CN116193430A - Authentication and authorization result notification and processing method, device, apparatus and medium thereof - Google Patents


Publication number
CN116193430A
Authority
CN
China
Prior art keywords
authentication
authorization
amf
network slice
result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310180184.3A
Other languages
Chinese (zh)
Inventor
侯云静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Datang Mobile Communications Equipment Co Ltd
Original Assignee
Datang Mobile Communications Equipment Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an authentication and authorization result notification method and a processing method, equipment, a device and a medium thereof, wherein the method comprises the following steps: obtaining the authentication and authorization result of a network slice; and notifying an access and mobility management function (AMF) of the authentication and authorization result. The access and mobility management function receives the authentication and authorization result notification of the network slice and updates its locally stored authentication and authorization result. The invention solves the problem that the network slice specific authentication and authorization states/results cannot be synchronized between different access and mobility management functions.

Description

Authentication and authorization result notification and processing method, device, apparatus and medium thereof
The present application is a divisional application of the invention application with application date April 7, 2020, application number 2020102640648, and invention title "Authentication and authorization result notification and processing method, equipment, device and medium thereof".
Technical Field
The present invention relates to the field of wireless communications technologies, and in particular, to an authentication and authorization result notification and a processing method, apparatus, device, and medium thereof.
Background
The prior art only supports the scenario in which a UE (User Equipment) registers to the same PLMN (Public Land Mobile Network) through 3GPP access and non-3GPP access (i.e. only one AMF (Access and Mobility Management Function) provides services to the UE). It does not support the scenario in which the UE registers to different PLMNs through different accesses, i.e. the scenario in which the UE has 2 AMFs. The prior art therefore has the following disadvantage: it does not support applications involving a scenario where the UE has 2 AMFs.
Disclosure of Invention
The invention provides an authentication and authorization result notification method and a processing method, equipment, device and medium thereof, which are used for solving the problem that, when a UE is served by a plurality of AMFs, the network slice specific authentication and authorization state/result cannot be synchronized among the different AMFs.
The embodiment of the invention provides an authentication and authorization result notification method, which comprises the following steps:
obtaining authentication and authorization results of the network slice;
and notifying the AMF of the authentication and authorization result.
In practice, it comprises:
the UDM obtains authentication and authorization results of the network slice from the AMF or the AAA server;
the UDM informs the other AMFs of the authentication and authorization results.
In implementation, the UDM notifies other AMFs of the authentication and authorization result when it determines, according to the context of the UE, that more than one AMF is serving the UE.
In practice, the UDM informs the other AMFs of the authentication and authorization result when it is determined that one or a combination of the following occurs:
the Allowed NSSAI allocated to the UE by other AMFs includes the S-NSSAI; or
the authentication and authorization result information of the S-NSSAI related to other AMFs comprises the information of the S-NSSAI; or
other AMFs subscribe to the authentication and authorization result information of the S-NSSAI; or
the authentication and authorization results of the network slice change.
In practice, the authentication and authorization result of a network slice obtained by the UDM from the AMF is an authentication and authorization status/result that the AMF notifies the UDM after performing the authentication and authorization process of the network slice.
In practice, it comprises:
the UE obtains the authentication and authorization result of the network slice from the AMF;
the UE informs other AMFs of the authentication and authorization results.
In practice, the authentication and authorization result of the network slice is obtained by the UE after the network slice authentication and authorization process for the S-NSSAI is completed through the AMF.
In implementation, when the UE determines that more than one AMF is serving the UE, the UE notifies other AMFs of the authentication and authorization result.
In practice, the UE notifies other AMFs of the authentication and authorization result when it determines that the Allowed NSSAI allocated by other AMFs includes the S-NSSAI, and/or when it determines that the authentication and authorization result has changed.
In implementation, the UE informs other AMFs of the authentication and authorization result by carrying the authentication and authorization result in a registration request sent to the other AMFs; or
the UE informs other AMFs of the authentication and authorization result by carrying information according to preset rules in registration requests sent to the other AMFs.
In practice, it comprises:
the AUSF or AAA server obtains the authentication and authorization result of the network slice;
the AUSF or AAA server notifies the AMF of the authentication and authorization result.
In implementation, the other AMF notified by the AUSF or AAA server is the AMF that the AMF or UDM designated as needing notification when subscribing, at the AUSF or AAA server, to the authentication and authorization result of the S-NSSAI.
In practice, when the authentication and authorization result for a certain S-NSSAI changes, the AUSF or AAA server notifies the AMF of the changed authentication and authorization result.
The embodiment of the invention provides an authentication and authorization result notification processing method, which comprises the following steps:
the AMF receives authentication and authorization result notification of the network slice;
The AMF updates the locally stored authentication and authorization results.
In practice, updating locally stored authentication and authorization results includes:
updating the Allowed NSSAI and the rejected S-NSSAI of the UE.
In implementation, after updating the locally stored authentication and authorization result, the method further includes:
the PDU session established by the UE and related to S-NSSAI1 is released.
In practice, further comprising:
after performing the network slice specific authentication and authorization procedure, the AMF informs the UDM of the authentication and authorization result.
In practice, further comprising:
after receiving the authentication and authorization result notified by the UE, the AMF requests, through the AUSF, that the AAA server verify the validity of the authentication and authorization result provided by the UE.
In practice, when the AMF or UDM subscribes to the authentication and authorization result of S-NSSAI with the AUSF or AAA server, the AUSF or AAA server notifies the AMF of the authentication and authorization result of the received network slice.
The embodiment of the invention provides communication equipment, which comprises the following components:
a processor for reading the program in the memory, performing the following process:
obtaining authentication and authorization results of the network slice;
notifying AMF of the authentication and authorization result;
and a transceiver for receiving and transmitting data under the control of the processor.
In practice, the communication device is located in a UDM, wherein:
obtaining authentication and authorization results of the network slice from the AMF or AAA server;
and notifying other AMFs of the authentication and authorization results.
In implementation, when it is determined according to the context of the UE that more than one AMF is serving the UE, the authentication and authorization result is notified to other AMFs.
In practice, the authentication and authorization result is notified to other AMFs upon determining that one or a combination of the following occurs:
the Allowed NSSAI allocated to the UE by other AMFs includes the S-NSSAI; or
the authentication and authorization result information of the S-NSSAI related to other AMFs comprises the information of the S-NSSAI; or
other AMFs subscribe to the authentication and authorization result information of the S-NSSAI; or
the authentication and authorization results of the network slice change.
In practice, the authentication and authorization result of the network slice obtained from the AMF is an authentication and authorization status/result that the AMF notifies the UDM after performing the authentication and authorization process of the network slice.
In an implementation, a communication device is located at a UE, wherein:
obtaining authentication and authorization results of the network slice from the AMF;
and notifying other AMFs of the authentication and authorization results.
In practice, the authentication and authorization result of the network slice is obtained after the authentication and authorization process of the network slice of the S-NSSAI is completed through the AMF.
In implementation, when it is determined that more than one AMF is serving the UE, the authentication and authorization result is notified to other AMFs.
In practice, the authentication and authorization result is notified to other AMFs when it is determined that the Allowed NSSAI allocated by other AMFs includes the S-NSSAI, and/or when it is determined that the authentication and authorization result has changed.
In implementation, the authentication and authorization result is carried in a registration request sent to other AMFs to inform the other AMFs of the authentication and authorization result; or
the other AMFs are informed of the authentication and authorization result by carrying information according to preset rules in registration requests sent to the other AMFs.
In practice, the communication device is located at an AUSF or AAA server, wherein:
obtaining authentication and authorization results of the network slice;
and notifying the AMF of the authentication and authorization result.
In implementation, the other AMF to be notified is the AMF that the AMF or UDM designated as needing notification when subscribing, at the AUSF or AAA server, to the authentication and authorization result of the S-NSSAI.
In practice, when the authentication and authorization result for a certain S-NSSAI changes, the AMF is notified of the changed authentication and authorization result.
The embodiment of the invention provides an AMF, which comprises:
a processor for reading the program in the memory, performing the following process:
Receiving authentication and authorization result notification of a network slice;
updating the locally stored authentication and authorization results when the authentication and authorization results are inconsistent with the locally stored authentication and authorization results;
and a transceiver for receiving and transmitting data under the control of the processor.
In practice, updating locally stored authentication and authorization results includes:
updating the Allowed NSSAI and the rejected S-NSSAI of the UE.
In implementation, after updating the locally stored authentication and authorization result, the method further includes:
the PDU session established by the UE and related to S-NSSAI1 is released.
In practice, further comprising:
after performing the network slice specific authentication and authorization procedure, the UDM is informed about the authentication and authorization result.
In practice, further comprising:
after receiving the authentication and authorization result notified by the UE, requesting, through the AUSF, that the AAA server verify the validity of the authentication and authorization result provided by the UE.
In practice, when the AMF or UDM subscribes to the authentication and authorization result of S-NSSAI with the AUSF or AAA server, the AUSF or AAA server notifies the AMF of the authentication and authorization result of the received network slice.
The embodiment of the invention provides an authentication and authorization result notification device, which comprises:
The acquisition module is used for acquiring authentication and authorization results of the network slice;
and the notification module is used for notifying the AMF of the authentication and authorization result.
The embodiment of the invention provides an authentication and authorization result notification processing device, which comprises:
the receiving module is used for receiving the authentication and authorization result notification of the network slice;
and the updating module is used for updating the authentication and authorization results stored locally.
An embodiment of the present invention provides a computer-readable storage medium, which stores a computer program for executing the above-described authentication and authorization result notification method and/or authentication and authorization result notification processing method.
The invention has the following beneficial effects:
in the technical scheme provided by the embodiment of the invention, after the authentication and authorization result of the network slice is obtained, the authentication and authorization result is notified to the AMF. Further, other AMFs may be notified by the UDM or UE, AUSF or AAA server, and since each AMF can learn the authentication and authorization results on other AMFs, the problem of being unable to synchronize network slice specific authentication and authorization states/results between different AMFs is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a schematic diagram of an authentication and authorization process for a network slice in an embodiment of the present invention;
FIG. 2 is a schematic diagram of a re-authentication and re-authorization process of a network slice according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an authorization revocation procedure of a network slice in an embodiment of the present invention;
FIG. 4 is a schematic diagram of an implementation flow of an authentication and authorization result notification method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an implementation flow of an authentication and authorization result notification processing method according to an embodiment of the present invention;
FIG. 6 is a flowchart of an authentication and authorization result notification implementation in accordance with a first embodiment of the present invention;
FIG. 7 is a schematic diagram of an AMF receiving an indication from a UDM that a UE has registered with another AMF according to a first embodiment of the present invention;
FIG. 8 is a schematic diagram of the UDM subscribing, at each AMF respectively, to events of a change in the network slice specific authentication and authorization status/result of the S-NSSAI, in accordance with a first embodiment of the present invention;
FIG. 9 is a flowchart of the authentication and authorization result notification implementation in the second embodiment of the present invention;
FIG. 10 is a schematic diagram of a process in which the UDM synchronizes between different AMFs when the authentication and authorization status/result changes in the second embodiment of the present invention;
FIG. 11 is a schematic diagram of an authentication and authorization result notification implementation flow in a third embodiment of the present invention;
FIG. 12 is a flowchart of the authentication and authorization result notification implementation in the fourth embodiment of the present invention;
FIG. 13 is a schematic diagram of a UDM subscription authentication and authorization status/result implementation flow in a fifth embodiment of the present invention;
FIG. 14 is a schematic flow chart of AMF subscription authentication and authorization status/result implementation in the fifth embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a communication device according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of an AMF structure according to an embodiment of the invention.
Detailed Description
The inventors noted during the course of the invention that:
when an AAA (Authentication, Authorization and Accounting) server is required to authenticate and authorize an S-NSSAI (Single Network Slice Selection Assistance Information), a network slice specific authentication and authorization procedure is triggered. The AAA server may belong to the HPLMN (Home Public Land Mobile Network) operator or to a third party; if the AAA server belongs to a third party, an AAA proxy needs to be deployed.
During registration, if the AMF decides that authentication and authorization is required for an S-NSSAI in the Allowed NSSAI (allowed network slice selection assistance information), or the AAA server triggers a re-authentication, the AMF triggers a network slice specific authentication and authorization procedure. In this process, the AMF takes the role of an EAP (Extensible Authentication Protocol) authenticator and communicates with the AAA server through the AUSF (Authentication Server Function).
The network slice specific authentication and authorization is described below.
Fig. 1 is a schematic diagram of an authentication and authorization process of a network slice, and as shown in the figure, mainly includes:
Step 101, Trigger to perform Slice-Specific Authentication And Authorisation (trigger for performing slice-specific authentication and authorization).
Based on subscription information, or because of a trigger from the AAA-S (AAA Server), the AMF triggers a network slice specific authentication and authorization procedure for an S-NSSAI that requires it.
Step 102, NAS MM Transport (Non-Access Stratum Mobility Management Transport) message carrying EAP ID Request, S-NSSAI.
The AMF sends a NAS (Non-Access Stratum) mobility management transport message to the UE, including an EAP identity request and the S-NSSAI.
Step 103, NAS MM Transport (EAP ID response, S-NSSAI).
The UE returns a NAS mobility management transmission message to the AMF, wherein the message comprises an EAP identification reply and an S-NSSAI.
Step 104, Nausf_NSSAA_Authenticate Req (Nausf_NSSAA_Authenticate request; NSSAA: Network Slice-Specific Authentication and Authorization) carrying EAP ID Response, GPSI (Generic Public Subscription Identifier), S-NSSAI.
The AMF sends a Nausf_NSSAA_Authenticate request to the AUSF, carrying an EAP identity reply, AAA server address, GPSI, S-NSSAI.
Step 105, AAA Protocol message (EAP ID Response, GPSI, S-NSSAI).
If an AAA-P (AAA Proxy) is deployed, the AUSF sends the EAP identity reply message, GPSI and S-NSSAI to the AAA proxy; otherwise the message is sent directly to the AAA server. The AUSF encapsulates the EAP identity reply message, the GPSI, and the S-NSSAI in an AAA protocol message supported by the AAA proxy or AAA server, and then sends the AAA protocol message to the AAA proxy or AAA server.
Step 106, AAA Protocol message (EAP ID Response, GPSI, S-NSSAI).
The AAA proxy sends an EAP identity reply message, GPSI and S-NSSAI to the AAA server according to the AAA server address. The AAA server stores the GPSI and creates an association between the GPSI and the EAP identity in the EAP identity reply message, so the AAA server may use the association to cancel authentication or trigger re-authentication.
Step 107, AAA Protocol message (EAP msg, GPSI, S-NSSAI).
Step 108, AAA Protocol message (EAP msg, GPSI, S-NSSAI).
Step 109, Nausf_NSSAA_Authenticate Resp (Nausf interface NSSAA authentication response) (EAP msg, GPSI, S-NSSAI).
Step 110, NAS MM Transport (EAP msg, S-NSSAI).
Step 111, NAS MM Transport (EAP msg, S-NSSAI).
Step 112, Nausf_NSSAA_Authenticate Request (EAP msg, GPSI, S-NSSAI).
Step 113, AAA Protocol message (EAP msg, AAA-S addr, GPSI, S-NSSAI).
Step 114, AAA Protocol message (EAP msg, GPSI, S-NSSAI).
In steps 107-114, EAP messages are exchanged between the AAA server and the UE.
Step 115, AAA Protocol message (EAP success/failure, GPSI, S-NSSAI).
EAP authentication is completed. The AAA server stores the S-NSSAI that has been authorized, and the AAA-S may trigger re-authentication and re-authorization based on a local policy decision. The AAA server sends the EAP success/failure message, GPSI, and S-NSSAI to the AAA proxy (if no AAA proxy is deployed, directly to the AUSF).
Step 116, AAA Protocol message (EAP Success/failure, GPSI, S-NSSAI).
If an AAA proxy is used, the AAA proxy sends an AAA protocol message (EAP success/failure, S-NSSAI, GPSI) to the AUSF.
Step 117, Nausf_NSSAA_Authenticate Resp (EAP Success/failure msg, GPSI, S-NSSAI).
The AUSF sends a Nausf_NSSAA_Authenticate response (EAP success/failure, S-NSSAI, GPSI) to the AMF.
Step 118, NAS MM Transport (EAP success/failure).
The AMF sends a NAS mobility management transport message (EAP success/failure) to the UE.
Step 119, UE configuration update procedure.
If an update of the Allowed NSSAI or the rejected S-NSSAI is required, the AMF initiates a UE configuration update procedure.
The AAA server triggered network slice specific re-authentication and re-authorization procedure is described below.
Fig. 2 is a schematic diagram of a network slice re-authentication and re-authorization process, and as shown in the figure, mainly includes:
Step 201, AAA Protocol Re-Auth Request (AAA Protocol reauthentication Request) (GPSI, S-NSSAI).
An AAA server (AAA-S) sends an AAA protocol reauthentication request, carrying GPSI, S-NSSAI, requesting reauthentication and authorization of the network slice identified by S-NSSAI for the UE identified by GPSI. If an AAA proxy (AAA-P) is deployed, the message is sent to the AAA proxy, otherwise it is sent directly to the AUSF.
Step 202, AAA Protocol Re-Auth Request (GPSI, S-NSSAI).
If an AAA proxy is deployed, the AAA proxy forwards the message to the AUSF.
Step 203a, Nudm_UECM_Get Req (Nudm_UECM_Get request; UECM: UE Context Management) (GPSI, AMF Registration).
Step 203b, Nudm_UECM_Get Resp (AMF ID).
In steps 203a-203b, the AUSF obtains the AMF ID from the UDM (Unified Data Management) using Nudm_UECM_Get.
Step 204, Nausf_NSSAA_Notify (Nausf interface NSSAA notification) (Re-Auth event, GPSI, S-NSSAI).
The AUSF notifies the AMF of a re-authentication event, requesting the AMF to re-authenticate/re-authorize the S-NSSAI for the UE. The AUSF sends a Nausf_NSSAA_Notify (GPSI, S-NSSAI) to the AMF.
Step 205, Network Slice-Specific Secondary Authentication And Authorisation (network slice specific secondary authentication and authorization).
The AMF triggers a network slice specific authentication and authorization procedure.
The AAA server triggered slice specific authorization revocation procedure is described below.
Fig. 3 is a schematic diagram of an authorization revocation procedure of a network slice, and as shown in the figure, mainly includes:
Step 301, AAA Protocol Revoke Auth Request (AAA protocol authorization revocation request) (GPSI, S-NSSAI).
The AAA server (AAA-S) sends an AAA protocol authorization revocation request message (GPSI, S-NSSAI), requesting revocation of the S-NSSAI authorization of the UE identified by the GPSI. If an AAA proxy (AAA-P) is deployed, the message is sent to the AAA proxy.
Step 302, AAA Protocol Revoke Auth Request (GPSI, S-NSSAI).
If an AAA proxy is deployed, the AAA proxy forwards the message to the AUSF.
Step 303a, Nudm_UECM_Get Req (GPSI, AMF Registration).
Step 303b, Nudm_UECM_Get Resp (AMF ID).
In steps 303a-303b, the AUSF obtains the AMF ID from the UDM using Nudm_UECM_Get.
Step 304, Nausf_NSSAA_Notify (Revoke Auth event (authorization revocation event), GPSI, S-NSSAI).
The AUSF sends a Nausf_NSSAA_Notify (GPSI, S-NSSAI) to the AMF, requesting the AMF to revoke the authorization of the S-NSSAI for the UE.
Step 305, UE Configuration Update.
The AMF withdraws the S-NSSAI from the Allowed NSSAI of the UE, and then sends the updated Allowed NSSAI to the UE.
As can be seen, the prior art only supports the scenario in which the UE registers to the same PLMN through 3GPP access and non-3GPP access (i.e. only one AMF provides services for the UE). It does not support the scenario in which the UE registers to different PLMNs through different accesses, i.e. the scenario in which the UE has 2 AMFs, so when there are more than 2 AMFs, each AMF cannot learn the state/result of authenticating and authorizing S-NSSAIs stored on other AMFs.
In summary, current network slice specific authentication and authorization mechanisms do not support the scenario where a UE connects to different PLMNs through 3GPP access and non-3GPP access. In this scenario, different AMFs in different PLMNs provide services for the UE, and the different AMFs each allocate an Allowed NSSAI to the UE. Different Allowed NSSAIs may include the same S-NSSAI, and when authentication and authorization is performed for that S-NSSAI, only one AMF may be involved, so that the other AMF may not obtain the latest authentication and authorization status/result of the S-NSSAI. Based on this, an authentication and authorization result notification scheme is provided in the embodiments of the present invention to synchronize authentication and authorization states/results between multiple AMFs.
The following describes specific embodiments of the present invention with reference to the drawings.
In the description, the implementations on the UDM, UE, AUSF, AAA server and AMF sides are described separately, and then an example of their cooperative implementation is given to aid understanding of the solution given in the embodiments of the present invention. This manner of description does not mean that they must be implemented together or must be implemented separately; in fact, each solves the problem on its own side when implemented separately, and a better technical effect is obtained when they are used in combination.
FIG. 4 is a schematic flow chart of an implementation of the authentication and authorization result notification method, which may include:
step 401, obtaining authentication and authorization results of a network slice;
step 402, notifying the AMF of the authentication and authorization result.
FIG. 5 is a schematic flow chart of an authentication and authorization result notification processing method, as shown in the figure, including:
step 501, the AMF receives the authentication and authorization result notification of the network slice;
step 502, updating locally stored authentication and authorization results.
Specifically, the AMF may update the locally stored authentication and authorization result when the authentication and authorization result is inconsistent with the locally stored authentication and authorization result.
The implementation on UDM, UE, AUSF or AAA server side, respectively, is described below.
1. Implementation on UDM.
In this manner, the UDM synchronizes the authentication and authorization results of the S-NSSAI among the plurality of AMFs.
In practice, the scheme may include:
the UDM obtains authentication and authorization results of the network slice from the AMF or the AAA server;
the UDM informs the other AMFs of the authentication and authorization results.
The UDM obtains authentication and authorization results of the network slice from the AMF or AAA server and informs other AMFs of the authentication and authorization results.
Specifically, the UDM may notify other AMFs of the authentication and authorization result when it determines, according to the context of the UE, that more than one AMF is serving the UE.
In a specific implementation, the UDM notifies the other AMFs of the authentication and authorization result when it is determined that one or a combination of the following occurs:
the Allowed NSSAI allocated to the UE by other AMFs includes the S-NSSAI; or
the authentication and authorization result information of the S-NSSAI related to other AMFs comprises the information of the S-NSSAI; or
other AMFs subscribe to the authentication and authorization result information of the S-NSSAI; or
the authentication and authorization results of the network slice change.
Specifically, the UDM may make the following decisions before sending authentication and authorization results to other AMFs:
whether the context of the UE includes more than one AMF; if so, multiple AMFs are serving the UE, and the authentication and authorization results therefore need to be synchronized.
Specifically, in addition to this, the UDM may further determine whether it is necessary to provide the authentication and authorization result of S-NSSAI1 to other AMFs (in this example, the S-NSSAI is numbered 1 for distinction, and the same applies hereinafter). The determination is based on whether the Allowed NSSAI allocated to the UE by other AMFs includes S-NSSAI1, or whether the authentication and authorization result information of the S-NSSAI related to other AMFs includes the information of S-NSSAI1, or whether other AMFs subscribe to the authentication and authorization result information of S-NSSAI1.
If the above judgment results are yes, the UDM sends the authentication and authorization results of the S-NSSAI1 to other AMFs, such as AMF2.
For the AMF side, in an implementation, updating the locally stored authentication and authorization results includes:
updating the Allowed NSSAI and the rejected S-NSSAI of the UE.
In a specific implementation, after updating the locally stored authentication and authorization result, the method further comprises:
the PDU session established by the UE and related to S-NSSAI1 is released.
Specifically, after AMF2 receives the authentication and authorization result of S-NSSAI1, if the result is unchanged, AMF2 does not perform any operation; if the result has changed from successful to failed, AMF2 updates the Allowed NSSAI and the rejected S-NSSAI of the UE and releases the PDU sessions related to S-NSSAI1 that the UE has established.
For the AMF side, in an implementation, further comprising:
after performing the network slice specific authentication and authorization procedure, the AMF informs the UDM of the authentication and authorization result.
In a specific implementation, the authentication and authorization result of the network slice obtained by the UDM from the AMF is an authentication and authorization status/result that the AMF notifies the UDM after performing the authentication and authorization process of the network slice.
In particular, the AMF may inform the UDM of the authentication and authorization status/results after performing a network slice specific authentication and authorization procedure. The UDM may also request authentication and authorization status/results from the AAA server.
2. Implementation on UE.
In this manner, the UE synchronizes the authentication and authorization results of the S-NSSAI among the multiple AMFs.
In practice, this may include:
the UE obtains the authentication and authorization result of the network slice from the AMF;
the UE informs other AMFs of the authentication and authorization results.
In a specific implementation, the authentication and authorization result of the network slice is the result the UE obtains after completing, through the AMF, the network slice authentication and authorization process of the S-NSSAI.
Specifically, after the UE completes the network slice specific authentication and authorization procedure of S-NSSAI1 through AMF1 (for convenience of distinction, the AMF is numbered 1; the same applies hereinafter), the UE notifies the other AMFs of the authentication and authorization result of S-NSSAI1.
For the AMF side, in an implementation, further comprising:
after receiving the authentication and authorization result notified by the UE, the AMF requests the AAA server to verify the validity of the authentication and authorization result provided by the UE through the AUSF.
Specifically, the AMF requests the AAA server to verify the validity of the UE provided information through the AUSF.
In implementation, when the UE determines that more than one AMF is serving it, the UE notifies the other AMFs of the authentication and authorization result.
In practice, the UE notifies the other AMFs of the authentication and authorization result when it determines that the Allowed NSSAI allocated by the other AMFs includes the S-NSSAI, and/or when it determines that the authentication and authorization result has changed.
Specifically, before the UE sends the authentication and authorization result to other AMFs, the following determination may be made:
whether the UE is connected to more than one AMF; if so, multiple AMFs are serving the UE, and the authentication and authorization results therefore need to be synchronized.
In addition, the UE may further determine whether the authentication and authorization result of S-NSSAI1 needs to be provided to other AMFs, where the determination may be based on whether the Allowed NSSAI allocated by other AMFs includes S-NSSAI1 or whether the authentication and authorization result changes.
In implementation, the UE informs other AMFs of the authentication and authorization result by carrying the authentication and authorization result in a registration request sent to the other AMFs; or
the UE informs other AMFs of the authentication and authorization result by carrying information according to preset rules in registration requests sent to the other AMFs.
Specifically, the UE may explicitly or implicitly notify other AMFs of the authentication and authorization result of S-NSSAI1. If the notification is explicit, the UE sends a registration request to the other AMFs, and the message includes the latest authentication and authorization result of S-NSSAI1. If the notification is implicit, the UE sends a registration request to the other AMFs, and the Requested NSSAI included in the request message either does not include S-NSSAI1 (e.g., the authentication and authorization result is failure) or includes it (e.g., the authentication and authorization result is success).
3. Implementation on an AUSF or AAA server.
In this manner, the AUSF or AAA server synchronizes the authentication and authorization results of the S-NSSAI between AMFs.
The AUSF or AAA server obtains the authentication and authorization result of the network slice;
the AUSF or AAA server notifies the AMF of the authentication and authorization result.
In implementation, the AMF notified by the AUSF or AAA server is the AMF that the AMF or UDM designated as the one to be notified when subscribing, with the AUSF or AAA server, to the authentication and authorization result of the S-NSSAI.
In practice, when the authentication and authorization result for a certain S-NSSAI changes, the AUSF or AAA server notifies the AMF of the changed authentication and authorization result.
For the AMF side, in implementation, when the AMF or UDM subscribes to the authentication and authorization result of the S-NSSAI with the AUSF or AAA server, the AUSF or AAA server notifies the AMF of the network slice authentication and authorization result it receives.
Specifically, the AMF or the UDM may subscribe to the authentication and authorization result of the S-NSSAI from the AUSF or the AAA server, and when the UDM subscribes, the UDM sets the result notification endpoint to the information of the AMF. When the authentication and authorization result for a certain S-NSSAI changes, the AAA server directly notifies the AUSF, which notifies the AMF of the result.
The following is an example.
Example 1
In this embodiment, the UDM synchronizes network slice specific authentication and authorization result states between different AMFs through a subscription and notification mechanism.
Fig. 6 is a schematic diagram of an authentication and authorization result notification implementation flow in the first embodiment, which may include:
step 601, Nudm_EventExposure_Subscribe (Nudm event exposure subscription), carrying the UE ID, the S-NSSAI, and the network slice specific authentication and authorization status/results.
Specifically, the AMF sends a Nudm_EventExposure_Subscribe message to the UDM, and the parameters include the UE ID, S-NSSAI, and network slice specific authentication and authorization status/results. The AMF subscribes to the network slice specific authentication and authorization status/results of the S-NSSAI of the UE with the UDM through this message. The AMF may provide a plurality of S-NSSAIs.
Step 602, Nudm_EventExposure_Notify (Nudm event exposure notification), carrying the network slice specific authentication and authorization status/results.
Specifically, when the UDM finds that the authentication and authorization status/results of the S-NSSAI change, the UDM sends a Nudm_EventExposure_Notify message to the AMF, and the parameters include the network slice specific authentication and authorization status/results of the S-NSSAI.
In practice, before the AMF sends the message of step 601 in Fig. 6 to the UDM, it may receive from the UDM an indication that the UE has registered with other AMFs. The AMF may receive this indication during registration, through a subscription/notification mechanism, or in notification information sent directly by the UDM. Possible implementations include at least the following:
Fig. 7 is a schematic diagram of an AMF receiving an indication from a UDM that a UE has registered with another AMF according to the first embodiment, which may include:
mode one:
step 701, Nudm_UECM_Registration Request (Nudm UECM registration request).
Step 702, Nudm_UECM_Registration Response (Nudm UECM registration response), carrying a multiple-AMF registration indication.
Specifically, in the process of UE registration, the AMF sends a Nudm_UECM_Registration Request message (carrying the UE ID and the AMF ID) to the UDM, and registers the AMF ID with the UDM.
In this way, if the UDM finds that the UE context already includes other AMF IDs, the UDM carries a multiple-AMF registration indication in the Nudm_UECM_Registration Response message it returns to the AMF. The AMF knows from the indication that there are other AMFs serving the UE, and the AMF subscribes to the network slice specific authentication and authorization status/results of the S-NSSAI with the UDM.
Mode two:
step 703, Nudm_EventExposure_Subscribe, carrying the UE ID and the AMF registration status.
Step 704, Nudm_EventExposure_Notify, carrying the AMF registration status.
Specifically, the AMF sends a Nudm_EventExposure_Subscribe message (carrying the UE ID and the AMF registration status) to the UDM.
When the UDM finds that the AMF registration status of the UE (i.e., multi-AMF registration or single-AMF registration) changes, the UDM sends Nudm_EventExposure_Notify (AMF registration status) to the AMF. If the AMF finds that the UE's AMF registration status is multi-AMF registration, the AMF subscribes to the network slice specific authentication and authorization status/results of the S-NSSAI with the UDM.
Mode three:
step 705, Nudm_UECM_Get Request.
Step 706, Nudm_UECM_Get Response.
Specifically, the AMF sends a Nudm_UECM_Get Request message to the UDM, where the message includes the UE ID and the AMF, and the UDM returns a Nudm_UECM_Get Response message to the AMF, where the message includes the identities of the AMFs with which the UE is registered at this time. If the UDM returns multiple AMF identities, indicating that the UE is now registered with multiple AMFs, the AMF subscribes to the network slice specific authentication and authorization status/results of the S-NSSAI with the UDM.
Mode four:
step 707, a first notification message.
Specifically, when the UDM discovers that the AMF registration state of the UE changes, the UDM sends a first notification message to the AMFs with which the UE is registered (the ordinals "first", "second", etc. used in the embodiments only distinguish the messages from one another and do not mean that a message named "first notification message" must be used; the same applies below). The message parameter is the AMF registration state, that is, multiple-AMF registration or single-AMF registration. In the case of multiple-AMF registration, the AMF subscribes to the network slice specific authentication and authorization status/results of the S-NSSAI with the UDM.
It should be noted that the above four modes do not depend on one another; each is an independently implementable scheme.
When the UE registers with multiple AMFs (i.e., the AMF registration state is multiple-AMF registration, where the UE context stored by the UDM includes information of the multiple AMFs), the UDM subscribes, with each of the AMFs, to the network slice specific authentication and authorization status/results of the S-NSSAI.
Fig. 8 is a schematic diagram of the UDM subscribing, with each AMF, to events of change in the network slice specific authentication and authorization status/result of the S-NSSAI according to the first embodiment. Fig. 8 is described as follows:
step 801, Namf_EventExposure_Subscribe, carrying the UE ID and the network slice specific authentication and authorization status/results.
Specifically, the UDM sends a Namf_EventExposure_Subscribe message to the AMF, the parameters including the UE ID and the network slice specific authentication and authorization status/results. Through this message, the UDM subscribes with the AMF to the UE's network slice specific authentication and authorization status/results.
Step 802, Namf_EventExposure_Notify, carrying the network slice specific authentication and authorization status/results.
Specifically, when the AMF finds that the network slice specific authentication and authorization status/result of the UE changes, the AMF sends a Namf_EventExposure_Notify message to the UDM, and the parameters include the S-NSSAI and the network slice specific authentication and authorization status/result.
Example 2
In this embodiment, the UDM stores the network slice specific authentication and authorization status/results of the S-NSSAI and synchronizes the information to different AMFs.
Fig. 9 is a schematic diagram of an authentication and authorization result notification implementation flow in the second embodiment, and as shown in the drawing, a specific process of obtaining a network slice specific authentication and authorization status/result by the UDM may include:
step 901, the AMF sends a third request message to the UDM, carrying the UE ID.
Specifically, the AMF sends a third request message to the UDM, the message including the UE identity, requesting the network slice specific authentication and authorization status/results for the UE. The message may also include one or more S-NSSAIs, indicating a request for the authentication and authorization status/results of those S-NSSAIs; if no S-NSSAI is provided, the request is for the status/results of those S-NSSAIs, among all subscribed S-NSSAIs of the UE, that need to perform authentication and authorization.
Step 902, the UDM returns a third reply message to the AMF carrying the network slice specific authentication and authorization status/results.
Specifically, the UDM returns a third reply message to the AMF with message parameters that are network slice specific authentication and authorization status/results.
Step 903, network slice specific authentication and authorization procedures.
Specifically, if the UDM does not return any information, the AMF initiates authentication and authorization procedures for all S-NSSAIs in the Allowed NSSAI that need to perform authentication and authorization. If the UDM returns the authentication and authorization status/results of some S-NSSAIs as failed, the AMF removes these S-NSSAIs from the Allowed NSSAI and places them in the rejected S-NSSAI.
Step 904, the AMF sends a second request message to the UDM carrying the UE ID, the network slice specific authentication and authorization status/result.
Specifically, the AMF sends a second request message to the UDM with parameters UE ID, network slice specific authentication and authorization status/results. The second request message may be a nudm_uecm_update message or a newly defined message.
Step 905, UDM returns a second reply message to AMF.
Assume that the UE first registers with the network through AMF1, and that AMF1 needs to perform authentication and authorization procedures for S-NSSAI1, S-NSSAI2 and S-NSSAI3 included in the Allowed NSSAI determined for the UE. AMF1 initiates the above process, requesting the UDM to provide the authentication and authorization status/results for these three S-NSSAIs. Because the status and results of these three S-NSSAIs are not stored in the UDM, the reply message returned by the UDM does not include any authentication and authorization status/results. AMF1 initiates a network slice specific authentication and authorization procedure for each of the three S-NSSAIs; assume that the authentication and authorization status/results of S-NSSAI1 and S-NSSAI2 are successful and that of S-NSSAI3 is failed. AMF1 sends the authentication and authorization status/results of the three S-NSSAIs to the UDM via steps 904 and 905 of the process described above.
When the UE registers with the network again through AMF2, AMF2 decides the Allowed NSSAI for the UE and finds that S-NSSAI2, S-NSSAI3 and S-NSSAI4 in the Allowed NSSAI need to perform network slice specific authentication and authorization procedures. AMF2 requests the authentication and authorization status/results of S-NSSAI2, S-NSSAI3 and S-NSSAI4 from the UDM, and the UDM returns the information it has stored. Since S-NSSAI2 has been authenticated successfully, AMF2 skips the authentication and authorization process for it; since S-NSSAI3 failed authentication, AMF2 removes it from the Allowed NSSAI and includes it in the rejected S-NSSAI; since the UDM does not return the authentication and authorization status/results of S-NSSAI4, AMF2 triggers a network slice specific authentication and authorization procedure for it. AMF2 sends the authentication and authorization status/results of the S-NSSAI to the UDM.
Fig. 10 is a schematic flow chart of UDM synchronization between different AMFs when the authentication and authorization status/result changes in the second embodiment. As shown in the drawing, the process by which the UDM synchronizes between different AMFs when the network slice specific authentication and authorization status/result changes may include:
step 1001, AMF2 sends a second request message to the UDM, the message including the UE ID and the network slice specific authentication and authorization status/results.
Specifically, when AMF2 finds that the network slice specific authentication and authorization status/result changes, e.g. the AAA server revokes the authentication and authorization of S-NSSAI4, or the re-authentication and re-authorization procedure of S-NSSAI2 triggered by the AAA server fails, AMF2 sends a second request message to the UDM, the message including the UE ID and the network slice specific authentication and authorization status/result.
Step 1002, the UDM returns a second reply message to the AMF 2.
The UDM updates the local information.
Step 1003, the UDM sends a fourth notification message to AMF1, the parameters including the UE ID and the network slice specific authentication and authorization status/results.
Specifically, if the UDM discovers that the authentication and authorization status/result of S-NSSAI2 stored in AMF1 needs to be updated, the UDM sends a fourth notification message to AMF1, where the parameters include the UE ID and the network slice specific authentication and authorization status/result.
Step 1004, AMF2 returns a fourth reply message to the UDM.
To support the above mechanism, the following information may be stored in the UDM in the UE context:
1. <AMF1, Allowed NSSAI 1>, <AMF2, Allowed NSSAI 2>, authentication and authorization status/results of the S-NSSAI; or
2. <S-NSSAI, authentication and authorization status/result, information of the AMF reporting the authentication and authorization status/result of the S-NSSAI>; or
3. AMF1, S-NSSAI, authentication and authorization status/results.
The internal processing logic of the UDM differs depending on the information it stores. If the Allowed NSSAI is stored in the UDM, the AMF also provides the Allowed NSSAI when reporting network slice specific authentication and authorization status/results. When an AMF reports the authentication and authorization status of an S-NSSAI, the UDM checks which Allowed NSSAIs also contain that S-NSSAI and sends the authentication and authorization status of the S-NSSAI to the AMFs corresponding to those Allowed NSSAIs.
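The bookkeeping of Example 2 as an added Python illustration, not code from the patent: it replays the AMF1/AMF2 registration walk-through and the change notification of steps 1001 to 1003, using the first storage option (per-AMF Allowed NSSAI plus one result per S-NSSAI). All class, method and field names, the session ids and the aaa dictionary standing in for the slice-specific authentication procedure are assumptions made for the example.

```python
# Added illustration: in-memory model of Example 2 (results held by the UDM).
# Names are hypothetical; they are not 3GPP service operations.
from dataclasses import dataclass, field

SUCCESS, FAILURE = "success", "failure"


@dataclass
class Udm:
    allowed_by_amf: dict = field(default_factory=dict)  # AMF id -> Allowed NSSAI
    results: dict = field(default_factory=dict)         # S-NSSAI -> result
    amfs: dict = field(default_factory=dict)            # AMF id -> Amf object

    def get_results(self, s_nssais):
        """Third request/reply (steps 901-902): only stored results come back."""
        return {s: self.results[s] for s in s_nssais if s in self.results}

    def report(self, reporter, allowed, results):
        """Second request (steps 904, 1001): store, then notify other AMFs."""
        self.amfs[reporter.amf_id] = reporter
        self.allowed_by_amf[reporter.amf_id] = set(allowed)
        notified = []
        for s, new in results.items():
            changed = self.results.get(s) != new
            self.results[s] = new
            if not changed or len(self.amfs) < 2:
                continue  # unchanged result or a single serving AMF: no sync
            for amf_id, allowed_set in self.allowed_by_amf.items():
                if amf_id != reporter.amf_id and s in allowed_set:
                    self.amfs[amf_id].on_notify(s, new)  # step 1003
                    notified.append((amf_id, s))
        return notified


@dataclass
class Amf:
    amf_id: str
    udm: Udm
    aaa: dict  # constructed stand-in for the outcome of the NSSAA procedure
    allowed: set = field(default_factory=set)
    rejected: set = field(default_factory=set)
    pdu_sessions: dict = field(default_factory=dict)  # session id -> S-NSSAI
    nssaa_runs: list = field(default_factory=list)

    def register(self, candidate_allowed):
        """Steps 901-905 for the S-NSSAIs that require authentication."""
        self.allowed = set(candidate_allowed)
        known = self.udm.get_results(candidate_allowed)
        outcome = {}
        for s in sorted(candidate_allowed):
            if s in known:
                outcome[s] = known[s]      # reuse the stored result
            else:
                self.nssaa_runs.append(s)  # step 903: run the procedure
                outcome[s] = self.aaa[s]
            if outcome[s] == FAILURE:
                self._reject(s)
        self.udm.report(self, self.allowed, outcome)
        return outcome

    def _reject(self, s):
        """Move s to the rejected S-NSSAI and release its PDU sessions."""
        self.allowed.discard(s)
        self.rejected.add(s)
        released = [sid for sid, sl in self.pdu_sessions.items() if sl == s]
        for sid in released:
            del self.pdu_sessions[sid]
        return released

    def on_notify(self, s, result):
        """Receiving side of step 1003: act only on success -> failure."""
        if result == FAILURE and s in self.allowed:
            return self._reject(s)
        return []

    def local_change(self, s, result):
        """Steps 1001-1002: this AMF saw the result change and reports it."""
        if result == FAILURE:
            self._reject(s)
        return self.udm.report(self, self.allowed, {s: result})


def run_scenario():
    udm = Udm()
    amf1 = Amf("AMF1", udm, aaa={"S-NSSAI1": SUCCESS, "S-NSSAI2": SUCCESS,
                                 "S-NSSAI3": FAILURE})
    amf2 = Amf("AMF2", udm, aaa={"S-NSSAI4": SUCCESS})
    amf1.register({"S-NSSAI1", "S-NSSAI2", "S-NSSAI3"})
    amf1.pdu_sessions = {1: "S-NSSAI1", 2: "S-NSSAI2"}  # constructed sessions
    amf2.register({"S-NSSAI2", "S-NSSAI3", "S-NSSAI4"})
    # Re-authentication of S-NSSAI2 triggered by the AAA server fails at AMF2.
    notified = amf2.local_change("S-NSSAI2", FAILURE)
    return amf1, amf2, notified


if __name__ == "__main__":
    a1, a2, sent = run_scenario()
    print(sent, sorted(a1.allowed), sorted(a1.rejected), a1.pdu_sessions)
```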
Example 3
In this embodiment, the UDM obtains the authentication and authorization status/results of the network slice from the AAA server.
Fig. 11 is a schematic diagram of an authentication and authorization result notification implementation flow in the third embodiment, which may include:
step 1101, the UDM sends an authentication and authorization status/result subscription to the AUSF, the message including the S-NSSAI;
step 1102, the AUSF forwards the authentication and authorization status/result subscription, including the S-NSSAI, to the AAA server;
step 1103, the AAA server sends an authentication and authorization status/result notification to the AUSF, where the message parameter is the authentication and authorization status/result of the S-NSSAI.
When the AAA server finds that the authentication and authorization status/result of the S-NSSAI changes, the AAA server sends an authentication and authorization status/result notification to the AUSF, and the message parameter is the authentication and authorization status/result of the S-NSSAI.
Step 1104, the AUSF forwards the authentication and authorization status/result notification to the UDM, with the message parameter being the authentication and authorization status/result of the S-NSSAI.
After the UDM obtains the information described above, it sends an event notification to the AMF that has subscribed to the authentication and authorization status/results of the S-NSSAI.
Example 4
In this embodiment, the UE synchronizes network slice specific authentication and authorization status/results between AMFs.
Fig. 12 is a schematic diagram of an authentication and authorization result notification implementation flow in the fourth embodiment, which may include:
step 1201, the UE sends a registration request to the AMF, the message including the S-NSSAI and the network slice specific authentication and authorization status/results (optional parameters).
Step 1202, the AMF sends the information provided by the UE to the AUSF to check the correctness of that information.
Step 1203, the AUSF forwards the AMF's message, including the S-NSSAI and the network slice specific authentication and authorization status/result, to the AAA server.
Step 1204, the AAA server returns the network slice specific authentication and authorization status/results of the S-NSSAI to the AUSF.
Step 1205, the AUSF forwards the network slice specific authentication and authorization status/results to the AMF.
Step 1206, the AMF returns a registration accept message to the UE.
For any S-NSSAI that is included in the Allowed NSSAI but whose authentication and authorization status/results have not been checked, the AMF needs to trigger a network slice specific authentication and authorization procedure.
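The AMF-side decision of Example 4 as an added Python illustration, not code from the patent: a result reported by the UE is treated only as a hint, the value confirmed by the AAA server via the AUSF is what gets applied, and any disagreement is recorded. Function names, the record layout and the sample UE "ue-1" are assumptions constructed for the example.

```python
# Added illustration of Example 4 (steps 1201-1206). All names are hypothetical.
SUCCESS, FAILURE = "success", "failure"


def aaa_verify(aaa_records, ue_id, s_nssai):
    """Stand-in for steps 1202-1205: AMF -> AUSF -> AAA server and back.

    Returns the AAA server's own result, or None when it holds no record.
    """
    return aaa_records.get((ue_id, s_nssai))


def handle_registration(ue_id, requested, ue_claims, needs_nssaa, aaa_records):
    """Resolve each requested S-NSSAI for one registration request.

    requested   -- S-NSSAIs carried in the registration request
    ue_claims   -- optional parameter: S-NSSAI -> result reported by the UE
    needs_nssaa -- S-NSSAIs subject to slice-specific authentication
    """
    decision = {"allowed": set(), "rejected": set(),
                "run_nssaa": [], "mismatches": []}
    for s in sorted(requested):
        if s not in needs_nssaa:
            decision["allowed"].add(s)
            continue
        claim = ue_claims.get(s)
        # A reported result triggers the check; it is never applied as-is.
        verified = aaa_verify(aaa_records, ue_id, s) if claim else None
        if verified is None:
            # Nothing was checked (no claim, or the AAA server has no record):
            # the AMF triggers the slice-specific procedure itself.
            decision["run_nssaa"].append(s)
            continue
        if verified != claim:
            # Worth alerting on: the UE reported a result the AAA server denies.
            decision["mismatches"].append((s, claim, verified))
        if verified == SUCCESS:
            decision["allowed"].add(s)
        else:
            decision["rejected"].add(s)
    return decision


def demo():
    # Constructed sample data: the UE claims success for two slices, but the
    # AAA server recorded a failure for S-NSSAI2.
    aaa_records = {("ue-1", "S-NSSAI1"): SUCCESS,
                   ("ue-1", "S-NSSAI2"): FAILURE}
    return handle_registration(
        ue_id="ue-1",
        requested=["S-NSSAI1", "S-NSSAI2", "S-NSSAI3", "S-NSSAI5"],
        ue_claims={"S-NSSAI1": SUCCESS, "S-NSSAI2": SUCCESS},
        needs_nssaa={"S-NSSAI1", "S-NSSAI2", "S-NSSAI3"},
        aaa_records=aaa_records,
    )


if __name__ == "__main__":
    print(demo())
```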
Example 5
In this embodiment, the AAA server synchronizes the authentication and authorization status/results between AMFs.
Fig. 13 is a schematic flow chart of a UDM subscription authentication and authorization status/result implementation in the fifth embodiment, where, as shown in the drawing, the UDM subscription authentication and authorization status/result may include:
step 1301, the UDM sends an authentication and authorization status/result subscription (UE ID, S-NSSAI, notification node, AAA server address) to the AUSF.
The AAA server address may be preconfigured in the UDM or may be provided by the AMF, and the notification node is the information of the AMF. The UDM may trigger this process when it finds that there are multiple serving AMFs for the UE (the context of the UE includes multiple AMFs) and that the Allowed NSSAIs assigned by the different serving AMFs each include the same S-NSSAI that needs to perform authentication and authorization.
Step 1302, the AUSF sends the authentication and authorization status/result subscription message to the AAA server according to the AAA server address in the message.
Step 1303, when the AAA server discovers that the authentication and authorization status/result of the S-NSSAI changes, the AAA server notifies the AMF of the authentication and authorization status/result of the S-NSSAI according to the information of the notification node in the subscription message.
Fig. 14 is a schematic flow chart of AMF subscription authentication and authorization status/result implementation in the fifth embodiment, where the AMF subscription authentication and authorization status/result may include:
step 1401, the AMF sends an authentication and authorization status/result subscription (UE ID, S-NSSAI, notification node, AAA server address) to the AUSF.
The notification node is the information of an AMF. The AMF may trigger this process when it finds that the UE is registered with multiple AMFs and that the Allowed NSSAIs assigned by the different serving AMFs each include the same S-NSSAI that needs to perform authentication and authorization. The UDM or the UE may provide the AMF with information on the Allowed NSSAIs allocated by other AMFs.
Step 1402, the AUSF sends the authentication and authorization status/result subscription message to the AAA server according to the AAA server address in the message.
Step 1403, when the AAA server discovers that the authentication and authorization status/result of the S-NSSAI changes, the AAA server notifies the AMF of the authentication and authorization status/result of the S-NSSAI according to the information of the notification node in the subscription message.
Based on the same inventive concept, the embodiments of the present invention further provide a communication device, an AMF, an authentication and authorization result notification device, an authentication and authorization result notification processing device, and a computer readable storage medium, and because the principle of solving the problem of these devices is similar to that of the authentication and authorization result notification method and the authentication and authorization result notification processing method, the implementation of these devices may refer to the implementation of the method, and the repetition is omitted.
In implementing the technical scheme provided by the embodiment of the invention, the method can be implemented as follows.
Fig. 15 is a schematic structural diagram of a communication device, as shown, including:
processor 1500, for reading the program in memory 1520, performs the following process:
obtaining authentication and authorization results of the network slice;
notifying AMF of the authentication and authorization result;
a transceiver 1510 for receiving and transmitting data under the control of the processor 1500.
In practice, the communication device is located in a UDM, wherein:
obtaining authentication and authorization results of the network slice from the AMF or AAA server;
and notifying other AMFs of the authentication and authorization results.
In implementation, when it is determined according to the context of the UE that more than one AMF is serving the UE, the authentication and authorization result is notified to other AMFs.
In practice, the authentication and authorization result is notified to other AMFs upon determining that one or a combination of the following occurs:
the Allowed NSSAI allocated to the UE by the other AMFs includes the S-NSSAI; or
the authentication and authorization result information of the S-NSSAI related to the other AMFs includes the information of the S-NSSAI; or
the other AMFs subscribe to the authentication and authorization result information of the S-NSSAI; or
the authentication and authorization result of the network slice changes.
In practice, the authentication and authorization result of the network slice obtained from the AMF is an authentication and authorization status/result that the AMF notifies the UDM after performing the authentication and authorization process of the network slice.
In an implementation, a communication device is located at a UE, wherein:
obtaining authentication and authorization results of the network slice from the AMF;
and notifying other AMFs of the authentication and authorization results.
In practice, the authentication and authorization result of the network slice is obtained after the authentication and authorization process of the network slice of the S-NSSAI is completed through the AMF.
In implementation, when it is determined that more than one AMF is serving the UE, the authentication and authorization result is notified to other AMFs.
In practice, the authentication and authorization result is notified to other AMFs when it is determined that the Allowed NSSAI allocated by the other AMFs includes the S-NSSAI, and/or when it is determined that the authentication and authorization result has changed.
In implementation, the authentication and authorization result is carried in a registration request sent to other AMFs to inform the other AMFs of the authentication and authorization result; or
the other AMFs are informed of the authentication and authorization result by carrying information according to preset rules in registration requests sent to the other AMFs.
In practice, the communication device is located at an AUSF or AAA server, wherein:
Obtaining authentication and authorization results of the network slice;
and notifying the AMF of the authentication and authorization result.
In implementation, the AMF to be notified is the AMF that the AMF or UDM designated as the one to be notified when subscribing, with the AUSF or AAA server, to the authentication and authorization result of the S-NSSAI.
In practice, when the authentication and authorization result for a certain S-NSSAI changes, the AMF is notified of the changed authentication and authorization result.
In FIG. 15, a bus architecture may comprise any number of interconnected buses and bridges, with various circuits of the one or more processors, as represented by processor 1500, and the memory, as represented by memory 1520, being linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. The transceiver 1510 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1500 is responsible for managing the bus architecture and general processing, and the memory 1520 may store data used by the processor 1500 in performing operations.
The embodiment of the invention provides an authentication and authorization result notification device, which comprises:
the acquisition module is used for acquiring authentication and authorization results of the network slice;
and the notification module is used for notifying the AMF of the authentication and authorization result.
Specific implementations can be seen in the implementation of authentication and authorization result notification methods.
For convenience of description, the parts of the above apparatus are described as being functionally divided into various modules or units, respectively. Of course, the functions of each module or unit may be implemented in the same piece or pieces of software or hardware when implementing the present invention.
FIG. 16 is a schematic diagram of an AMF. As shown, the AMF includes:
a processor 1600 for reading the program in memory 1620 and performing the following procedures:
receiving authentication and authorization result notification of a network slice;
updating locally stored authentication and authorization results;
a transceiver 1610 for receiving and transmitting data under the control of the processor 1600.
Specifically, the locally stored authentication and authorization results may be updated when the authentication and authorization results are inconsistent with the locally stored authentication and authorization results.
In practice, updating locally stored authentication and authorization results includes:
updating the Allowed NSSAI and the rejected S-NSSAI of the UE.
In implementation, after updating the locally stored authentication and authorization result, the method further includes:
releasing the PDU session established by the UE and related to S-NSSAI1.
In practice, the method further includes:
informing the UDM about the authentication and authorization result after performing the network slice specific authentication and authorization procedure.
In practice, the method further includes:
after receiving the authentication and authorization result notified by the UE, requesting, through the AUSF, that the AAA server verify the validity of the authentication and authorization result provided by the UE.
In practice, when the AMF or UDM subscribes to the authentication and authorization result of the S-NSSAI with the AUSF or AAA server, the AUSF or AAA server notifies the AMF of the received authentication and authorization result of the network slice.
Where in FIG. 16, the bus architecture may comprise any number of interconnected buses and bridges, with various circuits of the one or more processors, as represented by processor 1600, and the memory, as represented by memory 1620, being linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. The transceiver 1610 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1600 is responsible for managing the bus architecture and general processing, and the memory 1620 may store data used by the processor 1600 in performing operations.
The embodiment of the invention provides an authentication and authorization result notification processing device, which comprises:
the receiving module is used for receiving the authentication and authorization result notification of the network slice;
and the updating module is used for updating the authentication and authorization results stored locally.
Specific implementation can be seen in the implementation of the authentication and authorization result notification processing method.
For convenience of description, the parts of the above apparatus are described as being functionally divided into various modules or units, respectively. Of course, the functions of each module or unit may be implemented in the same piece or pieces of software or hardware when implementing the present invention.
An embodiment of the present invention provides a computer-readable storage medium, which stores a computer program for executing the above-described authentication and authorization result notification method and/or authentication and authorization result notification processing method.
Specific implementations may refer to implementations of the authentication and authorization result notification method and/or the authentication and authorization result notification processing method.
In summary, in the technical solution provided in the embodiments of the present invention, the UDM or AAA server or UE synchronizes the authentication and authorization status/results of network slices between different AMFs. Specifically:
The UDM obtains the authentication and authorization status/results of the network slice from the AMF or AAA server and sends this information to the other AMFs to which the UE is connected. Further, the UDM subscribes to the AMF or AAA server for the authentication and authorization status/results of the network slice. The AMF subscribes to the UDM for the authentication and authorization status/results of the network slice.
The UDM or AMF subscribes to the authentication and authorization status/results of the network slice with the AAA server. Further, the AAA server informs the UDM or AMF of the authentication and authorization status/results of the network slice. The UDM informs the AMF of the authentication and authorization status/results of the network slice.
The UE sends the authentication and authorization status/results of the network slice to the AMF. Further, after the AMF receives the information provided by the UE, it may verify the validity of that information with the AAA server through the AUSF.
The scheme provided by the embodiment of the invention solves the problem that the specific authentication and authorization states/results of the network slice cannot be synchronized among different AMFs.
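As an added illustration (not code from the patent), the following Python sketch models the subscribe-and-notify flow summarized above: a notifier in the AUSF or AAA server role records which AMF is to be notified and informs it only when the result for an S-NSSAI changes, and the notified AMF updates its Allowed NSSAI and rejected S-NSSAI. The class names, result labels, UE and session identifiers, and the choice to release PDU sessions only on a failed result are assumptions of this sketch.

```python
from dataclasses import dataclass, field

SUCCESS, FAILURE = "SUCCESS", "FAILURE"  # constructed result labels

@dataclass
class UeContext:  # what one AMF stores locally for one UE
    allowed_nssai: set = field(default_factory=set)
    rejected_snssai: set = field(default_factory=set)
    results: dict = field(default_factory=dict)       # S-NSSAI -> last result
    pdu_sessions: dict = field(default_factory=dict)  # session id -> S-NSSAI

class Amf:
    def __init__(self, name):
        self.name, self.ues, self.released = name, {}, []

    def on_result_notification(self, ue, snssai, result):
        """Update local state only if the notified result differs from it."""
        ctx = self.ues.setdefault(ue, UeContext())
        if ctx.results.get(snssai) == result:
            return False
        ctx.results[snssai] = result
        if result == SUCCESS:
            ctx.rejected_snssai.discard(snssai)
            ctx.allowed_nssai.add(snssai)
        else:  # assumption: a failed result also releases sessions on the slice
            ctx.allowed_nssai.discard(snssai)
            ctx.rejected_snssai.add(snssai)
            for sid in [s for s, n in ctx.pdu_sessions.items() if n == snssai]:
                del ctx.pdu_sessions[sid]
                self.released.append((ue, sid))
        return True

class Notifier:  # AUSF or AAA server role
    def __init__(self):
        self.subs, self.current = {}, {}  # both keyed by (UE, S-NSSAI)

    def subscribe(self, ue, snssai, amf):
        """Record the AMF to be notified for this UE and S-NSSAI."""
        self.subs.setdefault((ue, snssai), []).append(amf)

    def report(self, ue, snssai, result, source=None):
        """Take a result from the first AMF or AAA server; notify on change."""
        key = (ue, snssai)
        if self.current.get(key) == result:
            return []  # unchanged result: nobody is notified
        self.current[key] = result
        targets = [a for a in self.subs.get(key, []) if a is not source]
        for amf in targets:
            amf.on_result_notification(ue, snssai, result)
        return [a.name for a in targets]

def demo():
    amf1, amf2, ausf = Amf("AMF1"), Amf("AMF2"), Notifier()
    ue, s1 = "ue-001", "S-NSSAI1"  # constructed identifiers
    ausf.subscribe(ue, s1, amf2)
    first = ausf.report(ue, s1, SUCCESS, source=amf1)   # AMF1 ran the procedure
    amf2.ues[ue].pdu_sessions[5] = s1                   # UE opens a session via AMF2
    repeat = ausf.report(ue, s1, SUCCESS, source=amf1)  # same result again
    revoked = ausf.report(ue, s1, FAILURE)              # change from the AAA server
    return first, repeat, revoked, amf2
```

The unchanged second report produces no notification, so a second AMF that missed the first one would stay stale; the subscription has to be in place before the first result is reported.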
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (6)

1. An authentication and authorization result notification method applied to an authentication service function, comprising the following steps:
obtaining authentication and authorization results of the network slice from the first access and mobility management function AMF or an authentication, authorization and accounting AAA server;
when the authentication and authorization result for the S-NSSAI changes, notifying the changed authentication and authorization result to the second AMF;
the authentication and authorization result of the network slice is an authentication and authorization result obtained by the first AMF after the authentication and authorization process of the network slice is executed; the first AMF and the second AMF are AMFs respectively registered when the UE connects to different PLMNs through different access types at the same time.
2. The method of claim 1 wherein the second AMF notified by the authentication service function is an AMF to be notified set by the second AMF or UDM when subscribing to authentication and authorization results of the S-NSSAI with the authentication service function or AAA server.
3. A communication device, comprising:
a processor for reading the program in the memory, performing the following process:
obtaining authentication and authorization results of the network slice from the first access and mobility management function AMF or an authentication, authorization and accounting AAA server;
when the authentication and authorization result for the S-NSSAI changes, notifying the changed authentication and authorization result to the second AMF;
the authentication and authorization result of the network slice is an authentication and authorization result obtained by the first AMF after the authentication and authorization process of the network slice is executed; the first AMF and the second AMF are AMFs respectively registered when the UE connects to different PLMNs through different access types at the same time.
4. The apparatus of claim 3 wherein the second AMF notified by the authentication service function is an AMF to be notified set by the second AMF or UDM when subscribing to authentication and authorization results of the S-NSSAI with the authentication service function or AAA server.
5. An authentication and authorization result notification device applied to an authentication service function, comprising:
an obtaining module, configured to obtain an authentication and authorization result of the network slice from the first access and mobility management function AMF or the authentication, authorization and accounting AAA server;
the notification module is used for notifying the changed authentication and authorization result to the second AMF when the authentication and authorization result for the S-NSSAI changes;
the authentication and authorization result of the network slice is an authentication and authorization result obtained by the first AMF after the authentication and authorization process of the network slice is executed; the first AMF and the second AMF are AMFs respectively registered when the UE connects to different PLMNs through different access types at the same time.
6. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for executing the method of any one of claims 1 to 2.
CN202310180184.3A 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, device, apparatus and medium thereof Pending CN116193430A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310180184.3A CN116193430A (en) 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, device, apparatus and medium thereof

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010264064.8A CN113498059B (en) 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, equipment, device and medium thereof
CN202310180184.3A CN116193430A (en) 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, device, apparatus and medium thereof

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202010264064.8A Division CN113498059B (en) 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, equipment, device and medium thereof

Publications (1)

Publication Number Publication Date
CN116193430A true CN116193430A (en) 2023-05-30

Family

ID=77995445

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010264064.8A Active CN113498059B (en) 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, equipment, device and medium thereof
CN202310180184.3A Pending CN116193430A (en) 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, device, apparatus and medium thereof

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010264064.8A Active CN113498059B (en) 2020-04-07 2020-04-07 Authentication and authorization result notification and processing method, equipment, device and medium thereof

Country Status (1)

Country Link
CN (2) CN113498059B (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018231027A1 (en) * 2017-06-17 2018-12-20 엘지전자(주) Method for registering terminal in wireless communication system and apparatus therefor
CN109429295B (en) * 2017-08-31 2021-11-23 中兴通讯股份有限公司 Method for selecting AMF, system and storage medium
CN110167025B (en) * 2018-02-13 2021-01-29 华为技术有限公司 Communication method and communication device
JP7047921B2 (en) * 2018-02-16 2022-04-05 日本電気株式会社 Communication device, first network device, method of communication device, and method of first network device
KR102391819B1 (en) * 2018-04-09 2022-04-29 삼성전자주식회사 Method and apparatus using network slicing
US11388661B2 (en) * 2018-04-14 2022-07-12 Telefonaktiebolaget Lm Ericsson (Publ) Network slice configuration update
KR102569538B1 (en) * 2018-09-18 2023-08-22 광동 오포 모바일 텔레커뮤니케이션즈 코포레이션 리미티드 Method and Apparatus for Network Slice Authentication

Also Published As

Publication number Publication date
CN113498059B (en) 2023-03-10
CN113498059A (en) 2021-10-12

Similar Documents

Publication Publication Date Title
US11844014B2 (en) Service authorization for indirect communication in a communication system
US11496320B2 (en) Registration method and apparatus based on service-based architecture
CN113424564A (en) System and method for device triggered re-authentication supporting slice-specific secondary authentication and authorization
CN113438196B (en) Service authorization method, device and system
US11895487B2 (en) Method for determining a key for securing communication between a user apparatus and an application server
WO2018202284A1 (en) Authorizing access to user data
CN112105021B (en) Authentication method, device and system
EP2466759B1 (en) Method and system for changing a selected home operator of a machine to machine equipment
CN113498060B (en) Method, device, equipment and storage medium for controlling network slice authentication
US20230396602A1 (en) Service authorization method and system, and communication apparatus
JP2023519997A (en) Method and communication apparatus for securing terminal parameter updates
KR102127028B1 (en) Method and device for internet protocol multimedia subsystem terminal to access network
CN113498059B (en) Authentication and authorization result notification and processing method, equipment, device and medium thereof
US20230370840A1 (en) Method, ue, and network entity for handling synchronization of security key in wireless network
TW202245442A (en) Communication method and apparatus
JP2024517897A (en) Method, device and storage medium for authentication of NSWO services
CN115396895A (en) Service authorization method and device
CN114978556A (en) Slice authentication method, device and system
JP2023552486A (en) Target information acquisition method, transmission method, apparatus, device and storage medium
WO2021079023A1 (en) Inter-mobile network communication security
CN114024693A (en) Authentication method, authentication device, session management function entity, server and terminal
CN111464324A (en) Secure communication method, device and system
CN113676903B (en) Slice authentication authorization management method, device and system
WO2016180145A1 (en) Wireless network authentication method and core network element, access network element and terminal
US20240187860A1 (en) Methods and means for providing access to external networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination