CN114980090A - Secondary authentication method, network element and system, computer device and storage medium - Google Patents
Secondary authentication method, network element and system, computer device and storage medium Download PDFInfo
- Publication number
- CN114980090A CN114980090A CN202110189053.2A CN202110189053A CN114980090A CN 114980090 A CN114980090 A CN 114980090A CN 202110189053 A CN202110189053 A CN 202110189053A CN 114980090 A CN114980090 A CN 114980090A
- Authority
- CN
- China
- Prior art keywords
- secondary authentication
- user
- password
- session
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 230000006870 function Effects 0.000 claims description 81
- 230000005641 tunneling Effects 0.000 claims description 23
- 238000013475 authorization Methods 0.000 claims description 9
- 238000012795 verification Methods 0.000 claims description 3
- 238000010586 diagram Methods 0.000 description 20
- 238000004590 computer program Methods 0.000 description 7
- 238000012545 processing Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 238000011161 development Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000005538 encapsulation Methods 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Power Engineering (AREA)
- Telephonic Communication Services (AREA)
Abstract
The present disclosure relates to a secondary authentication method, a network element and system, a computer apparatus, and a storage medium. The secondary authentication method comprises the following steps: under the condition that a user terminal initiates a virtual private dialing network authentication request, judging whether the user terminal carries a user name and a password of secondary authentication; under the condition that the virtual private dialing network authentication request does not carry a user name and a password of secondary authentication, acquiring session data network name information and user permanent identifier information; inquiring a user name and a password of secondary authentication corresponding to the session from a virtual private dialing network authentication database based on the session data network name information and the user permanent identifier information; and issuing the user name and the password of the secondary authentication corresponding to the session to a user plane function network element so as to perform secondary authentication on a second layer tunnel protocol network server according to the user name and the password of the secondary authentication. The method and the device realize secondary authentication in an L2TP mode, and improve the compatibility and the safety of the network.
Description
Technical Field
The present disclosure relates to the field of mobile communications, and in particular, to a secondary authentication method, a network element, a system, a computer device, and a storage medium.
Background
With the commercialization of 5G, 5G technology will make a significant contribution to the promotion of economic growth and the upgrading of industry transformation. In the 5G era, the boundaries of the government and enterprise businesses are wider, and more business forms and products are derived. Meanwhile, with the development of enterprise internet, the requirement for communication service in the 5G period is more comprehensive, and the fusion between the traditional service and the novel service is more compact.
In view of security, in the mobile Network, in order to meet business requirements of government and enterprise customers, a VPDN (Virtual Private Dial Network) secondary authentication mode is adopted. Under normal conditions, the terminal carries a user name and a Password for secondary Authentication in an Evolved Protocol Configuration Options (esco)/Protocol Configuration Options (PCO) and applies for Authentication and Authorization from an Authentication, Authorization, Accounting, verification, Authorization and Accounting (AAA) in a PAP (Password Authentication Protocol) or Challenge Handshake Authentication Protocol (CHAP) manner. However, due to differences in terminal brands, chips, and the like, some terminals do not support user names and passwords required by the PAP or CHAP modes, and authentication can only be performed in a GRE (Generic Routing Encapsulation) mode, but the GRE mode cannot be performed based on user names and passwords of different users in the same VPDN, so that security is reduced, and development of operation business is affected.
Disclosure of Invention
In view of at least one of the above technical problems, the present disclosure provides a secondary authentication method, a network element, a system, a computer device, and a storage medium, which implement L2TP (Layer Two Tunneling Protocol) mode secondary authentication and improve network compatibility and security.
According to an aspect of the present disclosure, there is provided a secondary authentication method including:
under the condition that a user terminal initiates a virtual private dialing network authentication request, a session management function network element judges whether the user terminal carries a user name and a password of secondary authentication;
under the condition that the virtual private dial-up network authentication request does not carry a user name and a password of secondary authentication, the session management function network element acquires session data network name information and user permanent identifier information;
the session management function network element inquires a user name and a password of secondary authentication corresponding to the session from a virtual private dialing network authentication database based on the session data network name information and the user permanent identifier information;
and the session management function network element issues the user name and the password of the secondary authentication corresponding to the session to the user plane function network element, so that the user plane function network element performs secondary authentication to the second layer tunnel protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
In some embodiments of the present disclosure, the determining whether the user terminal carries a user name and a password for the secondary authentication includes:
and judging whether the evolution protocol configuration options or the protocol configuration options of the user terminal carry the user name and the password of the secondary authentication.
In some embodiments of the disclosure, the obtaining session data network name information and user permanent identifier information includes:
and acquiring the session data network name information and the user permanent identifier information from the subscription information.
According to another aspect of the present disclosure, there is provided a secondary authentication method including:
the method comprises the steps that a user plane function network element receives a user name and a password of secondary authentication corresponding to a session, wherein the user name and the password of the secondary authentication are sent by a session management function network element, the session management function network element judges whether the user terminal carries the user name and the password of the secondary authentication under the condition that a user terminal initiates a virtual private dialing network authentication request, the session management function network element obtains session data network name information and user permanent identifier information under the condition that the user name and the password of the secondary authentication are not carried in the virtual private dialing network authentication request, and the session management function network element inquires the user name and the password of the secondary authentication corresponding to the session from a virtual private dialing network authentication database on the basis of the session data network name information and the user permanent identifier information;
and the user plane functional network element performs secondary authentication on the second layer tunneling protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
In some embodiments of the present disclosure, the secondary authentication method further comprises:
the user plane functional network element acquires the second layer tunnel protocol network server information from the verification, authorization and accounting server;
and the user plane functional network element carries a user name and a password of secondary authentication corresponding to the session by combining the information of the second layer tunnel protocol network server, and performs secondary authentication on the second layer tunnel protocol network server.
According to another aspect of the present disclosure, there is provided a session management function network element, including:
the judging module is configured to judge whether the user terminal carries a user name and a password for secondary authentication under the condition that the user terminal initiates a virtual private dialing network authentication request;
the information acquisition module is configured to acquire the name information of the session data network and the permanent identifier information of the user under the condition that the authentication request of the virtual private dial-up network does not carry the user name and the password of the secondary authentication;
the query module is configured to query a user name and a password of secondary authentication corresponding to the session from the virtual private dialing network authentication database based on the session data network name information and the user permanent identifier information;
and the issuing module is configured to issue the user name and the password of the secondary authentication corresponding to the session to the user plane function network element, so that the user plane function network element performs the secondary authentication to the second layer tunneling protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
In some embodiments of the present disclosure, the determining module is configured to determine whether an evolved protocol configuration option or a protocol configuration option of the user terminal carries a user name and a password for secondary authentication, when the user terminal initiates a virtual private dialing network authentication request.
In some embodiments of the present disclosure, the information obtaining module is configured to obtain the session data network name information and the user permanent identifier information from the subscription information in a case that the user name and the password of the secondary authentication are not carried in the virtual private dialing network authentication request.
According to another aspect of the present disclosure, there is provided a user plane function network element, including:
the session management function network element acquires session data network name information and user permanent identifier information under the condition that the user terminal does not carry the user name and the password of the secondary authentication, and inquires the user name and the password of the secondary authentication corresponding to the session from a virtual private dialing network authentication database on the basis of the session data network name information and the user permanent identifier information;
and the secondary authentication module is configured to perform secondary authentication on the second layer tunneling protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
In some embodiments of the disclosure, the user plane function network element further includes:
a server information acquisition module configured to acquire layer two tunneling protocol network server information from the authentication, authorization and accounting server;
and the secondary authentication module is configured to carry a user name and a password of secondary authentication corresponding to the session in combination with the information of the second layer tunnel protocol network server, and perform secondary authentication on the second layer tunnel protocol network server.
