CN102056154A - IKE (Internet Key Exchange) authentication method and system, IKE response equipment and IKE initiating equipment - Google Patents


Info

Publication number: CN102056154A
Authority: CN (China)
Prior art keywords: authentication, ike, free, response, equipment
Legal status: Granted (active; as listed by Google Patents, an assumption rather than a legal conclusion)
Application number: CN2009102077948A
Other languages: Chinese (zh)
Other versions: CN102056154B (en)
Inventors: 蔡安宁, 高晓峰, 武二华
Current assignee: Huawei Technologies Co Ltd (as listed by Google Patents)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN200910207794.8A
Publication of CN102056154A
Application granted; publication of CN102056154B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an IKE (Internet Key Exchange) authentication method and system, IKE response equipment and IKE initiating equipment. The method comprises the following steps: receiving a first authentication request sent by the IKE initiating equipment, where the first authentication request carries access information; acquiring an authentication-free condition, and determining that the IKE initiating equipment is authentication-free equipment when the access information meets the authentication-free condition; and returning a first authentication response to the authentication-free equipment, where the first authentication response carries authentication success information. The embodiment of the invention simplifies the authentication flow, reduces access delay and lightens the load on the equipment.

Description

IKE authentication method, system, IKE response equipment and IKE initiating equipment
Technical Field
The present invention relates to mobile communication technologies, and in particular, to an Internet Key Exchange (IKE) authentication method, system, IKE response device, and IKE initiation device.
Background
A Wireless Local Area Network (WLAN) can serve as the radio access network of a User Equipment (UE) and implement interworking between the UE and a core network, so that the UE can access the core network. In the access process, the UE first needs to access the WLAN and then accesses the core network. In the prior art, the UE needs to authenticate with an Authentication, Authorization and Accounting (AAA) server both for the WLAN and for the core network, and usually the two authentications are performed against the same AAA server. In order to establish a secure tunnel, the IKE technique may be used in the authentication process by which the WLAN UE accesses the core network, where the WLAN UE serves as the IKE initiator and a Packet Data Gateway (PDG) or a Packet Data Interworking Function (PDIF) serves as the IKE responder.
The prior art has at least the following problem: the authentication process using IKE, for example the authentication process by which a WLAN UE accesses the core network, is complex, which results in long access delay and high requirements on device performance.
Disclosure of Invention
The embodiment of the invention provides an IKE authentication method, an IKE authentication system, an IKE response device and an IKE initiating device, which solve the problems of long access delay and high requirement on device performance in the prior art.
The embodiment of the invention provides a key exchange IKE authentication method, which comprises the following steps:
receiving a first authentication request sent by IKE initiating equipment, wherein the first authentication request carries access information;
obtaining an authentication-free condition, and determining that the IKE initiating equipment is authentication-free equipment when the access information meets the authentication-free condition;
and returning a first authentication response to the authentication-free equipment, wherein the first authentication response carries authentication success information.
The embodiment of the invention provides a key exchange IKE authentication method, which comprises the following steps:
sending a first authentication request to IKE response equipment, wherein the first authentication request carries access information;
and receiving a first authentication response returned by the IKE response equipment, wherein the first authentication response carries authentication success information, and the first authentication response is sent by the IKE response equipment when the access information meets the authentication-free condition acquired by the IKE response equipment.
An embodiment of the present invention provides an IKE response device for key exchange, including:
a first receiving module, configured to receive a first authentication request sent by an IKE initiating device, where the first authentication request carries access information;
a determining module, configured to obtain an authentication-exempt condition, and determine that the IKE initiating device is an authentication-exempt device when the access information meets the authentication-exempt condition;
and the first sending module is used for returning a first authentication response to the authentication-free equipment, and the first authentication response carries authentication success information.
An embodiment of the present invention provides a key exchange IKE initiation device, including:
a third sending module, configured to send a first authentication request to the IKE response device, where the first authentication request carries access information; and
a third receiving module, configured to receive a first authentication response returned by the IKE response device, where the first authentication response carries authentication success information, and the first authentication response is sent by the IKE response device when the access information meets an authentication-free condition obtained by the IKE response device.
The embodiment of the invention provides a key exchange IKE authentication system, which comprises:
the IKE initiating equipment is used for sending a first authentication request to the IKE responding equipment, and the first authentication request carries access information;
and the IKE response equipment is used for acquiring an authentication-free condition, determining that the IKE initiating equipment is the authentication-free equipment when the access information meets the authentication-free condition, and returning a first authentication response to the authentication-free equipment, wherein the first authentication response carries authentication success information.
According to the technical scheme, the authentication-free condition is obtained, so that the IKE initiating equipment meeting the authentication-free condition does not need to be authenticated, the access time delay is reduced, and the burden of the authentication equipment is lightened.
Drawings
FIG. 1 is a schematic flow chart of a method according to a first embodiment of the present invention;
FIG. 2 is a schematic flow chart of a method according to a second embodiment of the present invention;
FIG. 3 is a schematic flow chart of a method according to a third embodiment of the present invention;
FIG. 4 is a schematic flow chart of a method according to a fourth embodiment of the present invention;
FIG. 5 is a schematic flow chart of a method according to a fifth embodiment of the present invention;
FIG. 6 is a schematic flow chart of a method according to a sixth embodiment of the present invention;
FIG. 7 is a schematic flow chart of a method according to a seventh embodiment of the present invention;
FIG. 8 is a schematic diagram of an IKE response apparatus according to an eighth embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an IKE response apparatus according to a ninth embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an IKE response apparatus according to a tenth embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an IKE response apparatus according to an eleventh embodiment of the present invention;
FIG. 12 is a flowchart illustrating a method according to a twelfth embodiment of the present invention;
FIG. 13 is a schematic structural diagram of an IKE initiating device according to a thirteenth embodiment of the present invention;
FIG. 14 is a schematic structural diagram of an IKE authentication system according to a fourteenth embodiment of the present invention.
Detailed Description
Fig. 1 is a schematic flow chart of a method according to a first embodiment of the present invention, which includes:
Step 11: the IKE response equipment receives a first authentication request sent by the IKE initiating equipment, where the first authentication request carries access information;
The embodiment of the invention takes IKEv2 as an example. In the IKEv2 flow, the device that initiates authentication is the IKE initiating device and the device that responds to authentication is the IKE responding device. The following embodiments are described with the WLAN UE as the IKE initiating device and the gateway device (e.g., PDG or PDIF) as the IKE responding device. It will be appreciated that embodiments of the invention may also be applied to other devices employing IKEv2.
In the process of accessing the core network, the UE needs to access the WLAN first and then access the core network. In the prior art, the UE needs to authenticate to the AAA server both when accessing the WLAN and when accessing the core network. A UE that has been authenticated by the AAA server during WLAN access is referred to as a WLAN UE. In the prior art, the WLAN UE then has to authenticate to the AAA server through the gateway device in order to access the core network, and this core-network authentication involves many procedures and steps, which increases the burden on the AAA server. To address the complexity of the authentication process when the WLAN UE accesses the core network, the embodiment of the invention improves the process by which the WLAN UE accesses the core network by introducing an authentication-free mechanism, while the process by which the WLAN UE accesses the WLAN still follows the prior art. It can be understood that the embodiment of the present invention may be applied not only to the authentication process of the WLAN UE accessing the core network, but also to other scenarios using the IKE protocol.
The core network is exemplified by a third Generation mobile communication system (3rd Generation, 3G), and includes 3GPP and 3GPP2, where 3GPP is a standard for Wideband Code Division Multiple Access (WCDMA) and Time Division Synchronous Code Division Multiple Access (TD-SCDMA), and 3GPP2 is a standard for Code Division Multiple Access (CDMA) 2000. Under the two standards, the corresponding gateway devices are PDG under 3GPP and PDIF under 3GPP2, respectively.
The access information includes at least one of: the user identity (ID) of the WLAN UE; the identity of the access point the WLAN UE is to access, that is, the Access Point Name (APN); or the identity of the domain to which the WLAN UE belongs, represented by a realm or domain. The access information may also include other identification information, such as a Network Access Identity (NAI) or an International Mobile Subscriber Identity (IMSI).
Step 12: the IKE response equipment acquires an authentication-free condition, and when the access information meets the authentication-free condition, the IKE initiating equipment is determined to be authentication-free equipment;
wherein the authentication-exempt condition may be an authentication-exempt set, for example, at least one of the following sets: an authentication-free user ID set, an authentication-free APN set, an authentication-free realm set, or an authentication-free domain set, etc.
When at least one item of the access information belongs to the corresponding authentication-free set, the corresponding WLAN UE is an authentication-free user equipment. For example, when the access information includes a user ID and the user ID belongs to the authentication-free user ID set, the WLAN UE is an authentication-free user equipment; or, when the access information includes an APN and the APN belongs to the authentication-free APN set, the WLAN UE is an authentication-free user equipment; or, when the access information includes a realm and the realm belongs to the authentication-free realm set, the WLAN UE is an authentication-free user equipment; or, when the access information includes a domain and the domain belongs to the authentication-free domain set, the WLAN UE is an authentication-free user equipment.
Alternatively, the authentication-free condition may be an authentication-free policy; for example, subscription information is stored in the external device for each user ID, and the subscription information includes the user's authentication-free policy. When the gateway device receives the user ID, it obtains the corresponding authentication-free policy according to the user ID, where the authentication-free policy may be complete authentication-free or conditional authentication-free. Under complete authentication-free, no authentication is carried out for the user ID; under conditional authentication-free, a condition is set for the user ID, for example a condition that the rest of the access information (e.g., APN and/or realm and/or domain) must satisfy, and the WLAN UE is authentication-free when the condition is satisfied. For example, under conditional authentication-free an authentication-free APN set may be set for the user ID. In that case, when the authentication-free policy is obtained according to the user ID in the access information, the policy includes an authentication-free APN set, and when the APN in the access information belongs to that set, the WLAN UE is an authentication-free user equipment. It will be appreciated that the remaining access information (realm or domain) may be set in the same manner as described for the APN. Further, a condition that two or more parameters of the access information must satisfy may be set for the user ID, for example an authentication-free policy that includes both an authentication-free APN set and an authentication-free realm set, or other combinations.
The external device may be an AAA Server, a Policy and Charging Rules Function (PCRF), a Home Location Register (HLR), a Home Subscriber Server (HSS), or the like. The authentication-free condition is described above, however, it should be understood by those skilled in the art that the manner of setting the authentication-free condition is not limited to the above, and the embodiment of the present invention focuses on setting the authentication-free condition, and specifically how to set the authentication-free condition may be combined according to actual needs.
The authentication-free condition may be set in the IKE response device, or may be set outside the IKE response device, that is, in an external device. Therefore, "acquiring" in the embodiment of the present invention includes acquiring from itself and also acquiring from an external device.
Step 13: when the IKE response equipment determines that the IKE initiating equipment is authentication-exempt equipment, the IKE response equipment returns a first authentication response to the authentication-exempt equipment (IKE initiating equipment), and the first authentication response carries authentication success information.
That is, taking the process of accessing the core network by the WLAN UE as an example, the authentication-free user equipment does not need to authenticate with the AAA server, and directly returns an authentication success message.
By acquiring the authentication-free condition, the embodiment can skip authentication of the authentication-free IKE initiating equipment, thereby reducing the authentication delay and lightening the burden of the authentication equipment.
The embodiment of the invention takes an IKEv2 protocol as an example, and firstly, the IKEv2 protocol is briefly described:
The IKEv2 protocol is designed to establish a secure tunnel between two devices; its functions include establishing a signaling-plane secure tunnel between the two endpoints, implementing mutual authentication, negotiating data-plane tunnel parameters (IPsec protocol, algorithms, keys, etc.), and establishing a tunnel that secures data transmission between the two endpoints. The authentication methods include public key signature, shared key, and the Extensible Authentication Protocol (EAP). The initiator chooses one of them when it sends an authentication request to the responder in the third message of IKEv2; when the third message does not carry the AUTH parameter, the EAP authentication mode is used.
The IKEv2 standard defines the flow as follows: the 1st and 2nd messages negotiate the Security Association (SA) parameters (tunnel establishment parameters) of the tunnel used by IKE signaling. The messages from the third message onward are used in the authentication process; if the third message does not carry the Authentication (AUTH) payload, the initiator wants to use the EAP authentication process, and authentication proceeds until the responder returns an EAP message carrying authentication success or authentication failure. After the EAP authentication process is completed, the initiator sends the responder a message authenticating the 1st and 2nd messages, and the responder sends the initiator the tunnel establishment parameters for establishing a secure tunnel between the initiator and the responder.
In the embodiment of the present invention, whether the corresponding IKE initiating device is an authentication-exempt device is determined according to the third message of the IKEv2 protocol, and the embodiment of the present invention takes an authentication process of WLAN UE accessing a core network as an example.
Further, in implementation, the embodiment of the present invention may further set whether authentication is required for the 1 st and 2 nd messages of the IKEv2 protocol. When the 1 st message and the 2 nd message do not need to be authenticated, the IKE responder can return tunnel establishment parameters after authenticating the IKE initiator according to the third message; when the 1 st message and the 2 nd message need to be authenticated, after receiving the authentication result that the IKE responder authenticates the IKE initiator according to the third message, the IKE initiator initiates the authentication process of the 1 st message and the 2 nd message to the IKE responder. Fig. 2 in the following embodiments exemplifies that authentication of the 1 st and 2 nd messages is not required, and fig. 3 exemplifies that authentication of the 1 st and 2 nd messages is required.
Fig. 2 is a schematic flow chart of a method according to a second embodiment of the present invention, which includes:
Steps 21-22: the WLAN UE (initiator) and the PDG/PDIF (responder) exchange messages, where the messages are negotiation messages for negotiating tunnel establishment parameters, that is, the 1st and 2nd messages of the IKEv2 standard;
The 1st and 2nd messages are represented by IKE_SA_INIT in the IKEv2 protocol; the parameters carried in the 1st message include HDR, SAi1, KEi and Ni, and the parameters carried in the 2nd message include HDR, SAr1, KEr and Nr.
This step is a standard step in the IKEv2 standard and can be implemented by using the prior art, wherein the meaning of the parameters carried in the 1 st and 2 nd messages can be referred to the existing IKEv2 standard. The meaning of the parameters not specifically described in the subsequent steps and embodiments can also be referred to the existing IKEv2 standard.
Step 23: the WLAN UE sends a first authentication request IKE_AUTH to the PDG/PDIF, where the carried parameters comprise HDR, SK {IDi, SAi2, [CP,] TSi};
In this embodiment, the first authentication request IKE_AUTH does not carry an AUTH parameter, so according to the IKEv2 protocol an EAP authentication method is to be used.
Step 24: PDG/PDIF judges whether the WLAN UE passes the authentication-free check, if so, step 25 is executed, otherwise, step 26 is executed;
the PDG/PDIF may perform the authentication-free check according to the configured authentication-free set and/or the authentication-free policy, which may be specifically referred to in the following embodiments. The authentication-free set and/or the authentication-free policy may be stored in itself or in an external device, including but not limited to AAA server, PCRF, HLR, HSS, and the like.
Step 25: when the PDG/PDIF is pre-configured not to authenticate the 1st and 2nd messages, the PDG/PDIF sends a first authentication response (IKE_AUTH) carrying authentication success information and tunnel establishment parameters to the WLAN UE. The authentication process of accessing the WLAN UE to the core network then ends;
The first authentication response carries the tunnel establishment parameter information so that the WLAN UE and the PDG/PDIF can establish a secure tunnel.
That is, the parameters carried in the IKE_AUTH authentication response at this point include at least the authentication success information and the tunnel establishment parameter information; the IKE_AUTH authentication response shown in the figure carries the parameters HDR, SK {EAP(Success), [IDr,] SAr2, [CP,] TSr}. SK {EAP(Success)} indicates the authentication success information, IDr is the responder ID, and SAr2 and TSr are the tunnel establishment parameters.
Step 26: the PDG/PDIF sends an authentication request to the AAA server and the existing authentication procedure is carried out;
That is, a WLAN UE that does not pass the authentication-free check is still processed according to the original standard protocol flow, which keeps the method compatible with the standard IKEv2 protocol.
The embodiment can realize that the authentication-free WLAN UE is not authenticated to the AAA server in the process of accessing the WLAN UE into the core network by performing the authentication-free check, thereby simplifying the authentication process, reducing the authentication delay and lightening the burden of the AAA server. In this embodiment, the authentication is not performed on the 1 st and 2 nd messages, so that the flow can be further simplified and the performance can be improved.
Fig. 3 is a schematic flow chart of a method according to a third embodiment of the present invention, and is different from the second embodiment in that the responder does not set that authentication is not required for the 1 st and 2 nd messages. Referring to fig. 3, the present embodiment includes:
Steps 31-33: correspond to steps 21-23 and are not described again;
step 34: PDG/PDIF judges whether the WLAN UE passes the authentication-free check, if so, step 35 is executed, otherwise, step 36 is executed;
the PDG/PDIF may perform the authentication-free check according to the configured authentication-free set and/or authentication-free policy, where the authentication-free set and/or authentication-free policy may be stored in itself or in an external device, and the external device includes but is not limited to an AAA server, a PCRF, an HLR, and an HSS. See the examples that follow for details.
Step 35: when the PDG/PDIF is pre-configured so that the 1st and 2nd messages need to be authenticated, the PDG/PDIF sends a first authentication response (IKE_AUTH) carrying authentication success information to the WLAN UE; in this case the authentication response does not need to carry the tunnel establishment parameter information, that is, the parameters carried in the IKE_AUTH authentication response include the authentication success information, and the IKE_AUTH authentication response shown in the figure carries the parameters HDR, SK {EAP(Success), [IDr]}. SK {EAP(Success)} indicates the authentication success information and IDr is the responder ID.
Step 36: the PDG/PDIF sends an authentication request to the AAA server and the existing authentication procedure is carried out;
That is, a WLAN UE that does not pass the authentication-free check is still processed according to the original standard protocol flow, which keeps the method compatible with the standard IKEv2 protocol.
Step 37: the WLAN UE sends a second authentication request IKE_AUTH for the 1st and 2nd messages to the PDG/PDIF, where the carried parameters comprise HDR, SK {AUTH};
Step 38: the PDG/PDIF returns a second authentication response IKE_AUTH to the WLAN UE, where the carried parameters comprise HDR, SK {AUTH, SAr2, [CP,] TSr}. The authentication process of accessing the WLAN UE to the core network then ends;
in order to distinguish from the above authentication process for the WLAN UE, in the embodiment of the present invention, the authentication request and the authentication response involved in the authentication process for the WLAN UE are referred to as a first authentication request and a first authentication response, and the authentication request and the authentication response involved in the authentication process for the 1 st and 2 nd messages are referred to as a second authentication request and a second authentication response.
Steps 37 to 38 are compatible with the existing authentication procedure for the 1 st and 2 nd messages, and can be implemented by the existing technology.
The embodiment can realize that the authentication-free WLAN UE is not authenticated to the AAA server in the process of accessing the WLAN UE into the core network by performing the authentication-free check, thereby simplifying the authentication process, reducing the authentication delay and lightening the burden of the AAA server. The embodiment can realize the compatibility with the prior art by authenticating the 1 st message and the 2 nd message.
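As an added example (not code from the patent or from Huawei), the following Python models the responder's handling of the third IKEv2 message across the second and third embodiments: an IKE_AUTH request without AUTH selects the EAP path, the authentication-free check decides between the exempt path and the standard AAA flow, and the preconfigured choice about authenticating messages 1 and 2 decides whether the first authentication response carries the tunnel establishment parameters (fig. 2) or only EAP(Success) with a second IKE_AUTH exchange to follow (fig. 3). Messages are modelled as dicts of payload names; SK{} encryption, IKEv2 encoding and the AUTH computation are out of scope, and the `is_exempt` predicate and the `IkeMessage`/`ResponderConfig`/`Outcome` names are assumptions.

```python
"""Responder-side handling of the first IKE_AUTH request (third IKEv2 message)
with the authentication-free check.  Constructed model, not the patent's code:
payloads are plain dict entries, nothing is encrypted or encoded."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

AccessInfo = Dict[str, str]


@dataclass
class IkeMessage:
    exchange: str           # "IKE_SA_INIT" or "IKE_AUTH"
    hdr: Dict[str, object]  # HDR fields (SPIs, message ID, flags)
    sk: Dict[str, object]   # payloads carried inside SK{...}


@dataclass
class ResponderConfig:
    responder_id: str           # IDr returned in the first authentication response
    authenticate_sa_init: bool  # True: fig. 3 (messages 1 and 2 still authenticated)
    sar2: str                   # tunnel establishment parameters: SAr2, TSr, optional CP
    tsr: str
    cp: Optional[str] = None


@dataclass
class Outcome:
    action: str                     # "exempt", "forward_to_aaa" or "standard_flow"
    response: Optional[IkeMessage]  # first authentication response, if one is sent now
    expect_second_auth: bool        # fig. 3: a second IKE_AUTH (HDR, SK{AUTH}) must follow


def access_info_from_request(req: IkeMessage, apn: Optional[str] = None) -> AccessInfo:
    """Derive the access information from IDi given as an NAI 'user@realm'.
    Assumption: the APN, when known to the gateway, is passed in separately."""
    idi = str(req.sk.get("IDi", ""))
    user_id, _, realm = idi.partition("@")
    info: AccessInfo = {"user_id": user_id}
    if realm:
        info["realm"] = realm
    if apn:
        info["apn"] = apn
    return info


def handle_first_ike_auth(req: IkeMessage, cfg: ResponderConfig,
                          is_exempt: Callable[[AccessInfo], bool],
                          apn: Optional[str] = None) -> Outcome:
    """Steps 23-26 (fig. 2) and 33-36 (fig. 3) as seen from the PDG/PDIF."""
    if req.exchange != "IKE_AUTH":
        raise ValueError("expected the third IKEv2 message (IKE_AUTH)")
    if "AUTH" in req.sk:
        # AUTH present: signature or shared-key authentication; the
        # authentication-free path described in the embodiments is EAP-only.
        return Outcome("standard_flow", None, False)
    if not is_exempt(access_info_from_request(req, apn)):
        # Step 26/36: the request goes to the AAA server, unchanged IKEv2/EAP flow.
        return Outcome("forward_to_aaa", None, False)
    # Step 25/35: authentication success without any AAA round trip.
    hdr = dict(req.hdr, responder=True)
    sk: Dict[str, object] = {"EAP": "Success", "IDr": cfg.responder_id}
    if cfg.authenticate_sa_init:
        # Fig. 3: tunnel parameters are withheld until the second IKE_AUTH
        # exchange (HDR, SK{AUTH} / HDR, SK{AUTH, SAr2, [CP,] TSr}).
        return Outcome("exempt", IkeMessage("IKE_AUTH", hdr, sk), True)
    # Fig. 2: HDR, SK{EAP(Success), [IDr,] SAr2, [CP,] TSr}; the flow ends here.
    sk["SAr2"] = cfg.sar2
    if cfg.cp is not None:
        sk["CP"] = cfg.cp
    sk["TSr"] = cfg.tsr
    return Outcome("exempt", IkeMessage("IKE_AUTH", hdr, sk), False)


if __name__ == "__main__":
    # Constructed third message: HDR, SK{IDi, SAi2, [CP,] TSi} without AUTH.
    third = IkeMessage("IKE_AUTH", {"SPIi": "0x1", "SPIr": "0x2", "MsgID": 1},
                       {"IDi": "user1@wlan.example", "SAi2": "ESP", "TSi": "0.0.0.0/0"})
    cfg = ResponderConfig("pdg.example", authenticate_sa_init=False,
                          sar2="ESP", tsr="0.0.0.0/0")
    out = handle_first_ike_auth(third, cfg, lambda info: info.get("realm") == "wlan.example")
    print(out.action, sorted(out.response.sk), out.expect_second_auth)
```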
Whether the 1 st and 2 nd messages are authenticated or not, the authentication-free check can be realized by adopting the following embodiments.
Fig. 4 is a schematic flow chart of a method according to a fourth embodiment of the present invention, which includes:
Steps 41-42: correspond to steps 21-22 and are not described again;
Step 43: the PDG/PDIF obtains a pre-configured authentication-free set;
The PDG/PDIF may pre-configure the authentication-free set in itself or in an external device, and acquire the authentication-free set from itself or from the external device. The external device includes, but is not limited to, an AAA server, PCRF, HLR or HSS.
Step 44: the WLAN UE sends a first authentication request to the PDG/PDIF, where the first authentication request carries access information, and the access information is at least one of the following items: user ID, APN or realm/domain;
Step 45: the PDG/PDIF judges whether at least one item of the access information belongs to the authentication-free set; if so, step 46 is executed, otherwise step 47 is executed;
When at least one item of the access information belongs to the authentication-free set, the WLAN UE passes the authentication-free check; otherwise it does not. For example, suppose the pre-configured authentication-free set is an authentication-free user ID set, an authentication-free APN set, or an authentication-free realm/domain set, and the access information includes a user ID, an APN and a realm/domain. The PDG/PDIF may first determine whether the APN carried in the authentication request is in the authentication-free APN set, or whether the realm/domain carried in the authentication request is in the authentication-free realm/domain set, and then determine whether the user ID carried in the authentication request is in the authentication-free user ID set. When at least one item of the access information is in the authentication-free set, the check is passed.
Step 46: the PDG/PDIF returns a first authentication response to the WLAN UE, where the first authentication response at least carries authentication success information;
Step 47: the PDG/PDIF sends an authentication request to the AAA server and the existing authentication procedure is carried out;
That is, a WLAN UE that does not pass the authentication-free check is still processed according to the original standard protocol flow, which keeps the method compatible with the standard IKEv2 protocol.
When the PDG/PDIF is pre-configured not to authenticate the 1st and 2nd messages, the first authentication response also carries the tunnel establishment parameters; when the PDG/PDIF needs to authenticate the 1st and 2nd messages, the first authentication response may carry the authentication success information without the tunnel establishment parameter information, and the WLAN UE then further needs to initiate the authentication process for the 1st and 2nd messages to the PDG/PDIF. Reference may be made to the embodiments shown in fig. 2 or fig. 3; that is, steps 46-47 in this case correspond to steps 25-26 in fig. 2, or to steps 35-38 in fig. 3.
The embodiment can realize that the authentication-free WLAN UE is not authenticated to the AAA server in the process of accessing the WLAN UE into the core network through the authentication-free check, thereby simplifying the authentication process, reducing the authentication delay and lightening the equipment burden. The embodiment performs the authentication-free check by adopting a mode of pre-configuring the authentication-free set, so that the authentication-free set can be stored in the gateway, and the acquisition of the authentication-free information is accelerated.
Fig. 5 is a schematic flow chart of a method according to a fifth embodiment of the present invention, which includes:
Steps 51-52: correspond to steps 21-22 and are not described again;
Step 53: the WLAN UE sends a first authentication request to the PDG/PDIF, where the first authentication request carries a user ID;
Step 54: the PDG/PDIF sends a query request for the user's authentication-free policy to an external device (in the figure, an AAA server is taken as an example), where the query request carries the user ID; the external device stores subscription information corresponding to the user ID, and the subscription information includes the authentication-free policy. The external device includes, but is not limited to, an AAA server, PCRF, HLR or HSS;
Step 55: the external device returns the authentication-free policy corresponding to the user ID to the PDG/PDIF, where in this embodiment the authentication-free policy is complete authentication-free;
Step 56: when the authentication-free policy is complete authentication-free, the PDG/PDIF returns a first authentication response to the WLAN UE, where the authentication response at least carries authentication success information;
When the PDG/PDIF is pre-configured not to authenticate the 1st and 2nd messages, the first authentication response also carries the tunnel establishment parameter information; when the PDG/PDIF needs to authenticate the 1st and 2nd messages, the first authentication response may carry the authentication success information without the tunnel establishment parameter information, and the WLAN UE then further needs to initiate the authentication process for the 1st and 2nd messages to the PDG/PDIF. Reference may be made to the embodiments shown in fig. 2 or fig. 3; that is, step 56 in this case corresponds to step 25 in fig. 2, or to steps 35 and 37-38 in fig. 3.
The embodiment can realize that the authentication-free WLAN UE is not authenticated to the AAA server in the process of accessing the WLAN UE into the core network through the authentication-free check, thereby simplifying the authentication process, reducing the authentication delay and lightening the equipment burden. The embodiment adopts a mode of pre-configuring the authentication-free strategy to carry out authentication-free check, and can be beneficial to the unified management of operators on users.
Fig. 6 is a schematic flow chart of a method according to a sixth embodiment of the present invention, including:
steps 61-62: correspond to steps 51-52 and are not described again;
step 63: the WLAN UE sends a first authentication request to the PDG/PDIF, where the first authentication request carries a user ID and other access information, such as an APN or realm/domain;
step 64: the same as step 54, not described again;
step 65: the external device returns the authentication-free policy corresponding to the user ID to the PDG/PDIF, where in this embodiment the policy is conditional authentication-free;
step 66: when the authentication-free policy is conditional authentication-free, the PDG/PDIF checks whether the access information carried in the received first authentication request meets the condition in the authentication-free policy; if so, step 67 is executed, otherwise step 68 is executed;
for example, the conditional authentication-free policy may state that a WLAN UE passes the authentication-free check when: the APN corresponding to the user ID belongs to a specific APN; or the realm/domain corresponding to the user ID belongs to a specific realm/domain; or both the realm/domain corresponding to the user ID belongs to the specific realm/domain and the APN corresponding to the user ID belongs to the specific APN. The specific APN and realm/domain are configured in advance in the authentication-free policy.
step 67: the PDG/PDIF returns a first authentication response to the WLAN UE, where the first authentication response carries at least authentication success information;
step 68: the PDG/PDIF sends an authentication request to the AAA server and the existing authentication processing is performed.
When the PDG/PDIF is pre-configured not to authenticate the 1st and 2nd messages, the first authentication response also carries the tunnel establishment parameters; when the PDG/PDIF needs to authenticate the 1st and 2nd messages, the first authentication response may carry authentication success information without tunnel establishment parameter information, and the WLAN UE then further needs to initiate an authentication process for the 1st and 2nd messages towards the PDG/PDIF. Reference may be made to the embodiments shown in fig. 2 or fig. 3: steps 67-68 here correspond to steps 25-26 in fig. 2, or to steps 35-38 in fig. 3.
In this embodiment, a WLAN UE that passes the authentication-free check is not authenticated against the AAA server while it accesses the core network, which simplifies the authentication process, reduces authentication delay and lightens the equipment load. The authentication-free check uses a pre-configured authentication-free policy, which helps operators manage users in a unified way, and the conditions in the policy allow different kinds of authentication-free treatment.
Fig. 7 is a schematic flow chart of a method according to a seventh embodiment of the present invention, which includes:
steps 701-704: correspond to steps 41-44 and are not described again;
step 705: the PDG/PDIF judges whether at least one item of the access information belongs to the authentication-free set; if so, step 709 is executed, otherwise step 706 is executed;
when at least one item of the access information belongs to the authentication-free set, the WLAN UE passes the authentication-free check; otherwise it does not. For example, the pre-configured authentication-free set is an authentication-free user ID set, an authentication-free APN set or an authentication-free realm/domain set, and the access information includes a user ID, an APN and a realm/domain. The PDG/PDIF may first determine whether the APN carried in the authentication request is in the authentication-free APN set, or whether the realm/domain carried in the authentication request is in the authentication-free realm/domain set, and then determine whether the user ID carried in the authentication request is in the authentication-free user ID set. When at least one item of the access information is in the authentication-free set, the check is passed.
step 706: the same as step 54, not described again;
step 707: the external device returns the authentication-free policy corresponding to the user ID to the PDG/PDIF, where the policy may be complete authentication-free or conditional authentication-free;
step 708: the PDG/PDIF judges whether the access information meets the requirement of the authentication-free policy; if so, step 709 is executed, otherwise step 710 is executed;
the authentication-free policy may be complete authentication-free or conditional authentication-free, and the judgment is made according to the type of policy; see the embodiments shown in fig. 5 or fig. 6.
steps 709-710: correspond to steps 67-68 and are not described again.
In this embodiment, a WLAN UE that passes the authentication-free check is not authenticated against the AAA server while it accesses the core network, which simplifies the authentication process, reduces authentication delay and lightens the equipment load. Combining a pre-configured authentication-free set with an authentication-free policy improves the accuracy of the authentication-free check.
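The PDG/PDIF decision of steps 705-710 above, written out as an added example (not the patent's or any vendor's code); it also covers the complete and conditional policies of figs. 5 and 6 and the choice of first-response contents from the preceding paragraphs. All names, data structures and sample values are assumptions, including the reading of the realm/domain as the part after '@' of the user ID.

```python
"""Authentication-free decision at the IKE responder (PDG/PDIF), modelled on
fig. 7: step 705 (pre-configured set), steps 706-708 (subscriber policy from an
external device), steps 709-710 (exempt response or standard AAA flow)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class PolicyKind(Enum):
    NONE = "none"                # nothing on file: standard AAA authentication
    COMPLETE = "complete"        # "complete authentication-free" (fig. 5)
    CONDITIONAL = "conditional"  # "conditional authentication-free" (fig. 6)

@dataclass(frozen=True)
class AuthFreePolicy:
    kind: PolicyKind
    # Conditions for CONDITIONAL. An empty set leaves that item unconstrained, so
    # apns alone, realms alone, or both (AND) give the three cases in the text.
    apns: frozenset = frozenset()
    realms: frozenset = frozenset()

@dataclass(frozen=True)
class AccessInfo:
    user_id: str                 # access information carried in the 1st auth request
    apn: Optional[str] = None
    realm: Optional[str] = None

@dataclass(frozen=True)
class AuthFreeSet:
    """Pre-configured authentication-free set stored in the gateway."""
    user_ids: frozenset
    apns: frozenset
    realms: frozenset

class Decision(Enum):
    AUTH_FREE = "auth-free"  # step 709: first authentication response, success
    AAA = "aaa"              # step 710: forward to the AAA server, standard flow

def realm_of(user_id: str) -> Optional[str]:
    """Realm/domain 'corresponding to the user ID', assumed here to be the part
    after '@' of an NAI-style identity (assumption, not stated by the page)."""
    _, sep, realm = user_id.rpartition("@")
    return realm if sep and realm else None

def in_auth_free_set(info: AccessInfo, s: AuthFreeSet) -> bool:
    """Step 705: exempt if at least one item belongs to the set; APN and realm
    are checked before the user ID, as the description suggests."""
    return ((info.apn is not None and info.apn in s.apns)
            or (info.realm is not None and info.realm in s.realms)
            or info.user_id in s.user_ids)

def policy_allows(info: AccessInfo, policy: AuthFreePolicy) -> bool:
    """Step 708: complete -> exempt; conditional -> every configured condition
    must hold; anything else, including an empty conditional, fails closed."""
    if policy.kind is PolicyKind.COMPLETE:
        return True
    if policy.kind is PolicyKind.CONDITIONAL and (policy.apns or policy.realms):
        apn_ok = not policy.apns or info.apn in policy.apns
        realm_ok = not policy.realms or info.realm in policy.realms
        return apn_ok and realm_ok
    return False

def decide(info: AccessInfo, auth_free_set: AuthFreeSet,
           fetch_policy: Callable[[str], AuthFreePolicy]) -> Decision:
    """Steps 705-710 combined: the set first, then the subscriber's policy."""
    if info.realm is None:
        info = AccessInfo(info.user_id, info.apn, realm_of(info.user_id))
    if in_auth_free_set(info, auth_free_set):
        return Decision.AUTH_FREE
    policy = fetch_policy(info.user_id)  # steps 706-707: query external device
    return Decision.AUTH_FREE if policy_allows(info, policy) else Decision.AAA

def first_auth_response(decision: Decision, negotiation_needs_auth: bool):
    """First authentication response for an exempt UE: success always; tunnel
    establishment parameters only when the PDG/PDIF is pre-configured not to
    authenticate the 1st and 2nd messages. None means the standard AAA flow."""
    if decision is not Decision.AUTH_FREE:
        return None
    response = {"auth_success": True}
    if not negotiation_needs_auth:
        response["tunnel_params"] = {"inner_ip": "192.0.2.10"}  # constructed
    return response

# Constructed sample configuration (not from the page).
AUTH_FREE_SET = AuthFreeSet(frozenset({"sensor-001@iot.example"}),
                            frozenset({"operator-internal"}),
                            frozenset({"trusted.example"}))
SUBSCRIPTION_POLICIES = {
    "alice@corp.example": AuthFreePolicy(PolicyKind.COMPLETE),
    "bob@corp.example": AuthFreePolicy(PolicyKind.CONDITIONAL,
                                       apns=frozenset({"corp-vpn"})),
    "carol@corp.example": AuthFreePolicy(PolicyKind.CONDITIONAL,
                                         apns=frozenset({"corp-vpn"}),
                                         realms=frozenset({"corp.example"})),
}

def lookup_policy(user_id: str) -> AuthFreePolicy:
    """Stand-in for the query to the AAA/HSS/PCRF/HLR in steps 706-707."""
    return SUBSCRIPTION_POLICIES.get(user_id, AuthFreePolicy(PolicyKind.NONE))
```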
The above embodiments take the IKEv2 authentication process in the PDG/PDIF and the EAP authentication method as examples, and use the user ID, APN and realm/domain as examples of authentication-free information; it is understood that the embodiments of the present invention are not limited to these and may be applied to other devices, authentication methods and authentication-free information.
The embodiments of the present invention can perform an authentication-free check on a UE that meets the authentication-free condition, which reduces signaling interaction in the authentication process and improves the processing capacity of the equipment; when the authentication-free condition is not met, the standard process is followed, so compatibility with it is retained. Only authentication success information needs to be carried in the authentication response, which reduces the number of messages exchanged with the AAA server. Fewer messages lower the computation requirement on the AAA server, its deployment requirement and the operating cost. The embodiments remain compatible with the existing standard protocol and support the standard protocol flow.
Fig. 8 is a schematic structural diagram of an IKE response apparatus according to an eighth embodiment of the present invention, which includes a first receiving module 81, a determining module 82, and a first sending module 83. The first receiving module 81 is configured to receive a first authentication request sent by a wireless local area network user equipment, where the first authentication request carries access information; the determining module 82 is configured to obtain an authentication-free condition, and determine that the wireless local area network user equipment is authentication-free user equipment when the access information meets the authentication-free condition; the first sending module 83 is configured to return a first authentication response to the authentication-free user equipment, where the first authentication response carries authentication success information.
Specifically, the negotiation process and the authentication-free process executed by each module may refer to the above embodiments, and are not described in detail.
By acquiring the authentication-free condition, this embodiment can skip authentication of an authentication-free IKE initiating device, reducing authentication delay and lightening the load of the authentication equipment.
Fig. 9 is a schematic structural diagram of an IKE response apparatus according to a ninth embodiment of the present invention. Unlike the eighth embodiment, this embodiment further includes a first negotiation module 94, and the first sending module 83 includes a first unit 931. The first unit 931 is configured to return a first authentication response to the authentication-free user equipment when it is preset that the negotiation messages need not be authenticated, where the first authentication response carries authentication success information and a tunnel establishment parameter; the first negotiation module 94 is configured to exchange messages with the IKE initiating device, where the messages are negotiation messages for negotiating tunnel establishment parameters.
Specifically, the negotiation process and the authentication-free process executed by each module may refer to the above embodiments, and are not described in detail.
Through the authentication-free check, this embodiment can skip authentication of an authentication-free user, which simplifies the authentication process, reduces authentication delay and reduces the load of the authentication equipment. In this embodiment the 1st and 2nd messages are not authenticated, which further simplifies the flow and improves performance.
Fig. 10 is a schematic structural diagram of an IKE response apparatus according to a tenth embodiment of the present invention. Unlike the eighth embodiment, this embodiment further includes a first negotiation module 104, a second receiving module 105 and a second sending module 106, and the first sending module 83 includes a second unit 1032. The second unit 1032 is configured to return a first authentication response to the authentication-free user equipment when it is preset that the negotiation messages need to be authenticated, where the first authentication response carries authentication success information; the first negotiation module 104 is configured to exchange messages with the IKE initiating device, where the messages are negotiation messages for negotiating a tunnel establishment parameter; the second receiving module 105 is configured to receive a second authentication request sent by the IKE initiating device for authenticating the negotiation messages; the second sending module 106 is configured to send a second authentication response corresponding to the second authentication request to the IKE initiating device, where the second authentication response carries a tunnel establishment parameter.
Specifically, the negotiation process and the authentication-free process executed by each module may refer to the above embodiments, and are not described in detail.
Through the authentication-free check, this embodiment can skip authentication of an authentication-free user, which simplifies the authentication process, reduces authentication delay and reduces the authentication load. The embodiment remains compatible with the prior art by authenticating the 1st and 2nd messages.
Fig. 11 is a schematic structural diagram of an IKE response apparatus according to an eleventh embodiment of the present invention, and different from the eighth embodiment, the determining module 82 of this embodiment includes a third unit 1121, a fourth unit 1122, a fifth unit 1123, a sixth unit 1124, and a seventh unit 1125.
The third unit 1121 is configured to acquire a preset authentication-free set from itself or from an external device, and to determine that the wireless local area network user equipment is authentication-free user equipment when at least one item of the access information belongs to the authentication-free set. In this case the access information includes at least one of: a user identifier, an access point name and a domain identifier; the authentication-free set includes at least one of: an authentication-free user identifier set, an authentication-free access point name set and an authentication-free domain identifier set.
The fourth unit 1122 is configured to obtain an authentication-free policy corresponding to the user identifier from itself or from an external device, and to determine that the IKE initiating device is an authentication-free device when the authentication-free policy is complete authentication-free; in this case the access information carries the user identifier of the IKE initiating device.
The fifth unit 1123 is configured to obtain an authentication-free policy corresponding to the user identifier from itself or from an external device, and to determine that the IKE initiating device is an authentication-free device when the authentication-free policy is conditional authentication-free and the parameter information contained in the access information meets the condition of the authentication-free policy, where the condition of the authentication-free policy indicates that at least one of the following items corresponding to the user identifier needs to be met: access point name, domain identifier. In this case the access information includes the user identifier of the IKE initiating device and also at least one of the following parameter information: access point name, domain identifier.
The sixth unit 1124 is configured to obtain a preset authentication-free set from itself or from an external device and, when no item of the access information belongs to the authentication-free set, to obtain an authentication-free policy corresponding to the user identifier from itself or from an external device; the seventh unit 1125 is configured to determine that the IKE initiating device is an authentication-free device when the authentication-free policy is complete authentication-free, or when the authentication-free policy is conditional authentication-free and the parameter information carried in the access information meets the condition of the authentication-free policy, where the condition of the authentication-free policy indicates that at least one of the following items corresponding to the user identifier needs to be met: access point name, domain identifier. In this case the access information includes the user identifier of the IKE initiating device and also at least one of the following parameter information: access point name, domain identifier.
Specifically, the negotiation process and the authentication-free process executed by each module may refer to the above embodiments, and are not described in detail.
Through the authentication-free check, this embodiment spares authentication-free devices from authentication, which simplifies the authentication process, reduces authentication delay and reduces the equipment load. The authentication-free check uses a pre-configured authentication-free set and/or authentication-free policy, which allows the check to be diversified.
Fig. 12 is a schematic flow chart of a method according to a twelfth embodiment of the present invention, including:
step 121: the IKE initiating device sends a first authentication request to the IKE responding device, where the first authentication request carries access information;
further, step 121 may be preceded by:
the IKE initiating device and the IKE responding device exchanging messages, where the messages are negotiation messages for negotiating tunnel establishment parameters;
step 122: the IKE initiating device receives a first authentication response returned by the IKE responding device, where the first authentication response carries authentication success information, and the first authentication response is sent by the IKE responding device when the access information meets the authentication-free condition obtained by the IKE responding device;
the IKE responding device may determine whether the access information meets the authentication-free condition it obtained by the method of the above embodiments, which is not described again;
specifically, step 122 may include:
when it is preset that the negotiation messages need not be authenticated, receiving a first authentication response returned by the IKE responding device, where the first authentication response carries authentication success information and tunnel establishment parameters;
or,
when it is preset that the negotiation messages need to be authenticated, receiving a first authentication response returned by the IKE responding device, where the first authentication response carries authentication success information; in this case, after step 122, the method further includes: the IKE initiating device sends a second authentication request for authenticating the negotiation messages to the IKE responding device, and receives a second authentication response corresponding to the second authentication request from the IKE responding device, where the second authentication response carries the tunnel establishment parameters.
The negotiation process and the authentication-free process can be referred to the above embodiments, and are not described in detail.
The embodiment can realize that the authentication-free IKE initiating equipment is not authenticated in the IKE authentication process by carrying out authentication-free check, thereby simplifying the authentication flow, reducing the authentication delay and lightening the burden of the authentication equipment.
Fig. 13 is a schematic structural diagram of an IKE initiating device according to a thirteenth embodiment of the present invention, including a third sending module 131 and a third receiving module 132, where the third sending module 131 is configured to send a first authentication request to an IKE responding device, where the first authentication request carries access information; the third receiving module 132 is configured to receive a first authentication response returned by the IKE response device, where the first authentication response carries authentication success information, and the first authentication response is sent by the IKE response device when the access information meets an authentication exempting condition obtained by the IKE response device.
Further, this embodiment may include a second negotiation module 133, configured to exchange messages with the IKE response device, where the messages are negotiation messages for negotiating a tunnel establishment parameter.
In this case, the third receiving module 132 may include an eighth unit 1321, configured to receive a first authentication response returned by the IKE response device when it is preset that the negotiation messages need not be authenticated, where the first authentication response carries authentication success information and a tunnel establishment parameter;
or, the third receiving module 132 may include a ninth unit 1322, configured to receive a first authentication response returned by the IKE response device when it is preset that the negotiation messages need to be authenticated, where the first authentication response carries authentication success information; in this case, the embodiment further includes a fourth sending module 134 and a fourth receiving module 135, where the fourth sending module 134 is configured to send a second authentication request for authenticating the negotiation messages to the IKE response device, and the fourth receiving module 135 is configured to receive a second authentication response corresponding to the second authentication request from the IKE response device, where the second authentication response carries a tunnel establishment parameter.
Specifically, the negotiation process and the authentication-free process executed by each module may refer to the above embodiments, and are not described in detail.
The embodiment can realize that the authentication-free IKE initiating equipment is not authenticated in the IKE authentication process by carrying out authentication-free check, thereby simplifying the authentication flow, reducing the authentication delay and lightening the burden of the authentication equipment.
Fig. 14 is a schematic structural diagram of an IKE authentication system according to a fourteenth embodiment of the present invention, including an IKE initiating device 141 and an IKE responding device 142. The IKE initiating device 141 is configured to send a first authentication request to the IKE responding device, where the first authentication request carries access information; the IKE responding device 142 is configured to obtain an authentication-free condition, determine that the IKE initiating device is an authentication-free device when the access information meets the authentication-free condition, and return a first authentication response to the authentication-free device, where the first authentication response carries authentication success information.
Specifically, the IKE initiating device in this embodiment may be specifically the IKE initiating device shown in fig. 13, and the IKE responding device may be specifically the IKE responding device shown in any one of fig. 8 to 11.
Specifically, the negotiation process and the authentication-free process executed by each module may refer to the above embodiments, and are not described in detail.
The embodiment can realize that the authentication-free IKE initiating equipment is not authenticated in the IKE authentication process by carrying out authentication-free check, thereby simplifying the authentication flow, reducing the authentication delay and lightening the burden of the authentication equipment.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be implemented by program instructions executed by hardware; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and do not limit them. Although the present invention is described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that modifications and equivalents may be made to the invention without departing from its spirit and scope.

Claims (24)

1. A method of key exchange IKE authentication, comprising:
receiving a first authentication request sent by IKE initiating equipment, wherein the first authentication request carries access information;
obtaining an authentication-free condition, and determining that the IKE initiating equipment is authentication-free equipment when the access information meets the authentication-free condition;
and returning a first authentication response to the authentication-free equipment, wherein the first authentication response carries authentication success information.
2. The method according to claim 1, wherein
before the receiving of the first authentication request sent by the IKE initiating device, the method further includes: exchanging messages with the IKE initiating device, where the messages are negotiation messages for negotiating tunnel establishment parameters;
the returning of the first authentication response carrying authentication success information to the authentication-free device includes: when it is preset that the negotiation messages need not be authenticated, returning a first authentication response to the authentication-free device, where the first authentication response carries authentication success information and tunnel establishment parameters.
3. The method according to claim 1, wherein
before the receiving of the first authentication request sent by the IKE initiating device, the method further includes: exchanging messages with the IKE initiating device, where the messages are negotiation messages for negotiating tunnel establishment parameters;
the returning of the first authentication response carrying authentication success information to the authentication-free device includes: when it is preset that the negotiation messages need to be authenticated, returning a first authentication response to the authentication-free device, where the first authentication response carries authentication success information;
after the returning of the first authentication response to the authentication-exempt device, the method further includes:
receiving a second authentication request sent by the IKE initiating equipment and used for authenticating the negotiation message;
and sending a second authentication response corresponding to the second authentication request to the IKE initiating equipment, wherein the second authentication response carries the tunnel establishment parameters.
4. The method according to any one of claims 1 to 3, wherein the obtaining of the authentication-free condition and the determining that the IKE initiating device is an authentication-free device when the access information meets the authentication-free condition include:
acquiring a preset authentication-free set from the IKE response device itself or from an external device, and determining that the IKE initiating device is an authentication-free device when at least one item of the access information belongs to the authentication-free set.
5. The method according to claim 4, wherein
the access information comprises at least one of the following items: a user identification, an access point name, or a domain identification;
the authentication-exempt set includes at least one of: an authentication-free user identification set, an authentication-free access point name set or an authentication-free domain identification set.
6. The method according to any one of claims 1 to 3, wherein
the access information comprises a user identifier of the IKE initiating device;
the obtaining of the authentication-free condition and the determining that the IKE initiating device is an authentication-free device when the access information meets the authentication-free condition include:
acquiring an authentication-free policy corresponding to the user identifier from the IKE response device itself or from an external device;
and when the authentication-free strategy corresponding to the user identification is completely authentication-free, determining that the IKE initiating equipment is authentication-free equipment.
7. The method according to any one of claims 1 to 3, wherein
the access information comprises a user identifier of the IKE initiating device and at least one of the following parameter information: an access point name or a domain identifier;
the obtaining of the authentication-free condition and the determining that the IKE initiating device is an authentication-free device when the access information meets the authentication-free condition include:
acquiring an authentication-free policy corresponding to the user identifier from the IKE response device itself or from an external device;
when the authentication-free policy corresponding to the user identifier is conditional authentication-free and the parameter information included in the access information meets the conditions of the authentication-free policy, determining that the IKE initiating device is an authentication-free device, where the conditions of the authentication-free policy are used to indicate that at least one of the following items corresponding to the user identifier needs to be met: access point name or domain identification.
8. The method according to any one of claims 1 to 3, wherein
the access information comprises a user identifier of the IKE initiating device and at least one of the following parameter information: an access point name or a domain identifier;
the obtaining of the authentication-free condition and the determining that the IKE initiating device is an authentication-free device when the access information meets the authentication-free condition include:
acquiring a preset authentication-free set from the IKE response device itself or from an external device, and, when no item of the access information belongs to the authentication-free set, acquiring an authentication-free policy corresponding to the user identifier from the IKE response device itself or from an external device;
when the authentication-free strategy corresponding to the user identifier is completely authentication-free, or when the authentication-free strategy corresponding to the user identifier is conditional authentication-free and the parameter information included in the access information meets the conditions of the authentication-free strategy, determining that the IKE initiating equipment is authentication-free equipment, wherein the conditions of the authentication-free strategy are used for indicating the conditions that at least one of the following items corresponding to the user identifier needs to be met: access point name or domain identification.
9. An Internet Key Exchange (IKE) authentication method, comprising:
sending a first authentication request to an IKE response device, wherein the first authentication request carries access information; and
receiving a first authentication response returned by the IKE response device, wherein the first authentication response carries authentication success information and is sent by the IKE response device when the access information meets an authentication-free condition acquired by the IKE response device.
10. The method according to claim 9, wherein
before sending the first authentication request to the IKE response device, the method further comprises: exchanging messages with the IKE response device, wherein the messages are negotiation messages used to negotiate tunnel establishment parameters; and
receiving the first authentication response returned by the IKE response device, wherein the first authentication response carries authentication success information, comprises:
when the negotiation messages are preset as not requiring authentication, receiving a first authentication response returned by the IKE response device, wherein the first authentication response carries authentication success information and the tunnel establishment parameters.
11. The method according to claim 9, wherein
before sending the first authentication request to the IKE response device, the method further comprises: exchanging messages with the IKE response device, wherein the messages are negotiation messages used to negotiate tunnel establishment parameters;
receiving the first authentication response returned by the IKE response device, wherein the first authentication response carries authentication success information, comprises: when the negotiation messages are preset as requiring authentication, receiving a first authentication response returned by the IKE response device, wherein the first authentication response carries authentication success information; and
after receiving the first authentication response returned by the IKE response device, the method further comprises:
sending a second authentication request, used to authenticate the negotiation messages, to the IKE response device; and
receiving a second authentication response corresponding to the second authentication request from the IKE response device, wherein the second authentication response carries the tunnel establishment parameters.
12. An Internet Key Exchange (IKE) response device, comprising:
a first receiving module, configured to receive a first authentication request sent by an IKE initiating device, wherein the first authentication request carries access information;
a determining module, configured to acquire an authentication-free condition and to determine that the IKE initiating device is an authentication-free device when the access information meets the authentication-free condition; and
a first sending module, configured to return a first authentication response to the authentication-free device, wherein the first authentication response carries authentication success information.
13. The device according to claim 12, further comprising:
a first negotiation module, configured to exchange messages with the IKE initiating device, wherein the messages are negotiation messages used to negotiate tunnel establishment parameters;
wherein the first sending module comprises a first unit configured to return a first authentication response to the authentication-free device when the negotiation messages are preset as not requiring authentication, the first authentication response carrying authentication success information and the tunnel establishment parameters.
14. The device according to claim 12, further comprising:
a first negotiation module, configured to exchange messages with the IKE initiating device, wherein the messages are negotiation messages used to negotiate tunnel establishment parameters;
wherein the first sending module comprises a second unit configured to return a first authentication response to the authentication-free device when the negotiation messages are preset as requiring authentication, the first authentication response carrying authentication success information;
the device further comprising:
a second receiving module, configured to receive a second authentication request, sent by the IKE initiating device and used to authenticate the negotiation messages; and
a second sending module, configured to send a second authentication response corresponding to the second authentication request to the IKE initiating device, wherein the second authentication response carries the tunnel establishment parameters.
15. The device according to any one of claims 12 to 14, wherein
the determining module comprises a third unit configured to acquire a preset authentication-free set from the IKE initiating device or from an external device, and to determine that the IKE initiating device is an authentication-free device when at least one item of the access information belongs to the authentication-free set.
16. The device according to any one of claims 12 to 14, wherein
the access information carries a user identifier of the IKE initiating device; and
the determining module comprises a fourth unit configured to acquire an authentication-free policy corresponding to the user identifier from the IKE response device itself or from an external device, and to determine that the IKE initiating device is an authentication-free device when the authentication-free policy corresponding to the user identifier is completely authentication-free.
17. The device according to any one of claims 12 to 14, wherein
the access information comprises a user identifier of the IKE initiating device and at least one of the following parameters: an access point name or a domain identifier; and
the determining module comprises a fifth unit configured to acquire an authentication-free policy corresponding to the user identifier from the IKE response device itself or from an external device, and to determine that the IKE initiating device is an authentication-free device when the authentication-free policy corresponding to the user identifier is conditionally authentication-free and the parameters included in the access information meet the conditions of the authentication-free policy, wherein the conditions of the authentication-free policy specify that at least one of the following items corresponding to the user identifier must be met: the access point name or the domain identifier.
18. The device according to any one of claims 12 to 14, wherein
the access information comprises a user identifier of the IKE initiating device and at least one of the following parameters: an access point name or a domain identifier;
the determining module comprises a sixth unit and a seventh unit;
the sixth unit is configured to acquire a preset authentication-free set from the IKE response device itself or from an external device and, when the access information does not belong to the authentication-free set, to acquire an authentication-free policy corresponding to the user identifier from the IKE response device itself or from the external device; and
the seventh unit is configured to determine that the IKE initiating device is an authentication-free device when the authentication-free policy corresponding to the user identifier is completely authentication-free, or when the authentication-free policy corresponding to the user identifier is conditionally authentication-free and the parameters carried in the access information satisfy the conditions of the authentication-free policy, wherein the conditions of the authentication-free policy specify that at least one of the following items corresponding to the user identifier must be met: the access point name or the domain identifier.
19. An Internet Key Exchange (IKE) initiating device, comprising:
a third sending module, configured to send a first authentication request to an IKE response device, wherein the first authentication request carries access information; and
a third receiving module, configured to receive a first authentication response returned by the IKE response device, wherein the first authentication response carries authentication success information and is sent by the IKE response device when the access information meets an authentication-free condition acquired by the IKE response device.
20. The device according to claim 19, further comprising:
a second negotiation module, configured to exchange messages with the IKE response device, wherein the messages are negotiation messages used to negotiate tunnel establishment parameters;
wherein the third receiving module comprises an eighth unit configured to receive a first authentication response returned by the IKE response device when the negotiation messages are preset as not requiring authentication, the first authentication response carrying authentication success information and the tunnel establishment parameters.
21. The device according to claim 19, further comprising:
a second negotiation module, configured to exchange messages with the IKE response device, wherein the messages are negotiation messages used to negotiate tunnel establishment parameters;
wherein the third receiving module comprises a ninth unit configured to receive a first authentication response returned by the IKE response device when the negotiation messages are preset as requiring authentication, the first authentication response carrying authentication success information;
the device further comprising:
a fourth sending module, configured to send a second authentication request, used to authenticate the negotiation messages, to the IKE response device; and
a fourth receiving module, configured to receive a second authentication response corresponding to the second authentication request from the IKE response device, wherein the second authentication response carries the tunnel establishment parameters.
22. An Internet Key Exchange (IKE) authentication system, comprising:
an IKE initiating device, configured to send a first authentication request to an IKE response device, wherein the first authentication request carries access information; and
the IKE response device, configured to acquire an authentication-free condition, to determine that the IKE initiating device is an authentication-free device when the access information meets the authentication-free condition, and to return a first authentication response to the authentication-free device, wherein the first authentication response carries authentication success information.
23. The system according to claim 22, wherein the IKE initiating device is a device according to any one of claims 19 to 21.
24. The system according to claim 22, wherein the IKE response device is a device according to any one of claims 12 to 18.
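The responder-side decision of claims 8 and 18 (preset authentication-free set first, then a per-user policy that is either complete or conditional on access point name or domain) and the two message flows of claims 10/11 (tunnel parameters returned at once when the negotiation messages need no prior authentication, otherwise withheld until a second authentication round), modelled together as an added Python example. This is not code from the patent or from any Huawei product. The patent does not specify how the second authentication request authenticates the negotiation messages, so the example assumes an HMAC-SHA256 tag under a pre-shared key; the user identifiers, APNs, domain, policy table and tunnel parameters are constructed sample data.

```python
# Added example (not from the patent): toy model of the authentication-free
# decision (claims 8/18) and the one-round vs. two-round flows (claims 10/11).
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional


class Policy(Enum):
    NORMAL = "normal"            # no exemption: full IKE authentication follows
    COMPLETE = "complete"        # completely authentication-free
    CONDITIONAL = "conditional"  # free only if the APN or domain condition holds


@dataclass(frozen=True)
class PolicyEntry:
    kind: Policy
    apns: FrozenSet[str] = frozenset()     # APNs accepted for CONDITIONAL
    domains: FrozenSet[str] = frozenset()  # domains accepted for CONDITIONAL


@dataclass(frozen=True)
class AccessInfo:
    user_id: str
    apn: Optional[str] = None
    domain: Optional[str] = None


class Responder:
    """IKE response device: decides exemption and answers both rounds."""

    def __init__(self, free_set: Iterable[str], policies: Dict[str, PolicyEntry],
                 psk: bytes, negotiation_needs_auth: bool) -> None:
        self.free_set = frozenset(free_set)   # preset authentication-free set
        self.policies = dict(policies)        # user identifier -> policy
        self.psk = psk                        # assumption: shared key for round two
        self.negotiation_needs_auth = negotiation_needs_auth
        self.tunnel_params = {"esp": "aes-256-gcm", "lifetime": 3600}  # constructed

    def is_auth_free(self, info: AccessInfo) -> bool:
        # Step 1: any item of the access information in the preset set exempts.
        items = {info.user_id, info.apn, info.domain} - {None}
        if items & self.free_set:
            return True
        # Step 2: otherwise consult the policy bound to the user identifier.
        entry = self.policies.get(info.user_id, PolicyEntry(Policy.NORMAL))
        if entry.kind is Policy.COMPLETE:
            return True
        if entry.kind is Policy.CONDITIONAL:
            # At least one of APN / domain must match the policy's conditions.
            return info.apn in entry.apns or info.domain in entry.domains
        return False

    def handle_first_request(self, info: AccessInfo) -> dict:
        if not self.is_auth_free(info):
            return {"auth": "required"}  # falls back to normal IKE authentication
        if not self.negotiation_needs_auth:
            return {"auth": "success", "tunnel_params": self.tunnel_params}
        return {"auth": "success"}  # parameters withheld until round two

    def handle_second_request(self, negotiation_msg: bytes, tag: bytes) -> dict:
        expected = hmac.new(self.psk, negotiation_msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return {"auth": "failed"}
        return {"auth": "success", "tunnel_params": self.tunnel_params}


def run_initiator(responder: Responder, info: AccessInfo,
                  negotiation_msg: bytes, psk: bytes) -> dict:
    """IKE initiating device (claims 9 to 11): returns the final response."""
    resp = responder.handle_first_request(info)
    if resp.get("auth") != "success" or "tunnel_params" in resp:
        return resp  # either not exempt, or the one-round flow already finished
    tag = hmac.new(psk, negotiation_msg, hashlib.sha256).digest()
    return responder.handle_second_request(negotiation_msg, tag)


# Constructed sample data.
FREE_SET = {"corp.example"}  # a domain placed in the preset set
POLICIES = {
    "alice": PolicyEntry(Policy.COMPLETE),
    "bob": PolicyEntry(Policy.CONDITIONAL, apns=frozenset({"ims"})),
}
PSK = b"constructed-pre-shared-key"
NEGOTIATION = b"SA-proposal:aes-256-gcm;dh-group:14"  # constructed negotiation message


def demo(negotiation_needs_auth: bool) -> Dict[str, dict]:
    """Run every sample initiator against one responder configuration."""
    responder = Responder(FREE_SET, POLICIES, PSK, negotiation_needs_auth)
    cases = {
        "alice": AccessInfo("alice", apn="internet"),
        "bob-ims": AccessInfo("bob", apn="ims"),
        "bob-internet": AccessInfo("bob", apn="internet"),
        "carol-corp": AccessInfo("carol", domain="corp.example"),
        "dave": AccessInfo("dave", apn="internet"),
    }
    return {name: run_initiator(responder, info, NEGOTIATION, PSK)
            for name, info in cases.items()}


if __name__ == "__main__":
    for needs_auth in (False, True):
        print(f"negotiation_needs_auth={needs_auth}: {demo(needs_auth)}")
```

Note the order of the two checks: membership in the preset set is tested before the per-user policy, and a conditional policy passes when either the APN or the domain matches, which is exactly the "at least one" wording of the claims. Devices that fail both checks get `{"auth": "required"}` and would proceed through ordinary IKE authentication, which the example does not model.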
CN200910207794.8A 2009-10-30 2009-10-30 IKE (Internet Key Exchange) authentication method and system, IKE response equipment and IKE initiating equipment Active CN102056154B (en)

Publications (2)

Publication Number Publication Date
CN102056154A true CN102056154A (en) 2011-05-11
CN102056154B CN102056154B (en) 2014-05-07

Family

ID=43959970

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant