
HK1260371B - Support of emergency services over wlan access to 3gpp evolved packet core for unauthenticated users - Google Patents

Support of emergency services over wlan access to 3gpp evolved packet core for unauthenticated users

Info

Publication number
HK1260371B
Authority
HK
Hong Kong
Prior art keywords
access
network
user equipment
3gpp
authentication
Prior art date
Application number
HK19120057.5A
Other languages
Chinese (zh)
Other versions
HK1260371A1 (en)
Inventor
Laurent Thiebaut
Bruno Landais
Nicolas Drevon
Original Assignee
Alcatel Lucent


Description

Support of emergency services over WLAN access to 3GPP Evolved Packet Core for unauthenticated users

Technical Field

The present invention generally relates to mobile communication networks and systems.

Background Art

Descriptions of mobile networks and systems can be found in the literature, in particular in technical specifications published by standardization bodies such as 3GPP (3rd Generation Partnership Project).

An example of a 3GPP mobile system is the EPS (Evolved Packet System). An EPS network includes a core network called the EPC (Evolved Packet Core), which can be accessed via 3GPP access (such as E-UTRAN) or via trusted or untrusted non-3GPP access (such as trusted or untrusted WLAN). 3GPP access to the EPC is specified in particular in 3GPP TS 23.401 for E-UTRAN access. Non-3GPP access to the EPC is specified in particular in 3GPP TS 23.402. An example of the architecture for 3GPP and non-3GPP (trusted and untrusted) access to the EPC is recalled in Figure 1 (taken from 3GPP TS 23.402).

In a system such as EPS, a UE can connect to various external networks (called Packet Data Networks, PDN; one example is the operator's IMS network) via the EPC, which provides a connectivity service called PDN connectivity. Authentication is normally performed before access is granted and the connectivity service is provided. However, certain services, such as emergency services, may also need to be supported for unauthenticated user equipment. In this document, an unauthenticated user equipment means a user equipment whose user identity is not authenticated, for example because no user identity is provided to the network (e.g., the UE does not contain a USIM) or because the user identity (e.g., the IMSI) is not authenticated by the network.

There is a need to improve the support of emergency services in such systems. In particular, emergency services over trusted or untrusted WLAN access to the 3GPP EPC are currently not supported for unauthenticated user equipment, and there is a need to provide such support.

Summary of the Invention

Embodiments of the present invention in particular address this need.

In one aspect, these and other objects are achieved by a user equipment (UE) for supporting emergency services for unauthenticated user equipment over WLAN access to a 3GPP Evolved Packet Core (EPC), the UE being configured to:

- in response to a request to provide a user identity for access authentication, provide a specific NAI (Network Access Identifier) based user identity, the specific user identity having a realm part indicating unauthenticated access to emergency services.

In another aspect, these and other objects are achieved by an authentication device, such as a TWAN entity for trusted WLAN access to the EPC or an ePDG for untrusted WLAN access to the EPC, for supporting emergency services for unauthenticated user equipment over WLAN access to a 3GPP Evolved Packet Core (EPC), the authentication device being configured to:

- route messages from the user equipment UE towards a specific 3GPP AAA server serving a domain dedicated to unauthenticated access to emergency services, according to the realm part of the NAI (Network Access Identifier) based user identity indicating unauthenticated access to emergency services.

In another aspect, these and other objects are achieved by a 3GPP AAA server for supporting emergency services for unauthenticated user equipment over WLAN access to a 3GPP Evolved Packet Core (EPC), the 3GPP AAA server being configured to:

- serve a domain dedicated to unauthenticated access to emergency services;

- grant access to an unauthenticated user equipment UE;

- provide the UE with specific authorization data allowing network access for emergency services.

In another aspect, these and other objects are achieved by a 3GPP AAA proxy for supporting emergency services for unauthenticated user equipment over WLAN access to a 3GPP Evolved Packet Core (EPC), the 3GPP AAA proxy being configured to:

- upon detecting that it is not possible to contact the 3GPP AAA server in the HPLMN for an access authentication attempt associated with an emergency situation of the user equipment, redirect the access authentication request, based on local policy, to a local AAA server serving a domain dedicated to unauthenticated access to emergency services.

In other aspects, these and other objects are achieved by methods comprising steps performed at one or more of the various entities described above, such as the user equipment, the authentication device, the 3GPP AAA server and the 3GPP AAA proxy.

BRIEF DESCRIPTION OF THE DRAWINGS

Some embodiments of apparatus and/or methods according to embodiments of the present invention are now described, by way of example only, with reference to the accompanying drawings, in which:

- Figure 1 is intended to recall an example of the architecture for 3GPP and non-3GPP (trusted or untrusted) access to the EPC;

- Figure 2 is intended to illustrate an example of a signaling flow according to an embodiment of the present invention.

DETAILED DESCRIPTION

Abbreviations

AAA Authentication, Authorization and Accounting
AKA Authentication and Key Agreement
APN Access Point Name
AVP Attribute-Value Pair
CK Cipher Key
DEA Diameter EAP Answer
DER Diameter EAP Request
EAP Extensible Authentication Protocol
EPC Evolved Packet Core
ePDG Evolved Packet Data Gateway
EPS Evolved Packet System
E-UTRAN Evolved Universal Terrestrial Radio Access Network
HPLMN Home Public Land Mobile Network
HSS Home Subscriber Server
IK Integrity Key
IMSI International Mobile Subscriber Identity
IMEI International Mobile Equipment Identity
IMS IP Multimedia Subsystem
LTE Long Term Evolution
MCM Multi-Connection Mode
MK Master Key
MSK Master Session Key
NAI Network Access Identifier
PDN Packet Data Network
PDN GW PDN Gateway
PLMN Public Land Mobile Network
PRF Pseudo-Random Function
SCM Single-Connection Mode
SIM Subscriber Identity Module
TSCM Transparent Single-Connection Mode
TWAN Trusted WLAN Access Network
UWAN Untrusted WLAN Access Network
UE User Equipment
USIM Universal Subscriber Identity Module
WLAN Wireless Local Area Network
WLCP WLAN Control Protocol

Technical Background

- 3GPP TS 33.402 section 6.1 specifies the general rule: "Access authentication for non-3GPP access in EPS shall be based on EAP-AKA (RFC 4187 [7]) or on EAP-AKA' (RFC 5448 [23])".

- As defined in 3GPP TS 23.402 section 16.2, in order to access a TWAN the UE shall first be authenticated using EAP ("The EAP authentication procedure is initiated and performed involving the UE, TWAN and 3GPP AAA server").

- As defined in 3GPP TS 33.402 section 8.2, "Mechanisms for the set up of UE-initiated IPsec tunnels", "EAP-AKA (as specified in RFC 4187 [7]) within IKEv2 (as specified in RFC 5996 [30]) shall be used to authenticate the UE".

- 3GPP TS 29.273 currently does not support authentication and authorization procedures for unauthenticated UEs over the AAA interfaces.

Description of various aspects and/or embodiments of the present invention

In some countries, mobile networks (called PLMNs) are required by local regulations to support emergency sessions for unauthenticated UEs (e.g., for a mobile phone that does not contain a USIM). This feature implies that both the network access layer and the service layer support unauthenticated UEs initiating emergency sessions.

3GPP has already provided this capability for:

- the CS (Circuit Switched) domain, for both the access layer and the service layer. This is defined, for example, in 3GPP TS 24.008.

- the IMS domain, for the service layer of IP-based session establishment. This is defined in 3GPP TS 23.167.

- E-UTRAN (LTE) access, for the 3GPP access layer of IP-based session establishment. This is defined in 3GPP TS 23.401.

Support of emergency sessions over WLAN for unauthenticated UEs is missing from the 3GPP specifications. Such support should be provided for both trusted (TWAN) and untrusted (UWAN) WLAN access to the EPC (Evolved Packet Core) as defined in 3GPP TS 23.402.

Various aspects and/or embodiments of the present invention enabling such support are described below.

In some embodiments, for a UE that needs to establish EPC access over WLAN in order to initiate an emergency session, when it receives from the authentication device a request to provide its identity (as part of an EAP Identity Request):

- even if the UE has no credentials to access the EPC (the UE has no USIM), the UE sends a specific identity that follows the NAI format and is built from its IMEI (International Mobile station Equipment Identity, defined in 3GPP TS 23.003) and from a specific realm dedicated to the support of emergency services within 3GPP networks.

- when the UE has credentials (a USIM) but knows that it cannot get authenticated, the UE sends a specific identity that follows the NAI format and is built from its IMSI and from a specific realm dedicated to the support of emergency services within 3GPP networks.

In some embodiments, based on the realm of the NAI, the access request is routed to a specific 3GPP AAA server function, which grants access but provides specific authorization data allowing network access for emergency services only.

In some operational cases, when the UE should normally get authenticated but the 3GPP AAA proxy finds that some network problem prevents the normal authentication of a UE initiating an emergency request, the 3GPP AAA proxy may (based on local policy) forward the AAA signaling related to the authentication/authorization of the UE to the same specific 3GPP AAA server function. This requires the specific 3GPP AAA server to send back to the UE a specific indication that the access cannot be authenticated normally (e.g., that EAP-AKA/EAP-AKA' authentication cannot proceed normally).

In some embodiments, apart from the particular cases related to authentication and MSK determination, the EAP-AKA/EAP-AKA' and AAA procedures run as in the case of a normally authenticated UE. The EAP procedure provides the UE and the network with an MSK (Master Session Key) used for security over the radio interface. The MSK is determined on the basis of criteria that differ from those of an actually authenticated UE.

Benefits of embodiments of the present invention include:

- reuse, for access to emergency services, of the principles used for access by regular UEs (and of the information exchange between the UE and the network, in particular in the case of TWAN access (*)): the EAP procedure is used, the authorization of the UE to access the EPC network is granted by the 3GPP AAA server, and security material is further provided:

○ (*) for example, a specific EAP procedure for unauthenticated access to emergency services is run to allow the UE and the network to exchange the parameters they would exchange via EAP-AKA' in the case of normal authentication.

- no support is required from the HPLMN in the case of roaming.

In some embodiments, when the UE needs to initiate an emergency service and has no credentials to access the network (e.g., the UE has no (U)SIM), the UE sends, in response to the EAP Identity Request from the authentication device (*), a specific identity with some or all of the following characteristics:

- it follows the NAI format: the identity shall take the form of a NAI and shall have the "username@realm" form specified in IETF RFC 4282 section 2.1.

- it carries the IMEI in the username part of the NAI.

- it carries, in the realm part of the NAI, a specific value indicating support of unauthenticated emergency services for 3GPP terminals. This realm part (part of embodiments of the present invention) is to be defined by a standard such as 3GPP.

(*) The authentication device is the entity that controls the access of the UE to the network based on authorization information from the (3GPP) AAA server. In the case of TWAN (trusted WLAN access to the EPC) the authentication device is in the TWAN, while in the case of UWAN (untrusted WLAN access to the EPC) it is the ePDG.

In some embodiments, the authentication device then attempts to contact the AAA server responsible for the realm part of the NAI. In some embodiments, when that realm part is dedicated to the support of emergency services, the authentication device contacts a dedicated AAA server. This dedicated AAA server should be located in the same country as the authentication device. Since the UE has no USIM, there is no AAA server entity to contact in an "HPLMN", and the local network cannot determine an HPLMN for the UE.

In some embodiments, some or all of the following steps may be provided in the trusted WLAN access case.

- A specific EAP procedure for unauthenticated access to emergency services is run to allow the UE and the network to exchange the parameters they would exchange via EAP-AKA' in the case of normal authentication (e.g., the IP version requested by the UE in SCM; the TWAN control plane address in MCM). This procedure reuses EAP-AKA' but modifies it, since there is no mutual authentication between the UE and the network. It nevertheless reuses all the mechanisms defined so far in EAP-AKA' to negotiate the TWAN mode (SCM/MCM) between the UE and the network and to negotiate the parameters of the PDN connection in SCM.

- In both Single-Connection Mode (SCM) and Multi-Connection Mode (MCM), the UE also includes a new emergency indication in EAP-AKA' to indicate to the AAA server that an emergency PDN connection is being established (for the normally authenticated case this indication is already mentioned in 3GPP TR 23.771, but some embodiments of the present invention include it as part of EAP-AKA'). For trusted WLAN access in Multi-Connection Mode (MCM), the UE also includes a new emergency indication (already mentioned in 3GPP TR 23.771) as part of the WLCP PDN Connection Request sent after attaching to the network.

In some embodiments, when local regulations allow unauthenticated emergency sessions, the AAA server serving the realm dedicated to emergency services accepts the access request (without any security material such as authentication vectors obtained from the HSS, and without any subscription data downloaded from the HSS) and provides authorization data that allows the UE to proceed with the emergency session but forbids any other service: the AAA server bypasses the usual authorization checks (e.g., checks of the subscribed APNs, of the locations from which the UE may request non-3GPP access to the EPC, of whether the user has a non-3GPP access subscription, etc.). For trusted WLAN access, the AAA server sends a new Emergency Indication AVP (already mentioned in 3GPP TR 23.771) to the TWAN over STa to indicate that this is an emergency attach, and therefore (already mentioned in 3GPP TR 23.771):

· in SCM, the TWAG shall establish a PDN connection for emergency services.

· in MCM, the TWAG shall only accept WLCP requests from the UE for PDN connections for emergency services.

In both cases (SCM/MCM), the TWAG uses its locally configured emergency configuration data (instead of the connectivity parameters provided by the UE) to determine the parameters of the PDN connection to be established.

In some embodiments, since the dedicated AAA server is located in the same country as the authentication device, only entities local to that country are involved in supporting emergency services for unauthenticated UEs in the roaming case. This allows roaming users coming from countries that do not allow or do not deploy emergency sessions for unauthenticated UEs to initiate an unauthenticated emergency session in a country that allows unauthenticated emergency sessions.

As an implementation option, the dedicated AAA server may be co-located with the authentication device (ePDG) or located in the AAA proxy contacted by the authentication device (TWAP).

In some embodiments of the present invention, the existing procedures for access to the EPC over trusted/untrusted WLAN are reused at the UE, TWAN and ePDG level, namely:

- the EAP procedure is used to initiate the access of the UE to the network, and the network informs the UE that it may proceed with network access for unauthenticated emergency services. When such access is not allowed, the local AAA entity shall reject the EAP request. Reusing EAP is necessary to support emergency PDN connections for unauthenticated UEs over trusted WLAN access (in SCM and MCM), because EAP is used in SCM to carry parameters from the UE to the TWAN and in MCM to carry TWAN parameters (e.g., the TWAN control plane IPv4 or IPv6 address) to the UE.

- an AAA server is used to control the access of the UE to the network (for both trusted and untrusted WLAN access).

In some embodiments, when EAP is used (as part of the existing procedures for access to the EPC over WLAN), the authentication device (TWAN/ePDG) and the UE expect the EAP procedure to output an MSK (Master Session Key, computed at the 3GPP AAA server and in the UE) to be used for security over the radio interface. In some embodiments, similar principles are reused:

- in the case of trusted WLAN access, the UE and the 3GPP AAA server determine the MSK locally with a key derivation function that takes the user part of the NAI as input; the difference from the MSK determination for normal 3GPP access (per IETF RFC 5448) is that the cipher and integrity keys CK/IK output by the AKA-based authentication procedure cannot be used, since there is no authentication in the case of unauthenticated access to the EPC. This MSK is transferred from the 3GPP AAA server to the TWAP and then to the WLAN AN, which allows an unmodified WLAN AN to be used.

○ In IETF RFC 5448, key derivation is performed as follows (MK is derived and used as follows):

MK = PRF'(IK'|CK', "EAP-AKA'"|Identity) (PRF' = the pseudo-random function defined in RFC 5448)

K_encr = MK[0..127]

K_aut = MK[128..383]

K_re = MK[384..639]

MSK = MK[640..1151]

○ In some embodiments, MK is derived and used as follows:

MK = PRF'("EAP-AKA'"|Identity)

where "Identity" is based on what the UE has provided via EAP: the IMEI (SIM-less access) or the IMSI (the UE has a SIM but cannot be authenticated).

K_encr, K_aut, K_re and MSK are determined from MK as described in IETF RFC 5448.
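The following Python example is added here to illustrate both the realm-based routing of the NAI at the authentication device and the two MK/MSK derivations above; it is not code from the patent or from any 3GPP implementation. PRF' is implemented as defined in RFC 5448 section 3.4.1 (iterated HMAC-SHA-256); the realm value, the AAA target names and the sample IMEI are constructed placeholders, and since the page gives PRF' no key input for the unauthenticated case, the example assumes an empty HMAC key there.

```python
import hashlib
import hmac

# Placeholder: the page says the dedicated realm is to be defined by a standard
# such as 3GPP, so this value is an assumption for the example only.
EMERGENCY_REALM = "unauthenticated-emergency.example"

# Assumed labels for the two AAA targets of the routing decision.
HOME_AAA = "home-3gpp-aaa"
DEDICATED_EMERGENCY_AAA = "dedicated-emergency-aaa"


def build_nai(user_part: str, realm: str) -> str:
    """Build the username@realm NAI (RFC 4282 section 2.1) that the UE returns
    in EAP-Response/Identity; user_part is the IMEI (no USIM) or the IMSI
    (USIM present but authentication known to be impossible)."""
    return f"{user_part}@{realm}"


def split_nai(nai: str) -> tuple:
    """Split a NAI into (username, realm); reject a malformed identity."""
    user, sep, realm = nai.partition("@")
    if not sep or not user or not realm:
        raise ValueError("identity is not in username@realm form")
    return user, realm


def route_access_request(nai: str) -> str:
    """Authentication device (TWAN entity or ePDG) routing rule: an identity
    whose realm is the dedicated emergency realm goes to the local dedicated
    AAA server; anything else follows the normal HPLMN path."""
    _, realm = split_nai(nai)
    return DEDICATED_EMERGENCY_AAA if realm.lower() == EMERGENCY_REALM else HOME_AAA


def prf_prime(key: bytes, seed: bytes, out_len: int) -> bytes:
    """PRF' of RFC 5448 section 3.4.1:
    T1 = HMAC-SHA-256(K, S | 0x01), Tn = HMAC-SHA-256(K, T(n-1) | S | n);
    the output is T1 | T2 | ... truncated to out_len bytes."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < out_len:
        prev = hmac.new(key, prev + seed + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:out_len]


def split_mk(mk: bytes) -> dict:
    """Cut MK into the blocks listed on the page (bit ranges of RFC 5448):
    K_encr = MK[0..127], K_aut = MK[128..383], K_re = MK[384..639],
    MSK = MK[640..1151]."""
    if len(mk) < 144:
        raise ValueError("MK must be at least 1152 bits")
    return {"K_encr": mk[0:16], "K_aut": mk[16:48],
            "K_re": mk[48:80], "MSK": mk[80:144]}


def derive_keys_authenticated(ik_prime: bytes, ck_prime: bytes, identity: bytes) -> dict:
    """Normal EAP-AKA' derivation: MK = PRF'(IK'|CK', "EAP-AKA'"|Identity)."""
    return split_mk(prf_prime(ik_prime + ck_prime, b"EAP-AKA'" + identity, 144))


def derive_keys_unauthenticated(identity: bytes) -> dict:
    """Derivation of the embodiments: MK = PRF'("EAP-AKA'"|Identity) with no
    CK'/IK', since no AKA run took place. Assumption: empty HMAC key, so only
    the fixed string and the identity (NAI user part, IMEI or IMSI) feed MK."""
    return split_mk(prf_prime(b"", b"EAP-AKA'" + identity, 144))


def emergency_attach(user_part: str) -> dict:
    """Run both sides of the unauthenticated case: the UE builds the NAI, the
    authentication device routes it, and UE and dedicated AAA server derive
    the MSK independently from the same identity. Returns the outcome."""
    nai = build_nai(user_part, EMERGENCY_REALM)
    target = route_access_request(nai)
    ue_keys = derive_keys_unauthenticated(user_part.encode())
    aaa_keys = derive_keys_unauthenticated(split_nai(nai)[0].encode())
    return {"nai": nai, "aaa_target": target,
            "msk_matches": ue_keys["MSK"] == aaa_keys["MSK"],
            "msk": aaa_keys["MSK"]}


if __name__ == "__main__":
    # Constructed sample IMEI of a UE without a USIM (not a real device).
    result = emergency_attach("356938035643809")
    print(result["nai"], "->", result["aaa_target"])
    print("MSK agreed:", result["msk_matches"], "MSK:", result["msk"].hex())
```

Note that because the unauthenticated MK depends only on public inputs, the resulting MSK gives the radio link keys without any assurance about the peer, which is exactly why the authorization data from the dedicated AAA server must restrict the session to emergency services.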

In some embodiments, when allowed locally in the country of the authentication device, the same mechanism as described above is applied to support the case where the UE has a USIM but cannot be authenticated (there is no AAA relationship, direct or indirect, between the local network and the HPLMN of the UE, so the authentication of the UE cannot proceed).

In this case, the UE builds a NAI with the specific realm, but provides the IMSI (instead of the IMEI) in the username part of the NAI returned in response to the EAP Identity request initiated by the authentication device.

This corresponds to a UE that has a USIM and needs to establish an emergency session, but has found no suitable WLAN network allowing it to get authenticated by its HPLMN.

The rest of the procedure is the same as for a SIM-less UE, except that the IMSI is used instead of the IMEI as the user identity (e.g., the IMSI instead of the IMEI is used to derive MK, and hence the MSK). In this case, the UE knows in advance that it cannot get authenticated, so the MSK is not determined from the outcome of an EAP-AKA' authentication.

In some embodiments, when an AAA proxy (e.g., a 3GPP AAA proxy in the roaming case) detects that it is not possible to contact the 3GPP AAA server in the HPLMN and that the access attempt is associated with an emergency, it may, based on local policy, redirect the access request (EAP-AKA signaling) to a local AAA server serving the same realm as the one used to support unauthenticated emergency services for 3GPP terminals.

This may happen, for example, because the regular 3GPP AAA server is out of service, congested or unreachable.

The local policy depends on whether local regulations accept unauthenticated emergency sessions.

In this case the same procedure applies: the UE is actually not authenticated, and the MSK is determined with a pseudo-random function that takes as input a fixed sequence of characters and the user identity (IMSI) instead of the CK/IK keys output by the AKA-based authentication procedure; moreover, in this case the UE shall not attempt to authenticate the network.

In some embodiments, since the UE cannot know in advance that no authentication will be performed for EPC access for emergency services, the network indicates in the EAP-AKA' signaling sent to the UE, and in the AAA signaling sent to the authentication device, that this is access for limited services without authentication.

To make the procedure more robust and more general, this indication may also be provided to the UE (and to the authentication device) in the two other cases described above:

- SIM-less access for emergency services (the UE provides its IMEI as identity).

- The UE provides its IMSI (the UE has a SIM) but knows that it cannot get authenticated.

Figure 2 shows an example of the call flow of the TWAN authentication and authorization procedure for an SCM unauthenticated emergency session.

The following steps may be provided; the differences from the call flow of Annex A.2-1 of 3GPP TS 29.273 are highlighted in the description below.

1. A connection is established between the UE and the TWAN using a specific procedure based on IEEE 802.11 [40].

2. The TWAN sends an EAP Request/Identity to the UE.

3. The UE sends an EAP Response/Identity message to the TWAN, containing the IMEI (SIM-less UE) in the user part (or the IMSI if the UE cannot be authenticated), and the specific domain for unauthenticated access to emergency services.

4. The TWAN forwards the EAP payload received from the UE to the 3GPP AAA server (serving the specific domain for unauthenticated access to emergency services) and also indicates the supported TWAN connection modes in the DER message.

5. Void.

6. The 3GPP AAA server sends an EAP Request/AKA'-Challenge to the UE, in which it indicates to the UE the TWAN connection modes supported by the network (e.g., TSCM, SCM and MCM) and indicates that this is access for limited services without authentication. The Result-Code AVP in the DEA message is set to "DIAMETER_MULTI_ROUND_AUTH". The TWAN-S2a Connection Indicator is not set in the DEA-Flags AVP. The DEA message also contains the indication that this is access for limited services without authentication.

7. The TWAN forwards the EAP payload to the UE. The UE shall not attempt to authenticate the network.

8. The UE sends an EAP Response/AKA'-Challenge in which it indicates the requested connection mode. If the UE requests SCM, the UE also indicates the parameters of the requested session: an emergency services indicator, PDN type (no APN is provided in this case), PDN type (IPv4 or IPv6), an initial attach/handover indication and/or PCO.

9. The TWAN forwards the EAP payload to the 3GPP AAA server.

10. Void.

11. In this (emergency) case, the 3GPP AAA server shall accept whatever challenge response the UE may have sent and authorizes the mode requested by the UE (here SCM). The 3GPP AAA server includes the parameters of the session requested by the UE (emergency services indicator, PDN type, initial attach/handover indication and/or PCO) in the DEA message, in which the Result-Code AVP is set to "DIAMETER_MULTI_ROUND_AUTH". The 3GPP AAA server also sets the TWAN-S2a Connection Indicator in the DEA-Flags AVP to request the TWAN to proceed with the establishment of the S2a connection.

12. The TWAN sends a Create Session Request/PBU message to the PDN GW to initiate the S2a tunnel establishment. The TWAG provides the IMEI as UE identity (SIM-less UE) (or the IMSI if the UE cannot be authenticated). [In the case of an emergency call established over 3GPP access for a SIM-less UE, the IMEI is provided to the PGW over the GTP-C interface.]

13. The PDN GW informs the 3GPP AAA server (S6b Authorization Request) of its PDN GW identity and of the APN corresponding to the PDN connection of the UE, together with the permanent user identity (when the PGW has not received an IMSI from the ePDG/TWAG, the NAI carries the IMEI in its user part). The AAA server authorizes the request for the emergency PDN connection without any further check. The 3GPP AAA server does not update the HSS with the PGW address.

14. The PDN GW returns a Create Session Response/PBA message to the TWAN, including the IP address allocated to the UE.

15. The TWAN includes the provided connectivity parameters received from the PDN GW and sets the TWAN-S2a Connection Indicator in the DER-Flags AVP of the DER message sent to the 3GPP AAA server. The 3GPP AAA server ignores the EAP payload included in the DER message.

16. The 3GPP AAA server includes the PDN connectivity parameters in an AKA'-Notification and sends a DEA message to the TWAN. The Result-Code AVP in the DEA message is set to "DIAMETER_MULTI_ROUND_AUTH". The TWAN-S2a Connection Indicator is not set in the DEA-Flags AVP.

17.TWAN向UE转发EAP有效载荷。17. TWAN forwards the EAP payload to the UE.

18-19.UE用TWAN向3GPP AAA服务器转发的EAP-RSP/AKA'通知消息进行响应。18-19. The UE responds with the EAP-RSP/AKA' notification message forwarded by TWAN to the 3GPP AAA server.

20-21.3GPP AAA服务器发送TWAN向UE转发的EAP成功消息。DEA消息中的结果代码AVP被设置为“DIAMETER_SUCESS”。20-21. The 3GPP AAA server sends an EAP Success message, which is forwarded by TWAN to the UE. The Result-Code AVP in the DEA message is set to "DIAMETER_SUCESS".

In some embodiments, taking TWAN access to the EPC as an example, in the case of an unauthenticated UE (e.g., a SIM-less UE) the AAA server may (this is only an illustrative example) provide the following information to the TWAN in the authentication and authorization answer message (see 3GPP TS 29.273):

Aspects of the present invention include (but are not limited to) the following.

One aspect is a user equipment UE configured to support emergency services over WLAN access to the 3GPP Evolved Packet Core EPC for unauthenticated user equipment.

Various embodiments may be provided according to various combinations, including (but not limited to) the following embodiments, which may be employed alone or in combination.

In an embodiment, the user equipment is configured to:

- in response to a request to provide a user identity for access authentication, provide a specific user identity based on a Network Access Identifier NAI, the specific user identity having a realm part indicating unauthenticated access to emergency services.

In an embodiment, the user equipment is configured to:

- provide the specific user identity in one of the following cases:

· the UE has no IMSI;

· the UE has an IMSI but knows that it cannot be authenticated.

In an embodiment, the user equipment is configured to:

- if the UE has no IMSI, provide a specific NAI-based user identity whose username part is based on the IMEI.

In an embodiment, the user equipment is configured to:

- perform a specific EAP-based procedure for accessing emergency services without authentication, the specific EAP-based procedure comprising, relative to the normal EAP-based procedure, at least one of the following:

· not attempting to authenticate the network;

· deriving the master key MK without using the cipher key CK and the integrity key IK.

Another aspect is an authentication device, such as a TWAN entity for trusted WLAN access to the EPC or an ePDG for untrusted WLAN access to the EPC, configured to support emergency services over WLAN access to the 3GPP Evolved Packet Core EPC for unauthenticated user equipment.

Various embodiments may be provided according to various combinations, including (but not limited to) the following embodiments, which may be employed alone or in combination.

In an embodiment, the authentication device is configured to:

- based on the realm part of a user identity based on a Network Access Identifier NAI, the realm part indicating unauthenticated access to emergency services, route messages from the user equipment UE to a specific 3GPP AAA server serving a domain dedicated to unauthenticated access to emergency services.

In an embodiment, the authentication device is configured to:

- handle the indication from the 3GPP AAA server that the access is for limited services;

- handle the indication from the 3GPP AAA server that the user identity has not been authenticated, and relay this information to the PDN GW.

Another aspect is a 3GPP AAA server configured to support emergency services over WLAN access to the 3GPP Evolved Packet Core EPC for unauthenticated user equipment.

Various embodiments may be provided according to various combinations, including (but not limited to) the following embodiments, which may be employed alone or in combination.

In an embodiment, the 3GPP AAA server is configured to:

- serve a domain dedicated to unauthenticated access to emergency services;

- grant access to unauthenticated user equipment UE;

- provide the UE with specific authorization data allowing network access for emergency services.

In an embodiment, the 3GPP AAA server is configured to:

- perform a specific EAP-based procedure for accessing emergency services without authentication, the specific EAP-based procedure comprising, relative to the normal EAP-based procedure, at least one of the following:

- not retrieving an authentication vector for the UE from the HSS;

- providing an indication that the access is for limited services without authentication;

- accepting any challenge response sent by the UE;

- not downloading the user's subscription information from the HSS;

- accepting the request for an emergency PDN connection without any further checks;

- deriving the master key MK without using the cipher key CK and the integrity key IK;

- while supporting some features of a regular 3GPP AAA server, such as, in the case of TWAN access, negotiating the mode of the access or relaying information between the EAP-based signalling and the authentication device.

In an embodiment, the 3GPP AAA server is configured to:

- signal to the UE and to the authentication device involved in the access authentication that the access is an access for limited services without authentication.

In an embodiment, the 3GPP AAA server is configured to:

- signal to the authentication device involved in the access authentication that the IMSI it provides to the authentication device in the signalling has not been authenticated.

Another aspect is a 3GPP AAA proxy configured to support emergency services over WLAN access to the 3GPP Evolved Packet Core EPC for unauthenticated user equipment.

Various embodiments may be provided, including (but not limited to) the following.

In an embodiment, the 3GPP AAA proxy is configured to:

- upon detecting that the 3GPP AAA server in the HPLMN cannot be contacted for an access authentication attempt associated with an emergency of the user equipment, redirect the access authentication request, based on local policy, to a local AAA server serving a domain dedicated to unauthenticated access to emergency services.

Another aspect is a method for supporting emergency services over WLAN access to the 3GPP Evolved Packet Core EPC for unauthenticated user equipment.

Various embodiments may be provided according to various combinations, including (but not limited to) the following embodiments, which may be employed alone or in combination.

In an embodiment, the method comprises:

- a specific 3GPP AAA server serving a domain dedicated to unauthenticated access to emergency services, granting access to unauthenticated user equipment, and providing the UE with specific authorization data allowing network access for emergency services.

In an embodiment, the method comprises:

- in response to a request to provide a user identity for access authentication, a user equipment UE providing a specific NAI-based user identity, the specific user identity having a realm part indicating unauthenticated access to emergency services;

- an authentication device, such as a TWAN entity for trusted WLAN access or an ePDG for untrusted WLAN access, routing messages from the UE to the specific 3GPP AAA server based on the realm part.

In an embodiment, the method comprises:

- upon detecting that the 3GPP AAA server in the HPLMN cannot be contacted for an access authentication attempt associated with an emergency of a user equipment, a 3GPP AAA proxy redirecting, based on local policy, the access authentication request for the UE to a local AAA server serving a domain dedicated to unauthenticated access to emergency services.

In an embodiment, the method comprises:

- a 3GPP AAA server indicating to the UE and to the authentication device that the access corresponds to access to emergency services for unauthenticated devices and is therefore restricted to supporting emergency services.

Various other embodiments of the method may be provided in accordance with the various embodiments of the user equipment, authentication device, 3GPP AAA server and 3GPP AAA proxy described above.
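As an added illustration that is not part of the patent or of any 3GPP implementation, the following Python model ties together the procedure in steps 6 to 21 and the UE, authentication device, AAA proxy and 3GPP AAA server embodiments above: NAI construction with an IMEI-based username and an emergency realm, realm-based routing with the proxy fallback, and an emergency AAA server that accepts any challenge response, never touches the HSS and derives MK from the identity alone. The realm value, the "imei"/"imsi" username prefixes, the Dea field names and the HMAC-based MK construction are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder realm: the page does not name the realm value.
EMERGENCY_REALM = "unauth-emergency.example"
DIAMETER_MULTI_ROUND_AUTH = 1001  # RFC 6733 Result-Code value

def build_nai(imsi: Optional[str], imei: str, can_authenticate: bool,
              home_realm: str) -> str:
    """UE side: the emergency realm is used when the UE has no IMSI or knows
    it cannot be authenticated; without an IMSI the username part is built
    from the IMEI (the 'imei'/'imsi' prefixes are a constructed convention)."""
    if imsi is None:
        return f"imei{imei}@{EMERGENCY_REALM}"
    if not can_authenticate:
        return f"imsi{imsi}@{EMERGENCY_REALM}"
    return f"imsi{imsi}@{home_realm}"

def route_aaa(nai: str, hplmn_reachable: bool, emergency_attempt: bool) -> str:
    """Authentication device (TWAN/ePDG) and AAA proxy: route on the realm
    part; an emergency attempt whose HPLMN AAA server cannot be contacted is
    redirected by the proxy to the local emergency AAA server (local policy)."""
    _username, realm = nai.split("@", 1)
    if realm == EMERGENCY_REALM:
        return "emergency-aaa"
    if not hplmn_reachable:
        if emergency_attempt:
            return "emergency-aaa"
        raise ConnectionError(f"HPLMN AAA server for realm {realm} unreachable")
    return f"hplmn-aaa.{realm}"

@dataclass
class Dea:
    result_code: int
    limited_service: bool = False           # "access is for limited services"
    twan_s2a_indicator: bool = False        # TWAN-S2a connection indicator flag
    authorized_mode: Optional[str] = None   # e.g. "SCM"
    identity_unauthenticated: bool = False  # relayed by TWAN/ePDG to the PDN GW

class EmergencyAaaServer:
    """Serves the emergency realm only: it never fetches an authentication
    vector or subscription data from the HSS and never updates the HSS."""

    def __init__(self) -> None:
        self.hss_requests = 0  # stays 0 throughout the procedure

    def on_identity(self, nai: str) -> Dea:
        """Step 6: challenge carrying the limited-service indication; the
        TWAN-S2a indicator is not set yet."""
        if not nai.endswith("@" + EMERGENCY_REALM):
            raise ValueError("not an emergency-realm identity")
        return Dea(DIAMETER_MULTI_ROUND_AUTH, limited_service=True)

    def on_challenge_response(self, nai: str, res: bytes, mode: str) -> Dea:
        """Step 11: any RES is accepted, the requested mode is authorized and
        the TWAN is asked to proceed with the S2a connection."""
        return Dea(DIAMETER_MULTI_ROUND_AUTH, authorized_mode=mode,
                   twan_s2a_indicator=True, identity_unauthenticated=True)

    @staticmethod
    def derive_mk(nai: str) -> bytes:
        """MK from the identity alone, with no CK/IK input; the HMAC-SHA256
        construction is illustrative, not the EAP-AKA' PRF'."""
        return hmac.new(b"emergency-MK-illustrative", nai.encode(),
                        hashlib.sha256).digest()
```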

A person skilled in the art will readily recognize that the steps of the various methods described above may be performed by a programmed computer. Herein, some embodiments are also intended to cover program storage devices, e.g., digital data storage media, that are machine- or computer-readable and encode a machine-executable or computer-executable program of instructions, wherein the instructions perform some or all of the steps of the methods described above. The program storage devices may be, e.g., digital memories, magnetic storage media such as magnetic disks and tapes, hard drives, or optically readable digital data storage media. The embodiments are also intended to cover computers programmed to perform the steps of the methods described above.

Claims (12)

1. An apparatus, comprising:
a processor; and
a memory storing instructions which, when executed, cause the apparatus to:
· perform, between a user equipment and a network, a specific Extensible Authentication Protocol based procedure without mutual authentication, for access to emergency services by the user equipment through trusted wireless local area network access to an evolved packet core network;
· within the procedure, receive from the network an indication that the access is for limited services without authentication;
· within the procedure, negotiate with the network a connection mode for the access.

2. The apparatus according to claim 1, wherein the instructions, when executed, cause the apparatus to:
· receive the indication if a user identity based on an International Mobile Subscriber Identity cannot be authenticated by the network.

3. The apparatus according to claim 1, wherein the connection mode comprises one of a single-connection mode and a multi-connection mode.

4. The apparatus according to any one of claims 1 to 3, wherein the instructions, when executed, cause the apparatus to:
· derive a master session key for the access without using a cipher key and an integrity key, but using an identity provided by the user equipment.

5. A method for communication, comprising:
· performing, between a user equipment and a network, a specific Extensible Authentication Protocol based procedure without mutual authentication, for access to emergency services by the user equipment through trusted wireless local area network access to an evolved packet core network;
· within the procedure, receiving from the network an indication that the access is for limited services without authentication;
· within the procedure, negotiating with the network a connection mode for the access.

6. The method according to claim 5, comprising:
· receiving the indication if a user identity based on an International Mobile Subscriber Identity cannot be authenticated by the network.

7. The method according to claim 6, wherein the connection mode comprises one of a single-connection mode and a multi-connection mode.

8. The method according to any one of claims 5 to 7, comprising:
· deriving a master session key for the access without using a cipher key and an integrity key, but using an identity provided by the user equipment.

9. An apparatus, comprising:
a processor; and
a memory storing instructions which, when executed, cause the apparatus to:
· perform, between a user equipment and a network, a specific Extensible Authentication Protocol based procedure without mutual authentication, for access to emergency services by the user equipment through trusted wireless local area network access to an evolved packet core network;
· within the procedure, send to the user equipment an indication that the access is for limited services without authentication;
· within the procedure, negotiate with the user equipment a connection mode for the access.

10. The apparatus according to claim 9, wherein the instructions, when executed, cause the apparatus to:
· send the indication if a user identity based on an International Mobile Subscriber Identity cannot be authenticated by the network.

11. The apparatus according to claim 9, wherein the connection mode comprises one of a single-connection mode and a multi-connection mode.

12. The apparatus according to any one of claims 9 to 11, wherein the instructions, when executed, cause the apparatus to:
· derive a master session key for the access without using a cipher key and an integrity key, but using an identity provided by the user equipment.
HK19120057.5A 2015-11-05 2016-11-03 Support of emergency services over wlan access to 3gpp evolved packet core for unauthenticated users HK1260371B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP15306757.4 2015-11-05

Publications (2)

Publication Number Publication Date
HK1260371A1 HK1260371A1 (en) 2019-12-20
HK1260371B true HK1260371B (en) 2022-02-11