According to another aspect of the present disclosure, there is provided a computer apparatus comprising:
a memory configured to store instructions;
a processor configured to execute the instructions to cause the computer device to perform operations to implement the secondary authentication method as in any of the above embodiments.
According to another aspect of the present disclosure, there is provided a secondary authentication system, including a session management function network element as described in any of the above embodiments and a user plane function network element as described in any of the above embodiments.
In some embodiments of the present disclosure, the secondary authentication system further comprises:
and the virtual private dialing network authentication database is configured to store the user name and the password of the secondary authentication and provide a query result.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is provided, wherein the non-transitory computer-readable storage medium stores computer instructions, which when executed by a processor, implement the secondary authentication method as in any one of the above embodiments.
The method and the device realize secondary authentication in an L2TP mode, and improve network compatibility and security.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of some embodiments of a secondary authentication method of the present disclosure.
Fig. 2 is a schematic diagram of another embodiment of a secondary authentication method according to the present disclosure.
Fig. 3 is a schematic diagram of further embodiments of the disclosed secondary authentication method.
Fig. 4 is a schematic diagram of some embodiments of a session management function network element according to the present disclosure.
Fig. 5 is a schematic diagram of some embodiments of a user plane functional network element according to the present disclosure.
Fig. 6 is a schematic diagram of some embodiments of a secondary authentication system of the present disclosure.
FIG. 7 is a schematic block diagram of some embodiments of a computer apparatus according to the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a schematic diagram of some embodiments of a secondary authentication method of the present disclosure. Preferably, this embodiment may be executed by the disclosed secondary authentication system or the disclosed session management function network element. The method comprises the following steps:
In some embodiments of the present disclosure, step 11 may comprise: under the condition that a user terminal initiates a virtual private dialing network authentication request, a session management function network element judges whether an evolution protocol configuration option or a protocol configuration option of the user terminal carries a user name and a password of secondary authentication.
In some embodiments of the present disclosure, step 12 may comprise: and under the condition that the virtual private dial-up network authentication request does not carry the user name and the password of the secondary authentication, the session management function network element acquires the session data network name information and the user permanent identifier information from the subscription information.
And step 13, the session management function network element inquires a user name and a password of secondary authentication corresponding to the session from the virtual private dial-up network authentication database based on the session data network name information and the user permanent identifier information.
In some embodiments of the present disclosure, step 12 may comprise: and the session management function network element issues the user name and the password of the secondary authentication corresponding to the session to the user plane function network element through an N4 interface, wherein the N4 interface is an interface between the SMF and the UPF and is used for transmitting control plane information between the SMF and the UPF.
Based on the secondary authentication method provided by the embodiment of the disclosure, aiming at the technical problems of the related technology, the VPDN secondary authentication can be realized, the problem that some products do not support carrying of user names and passwords for the VPDN secondary authentication due to differences of brands, chips and the like of terminals under market is solved, the network compatibility is improved, and the service requirements of government and enterprise customers are met.
Fig. 2 is a schematic diagram of another embodiment of a secondary authentication method according to the present disclosure. Preferably, this embodiment may be executed by the secondary authentication system of the present disclosure or the user plane function network element of the present disclosure. The method comprises the following steps:
And step 22, the user plane functional network element performs secondary authentication to the second layer tunnel protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
In some embodiments of the present disclosure, step 22 may include step 221 and step 222, wherein:
step 221, the user plane function network element obtains the second layer tunneling protocol network server information from AAA (authentication, authorization and accounting server).
Step 222, the user plane functional network element performs secondary authentication to the second layer tunneling protocol network server by combining the second layer tunneling protocol network server information and carrying the user name and the password of the secondary authentication corresponding to the session.
