the packet data gateway, the Charging Gateway (CGw)/Charging Information Collection System (CCF) and the Online Charging System (OCS). The user terminal, the WLAN access network and all entities of the 3GPP system together form a 3GPP-WLAN interworking network, which can serve as a wireless local area network service system. The 3GPP AAA server is responsible for authenticating, authorizing and charging users, and for collecting the charging information sent by the WLAN access network and passing it to the charging system. The packet data gateway (PDG) is responsible for carrying user data from the WLAN access network to the 3GPP network or other packet networks. The charging system mainly receives and records the user charging information sent by the network; the OCS, according to the charges of online-charging users, instructs the network to send online charging information periodically, and performs statistics and control.

If a WLAN user terminal wishes to access the Internet/intranet, it must send an access request message containing its own permanent user identity information, such as the International Mobile Subscriber Identity (IMSI), through the WLAN access network to the AAA server (AS) for basic access authentication and authorization. Only after passing the AS's access authentication and authorization can the WLAN user terminal access the Internet/intranet through the WLAN access network. The permanent user identity is unique to each user.

During basic access authentication and authorization, the AS assigns a temporary user identity to the WLAN user terminal that is applying for access, and a WLAN user who has passed authentication and authorization communicates using the temporary user identity in place of the permanent user identity. Alternatively, the AS may assign the temporary user identity to the user in a later re-authentication or service authentication procedure, or update the temporary user identity in a later re-authentication or service authentication procedure.

If a WLAN user terminal that has passed basic access authentication and authorization wishes to access 3GPP PS domain services, it can further apply to the 3GPP home network for the interworking Scenario 3 service, as follows:

The WLAN user terminal obtains from the domain name server (DNS) the address of a PDG in the 3GPP packet network that can provide the service the user requests, and sends that PDG a tunnel establishment request message containing the temporary user identity information. The PDG forwards the received request message to the AS for authentication. After the AS completes authentication of the WLAN user terminal, it authorizes the user to access 3GPP PS domain services through that PDG. The PDG that received the request is then responsible for allocating a tunnel identifier, establishing the tunnel connection, and providing the requested service to the WLAN user terminal that made the application.

The defect of the existing solution is that it contains no procedure by which the PDG obtains the permanent user identity of the WLAN user. When the PDG communicates with the WLAN terminal it therefore does not know the user's real identity, and so cannot implement control services tied to the user's permanent identity, such as charging the user or applying access control to the user.

Summary of the invention

In view of this, the purpose of the present invention is to provide a method for a PDG in a wireless local area network to obtain a user identity, so that the PDG can obtain the permanent user identity information of a WLAN user.

To achieve this purpose, the technical solution of the present invention is implemented as follows:

A method for a packet data gateway in a wireless local area network to obtain a user identity, the method comprising the following steps:

a. The AAA server assigns temporary user identity information to the user and at the same time saves the correspondence between the user's permanent user identity and the temporary user identity;

b. When the AAA server receives from the PDG a message, containing the temporary user identity information of the user applying for service, that requests authentication of the user, it authenticates the user terminal. If authentication succeeds, it obtains the user's permanent user identity information from the correspondence described in step a, sends the PDG a successful authorization message containing the permanent user identity information, and step c is performed. If authentication does not succeed, the AAA server sends a failure message directly to the PDG;

c. After receiving the message described in step b, the PDG saves the user's permanent user identity information.

Preferably, after the PDG receives the message described in step b, step c further comprises: the PDG allocates tunnel identification information to the authenticated user terminal, saves the association between the user's permanent user identity information and the tunnel identification information, and then establishes the tunnel for communicating with the user terminal.

Preferably, after the PDG receives the message described in step b, step c further comprises: after allocating tunnel identification information to the authenticated user terminal, the PDG determines whether the user's permanent user identity information is already held locally. If it is, the PDG directly saves the association between the user's permanent user identity information and the tunnel identification information and then establishes the tunnel for communicating with the user terminal. Otherwise, the PDG first saves the user's permanent user identity information, then saves the association between the user's permanent user identity information and the tunnel identification information, and then establishes the tunnel for communicating with the user terminal.

Preferably, after the tunnel for communicating with the user terminal is torn down, the method further comprises: the PDG deletes the association between the permanent user identity information and the tunnel identification information.

Preferably, the method further comprises: the PDG determines whether the permanent user identity information is associated with one or more items of tunnel identification information; if so, it does nothing, otherwise it deletes the permanent user identity information.

Preferably, the method further comprises: the PDG obtains the user's permanent user identity information from the tunnel identification information, and implements charging or access control for the user terminal.

Preferably, the permanent user identity information is the International Mobile Subscriber Identity (IMSI).

In the present invention, the AAA server obtains the user's permanent user identity information from the authentication request message, containing temporary user identity information, sent by the PDG, and sends an authorization message containing the permanent user identity information to the PDG, so that the PDG obtains the permanent user identity information of the WLAN user. The PDG then saves the obtained permanent user identity information in association with the tunnel identification information of the user terminal, so that the PDG can manage the WLAN user terminal, for example by charging and/or access control for the user. The invention is simple to implement and is well compatible with the existing related procedures.

Description of the drawings

FIG. 1 is a schematic diagram of the network structure for interworking between a WLAN system and a 3GPP system in the roaming case;

FIG. 2 is a schematic diagram of the network structure for interworking between a WLAN system and a 3GPP system in the non-roaming case;

FIG. 3 is a flowchart of a PDG obtaining permanent user identity information according to the present invention;

FIG. 4 is a schematic diagram of permanent user identity information associated with more than one item of tunnel identification information.

Detailed description

To make the technical solution of the present invention clearer, the invention is described in further detail below with reference to the drawings.

The idea of the present invention is as follows. The AAA server assigns temporary user identity information to the user and at the same time saves the correspondence between the user's permanent user identity and the temporary user identity. When the AAA server receives from the PDG a message, containing the temporary user identity information of the user applying for service, that requests authentication of the user, it authenticates the user terminal. If authentication succeeds, it obtains the user's permanent user identity information from the correspondence described in step a and sends the PDG a successful authorization message containing the permanent user identity information, after which the PDG saves the user's permanent user identity information. If authentication does not succeed, the AAA server sends a failure message directly to the PDG.

FIG. 3 is a flowchart of a PDG obtaining permanent user identity information according to the present invention.

Step 301: the WLAN user sends an access request message containing its own permanent user identity information, such as the IMSI, through the WLAN access network to the AAA server for basic access authentication. The AS assigns temporary user identity information to a user terminal that passes basic access authentication, and at the same time saves the correspondence between the user's permanent user identity and the temporary user identity;

The AS may assign the temporary user identity to the user during basic access authentication, or assign it in a later re-authentication or service authentication procedure, or update the temporary user identity in a later re-authentication or service authentication procedure.

Step 302: after the WLAN user that has passed basic access authentication and authorization obtains from the DNS the address of the PDG providing the requested service, it sends that PDG a tunnel establishment request message containing its own temporary user identity information;

Step 303: the PDG sends the AAA server an authentication request message containing the applying user's temporary user identity information, to request that the AAA server authenticate and authorize the user terminal;

Step 304: the AAA server authenticates the user terminal specified by the PDG. If authentication succeeds, step 305 is performed; if authentication does not succeed, the AAA server sends a failure response message directly to the PDG and the procedure ends;

Step 305: the AAA server obtains the user's permanent user identity information from the correspondence saved in step 301 and sends the PDG a successful authorization message containing the permanent user identity information, allowing the applying user terminal to access services through the PDG it applied to;

Step 306: after receiving the authorization message from the AAA server, the PDG allocates to the user terminal a tunnel identifier and the other information needed to establish the tunnel, and determines whether the user's permanent user identity information is already saved locally. If it is, the PDG directly saves the association between the user's permanent user identity information and the tunnel identification information and then performs step 307. Otherwise, the PDG first saves the user's permanent user identity information, then saves the association between the user's permanent user identity information and the tunnel identification information, and then performs step 307;

Because one PDG may support several services, a WLAN user terminal may have several tunnel connections to one PDG; that is, the permanent user identity of one WLAN user may be associated with several tunnel identifiers at the same time. As shown in FIG. 4, permanent user identity 1 of one user is associated at the same time with the tunnels of a PDG whose tunnel identifiers are 1, 2 and 3, and permanent user identity 2 of another user is associated at the same time with the tunnels of that PDG whose tunnel identifiers are 4 and 5;

Step 307: the PDG establishes the tunnel for communicating with the user terminal;

Step 308: during service communication, the PDG obtains the user's permanent user identity information from the tunnel identification information in the user terminal's service information, and implements the services tied to that permanent user identity, such as charging and/or access control for the user terminal.

Implementing charging means that when a user terminal uses one or more services of a PDG, that is, one or more tunnels, the PDG uses the correspondence between tunnel identifiers and the user's permanent identity to charge for all the services the user terminal uses.

Implementing access control means that, for a given class of service, the PDG applies more detailed control. The AAA server provided by the operator usually only checks whether the user terminal has subscribed to the service and makes no more detailed check; with the present invention, the PDG can check the user terminal in more detail. For example, a WLAN user terminal subscribes to a game service. After checking that the user has indeed subscribed to the game service, the AAA server authorizes the user to access the PDG that provides game services. One PDG usually provides several game services, while a user generally subscribes to only one or a few of them. From the user's permanent user identity the PDG can determine whether the WLAN user may take part in a particular game, and enforce that control.

In addition, when a user has finished using a tunnel and it has been torn down, the PDG deletes the association between that tunnel identifier and the permanent user identity. When the PDG finds that a permanent user identity no longer has any associated tunnel identification information, the PDG deletes that permanent user identity information.
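Steps 301 to 308 and the cleanup rule above, as an added Python example that is not part of the patent text. The class names, method names, message dictionaries, the random temporary-identity format and the test-network IMSI are all assumptions made for illustration.

```python
import secrets


class AAAServer:
    """Toy AAA server: the only place the temporary -> permanent mapping lives."""

    def __init__(self, subscribers):
        self.subscribers = set(subscribers)   # known permanent IDs (constructed)
        self.temp_to_perm = {}                # correspondence saved in step 301

    def basic_access_auth(self, permanent_id):
        """Step 301: authenticate, assign a temporary ID, record the mapping."""
        if permanent_id not in self.subscribers:
            return None
        temp_id = "tmp-" + secrets.token_hex(8)   # random, not derived from the IMSI
        self.temp_to_perm[temp_id] = permanent_id
        return temp_id

    def authorize(self, temp_id):
        """Steps 304-305: success carries the permanent ID, failure carries nothing."""
        permanent_id = self.temp_to_perm.get(temp_id)
        if permanent_id is None:
            return {"result": "failure"}
        return {"result": "success", "permanent_id": permanent_id}


class PDG:
    """Toy PDG keeping the permanent-ID <-> tunnel-ID association of FIG. 4."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.tunnel_to_perm = {}     # tunnel ID -> permanent ID
        self.perm_to_tunnels = {}    # permanent ID -> set of tunnel IDs
        self.next_tunnel_id = 1
        self.charging_records = []   # (permanent ID, tunnel ID, octets)

    def request_tunnel(self, temp_id):
        """Steps 302-307: returns a tunnel ID, or None if the AAA server refuses."""
        reply = self.aaa.authorize(temp_id)            # step 303
        if reply["result"] != "success":
            return None                                # no state is created
        permanent_id = reply["permanent_id"]
        tunnel_id = self.next_tunnel_id                # step 306
        self.next_tunnel_id += 1
        # Store the permanent ID only if it is not stored yet, then associate.
        self.perm_to_tunnels.setdefault(permanent_id, set()).add(tunnel_id)
        self.tunnel_to_perm[tunnel_id] = permanent_id
        return tunnel_id

    def charge(self, tunnel_id, octets):
        """Step 308: resolve traffic on a tunnel to the permanent ID."""
        permanent_id = self.tunnel_to_perm.get(tunnel_id)
        if permanent_id is None:
            raise KeyError(f"no association for tunnel {tunnel_id}")
        self.charging_records.append((permanent_id, tunnel_id, octets))
        return permanent_id

    def teardown(self, tunnel_id):
        """Delete the association; drop the permanent ID with its last tunnel."""
        permanent_id = self.tunnel_to_perm.pop(tunnel_id, None)
        if permanent_id is None:
            return False
        tunnels = self.perm_to_tunnels[permanent_id]
        tunnels.discard(tunnel_id)
        if not tunnels:
            del self.perm_to_tunnels[permanent_id]
        return True

    def holds_identity(self, permanent_id):
        return permanent_id in self.perm_to_tunnels


def run_demo():
    imsi = "001010000000001"          # constructed test-network IMSI
    aaa = AAAServer([imsi])
    pdg = PDG(aaa)
    temp_id = aaa.basic_access_auth(imsi)
    t1 = pdg.request_tunnel(temp_id)  # two services, two tunnels, one user
    t2 = pdg.request_tunnel(temp_id)
    charged = pdg.charge(t2, 1500)
    pdg.teardown(t1)
    still_held = pdg.holds_identity(imsi)   # t2 is still up
    pdg.teardown(t2)
    held_after = pdg.holds_identity(imsi)   # last tunnel gone
    rejected = pdg.request_tunnel("tmp-unknown")
    return {"tunnels": (t1, t2), "charged": charged, "still_held": still_held,
            "held_after": held_after, "rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The two dictionaries make both directions cheap: the tunnel-to-identity lookup of step 308, and the "no tunnels left" check that decides when the PDG stops holding the IMSI.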

The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (7)

1, the method for obtaining user identification sign of packet data interface in a kind of WLAN (wireless local area network) is characterized in that this method may further comprise the steps:
A, aaa server distribute casual user's identification information to the user, preserve the permanent user identity sign of this user terminal and the corresponding relation of casual user's identify label simultaneously;
b. After the AAA server receives from the PDG a message that contains the temporary user identification information of the user applying for the service and that requests authentication of this user, the AAA server performs authentication processing on the user terminal. If authentication succeeds, the AAA server obtains the user's permanent user identification information according to the correspondence described in step a, sends the PDG an authorization-success message containing the permanent user identification information, and step c is executed; if authentication fails, the AAA server sends a failure message directly to the PDG;
c. After receiving the message described in step b, the PDG saves the user's permanent user identification information.
2. The method according to claim 1, characterized in that, after the PDG receives the message of step b as described in step c, the method further comprises: the PDG allocates tunnel identification information to the user terminal that has passed authentication, saves the association between the user's permanent user identification information and the tunnel identification information, and then establishes the tunnel for communicating with the user terminal.
3. The method according to claim 1, characterized in that, after the PDG receives the message of step b as described in step c, the method further comprises: after the PDG allocates tunnel identification information to the user terminal that has passed authentication, it determines whether the user's permanent user identification information is already stored locally; if it is, the PDG directly saves the association between the user's permanent user identification information and the tunnel identification information and then establishes the tunnel for communicating with the user terminal; otherwise, the PDG first saves the user's permanent user identification information, then saves the association between the user's permanent user identification information and the tunnel identification information, and then establishes the tunnel for communicating with the user terminal.
4. The method according to claim 2 or 3, characterized in that, after the tunnel for communicating with the user terminal is removed, the method further comprises: the PDG deletes the association between the permanent user identification information and the tunnel identification information.
5. The method according to claim 4, characterized in that the method further comprises: the PDG determines whether the permanent user identification information is still associated with one or more items of tunnel identification information; if it is, the PDG takes no action; otherwise, the PDG deletes the permanent user identification information.
6. The method according to claim 2 or 3, characterized in that the method further comprises: the PDG obtains the user's permanent user identification information according to the tunnel identification information, and uses it to implement charging for this user or access control.
7. The method according to claim 1, characterized in that the permanent user identification information is the international mobile subscriber identity (IMSI).
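The PDG-side bookkeeping of step c and claims 2 to 6, as an added Python example that is not part of the patent text. The class, method and reply-field names are hypothetical, and the IMSI in the demo is a constructed test value.

```python
import itertools


class PdgIdentityTable:
    """Hypothetical model of the PDG state described in claims 2-6."""

    def __init__(self):
        self._tunnel_to_user = {}  # tunnel ID -> permanent ID (the association)
        self._known_users = set()  # permanent IDs currently held by the PDG
        self._ids = itertools.count(1)

    def handle_aaa_reply(self, reply):
        """Step c: on success bind a new tunnel ID; on failure store nothing."""
        if reply.get("result") != "success":
            return None  # AAA sent a failure message: no identity, no tunnel
        permanent_id = reply.get("permanent_id")
        if not permanent_id:
            # Fail closed: never create a tunnel that cannot be attributed.
            raise ValueError("success reply carried no permanent identity")
        tunnel_id = next(self._ids)
        if permanent_id not in self._known_users:  # claim 3: save only if new
            self._known_users.add(permanent_id)
        self._tunnel_to_user[tunnel_id] = permanent_id  # claim 2: association
        return tunnel_id

    def on_tunnel_removed(self, tunnel_id):
        """Claims 4-5: drop the association, then the identity if unused."""
        permanent_id = self._tunnel_to_user.pop(tunnel_id, None)
        if permanent_id is None:
            return False  # unknown or already removed tunnel
        if permanent_id not in self._tunnel_to_user.values():
            self._known_users.discard(permanent_id)
        return True

    def user_for_tunnel(self, tunnel_id):
        """Claim 6: resolve a tunnel to its user for charging/access control."""
        return self._tunnel_to_user.get(tunnel_id)

    def holds_identity(self, permanent_id):
        return permanent_id in self._known_users


if __name__ == "__main__":
    table = PdgIdentityTable()
    imsi = "001010123456789"  # constructed test IMSI
    ok = {"result": "success", "permanent_id": imsi}
    t1, t2 = table.handle_aaa_reply(ok), table.handle_aaa_reply(ok)
    table.on_tunnel_removed(t1)
    print(table.user_for_tunnel(t2), table.holds_identity(imsi))
    table.on_tunnel_removed(t2)
    print(table.holds_identity(imsi))
```

Deleting the permanent identity as soon as its last tunnel is gone keeps the IMSI on the gateway only for as long as charging or access control needs it.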
CNB2004100005849A 2004-01-14 2004-01-14 Method for obtaining user identity identification by packet data gateway in wireless local area network Expired - Lifetime CN100411335C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2004100005849A CN100411335C (en) 2004-01-14 2004-01-14 Method for obtaining user identity identification by packet data gateway in wireless local area network
PCT/CN2005/000061 WO2005069533A1 (en) 2004-01-14 2005-01-14 A method of acquiring permanent user identification by the packet data gateway (pdg) in the wlan

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100005849A CN100411335C (en) 2004-01-14 2004-01-14 Method for obtaining user identity identification by packet data gateway in wireless local area network

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CNA2007101677264A Division CN101159679A (en) 2004-01-14 2004-01-14 A method for obtaining user identification by packet data gateway in wireless local area network

Publications (2)

Publication Number Publication Date
CN1642076A true CN1642076A (en) 2005-07-20
CN100411335C CN100411335C (en) 2008-08-13

Family

ID=34763035

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100005849A Expired - Lifetime CN100411335C (en) 2004-01-14 2004-01-14 Method for obtaining user identity identification by packet data gateway in wireless local area network

Country Status (2)

Country Link
CN (1) CN100411335C (en)
WO (1) WO2005069533A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100414889C (en) * 2005-12-29 2008-08-27 中山大学 An intermediate system to differentiate and track users
CN101459904B (en) * 2008-06-17 2010-12-29 中兴通讯股份有限公司 Method and system for obtaining AAA server, P-GW, PCRF, and user equipment identification
CN101998444A (en) * 2009-08-14 2011-03-30 中国电信股份有限公司 Proxy mobile IPv4 processing method and system
CN102595406A (en) * 2012-02-15 2012-07-18 电信科学技术研究院 Management method and equipment for subscription information
CN101127629B (en) * 2006-08-18 2012-08-22 华为技术有限公司 Policy and billing execution device, online billing system and method for communication system
US8477731B2 (en) 2005-07-25 2013-07-02 Qualcomm Incorporated Method and apparatus for locating a wireless local area network in a wide area network
US8483704B2 (en) 2005-07-25 2013-07-09 Qualcomm Incorporated Method and apparatus for maintaining a fingerprint for a wireless network
WO2017016473A1 (en) * 2015-07-30 2017-02-02 华为技术有限公司 Tunnel detection method, apparatus, and system

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969643B (en) * 2010-09-21 2014-04-16 国家无线电监测中心检测中心 Combined wireless network crosslinking method
EP2621203B1 (en) * 2010-09-24 2019-07-31 Nec Corporation Gateway, server, method of communication control for same, and gateway system
CN106685889B (en) * 2015-11-05 2020-09-01 阿里巴巴集团控股有限公司 Service implementation method and device based on user identity
CN114581054B (en) * 2022-03-04 2025-11-28 泉州砾鹰石科技有限公司 Internet-based mutual-hooking intelligent office system and method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2367213B (en) * 2000-09-22 2004-02-11 Roke Manor Research Access authentication system
EP1317159A1 (en) * 2001-11-30 2003-06-04 Motorola, Inc. Authentication, authorisation and accounting for a roaming user terminal
US20030139180A1 (en) * 2002-01-24 2003-07-24 Mcintosh Chris P. Private cellular network with a public network interface and a wireless local area network extension

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9060380B2 (en) 2005-07-25 2015-06-16 Qualcomm Incorporated Method and apparatus for locating a wireless local area network in a wide area network
US8477731B2 (en) 2005-07-25 2013-07-02 Qualcomm Incorporated Method and apparatus for locating a wireless local area network in a wide area network
US8483704B2 (en) 2005-07-25 2013-07-09 Qualcomm Incorporated Method and apparatus for maintaining a fingerprint for a wireless network
US8798008B2 (en) 2005-07-25 2014-08-05 Qualcomm Incorporated Method and apparatus for locating a wireless local area network in a wide area network
CN100414889C (en) * 2005-12-29 2008-08-27 中山大学 An intermediate system to differentiate and track users
CN101127629B (en) * 2006-08-18 2012-08-22 华为技术有限公司 Policy and billing execution device, online billing system and method for communication system
CN101459904B (en) * 2008-06-17 2010-12-29 中兴通讯股份有限公司 Method and system for obtaining AAA server, P-GW, PCRF, and user equipment identification
CN101998444A (en) * 2009-08-14 2011-03-30 中国电信股份有限公司 Proxy mobile IPv4 processing method and system
CN101998444B (en) * 2009-08-14 2014-02-05 中国电信股份有限公司 Proxy mobile IPv4 processing method and system
CN102595406A (en) * 2012-02-15 2012-07-18 电信科学技术研究院 Management method and equipment for subscription information
CN102595406B (en) * 2012-02-15 2014-08-20 电信科学技术研究院 Management method and equipment for subscription information
WO2017016473A1 (en) * 2015-07-30 2017-02-02 华为技术有限公司 Tunnel detection method, apparatus, and system
CN106713057A (en) * 2015-07-30 2017-05-24 华为技术有限公司 Method for performing tunnel detection and device and system thereof
CN106713057B (en) * 2015-07-30 2019-11-29 华为技术有限公司 For carrying out the method, apparatus and system of Tunnel testing

Also Published As

Publication number Publication date
CN100411335C (en) 2008-08-13
WO2005069533A1 (en) 2005-07-28

Similar Documents

Publication Publication Date Title
CN1277393C (en) A method for wireless local area network user terminal to select packet data gateway
CN1266891C (en) Method for user cut-in authorization in wireless local net
CN1283072C (en) Method for processing user terminal network selection information in WLAN
AU2005236981B2 (en) Improved subscriber authentication for unlicensed mobile access signaling
CN100499536C (en) Resolving switch-in processing method for selecting business in radio local area network
CN1813457A (en) Apparatus and method for a single sign-on authentication through a non-trusted access network
CN1672451A (en) Method and system for providing access via a first network to a service of a second network
CN101645814B (en) A method, device and system for accessing a mobile core network by an access point
CN1283062C (en) Cut-in identification realizing method for wireless local network
CN1271822C (en) Method of interactive processing of user terminal network selection information in WLAN
CN1277380C (en) Interaction method for user terminal to determine network selection information in wireless local area network
CN1642076A (en) A method for obtaining user identification by packet data gateway in wireless local area network
CN1567846A (en) A method for transmitting service data to WLAN user
CN1720691A (en) A communication system and method of authentication therefor
CN101984724B (en) Method and system for building tunnel in converged network
CN100337444C (en) A method for redirecting packet data gateway in wireless LAN
JP4634445B2 (en) Method and system for storing temporary I-WLAN identities - Patents.com
CN1612539A (en) Method for establishing service connection in wireless LAN
US9043473B1 (en) Methods and systems for authenticating a device with multiple network access identifiers
CN101159679A (en) A method for obtaining user identification by packet data gateway in wireless local area network
CN101166134A (en) A method for de-registration of services based on IP access
CN100341341C (en) Method for user terminal to obtain group data gate address in wireless local network
CN1567860A (en) A method for transmitting service data to WLAN user
CN1604549A (en) Method for acquiring WLAN accessing one-time password
CN1642121A (en) Method for obtaining packet data gate information by user terminal for wireless LAN

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20080813