Based on the secondary authentication method provided by the embodiment of the disclosure, the difference between terminals and chips does not need to be considered in VPDN deployment, and uniform service is convenient to realize. The embodiment of the invention can realize L2TP in a mobile network scene, solves the problem that the core network adopts a GRE mode and can not authenticate based on user names and passwords of different users in the same VPDN, meets the customer requirements and improves the safety.
Fig. 3 is a schematic diagram of further embodiments of the disclosed secondary authentication method. Preferably, this embodiment can be performed by the secondary authentication system of the present disclosure. The method comprises the following steps:
and step 31, the user terminal initiates a VPDN authentication request.
And step 32, finding that the ePCO does not carry the user name and the password of the secondary authentication, and inquiring a VPDN authentication database based on the DNN information and the SUPI information of the session.
And step 33, the VPDN authentication database returns the corresponding user name and password.
And step 34, the SMF sends the user name and the password to the UPF.
And step 35, combining the LNS information obtained from the AAA with the UPF, carrying the user name and the password, and performing secondary authentication on the LNS (second layer tunneling protocol network server).
Based on the secondary authentication method provided by the embodiment of the disclosure, the core network can provide the user name and the password of VPDN secondary authentication, thereby reducing the requirement on the user terminal and improving the network compatibility and the security.
Fig. 4 is a schematic diagram of some embodiments of a session management function network element of the present disclosure. As shown in fig. 4, the session management functional network element of the present disclosure may include a determining module 41, an information obtaining module 42, an inquiring module 43, and a sending module 44, where:
a judging module 41, configured to judge whether the user terminal carries a user name and a password for secondary authentication under the condition that the user terminal initiates a virtual private dialing network authentication request;
in some embodiments of the present disclosure, the determining module 41 may be configured to determine whether an evolved protocol configuration option or a protocol configuration option of the user terminal carries a user name and a password for secondary authentication, in a case that the user terminal initiates a virtual private dialing network authentication request.
And the information acquisition module 42 is configured to acquire the session data network name information and the user permanent identifier information when the user name and the password of the secondary authentication are not carried in the virtual private dial-up network authentication request.
In some embodiments of the present disclosure, the information obtaining module 42 may be configured to obtain the session data network name information and the user permanent identifier information from the subscription information in a case that the username and password for the secondary authentication are not carried in the virtual private dialing network authentication request.
And the query module 43 is configured to query the virtual private dial-up network authentication database for the username and the password of the secondary authentication corresponding to the session based on the session data network name information and the user permanent identifier information.
And the issuing module 44 is configured to issue the user name and the password of the secondary authentication corresponding to the session to the user plane function network element, so that the user plane function network element performs the secondary authentication to the second layer tunneling protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
In some embodiments of the present disclosure, the issuing module 44 may be configured to issue the user name and the password of the secondary authentication corresponding to the session to the user plane function network element through an N4 interface, where the N4 interface is an interface between the SMF and the UPF, and is used to transmit control plane information between the SMF and the UPF.
Based on the session management function network element provided by the embodiment of the disclosure, the situation that VPDN service cannot be developed due to the fact that part of mobile terminals do not support user names and passwords required by PAP or CHAP modes is solved, thereby improving the compatibility and the safety of the network and meeting the service requirements. The embodiment of the disclosure can realize the deployment and application of the VPDN service of the mobile network, and solve the problem of secondary authentication.
Fig. 5 is a schematic diagram of some embodiments of a user plane functional network element according to the present disclosure. As shown in fig. 5, the session management function network element of the present disclosure may include an information receiving module 51 and a secondary authentication module 52, where:
the information receiving module 51 is configured to receive a user name and a password of secondary authentication corresponding to a session issued by a session management function network element, where in a case where a user terminal initiates a virtual private dialing network authentication request, the session management function network element determines whether the user terminal carries the user name and the password of the secondary authentication, in a case where the virtual private dialing network authentication request does not carry the user name and the password of the secondary authentication, the session management function network element obtains session data network name information and user permanent identifier information, and the session management function network element queries the user name and the password of the secondary authentication corresponding to the session from a virtual private dialing network authentication database based on the session data network name information and the user permanent identifier information.
And the secondary authentication module 52 is configured to perform secondary authentication to the second layer tunneling protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
In some embodiments of the present disclosure, as shown in fig. 5, the user plane function network element may further include a server information obtaining module 53, where:
a server information obtaining module 53 configured to obtain the layer two tunneling protocol network server information from the authentication, authorization, and accounting server.
The secondary authentication module 52 may be configured to perform secondary authentication to the second layer tunneling protocol network server by combining the information of the second layer tunneling protocol network server, and carrying the user name and the password of the secondary authentication corresponding to the session.
Based on the user plane functional network element provided by the embodiment of the disclosure, the problem that some products do not support carrying of user names and passwords for VPDN secondary authentication due to differences of brands, chips and the like of terminals under marketization is solved, so that network compatibility is improved, and business requirements of government and enterprise customers are met.
Fig. 6 is a schematic diagram of some embodiments of a secondary authentication system of the present disclosure. As shown in fig. 6, the disclosed secondary authentication system may include an SMF (session management function network element) 61 and a UPF (user plane function network element) 62, where:
and the session management function network element 61 is configured to detect that the user terminal does not carry a user name and a password for secondary authentication, trigger and query the user name and the password for secondary authentication based on the session DNN information and the SUPI information in the subscription information, and issue the user name and the password for secondary authentication to the UPF network element through an N4 interface.
And the user plane function network element 62 is configured to initiate secondary authentication to the LNS according to the secondary authentication user name and the password issued by the SMF.
In some embodiments of the present disclosure, as shown in fig. 6, the secondary authentication system may further include a VPDN (virtual private dial-up network) authentication database 63, wherein:
and a virtual private dial-up network authentication database 63 configured to store the user name and password for the secondary authentication, and provide the query result.
In some embodiments of the present disclosure, the virtual private dial-up network authentication database 63 may be constructed by a capability open platform.
In some embodiments of the present disclosure, as shown in fig. 6, the secondary authentication system may further include an LNS (layer two tunneling protocol network server) 64 and a 5G base station (gNB)65, wherein:
the second layer tunneling protocol network server 64 is configured to perform secondary authentication on the session according to the secondary authentication user name and password reported by the user plane function network element 62.
In some embodiments of the present disclosure, 5G base station 65 may include gNB-1, gNB-2, …, gNB-n, as shown in FIG. 6.
In some embodiments of the present disclosure, the 5G base station 65 is configured to forward the VPDN authentication request of the user terminal to the user plane function network element 62 of the core network.
Based on the secondary authentication system provided by the embodiment of the present disclosure, in a VPDN secondary authentication scenario, an SMF in a core network detects that a terminal does not carry a User name and a password for secondary authentication, and based on session DNN information and SUPI information in subscription information, triggers and queries a VPDN authentication database to obtain the User name and the password corresponding to the session, and issues the User name and the password to a UPF User plane function, a User plane function network element, as information for authentication to an LNS, through an N4 interface. By applying the embodiment of the disclosure, the problem that some products do not support carrying of user names and passwords for VPDN secondary authentication due to differences of brands, chips and the like of terminals under marketization can be solved, the compatibility of a network is improved, and the business requirements of government and enterprise customers are met.
The embodiment of the disclosure provides a communication method, a device and a system for realizing secondary authentication in a mobile network. The SMF in the core network of the embodiment of the present disclosure detects that the terminal does not carry the user name and password for secondary authentication in the ePCO, and based on the session DNN information and the SUPI information in the subscription information, the SMF can acquire the user name and password corresponding to the session and issue them to the UPF network element, thereby implementing secondary authentication in the L2TP manner, and improving network compatibility and security.
FIG. 7 is a schematic block diagram of some embodiments of a computer apparatus according to the present disclosure. As shown in fig. 7, the computer apparatus includes a memory 71 and a processor 72.
The memory 71 is used for storing instructions, the processor 72 is coupled to the memory 71, and the processor 72 is configured to execute a method related to implementing the above-mentioned embodiment of the present disclosure (for example, any one of the embodiments of fig. 1 to 3) based on the instructions stored in the memory.
As shown in fig. 7, the computer apparatus further comprises a communication interface 73 for information interaction with other devices. The computer device also includes a bus 74, and the processor 72, the communication interface 73, and the memory 71 communicate with each other via the bus 74.
The memory 71 may comprise high-speed RAM memory, and may also include non-volatile memory, such as at least one disk memory. The memory 71 may also be a memory array. The storage 71 may also be partitioned and the blocks may be combined into virtual volumes according to certain rules.
Further, the processor 72 may be a central processing unit CPU, or may be an application specific integrated circuit ASIC, or one or more integrated circuits configured to implement embodiments of the present disclosure.
In some embodiments of the present disclosure, the computer apparatus of the present disclosure may be implemented as a session management function network element (e.g., the session management function network element in the embodiment of fig. 4 or fig. 6) of the present disclosure in the case of executing the secondary authentication method in the above-described embodiment (e.g., the embodiment of fig. 1) of the present disclosure.
In other embodiments of the present disclosure, a computer apparatus of the present disclosure may be implemented as a user plane function network element (e.g., a user plane function network element in the embodiment of fig. 5 or fig. 6) of the present disclosure in the case of executing the secondary authentication method in the above-described embodiment (e.g., the embodiment of fig. 2) of the present disclosure.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is provided, wherein the non-transitory computer-readable storage medium stores computer instructions, which when executed by a processor, implement the secondary authentication method according to any of the above embodiments (e.g., any of fig. 1-3).
The VPDN deployment of the embodiment of the disclosure does not need to consider the difference of terminals and chips, and is convenient for realizing unified service.
The embodiment of the disclosure can realize L2TP in a mobile network scene, solves the problem that authentication cannot be performed based on user names and passwords of different users in the same VPDN by adopting a GRE mode in a core network, meets the customer requirements, and can improve the security.
The core network of the embodiment of the disclosure provides the user name and the password of VPDN secondary authentication, reduces the requirement on the user terminal, and improves the network compatibility and the security.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The session management function network elements and the user plane function network elements described above may be implemented as a general purpose processor, a Programmable Logic Controller (PLC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination thereof, for performing the functions described herein.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware to implement the above embodiments, where the program may be stored in a non-transitory computer readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic or optical disk, and the like.
The description of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.
Claims (13)
1. A secondary authentication method, comprising:
under the condition that a user terminal initiates a virtual private dialing network authentication request, a session management function network element judges whether the user terminal carries a user name and a password of secondary authentication;
under the condition that the virtual private dial-up network authentication request does not carry a user name and a password of secondary authentication, the session management function network element acquires session data network name information and user permanent identifier information;
the session management function network element inquires a user name and a password of secondary authentication corresponding to the session from a virtual private dialing network authentication database based on the session data network name information and the user permanent identifier information;
and the session management function network element issues the user name and the password of the secondary authentication corresponding to the session to the user plane function network element, so that the user plane function network element performs secondary authentication to the second layer tunnel protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
2. The secondary authentication method according to claim 1, wherein the determining whether the user terminal carries a user name and a password for secondary authentication comprises:
and judging whether the evolution protocol configuration options or the protocol configuration options of the user terminal carry the user name and the password of the secondary authentication.
3. The secondary authentication method according to claim 1 or 2, wherein the acquiring session data network name information and user permanent identifier information comprises:
and acquiring the session data network name information and the user permanent identifier information from the subscription information.
4. A secondary authentication method, comprising:
the method comprises the steps that a user plane function network element receives a user name and a password of secondary authentication corresponding to a session, wherein the user name and the password of the secondary authentication are sent by a session management function network element, the session management function network element judges whether the user terminal carries the user name and the password of the secondary authentication under the condition that a user terminal initiates a virtual private dialing network authentication request, the session management function network element obtains session data network name information and user permanent identifier information under the condition that the user name and the password of the secondary authentication are not carried in the virtual private dialing network authentication request, and the session management function network element inquires the user name and the password of the secondary authentication corresponding to the session from a virtual private dialing network authentication database on the basis of the session data network name information and the user permanent identifier information;
and the user plane functional network element performs secondary authentication on the second layer tunnel protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
5. The secondary authentication method according to claim 4, further comprising:
the user plane functional network element acquires the second layer tunnel protocol network server information from the verification, authorization and accounting server;
and the user plane functional network element carries a user name and a password of secondary authentication corresponding to the session by combining the information of the second layer tunneling protocol network server, and performs secondary authentication on the second layer tunneling protocol network server.
6. A session management function network element, comprising:
the judging module is configured to judge whether the user terminal carries a user name and a password for secondary authentication under the condition that the user terminal initiates a virtual private dialing network authentication request;
the information acquisition module is configured to acquire session data network name information and user permanent identifier information under the condition that a user name and a password of secondary authentication are not carried in the virtual private dialing network authentication request;
the query module is configured to query a user name and a password of secondary authentication corresponding to the session from the virtual private dialing network authentication database based on the session data network name information and the user permanent identifier information;
and the issuing module is configured to issue the user name and the password of the secondary authentication corresponding to the session to the user plane function network element, so that the user plane function network element performs secondary authentication to the second layer tunnel protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
7. The session management function network element of claim 6,
the judging module is configured to judge whether an evolution protocol configuration option or a protocol configuration option of the user terminal carries a user name and a password of secondary authentication under the condition that the user terminal initiates a virtual private dial-up network authentication request;
and/or the presence of a gas in the atmosphere,
and the information acquisition module is configured to acquire the session data network name information and the user permanent identifier information from the subscription information under the condition that the virtual private dialing network authentication request does not carry the user name and the password of the secondary authentication.
8. A user plane functional network element, comprising:
the session management function network element acquires session data network name information and user permanent identifier information under the condition that the user terminal does not carry the user name and the password of the secondary authentication, and inquires the user name and the password of the secondary authentication corresponding to the session from a virtual private dialing network authentication database on the basis of the session data network name information and the user permanent identifier information;
and the secondary authentication module is configured to perform secondary authentication on the second layer tunneling protocol network server according to the user name and the password of the secondary authentication corresponding to the session.
9. The user plane functional network element of claim 8, further comprising:
a server information acquisition module configured to acquire layer two tunneling protocol network server information from the authentication, authorization and accounting server;
and the secondary authentication module is configured to carry a user name and a password of secondary authentication corresponding to the session by combining the information of the second layer tunneling protocol network server, and perform secondary authentication on the second layer tunneling protocol network server.
10. A computer apparatus, comprising:
a memory configured to store instructions;
a processor configured to execute the instructions to cause the computer apparatus to perform operations to implement the secondary authentication method of any of claims 1-5.
11. A secondary authentication system, comprising: a session management function network element according to claim 6 or 7 and a user plane function network element according to claim 8 or 9.
12. The secondary authentication system as recited in claim 11, further comprising:
and the virtual private dialing network authentication database is configured to store the user name and the password of the secondary authentication and provide a query result.
13. A non-transitory computer readable storage medium storing computer instructions which, when executed by a processor, implement the secondary authentication method of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110189053.2A CN114980090A (en) | 2021-02-19 | 2021-02-19 | Secondary authentication method, network element and system, computer device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110189053.2A CN114980090A (en) | 2021-02-19 | 2021-02-19 | Secondary authentication method, network element and system, computer device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114980090A true CN114980090A (en) | 2022-08-30 |
Family
ID=82954377
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110189053.2A Pending CN114980090A (en) | 2021-02-19 | 2021-02-19 | Secondary authentication method, network element and system, computer device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114980090A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116017456A (en) * | 2023-01-05 | 2023-04-25 | 天翼物联科技有限公司 | 5G L2TPVPDN authentication-free implementation method, device and computer equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110519775A (en) * | 2018-05-22 | 2019-11-29 | 华为技术有限公司 | Conversation managing method, device and system |
CN110999356A (en) * | 2017-07-20 | 2020-04-10 | 华为国际有限公司 | Network security management method and device |
WO2020253408A1 (en) * | 2019-06-17 | 2020-12-24 | 华为技术有限公司 | Secondary authentication method and apparatus |
CN112218287A (en) * | 2019-07-12 | 2021-01-12 | 华为技术有限公司 | Communication method and device |
-
2021
- 2021-02-19 CN CN202110189053.2A patent/CN114980090A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110999356A (en) * | 2017-07-20 | 2020-04-10 | 华为国际有限公司 | Network security management method and device |
CN110519775A (en) * | 2018-05-22 | 2019-11-29 | 华为技术有限公司 | Conversation managing method, device and system |
WO2020253408A1 (en) * | 2019-06-17 | 2020-12-24 | 华为技术有限公司 | Secondary authentication method and apparatus |
CN112218287A (en) * | 2019-07-12 | 2021-01-12 | 华为技术有限公司 | Communication method and device |
Non-Patent Citations (1)
Title |
---|
CHINATELECOM: "MEC002_VPDNon MEC_Use_Case", MEC(20)000289R1, 5 August 2020 (2020-08-05), pages 3 - 5 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116017456A (en) * | 2023-01-05 | 2023-04-25 | 天翼物联科技有限公司 | 5G L2TPVPDN authentication-free implementation method, device and computer equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12022571B2 (en) | Profile between devices in wireless communication system | |
CN111865598B (en) | Identity verification method and related device for network function service | |
CN114363891B (en) | Method capable of migrating subscriptions | |
KR101802264B1 (en) | Method for sharing virtual sim card by multiple terminals, terminals, server, and system | |
US20170161721A1 (en) | Method and system for opening account based on euicc | |
US10079913B2 (en) | Transmission method, terminal and system for application software | |
US20150024688A1 (en) | Automatic Pairing of a Vehicle and a Mobile Communications Device | |
EP3389295A1 (en) | Multi-terminal mapping system and method for virtual sim card | |
US11284335B2 (en) | Method, a device and a medium for obtaining and providing access information of a wireless access point | |
CN113766485B (en) | Pre-personalizing esims to support large-scale eSIM delivery | |
CN105873055B (en) | Wireless network access authentication method and device | |
WO2017041562A1 (en) | Method and device for identifying user identity of terminal device | |
CN106375995A (en) | Information processing method and system, and vehicle-mounted communication apparatus | |
CN111132305A (en) | Method for 5G user terminal to access 5G network, user terminal equipment and medium | |
CN110401951B (en) | Method, device and system for authenticating terminal in wireless local area network | |
CN114980090A (en) | Secondary authentication method, network element and system, computer device and storage medium | |
US20240214817A1 (en) | Method for remote provisioning of software modules in integrated circuit cards, corresponding apparatus and computer program product | |
CN114339622B (en) | Communication method, device and storage medium of ProSe communication group | |
EP2849470B1 (en) | Function sharing in wireless access hotspot device | |
CN113541981B (en) | Member management method and system for network slice | |
CN106878099B (en) | Traffic management method, terminal equipment, server and system | |
CN113055884B (en) | Network access method, network access device and terminal | |
CN110602024A (en) | Secondary authentication method and system for user terminal, access and mobility management device | |
CN114727246A (en) | Emergency call method and system, access and mobile management function entity | |
CN106454807B (en) | A kind of terminal Activiation method and mobile terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |