Authentication and authorization method and device

Document number: 1957175. Publication date: 2021-12-10.

Reading note: this technology, "Authentication and authorization method and device", was designed by 吴义壮 on 2020-05-22. Abstract: The application provides a method and a device for authentication and authorization. The method may comprise the following steps: a session management network element receives a session establishment request message from a terminal device, where the session establishment request message is used to request establishment of a session with a data network; the session management network element determines whether an authentication result of the data network for the terminal device exists; when the session management network element determines that the authentication result exists, it does not initiate a secondary authentication process for the session, i.e., it skips the secondary authentication process. In this application, the session management network element can decide to skip the secondary authentication process on the basis that the data network has already authenticated the terminal device, so the method applies to more scenarios, reduces the signaling overhead caused by repeatedly executing secondary authentication, and is simple to implement.

1. A method for authentication and authorization, comprising:

receiving a session establishment request message from a terminal device, wherein the session establishment request message is used for requesting to establish a session with a data network;

judging whether an authentication result of the data network to the terminal equipment exists or not;

and when the authentication result exists, skipping a secondary authentication process for the session.

2. The method of claim 1, wherein the authentication result comprises authentication authorization information, and wherein the authentication authorization information comprises one or more of the following:

one or more data network identifications, identifications of authentication network elements of the data network, aging information, indexes of authorization texts of the data network, an aggregated maximum bit rate of sessions authorized by the data network, allowed media access control addresses, allowed virtual local area networks, and information for indicating reporting of session information.

3. The method of claim 1, further comprising:

and when the authentication result does not exist, initiating a secondary authentication process for the session, or suspending the session.

4. The method of claim 3,

after initiating a secondary authentication procedure for the session, the method further comprises:

suspending the session according to first indication information sent by the terminal device or an authentication network element of the data network,

the first indication information is used for indicating the data network to perform secondary authentication on another session of the terminal equipment.

5. The method according to claim 3, wherein the initiating the secondary authentication procedure for the session or suspending the session when the authentication result does not exist comprises:

when the authentication result does not exist, judging whether the data network carries out secondary authentication on another session of the terminal equipment or not;

when the data network carries out secondary authentication on another session of the terminal equipment, suspending the session; or

and when the data network does not perform secondary authentication on another session of the terminal equipment, initiating a secondary authentication process on the session.

6. The method of claim 5, wherein after suspending the session, the method further comprises:

and acquiring an authentication result of the data network for another session of the terminal equipment, wherein the authentication result of the other session is used for indicating that the secondary authentication for the other session is successful or failed.

7. The method of claim 6,

when the authentication result of the other session indicates that the secondary authentication of the other session is successful, skipping a secondary authentication process for the session and continuing a subsequent establishment process of the session; or

refusing to establish the session when the authentication result of the other session indicates that secondary authentication for the other session fails.

8. The method of claim 3,

in case of initiating a secondary authentication procedure for the session, the method further comprises:

after successful secondary authentication of the session, determining whether to store an authentication result of the session according to any of: session attributes, local policy or second indication information for the session,

wherein the second indication information is: information from an authentication network element of the data network or from the terminal device indicating whether to store an authentication result of the session.

9. The method according to any one of claims 1 to 8, wherein the determining whether there is an authentication result of the data network to the terminal device comprises:

judging whether the authentication result exists locally; or

judging whether the unified data management network element has the authentication result or not; or

judging whether the authentication result exists according to third indication information from the terminal equipment or an authentication network element of the data network; or

and judging whether the authenticated data set has the authentication result.

10. The method of claim 9, wherein the determining whether the authentication result exists in the authenticated data set comprises:

determining that the authentication result exists when the authenticated dataset includes an identification of the data network; or

determining that the authentication result is not present when the authenticated data set does not include an identification of the data network.

11. A method for authentication and authorization, comprising:

sending a session establishment request message to a session management network element, wherein the session establishment request message is used for requesting to establish a session with a data network;

in the process of performing secondary authentication on the session with the data network, judging whether the data network performs secondary authentication on another session of the terminal equipment;

and when the data network performs secondary authentication on another session of the terminal equipment, sending first indication information to the session management network element, wherein the first indication information is used for indicating the data network to perform secondary authentication on another session of the terminal equipment.

12. The method of claim 11, wherein the determining that the data network secondarily authenticates another session of a terminal device during the secondarily authenticating the session with the data network comprises:

and after receiving the identity authentication protocol request message from the session management network element, judging whether the data network carries out secondary authentication on another session of the terminal equipment.

13. The method according to claim 11 or 12, characterized in that the method further comprises:

and after the data network finishes the secondary authentication of the other session of the terminal equipment, sending an authentication result of the other session to the session management network element, wherein the authentication result of the other session is used for indicating the success or failure of the secondary authentication of the other session.

14. The method of claim 13, further comprising:

determining, according to one or more of stored information and the session attribute of the session, to send the authentication result of the other session to the session management network element after the data network finishes the secondary authentication of the other session of the terminal equipment;

wherein, the stored information is used to indicate that after the secondary authentication of another session of the terminal device by the data network is finished, the authentication result of the another session is sent to the session management network element.

15. A method for authentication and authorization, comprising:

receiving an authentication authorization message from a session management network element, wherein the authentication authorization message is used for a data network to verify whether a terminal device is authorized to establish a session for accessing the data network;

judging whether an authentication result of the data network to the terminal equipment exists or not, or judging whether the data network carries out secondary authentication on another session of the terminal equipment;

and sending first indication information to the session management network element, where the first indication information is used to indicate whether there is an authentication result of the data network for the terminal device, or the first indication information is used to indicate that the data network performs secondary authentication for another session of the terminal device.

16. The method of claim 15, wherein if it is determined that the data network secondarily authenticates another session of the terminal device, the method further comprises:

and after the data network finishes the secondary authentication of the other session of the terminal equipment, sending an authentication result of the other session to the session management network element, wherein the authentication result of the other session is used for indicating the success or failure of the secondary authentication of the other session.

17. The method according to any one of claims 11 to 16, further comprising:

and sending second indication information to the session management network element, wherein the second indication information is used for indicating whether information of the authentication result of the data network to the terminal equipment is stored or not.

18. An apparatus for authentication and authorization, characterized in that it comprises means for implementing the method according to any one of claims 1 to 17.

19. An apparatus for authentication and authorization, comprising:

a processor configured to execute computer instructions stored in a memory, to cause the apparatus to perform the method of any one of claims 1 to 17.

20. A computer-readable storage medium, on which a computer program is stored which, when executed by a computer, causes the method of any one of claims 1 to 17 to be carried out.

Technical Field

The present application relates to the field of communications, and more particularly, to a method and apparatus for authentication and authorization.

Background

In terms of network security, a primary task of a network is to authenticate and authorize the terminal devices that access it. One commonly used authentication method is secondary authentication. After a terminal device accesses the operator network and the first-level authentication between the terminal device and the operator network succeeds, a network connection is established between the terminal device and the operator network. If the terminal device needs to access a data network (DN), the terminal device establishes a protocol data unit (PDU) session with the operator network. During establishment of the PDU session between the terminal device and the operator network, second-level authentication is performed between the terminal device and the authentication network element corresponding to the DN.

In actual communication, one terminal device may in some scenarios establish two or more PDU sessions for the same DN. For secondary authentication in such multi-session scenarios, a commonly used scheme is to determine whether the data network names (DNNs) of the two PDU sessions are the same in order to decide whether to execute secondary authentication.

Specifically, the terminal device initiates a first PDU session establishment request, and after performing secondary authentication, stores authentication information, where the authentication information includes DNN. When the terminal equipment initiates a second PDU session establishment request, if DNN in the second PDU session establishment request is the same as DNN in the stored authentication information of the first PDU session, determining not to execute a secondary authentication process; and if the DNN in the second PDU session establishment request is different from the DNN in the stored authentication information of the first PDU session, determining to execute a secondary authentication process.

The method for determining whether to execute the secondary authentication procedure according to whether the DNNs of two PDU sessions are the same or not has limited application scenarios, and may cause multiple PDU sessions accessing the same DN to execute multiple secondary authentication procedures, thereby causing additional signaling overhead.

Disclosure of Invention

The application provides a method and a device for authentication and authorization that apply to more scenarios, reduce the signaling overhead caused by repeated execution of secondary authentication, and are simple to implement.

In a first aspect, a method for authentication and authorization is provided. The method may be executed by the session management network element, or may also be executed by a chip or a chip system or a circuit configured in the session management network element, which is not limited in this application.

The method can comprise the following steps: receiving a session establishment request message from a terminal device, wherein the session establishment request message is used for requesting to establish a session with a data network; judging whether an authentication result of the data network to the terminal equipment exists or not; and when the authentication result exists, skipping a secondary authentication process for the session.

As an example, the authentication result is authentication success, that is, the data network has authenticated the terminal device, and the authentication authorization is successful. In this example, the secondary authentication procedure is skipped for the session, that is, the secondary authentication procedure may be skipped and the session may be established using the authentication authorization information (i.e., the authentication authorization information that is successfully authenticated).

As yet another example, the authentication result is authentication failure, that is, the data network has authenticated the terminal device and the authentication authorization has failed. In this example, the secondary authentication flow is skipped for the session. At this point, the session may be denied. Alternatively, it may be determined whether to deny the establishment of the session based on the reason for the failure.

Based on the above technical solution, in the session establishment process, the session management network element may determine whether to initiate a secondary authentication procedure according to whether the data network (or the authentication network element of the data network) has already authenticated the terminal device; the authentication and authorization procedure is the one by which the data network authenticates and authorizes the terminal device to establish a session for accessing the data network. For example, where an authentication result exists, the secondary authentication procedure is skipped for the session. The method therefore applies to more scenarios and also avoids repeating the secondary authentication procedure when different data network names (DNNs) are used. With the embodiments of the application, the session management network element avoids repeating the secondary authentication procedure as far as possible even if different DNNs are used to access the data network.

With reference to the first aspect, in certain implementations of the first aspect, the authentication result includes authentication authorization information, and the authentication authorization information includes one or more of the following: one or more data network identifications, identifications of authentication network elements of the data network, aging information, indexes of authorization texts of the data network, an aggregated maximum bit rate of sessions authorized by the data network, allowed media access control addresses, allowed virtual local area networks, and information for indicating reporting of session information.

With reference to the first aspect, in certain implementations of the first aspect, the method further includes: and when the authentication result does not exist, initiating a secondary authentication process for the session, or suspending the session.

Illustratively, suspending a session, or suspending session establishment, means temporarily stopping establishment of the session, or temporarily stopping the secondary authentication procedure for the session, or waiting for the authentication result of another session.

For example, in case it is determined that the session is suspended, a secondary authentication result may be requested from, or subscribed to at, the unified data management network element.

In one scenario, the terminal device carries indication information in the session establishment request message, indicating that the session is a redundant session. In this scenario, based on the indication, the secondary authentication may be skipped directly, or the session may be suspended and the authentication result of another session may be reused.

In another scenario, the terminal device initiates two sessions simultaneously, and the session establishment request message includes indication information indicating that the session is to be suspended or that the data network is performing secondary authentication on another session. In this scenario, based on the indication information, the secondary authentication procedure may be skipped and the session suspended.

Based on the technical scheme, the method and the device can be suitable for a scene of simultaneously establishing a plurality of sessions, or a scene of performing secondary authentication on the data network and the terminal equipment when a session establishment request is initiated. Thereby, the process of repeatedly executing the secondary authentication can be further avoided.

With reference to the first aspect, in some implementations of the first aspect, after initiating the secondary authentication procedure for the session, the method further includes: and suspending the session according to first indication information sent by the terminal device or an authentication network element of the data network, wherein the first indication information is used for indicating the data network to perform secondary authentication on another session of the terminal device.

Illustratively, the first indication information may also be used to indicate that the session is suspended. It should be understood that specific contents indicated by the first indication information may not be limited, and any manner for enabling the session management network element to suspend the session based on the indication of the terminal device or the authentication network element of the data network falls within the protection scope of the embodiment of the present application.

Based on this technical solution, when the authentication result does not exist, a secondary authentication procedure can be initiated. During the secondary authentication procedure, the terminal device or the data network (or the authentication network element of the data network) determines that the data network and/or the terminal device is currently performing secondary authentication (i.e., on another session), and may send a suspension indication (i.e., the first indication information), so that the session management network element can suspend the session according to the indication information, i.e., temporarily stop establishing the session. The terminal device or the data network (or the authentication network element of the data network), acting as a centralized control point, can thus indicate that secondary authentication is already being executed, which avoids the signaling overhead of repeating the secondary authentication procedure.

With reference to the first aspect, in certain implementations of the first aspect, the method further includes: when the authentication result does not exist, judging whether the data network carries out secondary authentication on another session of the terminal equipment or not; when the data network carries out secondary authentication on another session of the terminal equipment, suspending the session; or when the data network does not perform secondary authentication on another session of the terminal equipment, initiating a secondary authentication process on the session.

Based on the above technical solution, the session management network element may determine whether the data network is performing the secondary authentication or not when it is determined that the authentication result does not exist.

With reference to the first aspect, in certain implementations of the first aspect, after suspending the session, the method further includes: and acquiring an authentication result of the data network for another session of the terminal equipment, wherein the authentication result of the other session is used for indicating that the secondary authentication for the other session is successful or failed.

Illustratively, a result of an authentication of the data network for another session of the terminal device is saved.

Illustratively, the authentication result of the data network for another session of the terminal device is obtained from any one of: the authentication network element of the data network, the terminal equipment, the unified data management network element, or local storage.

With reference to the first aspect, in some implementations of the first aspect, when the authentication result of the another session indicates that the secondary authentication of the another session is successful, the secondary authentication procedure is skipped for the session, and a subsequent establishment procedure of the session is continued; or, when the authentication result of the other session indicates that the secondary authentication for the other session fails, refusing to establish the session.

For example, in a case that the authentication result of the other session indicates that the secondary authentication for the other session fails, the session management network element may also determine whether to reject establishing the session and/or whether to save the authentication result according to the reason of the failure.

Based on the technical scheme, the secondary authentication process can be skipped, and the terminal equipment or the data network (or the authentication network element of the data network) directly sends the authentication authorization result to the session management network element, so that the signaling overhead caused by repeatedly executing the secondary authentication process is avoided.

With reference to the first aspect, in some implementations of the first aspect, in a case where a secondary authentication procedure is initiated for the session, the method further includes: after successful secondary authentication of the session, determining whether to store an authentication result of the session according to any of: the session attribute, the local policy or second indication information of the session, wherein the second indication information is: information from an authentication network element of the data network or from the terminal device indicating whether to store an authentication result of the session.

With reference to the first aspect, in some implementations of the first aspect, the determining whether there is an authentication result of the data network for the terminal device includes: judging whether the authentication result exists locally; or, judging whether the authentication result exists in the unified data management network element; or, judging whether the authentication result exists according to third indication information from the terminal device or an authentication network element of the data network; or, judging whether the authenticated data set has the authentication result.

Illustratively, the authenticated data set may be obtained locally or from a unified data management network element.

Illustratively, the authenticated data set represents authenticated authentication results, wherein the authenticated authentication results may include authentication results that have been successfully authenticated and/or authentication results that have failed to be authenticated. For example, it may be checked from the result of successful authentication whether there is information that the data network has authenticated the terminal device, and if so, it indicates that the data network has authenticated the terminal device, and the authentication result is successful authentication. For another example, it may be checked whether there is information that the data network has authenticated the terminal device from the result of authentication failure, and if so, it indicates that the data network has authenticated the terminal device, and the authentication result is authentication failure.

For example, the third indication information is from the terminal device, and the third indication information may be embodied as a session identifier. This example may be used for high-reliability low-latency communication scenarios.

For example, when the session (e.g., denoted as session #1) is established, the terminal device simultaneously carries a session identifier (e.g., session ID) of another session (e.g., denoted as session #2). This indicates that session #1 and session #2 are redundant with each other, i.e., they access the same data network. For such a session #1, the session management network element may further determine that no secondary authentication needs to be initiated, or reuse the authentication authorization result of the other session #2.

For yet another example, the third indication information is from a terminal device, and the third indication information may be embodied as DNN. This example may be used for high-reliability low-latency communication scenarios.

For example, the terminal device simultaneously carries the DNN of another session (e.g., denoted as session #2) when establishing the session (e.g., denoted as session #1). This indicates that session #1 is a session to the same data network under a DNN different from the earlier one. For such a session #1, the session management network element may further determine that no secondary authentication needs to be initiated, or reuse the authentication authorization result of the other session #2.

With reference to the first aspect, in some implementations of the first aspect, the determining whether the authentication result exists in the authenticated dataset includes: determining that the authentication result exists when the authenticated dataset includes an identification of the data network; alternatively, it is determined that the authentication result does not exist when the authenticated data set does not include an identification of the data network.
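The first-aspect decision flow described above, sketched as an added example; it is not code from the application. The class and method names, the `aaa_for_dnn` mapping from DNN to authentication network element, aging information modelled as an expiry time, and rejecting outright on a stored failure (one of the two options the text allows) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    SKIP = "skip secondary authentication, continue establishment"
    REJECT = "reject session establishment"
    SUSPEND = "suspend until the other session's result is known"
    INITIATE = "initiate secondary authentication"


@dataclass(frozen=True)
class AuthResult:
    success: bool
    dn_ids: frozenset   # data network identifications covered by this result
    expires_at: float   # aging information, modelled here as an expiry time


@dataclass
class SessionManager:
    # Assumption: local configuration mapping each DNN to the identifier of
    # the data network's authentication network element.
    aaa_for_dnn: dict
    results: dict = field(default_factory=dict)      # ue -> [AuthResult]
    in_progress: dict = field(default_factory=dict)  # (ue, aaa) -> session id
    suspended: dict = field(default_factory=dict)    # (ue, aaa) -> [session id]

    def _lookup(self, ue, dnn, now):
        """Return an unexpired result whose DN identifications include dnn."""
        live = [r for r in self.results.get(ue, []) if r.expires_at > now]
        self.results[ue] = live  # aged-out results are dropped, never reused
        return next((r for r in live if dnn in r.dn_ids), None)

    def handle_request(self, ue, session_id, dnn, now):
        result = self._lookup(ue, dnn, now)
        if result is not None:
            # A stored failure is honoured too: skip the exchange and reject.
            return Decision.SKIP if result.success else Decision.REJECT
        key = (ue, self.aaa_for_dnn[dnn])
        if key in self.in_progress:
            # Another session of this UE is being authenticated right now.
            self.suspended.setdefault(key, []).append(session_id)
            return Decision.SUSPEND
        self.in_progress[key] = session_id
        return Decision.INITIATE

    def complete_auth(self, ue, dnn, success, dn_ids, ttl, now, store=True):
        """Record the outcome and resolve sessions suspended on it.

        store=False models second indication information asking the session
        management network element not to keep the result.
        """
        key = (ue, self.aaa_for_dnn[dnn])
        self.in_progress.pop(key, None)
        if store:
            self.results.setdefault(ue, []).append(
                AuthResult(success, frozenset(dn_ids), now + ttl))
        outcome = Decision.SKIP if success else Decision.REJECT
        return {sid: outcome for sid in self.suspended.pop(key, [])}


def demo():
    # Constructed sample: two DNNs served by the same authentication element.
    smf = SessionManager({"corp-a": "aaa-1", "corp-b": "aaa-1", "iot": "aaa-2"})
    trace = []
    trace.append(smf.handle_request("ue1", 1, "corp-a", now=0))    # INITIATE
    trace.append(smf.handle_request("ue1", 2, "corp-b", now=1))    # SUSPEND
    resumed = smf.complete_auth("ue1", "corp-a", True,
                                {"corp-a", "corp-b"}, ttl=100, now=2)
    trace.append(resumed[2])                                       # SKIP
    trace.append(smf.handle_request("ue1", 3, "corp-b", now=50))   # SKIP
    trace.append(smf.handle_request("ue2", 4, "corp-b", now=50))   # INITIATE
    trace.append(smf.handle_request("ue1", 5, "corp-b", now=200))  # INITIATE
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step.name)
```

The last two steps show the boundaries a reviewer would check: a stored result is scoped to the terminal device it was issued for, and an aged-out result forces a fresh secondary authentication.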

In a second aspect, a method for authentication and authorization is provided. The method may be executed by the session management network element, or may also be executed by a chip or a chip system or a circuit configured in the session management network element, which is not limited in this application.

The method can comprise the following steps: receiving a session establishment request message from a terminal device, wherein the session establishment request message is used for requesting to establish a session with a data network; judging whether the data network carries out secondary authentication on the other session of the terminal equipment; when the data network carries out secondary authentication on another session of the terminal equipment, suspending the session.

Based on the above technical solution, in the session establishment process, the session management network element may determine whether to suspend the session according to whether the data network (or the authentication network element of the data network) is authenticating the terminal device (i.e., authenticating another session of the terminal device). For example, when the data network performs secondary authentication on another session of the terminal device, the session may be suspended, an authentication result of the other session may be waited for, and whether to initiate secondary authentication or whether to establish the session may be determined according to the authentication result of the other session. Therefore, the method can be applied to more scenes, and can also avoid repeatedly executing the process of secondary authentication under the scene that another session is carrying out secondary authentication when a session establishment request is initiated. By the embodiment of the application, repeated execution of the secondary authentication process can be avoided as far as possible.

With reference to the second aspect, in some implementations of the second aspect, the suspending the session when the data network authenticates another session of the terminal device for the second time includes: and suspending the session according to first indication information carried in the session establishment request message, wherein the first indication information is used for indicating the data network to perform secondary authentication on another session of the terminal equipment.

With reference to the second aspect, in some implementations of the second aspect, after suspending the session, the method further includes: and acquiring an authentication result of the data network for another session of the terminal equipment, wherein the authentication result of the other session is used for indicating that the secondary authentication for the other session is successful or failed.

Illustratively, the authentication result of the data network for another session of the terminal device is obtained from any one of: the authentication network element of the data network, the terminal equipment, the unified data management network element, or local storage.

With reference to the second aspect, in certain implementations of the second aspect, the method further includes: when the authentication result of the other session indicates that the secondary authentication of the other session is successful, skipping a secondary authentication process for the session and continuing a subsequent establishment process of the session; or, when the authentication result of the other session indicates that the secondary authentication for the other session fails, refusing to establish the session.

Based on the above technical solution, after it is determined whether secondary authentication is being performed, it can further be determined whether an authentication result exists, that is, whether the data network has already authenticated the terminal device, so that repeated authentication can be avoided.

With reference to the second aspect, in certain implementations of the second aspect, the method further includes: when the data network is not performing secondary authentication on another session of the terminal device, judging whether an authentication result of the data network for the terminal device exists; when the authentication result exists, skipping the secondary authentication process for the session; or, when the authentication result does not exist, initiating a secondary authentication process for the session.

With reference to the second aspect, in some implementations of the second aspect, in a case where a secondary authentication process is initiated for the session, the method further includes: after the secondary authentication of the session succeeds, determining whether to store the authentication result of the session according to any of: a session attribute of the session, a local policy, or second indication information, wherein the second indication information is information from an authentication network element of the data network or from the terminal device indicating whether to store the authentication result of the session.

With reference to the second aspect, in some implementations of the second aspect, the determining whether there is an authentication result of the data network for the terminal device includes: judging whether the authentication result exists locally; or, judging whether the authentication result exists in the unified data management network element; or, judging whether the authentication result exists according to third indication information from the terminal device or an authentication network element of the data network; or, judging whether the authenticated data set has the authentication result.

With reference to the second aspect, in certain implementations of the second aspect, the authenticated data set comprises a successfully authenticated data set; the determining whether the authentication result exists in the authenticated data set includes: determining that the authentication result exists when the successfully authenticated data set includes an identification of the data network; determining that the authentication result is not present when the successfully authenticated data set does not include an identification of the data network.
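The second-aspect decision logic described above can be modelled as a small in-memory state machine. The following Python sketch is an added example, not code from the application; the class and field names, the (UE, data network) cache key, and the rule that the second indication information overrides the local policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    SUSPEND = "suspend"            # wait for the other session's authentication result
    SKIP_SECONDARY_AUTH = "skip"   # reuse an existing result and continue establishment
    START_SECONDARY_AUTH = "start" # no result found: initiate secondary authentication
    REJECT = "reject"              # the other session's secondary authentication failed


@dataclass
class SessionRequest:
    ue_id: str                            # hypothetical terminal identifier
    dn_id: str                            # identification of the data network
    session_id: int
    other_auth_in_progress: bool = False  # "first indication information"
    result_exists_hint: bool = False      # "third indication information"


@dataclass
class Smf:
    """Session management network element, reduced to its authentication bookkeeping."""
    local_results: set = field(default_factory=set)        # (ue_id, dn_id) stored locally
    udm_results: set = field(default_factory=set)          # stand-in for a UDM query
    authenticated_dns: dict = field(default_factory=dict)  # ue_id -> successfully authenticated DNs
    suspended: dict = field(default_factory=dict)          # (ue_id, dn_id) -> [session_id, ...]

    def has_result(self, req):
        """Check the four sources the text lists for an existing authentication result."""
        key = (req.ue_id, req.dn_id)
        if key in self.local_results or key in self.udm_results:
            return True
        # The text accepts an indication from the terminal device or the DN's
        # authentication network element; it does not say how it is validated.
        if req.result_exists_hint:
            return True
        return req.dn_id in self.authenticated_dns.get(req.ue_id, set())

    def on_session_request(self, req):
        """Decide what to do with a session establishment request."""
        if req.other_auth_in_progress:
            key = (req.ue_id, req.dn_id)
            self.suspended.setdefault(key, []).append(req.session_id)
            return Decision.SUSPEND
        if self.has_result(req):
            return Decision.SKIP_SECONDARY_AUTH
        return Decision.START_SECONDARY_AUTH

    def on_other_session_result(self, ue_id, dn_id, success):
        """Resolve every session suspended on this (UE, DN) pair."""
        decision = Decision.SKIP_SECONDARY_AUTH if success else Decision.REJECT
        waiting = self.suspended.pop((ue_id, dn_id), [])
        return {session_id: decision for session_id in waiting}

    def on_secondary_auth_success(self, req, store_indication=None, local_policy_store=True):
        """Store the result if the second indication (when present) or local policy says so.

        Assumption: an explicit indication takes precedence over the local policy.
        """
        store = local_policy_store if store_indication is None else store_indication
        if store:
            self.local_results.add((req.ue_id, req.dn_id))
            self.authenticated_dns.setdefault(req.ue_id, set()).add(req.dn_id)
        return store


if __name__ == "__main__":
    smf = Smf()
    first = SessionRequest("ue-1", "dn-a", session_id=1)   # constructed sample input
    print(smf.on_session_request(first))                   # no result yet
    second = SessionRequest("ue-1", "dn-a", session_id=2, other_auth_in_progress=True)
    print(smf.on_session_request(second))                  # suspended behind session 1
    smf.on_secondary_auth_success(first)
    print(smf.on_other_session_result("ue-1", "dn-a", success=True))
```

Keying the cache on both the terminal and the data network keeps a result obtained for one data network from being reused for a session with a different one.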

In a third aspect, an authentication and authorization method is provided. The method may be executed by the terminal device, or may also be executed by a chip or a chip system or a circuit configured in the terminal device, which is not limited in this application.

The method can comprise the following steps: judging that an authentication result of the data network to the terminal equipment exists; and sending a session establishment request message and first indication information to a session management network element, wherein the session establishment request message is used for requesting to establish a session with the data network, and the first indication information is used for indicating that an authentication result of the data network for the terminal equipment exists.

In a fourth aspect, an authentication and authorization method is provided. The method may be executed by the terminal device, or may also be executed by a chip or a chip system or a circuit configured in the terminal device, which is not limited in this application.

The method can comprise the following steps: determining that the data network is performing secondary authentication on another session of the terminal device; and sending a session establishment request message and first indication information to a session management network element, wherein the session establishment request message is used for requesting to establish a session with the data network, and the first indication information is used to indicate that the data network is performing secondary authentication on another session of the terminal device.

In a fifth aspect, an authentication and authorization method is provided. The method may be executed by the terminal device, or may also be executed by a chip or a chip system or a circuit configured in the terminal device, which is not limited in this application.

The method can comprise the following steps: sending a session establishment request message to a session management network element, wherein the session establishment request message is used for requesting to establish a session with a data network; in the process of performing secondary authentication on the session with the data network, judging whether the data network is performing secondary authentication on another session of the terminal device; and when the data network is performing secondary authentication on another session of the terminal device, sending first indication information to the session management network element, wherein the first indication information is used to indicate that the data network is performing secondary authentication on another session of the terminal device.

Based on the above technical solution, during session establishment (for example, in the process of performing secondary authentication on the session), the terminal device may decide whether to send a suspend indication to the session management network element according to whether the data network (or the authentication network element of the data network) is currently authenticating the terminal device (that is, authenticating another session of the terminal device). For example, when the data network is performing secondary authentication on another session of the terminal device, the terminal device may send a suspend indication; the authentication result of the other session is then waited for, and whether to initiate secondary authentication or whether to establish the session is determined according to that result. The method is therefore applicable to more scenarios, and it also avoids repeating the secondary authentication process when another session is already undergoing secondary authentication at the time the session establishment request is initiated. With the embodiments of the application, repeated execution of the secondary authentication process can be avoided as far as possible.

With reference to the third aspect, the fourth aspect, or the fifth aspect, in some implementations, the judging, in the process of performing secondary authentication on the session with the data network, whether the data network is performing secondary authentication on another session of the terminal device includes: after receiving the identity authentication protocol request message from the session management network element, judging whether the data network is performing secondary authentication on another session of the terminal device.

With reference to the third aspect, the fourth aspect, or the fifth aspect, in certain implementations, the method further includes: after the data network finishes the secondary authentication of the other session of the terminal device, sending an authentication result of the other session to the session management network element, wherein the authentication result of the other session is used to indicate whether the secondary authentication of the other session succeeded or failed.

With reference to the third aspect, the fourth aspect, or the fifth aspect, in some implementations, it is determined, according to one or more of stored information and a session attribute of the session, that an authentication result of another session is sent to the session management network element after a secondary authentication of the other session of the terminal device by the data network is completed, where the stored information is used to indicate that the authentication result of the other session is sent to the session management network element after the secondary authentication of the other session of the terminal device by the data network is completed.

With reference to the third aspect, the fourth aspect, or the fifth aspect, in certain implementations, the method further includes: sending second indication information to the session management network element, wherein the second indication information is used to indicate whether to store the authentication result of the data network for the terminal device.

In a sixth aspect, an authentication and authorization method is provided. The method may be executed by an authentication network element of a data network, or may also be executed by a chip or a chip system or a circuit configured in the authentication network element of the data network, which is not limited in this application.

The method can comprise the following steps: receiving an authentication authorization message from a session management network element, wherein the authentication authorization message is used for a data network to verify whether a terminal device is authorized to establish a session for accessing the data network; judging whether an authentication result of the data network to the terminal equipment exists or not, or judging whether the data network carries out secondary authentication on another session of the terminal equipment; and sending first indication information to the session management network element, where the first indication information is used to indicate whether there is an authentication result of the data network for the terminal device, or the first indication information is used to indicate that the data network performs secondary authentication for another session of the terminal device.

Based on the above technical solution, during session establishment the data network (or the authentication network element of the data network) determines whether a secondary authentication process is already being executed, so that it can skip the secondary authentication process and directly send an authentication and authorization result to the session management network element. The data network (or the authentication network element of the data network) thus acts as a centralized control point that judges and reuses the secondary authentication result, thereby avoiding the signaling overhead caused by repeatedly executing the secondary authentication process.

With reference to the sixth aspect, in some implementations of the sixth aspect, in a case that it is determined that the data network is performing secondary authentication on another session of the terminal device, the method further includes: after the data network finishes the secondary authentication of the other session of the terminal device, sending an authentication result of the other session to the session management network element, wherein the authentication result of the other session is used to indicate whether the secondary authentication of the other session succeeded or failed.

With reference to the sixth aspect, in certain implementations of the sixth aspect, the method further comprises: determining, according to one or more of stored information and a session attribute of the session, to send an authentication result of another session to the session management network element after the secondary authentication of the data network for the other session of the terminal device is finished, where the stored information is used to indicate that the authentication result of the other session is to be sent to the session management network element after the secondary authentication of the data network for the other session of the terminal device is finished.

With reference to the sixth aspect, in certain implementations of the sixth aspect, the method further comprises: sending second indication information to the session management network element, wherein the second indication information is used to indicate whether to store the authentication result of the data network for the terminal device.

In a seventh aspect, an authentication and authorization method is provided. The method may be executed by the session management network element and the unified data management network element, or may also be executed by a chip or a chip system or a circuit configured in the session management network element and the unified data management network element, which is not limited in this application.

The method can comprise the following steps: a session management network element receives a session establishment request message from terminal equipment, wherein the session establishment request message is used for requesting to establish a session with a data network; the session management network element sends a request message to a unified data management network element, wherein the request message is used for requesting the authentication result of the terminal equipment; the unified data management network element sends the authentication result of the terminal equipment to the session management network element; and when the authentication result of the data network to the terminal equipment exists, skipping the secondary authentication process for the session.

In an eighth aspect, an authentication and authorization apparatus is provided, the apparatus being configured to perform the method provided in the first aspect to the seventh aspect. In particular, the apparatus may comprise means for performing the methods provided in the first to seventh aspects.

In a ninth aspect, an authentication and authorization apparatus is provided that includes a processor. The processor is coupled to the memory and is operable to execute the instructions in the memory to implement the method of any one of the possible implementations of the first to seventh aspects. Optionally, the apparatus further comprises a memory. Optionally, the apparatus further comprises a communication interface, the processor being coupled to the communication interface for inputting and/or outputting information. The information includes at least one of instructions and data.

In one implementation, the apparatus is a device, such as a session management network element or an authentication network element of a data network or a terminal device. When the apparatus is a device, the communication interface may be a transceiver, or an input/output interface.

In another implementation, the apparatus is a chip or a system of chips. When the apparatus is a chip or a system of chips, the communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin, or a related circuit on the chip or the system of chips, and the like. The processor may also be embodied as a processing circuit or a logic circuit.

In another implementation, the apparatus is a chip or a system-on-chip configured in a device, such as a session management network element or an authentication network element of a data network or a terminal device.

Alternatively, the transceiver may be a transmit-receive circuit. Alternatively, the input/output interface may be an input/output circuit.

A tenth aspect provides a computer-readable storage medium having a computer program stored thereon, which, when executed by an apparatus, causes the apparatus to implement the method of the first to seventh aspects and any possible implementation manner of the first to seventh aspects.

In an eleventh aspect, there is provided a computer program product comprising instructions which, when executed by a computer, cause an apparatus to carry out the method provided in the first to seventh aspects.

In a twelfth aspect, a communication system is provided, which includes the session management network element, the terminal device, and the authentication network element of the data network, or includes the session management network element, the terminal device, the authentication network element of the data network, and the unified data management network element.

Drawings

Fig. 1 is a schematic diagram of a network architecture suitable for use in embodiments of the present application.

Fig. 2 shows a schematic diagram of the secondary authentication process.

Figs. 3 and 4 are schematic diagrams of multi-PDU-session scenarios applicable to an embodiment of the present application.

Fig. 5 shows a schematic diagram of multiple PDU sessions served by different SMFs.

Fig. 6 is a schematic diagram of an authentication and authorization method proposed according to an embodiment of the present application.

Fig. 7(1) and (2) show schematic diagrams of an authentication and authorization method suitable for an embodiment of the present application.

Fig. 8 shows a schematic diagram of an authentication and authorization method suitable for use in yet another embodiment of the present application.

Fig. 9 shows a schematic diagram of an authentication and authorization method suitable for use in another embodiment of the present application.

Fig. 10 shows a schematic diagram of an authentication and authorization method suitable for use in yet another embodiment of the present application.

Fig. 11 is a schematic block diagram of an authentication and authorization apparatus provided in an embodiment of the present application.

Fig. 12 is a schematic structural diagram of an authentication and authorization apparatus provided in an embodiment of the present application.

Detailed Description

The technical solution in the present application will be described below with reference to the accompanying drawings.

The technical solution provided by the application can be applied to various communication systems, such as a fifth generation (5G) mobile communication system or new radio (NR) access technology. The 5G mobile communication system may include a non-standalone (NSA) network and/or a standalone (SA) network.

The technical solution provided by the application can be applied to any scenario in which a terminal device establishes a plurality of protocol data unit (PDU) sessions.

The technical solution provided by the application can also be applied to machine type communication (MTC), Long Term Evolution for machines (LTE-M), device-to-device (D2D) networks, machine-to-machine (M2M) networks, internet of things (IoT) networks, or other networks. The IoT network may comprise, for example, an internet of vehicles. The communication modes in an internet of vehicles system are collectively referred to as vehicle-to-everything (V2X, where X may represent anything); for example, V2X may include vehicle-to-vehicle (V2V) communication, vehicle-to-infrastructure (V2I) communication, vehicle-to-pedestrian (V2P) communication, or vehicle-to-network (V2N) communication.

For the understanding of the embodiments of the present application, a network architecture suitable for the embodiments of the present application will be first described in detail with reference to fig. 1.

Fig. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application. As shown in fig. 1, the network architecture is, for example, the 5G system (5GS) defined by the 3rd Generation Partnership Project (3GPP). The network architecture can be divided into an access network (AN) and a core network (CN). The access network may be used to implement radio access related functions, and may include a 3GPP access network (or 3GPP access technology) and a non-3GPP access network (or non-3GPP access technology). The core network mainly comprises the following key logical network elements: an access and mobility management function (AMF) network element, a session management function (SMF) network element, a user plane function (UPF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, and the like.

The following briefly introduces the network elements shown in fig. 1:

1. User equipment (UE): may be referred to as a terminal device, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus.

The terminal device may be a device that provides voice/data connectivity to a user, for example a handheld device or a vehicle-mounted device with a wireless connection function. Some current examples of terminals are: a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function (e.g., a laptop or a palmtop computer), a mobile internet device (MID), a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or another processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved public land mobile network (PLMN).

Furthermore, the terminal device may also be a terminal device in an Internet of things (IoT) system. The IoT is an important component of future information technology development, and is mainly technically characterized in that articles are connected with a network through a communication technology, so that an intelligent network with man-machine interconnection and object interconnection is realized. The IoT technology can achieve massive connection, deep coverage, and power saving of the terminal through, for example, Narrowband (NB) technology.

In addition, the terminal device can also comprise sensors such as an intelligent printer, a train detector, and a gas station; its main functions include collecting data (for some terminal devices), receiving control information and downlink data from the network device, and sending electromagnetic waves to transmit uplink data to the network device.

It should be understood that the terminal device may be any device that can access the network. The terminal equipment and the access network equipment can communicate with each other by adopting a certain air interface technology.

2. Access network (AN): the access network may provide a network access function for authorized users in a specific area, and includes radio access network (RAN) equipment and AN equipment. The RAN equipment is mainly the wireless network equipment of a 3GPP network, and the AN equipment may be access network equipment defined by non-3GPP.

The access network may be an access network employing different access technologies. There are currently two types of radio access technology: 3GPP access technologies (e.g., the radio access technologies employed in 3G, 4G, or 5G systems) and non-3GPP access technologies. A 3GPP access technology is an access technology that conforms to the 3GPP standard specifications; for example, an access network device in a 5G system is called a next generation NodeB (gNB) or RAN. A non-3GPP access technology is an access technology that does not conform to the 3GPP standard specifications; examples include the air interface technology represented by an access point (AP) in wireless fidelity (WiFi), Worldwide Interoperability for Microwave Access (WiMAX), and code division multiple access (CDMA) networks. Access network equipment (AN equipment) may allow interworking between terminal equipment and a 3GPP core network using non-3GPP technology.

An access network that implements access network functionality based on wireless communication technology may be referred to as a RAN. The radio access network can be responsible for functions such as radio resource management, quality of service (QoS) management, data compression and encryption on the air interface side. The wireless access network provides access service for the terminal equipment, and then completes the forwarding of the control signal and the user data between the terminal and the core network.

Radio access network devices may include, for example, but are not limited to: a macro base station, a micro base station (also called a small station), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (e.g., a home evolved NodeB, or home Node B, HNB), a baseband unit (BBU), an AP in a WiFi system, a wireless relay node, a wireless backhaul node, a transmission point (TP), or a transmission reception point (TRP); a gNB or a transmission point (TRP or TP) in a 5G (e.g., NR) system; one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system; a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU); or a base station in a next-generation 6G communication system. The embodiment of the present application does not limit the specific technology and the specific device form adopted by the radio access network device.

The access network device may provide service for a cell. A terminal device may communicate with a cell via transmission resources (e.g., frequency domain resources, or in other words spectrum resources) allocated by the access network device.

3. AMF network element: mainly used for mobility management and access management, such as user location update, user network registration, and user handover. The AMF may also be used to implement functions of a mobility management entity (MME) other than session management, such as lawful interception or access authorization (or authentication).

4. SMF network element: mainly used for session management, Internet Protocol (IP) address allocation and management for the UE, selection of termination points of manageable user plane function, policy control, or charging function interfaces, downlink data notification, and the like. In the embodiments of the present application, the SMF is mainly responsible for session management in the mobile network, such as session establishment, modification, and release. Its specific functions may include, for example, allocating an IP address to the terminal device and selecting a UPF that provides a packet forwarding function.

5. UPF network element: responsible for forwarding and receiving user data of the terminal device. The UPF network element may receive user data from a data network (DN) and transmit the user data to the terminal device through the access network device. The UPF network element may also receive user data from the terminal device via the access network device and forward the user data to the data network. The transmission resources and scheduling functions with which the UPF network element serves the terminal device are managed and controlled by the SMF network element.

6. Data network (DN): a service network for providing data services to users, such as the Internet, a third party's service network, or an IP multimedia services (IMS) network.

7. Authentication server function (AUSF) network element: mainly used for user authentication and the like.

8. Network exposure function (NEF) network element: mainly used for supporting the exposure of capabilities and events, for example securely exposing the services and capabilities provided by 3GPP network functions to the outside.

9. Network repository function (NRF) network element: used for storing network functional entities and the description information of the services they provide, and for supporting service discovery, network element entity discovery, and the like.

10. PCF network element: a unified policy framework used for guiding network behavior, providing policy rule information for control plane functional network elements (such as AMF and SMF network elements), and obtaining user subscription information related to policy decisions.

11. UDM network element: used for generating authentication credentials, processing user identifiers (such as storing and managing permanent user identities), access authorization control, subscription data management, and the like.

12. Application function (AF) network element: mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions, interacting with a policy control function (PCF), or providing some third-party services to the network side.

In the network architecture shown in fig. 1, network elements may communicate with each other through interfaces shown in the figure, and some interfaces may be implemented as service interfaces. As shown, the UE and the AMF may interact through an N1 interface, and the interaction Message may be referred to as an N1 Message (N1 Message), for example. The RAN and the AMF may interact with each other through an N2 interface, and an N2 interface may be used for sending non-access stratum (NAS) messages, and the like. The RAN and the UPF may interact with each other via an N3 interface, and an N3 interface may be used to transmit user plane data, etc. The SMF and the UPF may interact with each other through an N4 interface, and an N4 interface may be used to transmit information such as tunnel identification information, data cache indication information, and downlink data notification message of the N3 connection. The UPF and DN can interact through an N6 interface, and an N6 interface can transmit data of a user plane, and the like. The relationships between the other interfaces and the network elements are shown in fig. 1, and for brevity, a detailed description thereof is omitted.

It should be understood that the network architecture applied to the embodiments of the present application is only an exemplary network architecture described in terms of a conventional point-to-point architecture and a service architecture, and the network architecture to which the embodiments of the present application are applied is not limited thereto, and any network architecture capable of implementing the functions of the network elements described above is applicable to the embodiments of the present application.

It should also be understood that the AMFs, SMFs, UPFs, network slice selection function network elements (NSSFs), NEFs, AUSFs, NRFs, PCFs, UDMs shown in fig. 1 may be understood as network elements in the core network for implementing different functions, e.g., may be combined into a network slice as needed. The core network elements may be independent devices, or may be integrated in the same device to implement different functions, and the specific form of the network elements is not limited in the present application.

It is also to be understood that the above-described nomenclature is defined merely to distinguish between different functions, and is not intended to limit the application in any way. This application does not exclude the possibility of using other nomenclature in 5G networks and other networks in the future. For example, in a 6G network, some or all of the above network elements may follow the terminology in 5G, and may also adopt other names, etc. The name of the interface between each network element in fig. 1 is only an example, and the name of the interface in the specific implementation may be other names, which is not specifically limited in this application. In addition, the name of the transmitted message (or signaling) between the network elements is only an example, and the function of the message itself is not limited in any way.

To facilitate understanding of the embodiments of the present application, first, a brief description will be given of terms referred to in the present application.

1. Protocol Data Unit (PDU) session (PDU session)

The 5G core network (5G core, 5GC) supports PDU connection services. A PDU connection service is a service in which PDU packets are exchanged between a terminal device and a DN. The PDU connection service is implemented by the terminal device initiating the establishment of a PDU session. After a PDU session is established, a data transmission channel between the terminal device and the DN is established. In other words, the PDU session is at UE level. Each terminal device may establish one or more PDU sessions. The terminal device may access the DN through a PDU session established between the terminal device and the DN.

As mentioned before, the SMF is mainly responsible for session management in the mobile network. The PDU session may be established, modified or released between the terminal device and the SMF through NAS session management (SM) signaling.

In the embodiments of the present application, the terminal device may establish multiple PDU sessions or multiple PDU connection services, for example two or more PDU sessions, which is not limited. For example, the DN identities (DNNs) of these PDU sessions may be different or the same. As another example, different PDU sessions may be served by the same SMF or by different SMFs. As another example, the establishment of these PDU sessions may be initiated simultaneously or sequentially.

2. Secondary authentication

In terms of network security, one of the primary tasks of a network is to authenticate and authorize the terminals that access it. Only after passing authentication can a terminal device access the 3GPP network and further request to establish a PDU session to access various services on the DN.

In the current 4G network, authentication and authorization of the terminal device are performed directly by the operator network. In 5G standardization, this kind of authentication is called first-level authentication (Primary Authentication), or may also be called primary authentication. With the development of vertical industries and the Internet of Things, it is expected that DNs outside the operator network will also need to authenticate and authorize terminal devices that access them (albeit through the operator network). To meet this requirement, 3GPP defines a new authentication method in 5G security standardization, called secondary authentication (Secondary Authentication), or second-level authentication, with which a data network outside the operator network can authenticate or authorize the terminal device through the operator network.

After the terminal device accesses the operator network and the first-level authentication between the terminal device and the operator network succeeds, if the terminal device needs to access a certain DN, a PDU session is established between the terminal device and the operator network. In the process of establishing the PDU session, second-level authentication is performed between the terminal device and the authentication server (i.e., authentication network element) corresponding to the DN, where the authentication server corresponding to the DN includes a network element for performing secondary authentication. The establishment of a PDU session may be triggered by the terminal device or by the core network (CN) of the operator network. During or after PDU session establishment, the operator network initiates the secondary authentication process. For example, the terminal device may send an authentication request to the operator network, and the operator network may forward the authentication request to the authentication server corresponding to the DN, so that this server performs authentication and/or authorization between the DN and the terminal device. The authentication server corresponding to the DN (abbreviated below as the authentication server of the DN) may be, for example, an authentication, authorization, and accounting (AAA) server. The result of the authentication and/or authorization of the terminal device by the authentication server corresponding to the DN is sent to the operator network, and the operator network decides, based on this result, whether to establish the corresponding PDU session connection for the terminal device.

For ease of understanding, the flow of the secondary authentication is briefly described with reference to fig. 2.

201, the terminal device sends a registration request to the AMF.

202, the terminal device performs a first level of authentication with the operator network.

After receiving the registration request sent by the terminal device, the AMF may trigger the AUSF to perform a first-level authentication between the terminal device and the operator network.

Optionally, in the process of performing the first-level authentication between the terminal device and the operator network by the AUSF, authentication information required for the first-level authentication may be acquired from the UDM, and then the first-level authentication between the terminal device and the operator network may be implemented according to the authentication information generated by the UDM or the stored authentication information.

203, NAS security is established between the terminal device and the AMF.

After a first level of authentication between the terminal device and the operator network passes, the AMF may establish NAS security with the terminal device. NAS exists in a radio communication protocol stack of Universal Mobile Telecommunications System (UMTS) as a functional layer between a CN and a terminal device. The NAS supports signaling and/or data transmission between both the CN and the terminal device.

204, the terminal device initiates a session establishment request.

After the terminal device establishes NAS security with the AMF, the terminal device may initiate a session establishment request to the AMF, which may be used, for example, to request establishment of a PDU session. The terminal device sends a NAS message to the AMF, and the session establishment request may be carried in the NAS message.

205, the AMF sends a session establishment request to the SMF.

After receiving the NAS message sent by the terminal device, the AMF may decode the session establishment request in the NAS message and then send the session establishment request to the SMF. The SMF may be the SMF to which the PDU session requested by the session establishment request is to be connected.

206, the SMF checks the subscription data.

After the SMF receives the session establishment request, the SMF retrieves subscription data from the UDM. If the subscription data indicates that a secondary authentication needs to be performed, step 207 may be performed.

207, SMF initiates an Extensible Authentication Protocol (EAP) authentication procedure.

Optionally, if the session establishment request does not carry the authentication information, steps 208 and 209 are performed; if the session establishment request carries authentication information, steps 208 and 209 may be skipped.

208, the SMF sends an EAP request to the terminal device.

The SMF sends an EAP request to the terminal device to request the identity information of the terminal device.

209, the terminal device feeds back an EAP response to the SMF.

The terminal device feeds back an EAP response to the SMF to inform the identity information of the terminal device.

210, the SMF initiates the establishment of an N4 interface session connection with the UPF.

If there is no UPF for transmitting messages between the SMF and an authentication server (e.g., AAA server) of the DN, the SMF initiates the establishment of an N4 interface session connection with the UPF.

It is to be understood that step 210 may not be performed if there is a UPF between the SMF and the authentication server of the DN for transmitting the message.

211, the SMF sends an EAP response to the authentication server of the DN together with the identity information of the terminal device.

As shown in fig. 2, the SMF sends the EAP response and the identity information of the terminal device to the DN authentication server through the UPF.

The SMF sends the EAP response from the terminal device and authentication information (i.e., the identity information of the terminal device) to the UPF over the N4 interface session connection established in step 210. And the UPF sends the EAP response and the identity information of the terminal equipment to the DN authentication server.

212, the authentication server of the DN authenticates and/or authorizes the terminal device.

The terminal device and the authentication server of the DN may perform one or more EAP message interactions to complete authentication of the terminal device by the authentication server of the DN.

The message type or the interaction mode of the EAP message that interacts between the terminal device and the authentication server of the DN depends on the particular EAP authentication method used, and the application is not limited herein.

213, the authentication server of the DN sends an authentication success message to the SMF via the UPF.

If the authentication server of the DN successfully authenticates the terminal device, the authentication server of the DN may send an authentication success message to the UPF, and the message is sent on to the SMF through the UPF and the N4 interface session connection.

214, the SMF initiates the other flows of PDU session establishment.

After the authentication server of the DN finishes EAP authentication with the terminal device, the SMF may continue with other procedures to initiate PDU session establishment, which may include, but is not limited to: the SMF sends an N4 interface session establishment/modification request to the UPF, and the UPF feeds back an N4 interface session establishment/modification response to the SMF.

215, the SMF sends a PDU session setup success message to the terminal device via the AMF.

The SMF sends the PDU session establishment success message to the AMF, and the AMF forwards the PDU session establishment success message to the terminal equipment.

It should be understood that the above steps 201 to 215 are only exemplary, and do not limit the scope of the embodiments of the present application.

3. Multi-PDU session scenario

In actual communication, one terminal device may establish two or more PDU sessions for the same DN in some scenarios. Several possible scenarios are presented below.

Scenario 1: ultra-reliable low-latency communication (URLLC)

To ensure reliable transmission, when the initiated service has high reliability requirements, the terminal device may establish multiple PDU sessions (e.g., two PDU sessions) through the operator network to transmit the same service, i.e., the multiple PDU sessions are used to access the same DN. Two PDU sessions are taken as an example, as shown in fig. 3.

As shown in fig. 3, two PDU sessions established between the terminal device and the DN, PDU session 1 and PDU session 2, may be served by different SMFs, such as SMF1 and SMF2, with PDU session 1 and PDU session 2 accessing the same DN. It should be understood that multiple PDU sessions established between the terminal device and the DN may also be served by the same SMF. When a plurality of PDU sessions are established between the terminal device and the DN and are used to access the same DN, the DNN and/or network identification (e.g., single network slice selection assistance information (S-NSSAI)) provided by the terminal device are different. For example, the DNNs provided by the terminal device are different; as another example, the S-NSSAIs provided by the terminal device are different; as another example, the terminal device provides different DNNs and S-NSSAIs.

Scenario 2: edge computing (EC) communication

In EC communication, in order to support access to services in an EC environment, three access modes may be included, as shown in fig. 4.

As shown in fig. 4, access mode 1: distributed anchor point. The terminal device establishes a PDU session for accessing services in the local EC environment. Access mode 2: session breakout. The terminal device establishes a PDU session that can access services in the local EC environment and can also access services centrally deployed at the remote end. That is, service offloading may be implemented in access mode 2, for example by an uplink classifier (UL CL) or by a branch point (BP), which is not limited herein. It should be understood that access mode 1 and access mode 2 are only examples and do not limit the scope of the embodiments of the present application.

Access mode 3: the terminal device establishes multiple PDU sessions (e.g., two PDU sessions) simultaneously, one for accessing services in the local EC environment and another for accessing services centrally deployed at the remote end. It should be understood that the multiple PDU sessions may be established at different times or simultaneously as desired, and the SMFs serving the PDU sessions may be the same or different. In addition, the DNNs used to establish the PDU sessions may also be different. It follows that in EC communication, too, a terminal device may establish multiple PDU sessions.

Scenario 3: sessions with the same DN but different requirements

For the same DN, different services may have different requirements, such as different service continuity requirements. Alternatively, service continuity may be ensured in a make-before-break manner, a mechanism that establishes a new path before the original path is torn down. In this case, two PDU sessions are also established between the terminal device and the operator network, and the DNNs of the multiple PDU sessions may be the same or different.

As can be seen from the above three scenarios, for the same DN, one terminal device may establish two or more PDU sessions, where the two or more PDU sessions may be established simultaneously or at different times as needed, and DNNs for establishing the two or more PDU sessions may be different.

The above briefly introduces a scenario of multiple PDU sessions applicable to the embodiments of the present application, and it should be understood that the embodiments of the present application are not limited thereto. Any scenario involving multiple PDU sessions is applicable to the embodiments of the present application.

Regarding the secondary authentication in the scenario of multiple PDU sessions, taking two PDU sessions as an example, the existing scheme is briefly introduced.

In the existing scheme, the terminal device initiates establishment of a first PDU session, the SMF determines that secondary authentication is to be performed, and the information of the successful authentication is stored locally or in the UDM. The authentication information includes the DNN. During establishment of the second PDU session, the SMF obtains the authentication information of the first PDU session (either locally stored or obtained from the UDM). Because the DNN in the second PDU session request is the same as the DNN in the authentication information of the first PDU session, the SMF determines not to perform the secondary authentication process and authorizes establishment of the newly initiated PDU session (i.e., the second PDU session), that is, it continues with the subsequent PDU session establishment procedure.

In the existing scheme, the SMF determines whether to initiate a secondary authentication procedure according to whether the DNNs in the authentication information are the same. This has limited application scenarios and may cause multiple PDU sessions accessing the same DN to execute the secondary authentication procedure multiple times, causing additional signaling overhead. For example, when a plurality of PDU sessions accessing the same DN use different DNNs, the above scheme cannot recognize that a new PDU session accesses the same DN, so the secondary authentication procedure is performed multiple times for PDU sessions accessing the same DN, resulting in additional signaling overhead.

In addition, the existing scheme mainly targets the scenario in which, when the terminal device initiates the second PDU session establishment procedure, the secondary authentication procedure between the terminal device and the DN initiated by the SMF has already completed and the result is stored in the SMF or the UDM. If the secondary authentication process is still being executed when the terminal device initiates the second PDU session, the SMF cannot determine, under the existing logic, to skip the secondary authentication process. This is especially so when the two PDU sessions are served by different SMFs, as shown in fig. 5, where the first PDU session is served by SMF1 and the second PDU session is served by SMF2, which may also result in additional signaling overhead.

In view of the above, the present application provides a method that is applicable to more scenarios, reduces the signaling overhead caused by repeatedly performing secondary authentication, and is simple and easy to implement.

Various embodiments provided herein will be described in detail below with reference to the accompanying drawings.

Fig. 6 is a schematic interaction diagram of an authentication and authorization method 600 provided by an embodiment of the present application. The method 600 may include the following steps.

610, the SMF receives a session establishment request message from the terminal device, the message requesting establishment of session #1 with the data network #1.

For differentiation and without loss of generality, in step 610, the session requested to be established by the terminal device is denoted as session #1, and the data network requested to be accessed by the terminal device is denoted as data network #1.

The terminal device initiates a session establishment request, which may be used, for example, to request establishment of a PDU session with the data network. Illustratively, the terminal device initiates a PDU session setup request to the AMF, which sends the PDU session setup request to the SMF.

In the session establishment process, the SMF may determine whether to initiate a secondary authentication procedure according to whether there is an authentication result of the data network #1 for the terminal device.

620, the SMF determines whether there is an authentication result of the data network #1 for the terminal device.

The authentication result, which may also be referred to as an authentication authorization result, is used to determine whether the data network #1 has authenticated and authorized the terminal device. For example, the authentication result may represent the result of authenticating the terminal device for another session (e.g., the success or failure of secondary authentication for another session).

Optionally, the authentication result may include time information, that is, validity information of the authentication result, or the authentication result is a valid authentication result. For example, the authentication result includes an authentication time range. Within the authentication time range, the authentication result is valid; outside the authentication time range, the authentication result is invalid. It should be understood that this description is only an example and does not limit the scope of the embodiments of the present application. For example, the authentication result may not be saved after the authentication time range is exceeded.

In one possible case, the authentication result is successful. That is, the SMF may determine whether the data network #1 has succeeded in authentication and authorization for the terminal device.

In yet another possible scenario, the authentication result is an authentication failure. That is, the SMF may determine whether the data network #1 has failed in authentication authorization for the terminal device.

The SMF determines whether there is an authentication result, which is described in detail below.

The method 600 may include the steps of: step 631 or step 632.

631, when there is an authentication result, the secondary authentication procedure is skipped for session #1.

One possible case is that the SMF determines that the data network #1 has successfully authenticated and authorized the terminal device. In this case, the SMF skips the secondary authentication procedure for session #1 and establishes session #1 using the authorization information of the successful authentication. For the possible steps after the SMF determines to skip the secondary authentication procedure for session #1, reference may be made to step 706B in method 700 below.

In yet another possible case, the SMF determines that the data network #1 has failed to authenticate and authorize the terminal device. It is understood that after the data network fails to authenticate and authorize the terminal device, the failure result may be recorded (or whether to record the failure result, for example for a period of time, may be decided in view of the reason for the failure). In this way, when the terminal device requests to access the data network again, the SMF may determine not to initiate secondary authentication for the terminal device based on the result of the authentication failure. In this case the SMF may refuse to establish session #1.

In this application, skipping the secondary authentication procedure is mentioned multiple times; its meaning is understood by those skilled in the art. Skipping the secondary authentication procedure means skipping all of its steps or some of its steps. For example, steps 207 to 213, steps 210 to 213, or steps 212 to 213 described above may be skipped. For example, when the authentication result is authentication success, which indicates that the data network has authenticated and authorized the terminal device, the terminal device may access or communicate with the data network based on the previous authentication result.

632, if there is no authentication result, the secondary authentication procedure is initiated for the session #1, or the session #1 is suspended.

One possible scenario is to initiate a secondary authentication procedure for session #1 when there is no authentication result.

In the case where the data network #1 has not authenticated the terminal device, a secondary authentication procedure may be initiated for the session #1, specifically referring to step 706A in the method 700 below.

Yet another possible scenario is when there is no authentication result, session #1 is suspended.

The data network #1 may be authenticating or about to authenticate the terminal device. In this case, session #1 may be suspended when the SMF determines that the data network #1 is authenticating or is about to authenticate the terminal device. Suspending session #1 means that session #1 is temporarily suspended or that the secondary authentication procedure for session #1 is temporarily suspended. For example, the SMF may wait for the authentication result of another session and determine how to process session #1 based on that result. The authentication result of the other session may indicate that the secondary authentication of the other session succeeded or failed.

In one possible scenario, the terminal device carries session information (e.g., a session ID) of another session (e.g., denoted as session #2) when establishing session #1. This indicates that session #1 and session #2 are redundant with each other, i.e., they access the same DN. For such a session #1, the SMF may further determine that secondary authentication does not need to be initiated, or may reuse the authentication authorization result of session #2 (e.g., suspend session #1 and wait for the authentication authorization result of session #2). In the URLLC scenario, indication information #1 sent by the terminal device indicates that session #1 is a redundant session. In this scenario, the SMF does not need to perform secondary authentication for session #1 and may reach this conclusion from indication information #1; in other words, when secondary authentication needs to be initiated, it is always initiated for the other session (such as session #2), and secondary authentication for session #1 is skipped directly.

In yet another possible scenario, the terminal device initiates two sessions simultaneously, one being session #1 and the other session #3. The establishment request message of session #1 includes indication information that indicates that session #1 is to be suspended, or that another session (i.e., session #3) is to undergo secondary authentication with the data network #1. In this scenario, the SMF may, based on the indication information, skip the secondary authentication procedure and suspend session #1. Alternatively, in this scenario, the SMF may request or subscribe to the result of the secondary authentication from the UDM, in order to process the suspended session #1 according to the result of the secondary authentication.

In the present application, it is mentioned multiple times that secondary authentication is being performed. This may mean that secondary authentication is currently being performed, or that secondary authentication is about to be performed, for example for another session. For simplicity, both cases are referred to below as performing secondary authentication.

This case is described in detail below in connection with aspect two.

With the embodiments of the present application, in the session establishment process, the SMF may determine whether to initiate a secondary authentication process according to whether the data network has authenticated the terminal device, or may determine whether to suspend the session according to whether the data network and the terminal device are performing, or are about to perform, authentication. That is, the authentication and authorization process is used by the data network to authenticate whether the terminal device may establish a session to access the data network. Repeated execution of secondary authentication can therefore be avoided both when different DNNs are used to identify the data network and when sessions are established simultaneously or another session is being authenticated while a session is established. With the embodiments of the present application, even if different DNNs are used to access the data network, the SMF can avoid repeating the secondary authentication process as far as possible.

The embodiments of the present application will be described in detail below with reference to several aspects. The following aspects may be used alone or in combination, and are not limited thereto.

Aspect one: the manner in which the SMF determines whether an authentication result exists.

Implementation mode 1: the SMF may determine whether an authentication result exists according to the authentication authorization information.

For example, the SMF may determine whether the authentication result exists in the authenticated dataset. The authenticated data set represents data or information that has been authenticated. For example, the SMF may determine whether the data network #1 is included in the data network for which the terminal device has been authenticated, or the SMF may determine whether the terminal device is included in the terminal device for which the data network #1 has been authenticated. The authenticated data set may include two data sets, such as a data set that is authenticated successfully and a data set that is authenticated unsuccessfully, and the SMF may determine whether the authentication result exists from the data set that is authenticated successfully and the data set that is authenticated unsuccessfully.

For example, the terminal device transmits DNN for identifying the data network #1, for example, denoted as DNN #1, to the SMF. The authentication authorization information includes DNN that has been successfully authorized. Whether an authentication result exists is determined by judging whether DNN #1 exists in the successfully authorized DNN, such as determining whether the terminal device has successfully authenticated and authorized.

Optionally, the authentication authorization information may further include, but is not limited to, one or more of the following items: a data network Specific identity (DN-Specific Id), an identity (Identifier, Id) of an authentication server of the data network (e.g., DN-AAA Id), aging information, an index (index) of a data network authorization text, an Aggregated Maximum Bit Rate (AMBR) of a session authorized by the data network, an allowed MAC address(s), an allowed Virtual Local Area Network (VLAN) identity (VID) (VIDs), a report session information indication, and session management control related information. The reporting session information indication is used for indicating the relevant information of the reporting session, such as the address information of the session.

When the DNN contained in the authentication authorization information is the same as DNN #1, the same data network is indicated, that is, secondary authentication does not need to be performed. When the DNN contained in the authentication authorization information differs from DNN #1, it may be determined whether the two are equivalent DNNs, i.e., whether they indicate the same data network. Equivalent DNNs are DNNs that identify the same data network.

Illustratively, multiple DNNs (or a list of DNNs) (i.e., equivalent DNNs) may be preconfigured to indicate the same data network. For example, the SMF obtains the plurality of DNNs according to the acquired authentication authorization information.

For example, DNN #1 is DNN1, and the plurality of DNNs (i.e., equivalent DNNs) in the authentication authorization information include { DNN1, DNN2, DNN3 }. Then the data network which is authenticated and authorized and the data network #1 which the terminal device requests to access are the same data network; or, the terminal device has already been authenticated with the data network requesting access before, and does not need to perform a secondary authentication process. In this case, the method 600 may include step 631.

For another example, DNN #1 is DNN5, and the plurality of DNNs (i.e., equivalent DNNs) in the authentication authorization information include { DNN1, DNN2, DNN3 }. Then the data network with the authenticated authorization and the data network #1 which the terminal device requests to access are different data networks; or, the terminal device is not authenticated with the data network requesting access, and a secondary authentication process is required. In this case, method 600 may include step 632.

Alternatively, the authentication authorization information may be acquired according to any one of the following.

As an example, the SMF may obtain the authentication authorization information through the context of the terminal device. Or, the SMF may obtain the context of the terminal device, and determine whether to initiate the secondary authentication procedure for the session #1 according to the context of the terminal device.

As yet another example, the SMF obtains stored authentication authorization information locally.

As yet another example, the SMF obtains authentication authorization information from an authentication server of the data network.

As yet another example, the SMF obtains authentication authorization information from the UDM.

The following describes a possible complete flow of the SMF to acquire the authentication and authorization information with reference to the specific embodiments in fig. 7 to 10.

Implementation mode 2: the SMF can determine whether there is an authentication result based on the indication information #1.

It should be understood that, for distinction and without loss of generality, in the present embodiment, the indication information #1 represents information for judging whether or not there is an authentication result.

In one example, the indication information #1 is from a terminal device.

The terminal device transmits the indication information #1 to the SMF so that the SMF judges whether there is an authentication result based on the indication information #1. The indication information #1 may be sent to the SMF through separate signaling, or may be carried in the session establishment request message; this is not limited.

In a possible case, the indication information #1 may be transmitted before the presence or absence of the authentication result is judged. For example, the SMF determines that there is no authentication result and initiates the secondary authentication procedure for the session #1, in which the SMF sends an EAP message to the terminal device; after receiving the EAP message, the terminal device sends the indication information #1. For another example, after the SMF determines that there is no authentication result and before it initiates the secondary authentication procedure for the session #1, the terminal device sends the indication information #1 to the SMF.

In yet another possible case, the indication information #1 may be transmitted before it has been judged whether there is an authentication result. For example, when the terminal device initiates a session establishment request, it may first determine whether there is an authentication result or whether a secondary authentication is in progress, and if so, send the indication information #1. In this case, the SMF may determine directly from the indication information #1 whether there is an authentication result or whether to suspend the session #1, without itself determining whether there is an authentication result.

The form of the indication information #1 is not limited.

In one possible form, the indication #1 may be embodied as a session identifier.

For example, when establishing session #1, the terminal device also carries the session identifier (e.g., session ID) of another session (e.g., denoted as session #2). This indicates that session #1 and session #2 are redundant with each other, i.e., they access the same DN. For such a session #1, the SMF may further determine that no secondary authentication needs to be initiated, or reuse the authentication authorization result of the other session #2. For example, in a possible URLLC scenario, the session #1 indicated by the indication information #1 sent by the terminal device is a redundant session. In this scenario, the SMF does not need to perform secondary authentication and may obtain the result according to the indication information #1; or, when secondary authentication needs to be initiated, the SMF always initiates it for the other session (such as session #2) and directly skips secondary authentication for the session #1.

In yet another possible form, the indication information #1 may be embodied as DNN.

For example, the terminal device also carries the DNN of another session (e.g., denoted as session #2) when establishing session #1. This indicates that session #1 is a session to the same DN that uses a DNN different from the previous one. For such a session #1, the SMF may further determine that no secondary authentication needs to be initiated, or reuse the authentication authorization result of the other session #2.

In yet another possible form, the indication information #1 may be embodied by adding a field or multiplexing an existing field.

For example, the terminal device, when establishing the session #1, determines whether the session #1 is a session of the same data network, that is, whether the data network #1 is the same as the data network of the previously established session. For example, if the value of the added field or the existing field is "0", indicating that the two are different, the SMF may initiate secondary authentication for the session #1; if the value of the added field or the existing field is "1", indicating that they are the same, the SMF may further determine for this session #1 that secondary authentication does not need to be initiated, or reuse the authentication authorization result of another session #2.

Therefore, the indication information is sent to the SMF by the terminal device, so that the SMF perceives that a session using a different DNN has been established. Therefore, the SMF can identify sessions using different DNNs in the same data network, thereby avoiding signaling overhead caused by repeated execution of secondary authentication procedures.

As yet another example, the indication information #1 is from an authentication server of the data network #1.

The authentication server of the data network #1 transmits the indication information #1 to the SMF so that the SMF judges whether there is an authentication result based on the indication information #1.

In the session establishment process, the authentication server of the data network #1 determines whether the terminal device is authenticated, and the authentication authorization result may be directly transmitted to the SMF. Therefore, the secondary authentication result can be judged and reused by the authentication server of the data network acting as a centralized control point, thereby avoiding signaling overhead caused by repeatedly executing a secondary authentication process.

The first aspect above mainly describes how the SMF determines whether there is an authentication result. The following describes, in combination with the second aspect, a scheme for the case where secondary authentication is being performed.

The second aspect is that: the SMF determines that secondary authentication is in progress.

For the same data network, one terminal device may establish two or more sessions, and the two or more sessions may be established simultaneously or at different times as required. It may happen that secondary authentication may be being performed when the terminal device initiates a setup request for session # 1.

For example, after the terminal device initiates a session establishment request of session #1 and the SMF determines that there is no authentication result, a secondary authentication procedure may be initiated for session #1, or it may be determined whether secondary authentication is currently performed. For another example, before the SMF determines whether the authentication result exists, the SMF has already determined whether the secondary authentication is currently performed. If the SMF determines that secondary authentication is in progress, such as the secondary authentication corresponding to session #2, then session #1 is suspended.

The SMF determines whether to continue establishing session #1 or to refuse to establish session #1, based on the authentication authorization result of session #2.

As a possible case, the authentication authorization result indicates that the secondary authentication for session #2 is successful. The authentication authorization result may further include authentication authorization information. In this case, the SMF determines to continue the session #1 establishment according to the authentication authorization result, does not need to perform the secondary authentication procedure (i.e., skips the secondary authentication procedure), and continues to establish the session #1 based on the authentication authorization information.

In yet another possible case, the authentication authorization result indicates that the secondary authentication for session #2 failed. In this case, the SMF may determine to reject the session #1 establishment, i.e., terminate the establishment of the session #1, according to the authentication authorization result; alternatively, the SMF may determine whether to terminate the establishment of session #1 according to the reason for the authentication authorization failure.

Alternatively, the SMF may determine that the secondary authentication for session #2 succeeded or failed according to feedback from an authentication server of the data network.

For example, the SMF may determine the subsequent process according to whether feedback of the authentication server of the data network, such as the authentication result of session #2, is received after a preset time period. The preset duration may be a predefined duration, as predefined by the protocol; alternatively, it may be a time period determined based on historical communication conditions.

Illustratively, this may be achieved by a timer. For example, after the SMF suspends session #1, a timer is activated for a preset duration. If the authentication result of the session #2 is not received before the timer expires, it is determined that the secondary authentication for the session #2 fails, and the establishment of the session #1 is terminated.
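The suspend-and-timer handling described above can be modelled as follows. This is an added example, not code from the application: the class and method names, the (UE, DN) key and the use of plain numbers for time are assumptions, and a failed result is mapped to rejection, which is one of the options the text allows.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INITIATE, SUSPEND, CONTINUE, REJECT = "initiate", "suspend", "continue", "reject"
Key = Tuple[str, str]  # (UE identity, data network); resolving a DNN to its DN is assumed done


@dataclass
class InProgress:
    auth_session: str  # session whose secondary authentication is running
    suspended: Dict[str, float] = field(default_factory=dict)  # session -> timer deadline


class SecondaryAuthCoordinator:
    """Hypothetical SMF-side bookkeeping for sessions waiting on another session's result."""

    def __init__(self, preset_duration: float):
        self.preset_duration = preset_duration
        self._running: Dict[Key, InProgress] = {}

    def on_session_request(self, ue: str, dn: str, session_id: str, now: float) -> str:
        state = self._running.get((ue, dn))
        if state is None:
            # Nothing in progress for this UE and DN: this session authenticates.
            self._running[(ue, dn)] = InProgress(auth_session=session_id)
            return INITIATE
        # Secondary authentication is in progress: suspend and start the timer.
        state.suspended[session_id] = now + self.preset_duration
        return SUSPEND

    def on_auth_result(self, ue: str, dn: str, success: bool, now: float) -> Dict[str, str]:
        """Resolve every suspended session once the running authentication ends."""
        state = self._running.pop((ue, dn), None)
        if state is None:
            return {}
        outcome = {}
        for session_id, deadline in state.suspended.items():
            if now >= deadline or not success:
                outcome[session_id] = REJECT    # timer expired or authentication failed
            else:
                outcome[session_id] = CONTINUE  # reuse the result, no second run
        return outcome

    def on_timer(self, now: float) -> List[str]:
        """Return suspended sessions whose timer expired; their establishment is terminated."""
        expired = []
        for state in self._running.values():
            for session_id in [s for s, d in state.suspended.items() if d <= now]:
                del state.suspended[session_id]
                expired.append(session_id)
        return expired


def demo() -> List[object]:
    """Constructed scenario: session s2 authenticates while s1 and s3 arrive for the same DN."""
    smf = SecondaryAuthCoordinator(preset_duration=30.0)
    return [
        smf.on_session_request("ue-A", "dn-1", "s2", now=0.0),
        smf.on_session_request("ue-A", "dn-1", "s1", now=5.0),
        smf.on_session_request("ue-A", "dn-1", "s3", now=20.0),
        smf.on_session_request("ue-B", "dn-1", "s9", now=20.0),
        smf.on_timer(now=40.0),
        smf.on_auth_result("ue-A", "dn-1", success=True, now=45.0),
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The state is keyed by terminal device as well as data network, so an authentication running for one terminal device never suspends or releases a session of another.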

One possible implementation: the SMF may determine that the secondary authentication is being performed based on the indication information #2.

It should be understood that, for distinction and without loss of generality, in the present embodiment, the indication information #2 represents information for indicating that secondary authentication is being performed.

In one example, the indication #2 is from a terminal device.

The terminal device transmits the indication information #2 to the SMF so that the SMF suspends the session #1 according to the indication information #2. The indication information #2 may be sent to the SMF through separate signaling, or may be carried in the session establishment request message; this is not limited.

For example, before sending the session establishment request message, the terminal device may determine that one session (e.g., denoted as session #2) corresponding to the same data network (i.e., data network #1) is performing the secondary authentication procedure. Therefore, the terminal device transmits the indication information #2 to the SMF, causing the SMF to suspend the session #1. In this case, the SMF may determine, according to the indication of the terminal device, that the secondary authentication procedure does not need to be initiated, without determining whether there is an authentication result.

As another example, the terminal device initiates two sessions (session #1 and session #3) simultaneously. When the SMF receives the session establishment request of the session #1 that includes the indication information #2, it may directly skip the secondary authentication procedure according to the indication information #2 and suspend the session #1. In this case, the SMF and another SMF have not received the establishment request of the other session (i.e., session #3), or have received the establishment request of session #3 at the same time, but the SMF may directly skip the secondary authentication procedure according to the indication information, so that repeated secondary authentication is also avoided.

For another example, after the SMF determines that there is no authentication result and determines that the secondary authentication procedure is initiated for the session #1, in the secondary authentication procedure, the terminal device sends the indication information #2 to the SMF, so that the SMF suspends the session #1 according to the indication information #2.

As yet another example, the indication information #2 is from an authentication server of the data network #1.

The authentication server of the data network #1 transmits the indication information #2 to the SMF so that the SMF determines that the secondary authentication is being performed, and suspends the session #1.

In the session establishment procedure, it is determined by the authentication server of the data network #1 whether the terminal device is being authenticated.

It should be understood that the determination by the SMF that the secondary authentication is being performed according to the indication information #2 is merely an example, and is not limited thereto. For example, the SMF may determine whether or not secondary authentication is being performed.

Alternatively, in the second aspect, the SMF may also determine, according to the indication information #4, whether to decide on continuing the session #1 establishment procedure according to the result of the secondary authentication being performed. It should be understood that, for the sake of distinction and without loss of generality, in the embodiment of the present application, the indication information #4 represents information for determining whether it is necessary to decide, according to the result of the secondary authentication being performed, whether to continue the session #1 establishment procedure. For details, refer to the description of fig. 8 below.

The solutions described in the first and second aspects may be used alone or in combination. For example, the SMF determines whether an authentication result exists according to the scheme of the first aspect, and determines whether secondary authentication is being performed according to the scheme of the second aspect if it is determined that the authentication result does not exist. For another example, the SMF may first determine whether secondary authentication is being performed according to the scheme described in aspect two, and directly suspend the session if it is determined that secondary authentication is being performed.

In the following, with reference to the third aspect, a scheme for storing the authentication and authorization result and/or the authentication and authorization information is described.

The third aspect is that: the SMF determines whether to store the authentication result. The authentication result includes, for example: authentication authorization results (e.g., authentication success or failure) and/or authentication authorization information.

Implementation mode 1: the SMF may determine whether to store the authentication result according to the indication information #3.

It should be understood that, for distinction and without loss of generality, in the present embodiment, the indication information #3 represents information for determining whether to store an authentication result.

For example, if the indication information #3 indicates that the authentication result can be reused, or the indication information #3 indicates that the SMF stores the authentication result, based on the indication information #3, the SMF determines to store the authentication authorization information. If the indication information #3 indicates that the authentication result is not reusable, or the indication information #3 indicates that the SMF does not store the authentication result, based on the indication information #3, the SMF determines not to store the authentication authorization information.

In one example, the indication #3 is from a terminal device.

The terminal device transmits the indication information #3 to the SMF so that the SMF determines whether to store the authentication result based on the indication information #3. The indication information #3 may be sent to the SMF through separate signaling, or may be carried in the session establishment request message; this is not limited.

As yet another example, the indication information #3 is from an authentication server of the data network #1.

The authentication server of the data network #1 transmits the indication information #3 to the SMF so that the SMF determines whether to store the authentication result based on the indication information #3.

Implementation mode 2: the SMF may determine whether to store the authentication result based on the session attributes and/or local policy.

The local policy may, for example, indicate a predefined requirement, such as a predefined storage of the authentication result or a predefined non-storage of the authentication result.

Session attributes, for example, may include, but are not limited to: session type (type) (e.g., IP or ethernet or unstructured), session and service continuity mode, user plane security management information, multi-access PDU connectivity service, highly reliable type, etc. attributes. For example, for a multi-access PDU connection service, the SMF stores the authentication result.

By selectively storing the authentication results, resource and space utilization can be improved. It is to be understood that the above description is intended to be illustrative, and not restrictive. For example, it may also be predefined, such as protocol definition, to store the authentication result of the secondary authentication, such as storing for a certain period of time.

Alternatively, when the SMF determines to store the authentication result, it may store the result for a certain time period, such as a storage time period or an expiration period. After the storage duration expires, the authentication result can be deleted, thereby ensuring higher security. The storage duration may be predefined, or may be provided by an authentication network element of the data network; this is not limited.

The solutions described in the above aspects can be used alone or in combination. For example, the SMF determines whether or not there is an authentication result according to the scheme of the first aspect, determines that secondary authentication is being performed according to the scheme of the second aspect in the case where there is no authentication result, and may determine whether or not to store the authentication result according to the scheme of the third aspect.

The embodiments of the present application have been briefly described above in connection with three aspects. In the following, several embodiments applicable to the present application are described with reference to the possible complete flows shown in fig. 7 to fig. 10, taking the authentication server of the data network as DN-AAA and the session as PDU session as an example.

Fig. 7(1) and (2) show schematic interaction diagrams of a method 700 suitable for use in an embodiment of the present application. The method 700 mainly introduces the above-described scheme in which the SMF determines whether there is an authentication result according to the authorization information.

The method 700 may include the following steps.

701, the terminal equipment initiates a PDU session establishment request to the AMF.

The terminal device may send a NAS message to the AMF through an access network (AN or RAN), where the NAS message includes a PDU session establishment request. For example, the NAS message includes Single Network Slice Selection Assistance Information (S-NSSAI) and N1 session management (N1 SM) information, and the N1 SM information includes the session establishment request. By initiating the establishment of a PDU session, the terminal device can obtain the PDU connection service, namely the service of exchanging PDU data packets between the terminal device and the DN. After a PDU session is established, a data transmission channel between the terminal device and the DN is established.

For example, the NAS message may also carry a DNN, that is, a DN indicating that the terminal device wants to access.

702, the AMF sends a PDU session establishment request to the SMF.

For example, the AMF may send to the SMF an Nsmf interface PDU session create session management context request (Nsmf_PDUSession_CreateSMContext Request) message containing the PDU session establishment request. Optionally, the message may further include a DNN for indicating a DN that the terminal device wants to access.

It is to be understood that the Nsmf_PDUSession_CreateSMContext Request message is merely an example, and is not limited thereto. It is feasible that the PDU session establishment request is carried in any message as long as the AMF can send the PDU session establishment request to the SMF.

After receiving the PDU session establishment request, the SMF may first obtain a session management subscription of the terminal device. For example, it may be obtained locally or from the UDM. For convenience of explanation, fig. 7 only shows the case of obtaining from the UDM, and it should be understood that any scheme that can enable the SMF to obtain the session management subscription of the terminal device is applicable to the embodiment of the present application.

703, the SMF requests session management subscription information of the terminal device from the UDM.

Illustratively, the SMF may send to the UDM an Nudm interface session management subscription acquisition (Nudm_SDM_Get) message requesting session management subscription information of the terminal device.

It is to be understood that the Nudm_SDM_Get message is merely an example, and is not limited thereto. It is feasible that the request of the SMF for the session management subscription information of the terminal device from the UDM is carried in any message.

704, the UDM sends session management subscription information of the terminal device to the SMF.

Exemplarily, the UDM may send to the SMF an Nudm interface session management subscription acquisition response (Nudm_SDM_Get response) message, where the response message includes session management subscription information of the terminal device.

It is to be understood that the Nudm_SDM_Get response message is merely an exemplary illustration and is not limited thereto. As long as the UDM can send the session management subscription information of the terminal device to the SMF, it is feasible that the session management subscription information is carried in any message.

After acquiring the session management subscription information of the terminal device, the SMF can determine whether the PDU session needs to be subjected to secondary authentication and authorization. Assume that the SMF determines that the PDU session requires a secondary authentication grant.

705, the SMF determines that the authentication mode is a secondary authentication.

In other words, the SMF determines that the PDU session requires a secondary authentication grant. It will be appreciated that the SMF determines that the terminal device and DN require secondary authentication. Before initiating the secondary authentication procedure, the SMF may determine whether the terminal device has already performed secondary authentication with the DN (i.e., whether there is an authentication result), thereby determining whether to initiate secondary authentication.

706, the SMF determines whether to initiate a secondary authentication procedure.

Optionally, step 705 and step 706 may also be combined, that is, the same step is performed to determine that the authentication mode is secondary authentication and determine whether to initiate a secondary authentication process. Or it can be understood that, when the authentication mode is the secondary authentication, it is determined by default whether to initiate the secondary authentication process.

For example, whether to initiate the secondary authentication procedure may be determined based on implementation 1 described in the first aspect of the method 600. Two schemes are briefly introduced below.

Scheme 1: the SMF determines whether to initiate a secondary authentication process according to the UE context information.

If the SMF has the context of the UE, the SMF can determine whether to initiate a secondary authentication process according to the context of the UE. If the SMF determines that the secondary authentication needs to be performed according to the context of the UE, step 706A in (1) of fig. 7 is performed. If the SMF determines to skip the secondary authentication procedure (or not initiate the secondary authentication procedure) according to the UE context, step 706B in fig. 7(2) is executed.

Specifically, the SMF may determine whether to perform secondary authentication according to whether the context of the UE includes the authentication authorization information corresponding to the DNN, or the authentication authorization information of the DN indicated by the DNN.

The authentication authorization information may include a DNN that identifies the DN and is compared to the DNN received from the AMF to determine whether the DN is the same DN. The authentication authorization information may further include PDU session management control related information. Optionally, the authentication authorization information may further include, but is not limited to, one or more of the following items: DN-Specific Id, DN-AAA Id, aging information, index (index) of DN authorization text, aggregated maximum bit rate AMBR of session authorized by DN, allowed MAC address(s), allowed virtual local area network identification (VIDs) and PDU session information reporting indication. The report PDU session information indication is used to indicate the report PDU session related information, such as the address information of the PDU session.

When the DNN contained in the authentication authorization information is the same as the DNN received from the AMF, the same DN is indicated, that is, secondary authentication does not need to be performed. When the DNN contained in the authentication authorization information and the DNN received from the AMF are different, it may be determined whether the two are equivalent DNNs, i.e., whether they indicate the same DN. Equivalent DNNs are DNNs that identify the same DN.

Illustratively, multiple DNNs (or a list of DNNs) (i.e., equivalent DNNs) may be preconfigured to indicate the same DN. For example, the UDM sends the session management subscription information of the terminal device to the SMF including the plurality of DNNs. As another example, the SMF may obtain the authentication authorization information from a local storage or from the UDM.

For example, the DNN received from the AMF is DNN1, and the plurality of DNNs (i.e., equivalent DNNs) in the authentication authorization information include { DNN1, DNN2, DNN3 }. Then the authenticated and authorized DN and the DN requested to be accessed by the terminal equipment are the same DN; or, the terminal device has already been authenticated with the DN requesting access before, and does not need to perform a secondary authentication procedure. In this case, the SMF may perform step 706B in fig. 7 (2).

As another example, the DNN received from the AMF is DNN5, and the plurality of DNNs (i.e., equivalent DNNs) in the authentication authorization information include { DNN1, DNN2, DNN3 }. Then the DN which is authorized by authentication and the DN which the terminal device requests to access are different; or, the terminal device is not authenticated with the DN requesting access, and a secondary authentication process is required. In this case, the SMF may perform step 706A in fig. 7 (1).

Based on the above scheme 1, the SMF can determine whether to initiate a secondary authentication process according to the context of the locally stored UE, and the scheme is simple and easy to implement.

Scheme 2: the SMF determines whether to initiate a secondary authentication process according to the acquired authentication and authorization information.

Alternatively, if there is no UE context on the SMF, the SMF may request the UDM for the authentication authorization information of the terminal device, i.e. the SMF may perform steps 707 and 708. The SMF may request the UDM for authentication authorization information of the terminal device, or historical secondary authentication authorization information, that is, information related to the previous secondary authentication authorization performed by the terminal device. Therefore, the SMF can judge whether to initiate a secondary authentication process according to the acquired authentication and authorization information.

707, the SMF requests authentication authorization information of the terminal device to the UDM.

Illustratively, the SMF may send an Nudm_UE_Get message to the UDM, requesting authentication and authorization information of the terminal device. Optionally, the Nudm_UE_Get message may also contain DNN information.

It is to be understood that the Nudm_UE_Get message is only an exemplary message and is not limited thereto.

Optionally, step 707 and step 703 may also be combined, that is, the SMF may simultaneously request the authentication and authorization information of the UE when requesting the session management subscription information of the UE.

708, the UDM sends the authentication authorization information of the terminal device to the SMF.

Optionally, step 708 and step 704 may also combine processing, that is, the UDM may send the UE authentication and authorization information at the same time when sending the UE session management subscription information.

In one case, the UDM stores the authentication and authorization information of the terminal device. Exemplarily, the UDM may send an Nudm_UE_Get response message to the SMF, which contains the authentication and authorization information of the terminal device. Optionally, the UDM contains an authentication authorization token and DNN information equivalent to the DNN.

If the request message of the SMF for requesting the authentication and authorization information of the terminal equipment from the UDM comprises DNN information, the authentication and authorization information of the UE acquired by the SMF is the authentication and authorization information of the data network corresponding to the DNN. DNN list information for DNs may be configured in the UDM, i.e., there are multiple DNNs (i.e., equivalent DNNs) that may indicate the same DN. Optionally, the authentication and authorization information sent by the UDM to the SMF carries one or more DNNs equivalent to the DNNs.

The SMF determines whether to initiate a secondary authentication process according to the authentication authorization information in the response message. If the SMF determines that the secondary authentication needs to be performed according to the authentication authorization information in the response message, step 706A in fig. 7(1) is performed. If the SMF determines to skip the secondary authentication process according to the authentication authorization information in the response message, step 706B in fig. 7(2) is executed. As to the content of the authentication authorization information and the SMF determination method, reference may be made to the description in scheme 1, and details are not repeated here.

In another case, the UDM does not store the authentication and authorization information of the terminal device. Exemplarily, the UDM may send an Nudm_UE_Get response message to the SMF, which does not include the authentication and authorization information of the terminal device. Or, the UDM may not send a message to the SMF, and when the SMF does not receive a response from the UDM (for example, no response from the UDM is received after a preset time length), the SMF assumes by default that there is no authentication and authorization information of the terminal device. In this case, the SMF may determine to initiate a secondary authentication procedure, i.e., perform step 706A.

It should be understood that steps 707 and 708 are merely exemplary. Optionally, the SMF may also store authentication authorization information locally. In this case, the SMF may not need to request authentication authorization information from the UDM, i.e. step 707 and step 708 may not need to be performed.

Step 706A of fig. 7(1) and step 706B of fig. 7(2) are described below.

Step 706A: the secondary authentication process is executed. As shown in fig. 7(1), after the SMF determines to initiate the secondary authentication flow, the method 700 may include steps 706a1 through 706a7.

706a1, the SMF determines to initiate a secondary authentication flow.

It can be appreciated that SMF triggers a secondary authentication procedure.

706a2, the terminal device performs secondary authentication and authorization with the DN-AAA.

The DN-AAA authenticates and/or authorizes the terminal device. The terminal device and the DN-AAA can perform EAP message interaction once or more times to complete the authentication of the terminal device by the DN-AAA. The process of performing secondary authentication on the terminal device and the DN-AAA may refer to the existing flow of secondary authentication, for example, refer to the description of 206 to 212 above, which is not limited.

If the DN-AAA successfully authenticates the terminal equipment, the DN-AAA can send a message of successful authentication to the SMF.

706a3, the DN-AAA sends a message to the SMF that authentication was successful.

The message that the authentication is successful, or the authentication result, indicates that the second authentication for another PDU session is successful. The message of successful authentication may include authentication authorization information. Optionally, the message that the authentication is successful may include indication information #3, where the indication information #3 is used to indicate whether the authentication result can be reused, or the indication information #3 is used to indicate whether the SMF needs to store the authentication result.

706a4, the SMF stores authentication authorization information.

As an example, the SMF determines whether to store the authentication authorization information according to the indication information #3.

If the indication information #3 indicates that the authentication result can be reused, or the indication information #3 indicates that the SMF stores the authentication result, the SMF determines to store the authentication authorization information based on the indication information #3. If the indication information #3 indicates that the authentication result is not reusable, or the indication information #3 indicates that the SMF does not store the authentication result, the SMF determines not to store the authentication authorization information based on the indication information #3.

As yet another example, the SMF determines whether to store the authentication authorization information according to local policy or PDU session attributes.

The local policy may, for example, indicate a predefined requirement, such as predefined storage of the authentication authorization information or predefined non-storage of the authentication authorization information.

PDU session attributes, for example, may include but are not limited to: PDU session type (type) (e.g., IP or ethernet or unstructured), session and service continuity mode, user plane security management information, multi-access PDU connection service (multi-access PDU connection service), high reliability type, etc. attributes. For example, for a multi-access PDU connection service, the SMF stores authentication authorization information.

As yet another example, the SMF determines whether to store the authentication authorization information according to whether the indication information #3 is received.

If the SMF receives indication information #3 from the DN-AAA for indicating that the authentication result can be reused or for indicating that the authentication result is stored, the SMF determines to store the authentication authorization information; if the SMF does not receive the indication information #3 from the DN-AAA, the SMF determines not to store the authentication and authorization information.

It should be understood that the above examples are illustrative only, and the present application is not limited thereto. For example, the SMF may directly store the authentication authorization information by default.

706a5, the SMF sends authentication authorization information to the UDM.

Illustratively, the SMF may send an Nudm interface session management subscription update (Nudm_SDM_Update) message to the UDM, the message including the authentication authorization information of the secondary authentication. The authentication authorization information may include, for example, but is not limited to: DN-Specific Id, DNN, DN-AAA Id, aging information, index of DN authorization text, AMBR of session authorized by DN, allowed MAC address(es), allowed VID(s), and report PDU session information indication.

It is to be understood that the Nudm_SDM_Update message is merely an example, and the application is not limited thereto. Any message is feasible as long as the SMF can use it to send the authentication authorization information to the UDM.

706a6, the UDM sends a response message to the SMF.

The UDM sends a response message to the SMF for the authentication authorization information. Illustratively, the SMF receives an Nudm_SDM_Update response message sent by the UDM.

706a7, the SMF continues the PDU session setup procedure.

After the end of the authentication of the terminal device by the DN-AAA, the SMF may continue with other procedures for initiating the PDU session establishment, which may include, but are not limited to: the SMF sends an N4 interface session establishment/modification request to the UPF, and the UPF feeds back an N4 interface session establishment/modification response to the SMF. The SMF may also send a PDU session setup success message to the terminal device via the AMF.

It should be understood that the above is only a simple exemplary illustration, and reference may be made to existing solutions for specific secondary authentication and authorization processes, and the embodiments of the present application are not limited thereto.

Step 706B: the secondary authentication process is not performed. As shown in fig. 7(2), where the SMF determines to skip the secondary authentication flow, the method 700 may include steps 706B1 to 706B6.

706B1, the SMF determines to skip the secondary authentication.

For example, in this case, step 706a2 in fig. 7(1) need not be performed.

706B2, the SMF determines the address of the PDU session for the terminal device.

The SMF executes the PDU session establishment process according to the acquired authentication and authorization information. The authentication and authorization information may be, for example, obtained by the SMF from the context of the UE; as another example, it may be obtained by the SMF from the UDM; and as another example, it may be stored locally by the SMF. Reference may be made in particular to the above description.

If the SMF receives authorization information for PDU session control, which may include but is not limited to the index of DN authorization text, the AMBR of the session authorized by the DN, the allowed MAC address(es), the allowed VID(s), and the report PDU session information indication, the SMF performs the PDU session setup procedure using that authorization information. For example, the SMF may send the PCF the index of the DN authorization text and the AMBR of the session authorized by the DN, and determine the address of the PDU session based on the allowed MAC address(es) and the allowed VID(s).

706B3, the SMF determines the target DN-AAA based on the obtained DNN or authentication authorization information.

Taking the example that the SMF determines the target DN-AAA according to the authentication authorization information, a possible implementation way is that the DN-AAA address is stored in the authentication result, so that the DN-AAA can be determined according to the authentication result; in yet another possible implementation, the authentication result includes a DN-Specific Id, and the DN AAA address is determined according to the DN-Specific Id.

It should be appreciated that any manner by which the SMF may determine the target DN-AAA is suitable for use in embodiments of the present application.

706B4, the SMF reports the address information of the PDU session to the target DN-AAA.

The address information of the PDU session may include, for example, but is not limited to: IP addresses, MAC addresses, VIDs, or the like.

For example, the SMF may report address information of the PDU session as indicated by the DN-AAA. For example, the SMF may determine, according to the PDU session information reporting indication in the authentication and authorization information, to notify the DN-AAA of the address information of the PDU session.

For yet another example, the SMF may determine to notify the DN-AAA of the address information of the PDU session based on local configuration (e.g., a local configuration requiring that the address information of the PDU session be notified).

Optionally, the SMF may also carry a General Public Subscription Identifier (GPSI) of the terminal device.

706B5, DN-AAA stores the information for the new SMF.

The DN-AAA may determine to store the information of the new SMF, i.e., maintain a session with the SMF for subsequent DN-AAA interaction with the SMF.

706B6, the SMF continues the PDU session setup procedure.

The SMF continues to perform the PDU session establishment procedure, which may include, for example but not limited to: the SMF sends an N4 interface session establishment/modification request to the UPF, and the UPF feeds back an N4 interface session establishment/modification response to the SMF.

It should be understood that the numbering of the steps does not imply an order of execution; the order of execution of the steps should be determined by their function and inherent logic. For example, step 706B4 may also occur after PDU session establishment is complete, i.e., after step 706B6. For another example, step 706 and step 705 may be combined, that is, a single step both determines that the authentication mode is the secondary authentication and determines whether to initiate the secondary authentication process.

One embodiment is described above in connection with method 700 shown in fig. 7. According to the embodiment of the application, in the PDU session establishment process, the SMF can determine whether to initiate a secondary authentication process according to the UE context, the authentication and authorization information acquired from the UDM or the authentication and authorization information stored locally. The authentication authorization information also comprises PDU session management control related information, so that when a secondary authentication process is skipped, a PDU session can be directly established according to the authentication authorization information. In addition, the authentication authorization information may further include a plurality of DNN information (i.e., equivalent DNNs) for identifying the same DN, so that it may be ensured that a procedure of repeatedly performing secondary authentication may also be avoided in a scenario where different DNNs are used to identify a DN. By the embodiment of the application, even if different DNNs are used for accessing the DN, the SMF can avoid repeatedly executing a secondary authentication process as much as possible. In addition, the stored grant information is enhanced to ensure that control information for the PDU session can also be used.
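The decision summarized above can be written as a small model. The following is an added example, not code from the application: the class, field and function names are hypothetical, the aging information is assumed to be an expiry time, and the storage rule shown is the variant in which the SMF stores the result only when indication information #3 is received and permits reuse.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

INITIATE_706A = "706A"   # run the secondary authentication process
SKIP_706B = "706B"       # skip it and reuse the stored authorization


@dataclass(frozen=True)
class AuthzInfo:
    """Authentication authorization information, reduced to what the check needs."""
    dn_specific_id: str
    dn_aaa_id: str       # lets step 706B3 pick the target DN-AAA
    dnns: frozenset      # the DNN plus its equivalent DNNs (all identify one DN)
    expires_at: float    # assumption: aging information modelled as an expiry time


class Smf:
    def __init__(self, udm_get: Callable[[str, str], Optional[AuthzInfo]]):
        self.udm_get = udm_get                            # stands in for steps 707/708
        self.ue_context: Dict[str, List[AuthzInfo]] = {}  # scheme 1: local UE context

    def decide(self, ue_id: str, dnn: str, now: float) -> Tuple[str, Optional[AuthzInfo]]:
        """Return the step to execute and, for 706B, the information to reuse."""
        entries = self.ue_context.get(ue_id)
        if entries is None:                  # scheme 2: no UE context, ask the UDM
            try:
                fetched = self.udm_get(ue_id, dnn)
            except TimeoutError:             # no UDM response within the preset time
                fetched = None
            entries = [fetched] if fetched is not None else []
        for info in entries:
            if dnn in info.dnns and now < info.expires_at:
                return SKIP_706B, info
        # Missing, non-matching and aged-out information all end in 706A, so a
        # failed lookup can never stand in for an authentication by the DN-AAA.
        return INITIATE_706A, None

    def on_auth_success(self, ue_id: str, info: AuthzInfo,
                        indication3: Optional[bool]) -> bool:
        """Step 706a4: store only if indication #3 was received and allows reuse."""
        if indication3 is True:
            self.ue_context.setdefault(ue_id, []).append(info)
            return True
        return False


if __name__ == "__main__":
    # Constructed sample data: one UE already authenticated for DNN1..DNN3.
    sample = AuthzInfo("dn-specific-1", "dn-aaa-1",
                       frozenset({"DNN1", "DNN2", "DNN3"}), expires_at=1000.0)
    smf = Smf(lambda ue_id, dnn: sample if ue_id == "ue-1" else None)
    for dnn in ("DNN2", "DNN5"):
        print(dnn, smf.decide("ue-1", dnn, now=10.0)[0])
```

Because the UDM lookup is keyed by the UE and the comparison is against the whole equivalent-DNN set, a request for DNN2 reuses an authorization obtained under DNN1, while DNN5 still triggers step 706A.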

Fig. 8 shows a schematic interaction diagram of a method 800 suitable for use in yet another embodiment of the present application. Method 800 generally introduces the scheme described above with respect to performing secondary authentication, and in method 800, after the SMF determines to initiate a secondary authentication procedure according to whether there is an authentication result, the DN authentication server may indicate to the SMF to suspend the session.

The method 800 may include the following steps.

801, the terminal device initiates a PDU session setup request to the AMF.

Illustratively, the terminal device sends a NAS message to the AMF, where the NAS message may also carry a DNN, that is, a DN indicating that the terminal device wants to access.

It should be understood that step 801 is similar to the specific process of step 701 in method 700 above. Since step 701 has already been described in detail in method 700 above, it is not repeated here for brevity.

Unlike step 701, in step 801, the terminal device may further send authentication and authorization information corresponding to the DN, for example, the PDU session establishment request includes the authentication and authorization information corresponding to the DN, or may also send the authentication and authorization information corresponding to the DN to the AMF separately.

802, the AMF sends a PDU session setup request to the SMF.

It should be appreciated that step 802 is similar to the specific process of step 702 in method 700 above. Since step 702 has already been described in detail in method 700 above, it is not repeated here for brevity.

803, the SMF requests the session management subscription information of the terminal device from the UDM.

It should be understood that step 803 is similar to the specific process of step 703 in method 700 above. Since the step 703 has already been described in detail in the above method 700, it is not described here again for brevity.

804, the UDM sends the session management subscription information of the terminal device to the SMF.

It should be appreciated that step 804 is similar to the specific process of step 704 in method 700 above. Since step 704 has already been described in detail above in method 700, it is not repeated here for brevity.

805, the SMF determines that the authentication mode is secondary authentication.

It should be appreciated that step 805 is similar to the specific process of step 705 in method 700 above. Since step 705 has already been described in detail above in method 700, it is not repeated here for brevity.

806, the SMF may determine whether to initiate a secondary authentication procedure.

For example, step 807 and step 808 may be included.

807, the SMF requests the authentication authorization information of the terminal device from the UDM.

It should be appreciated that step 807 is similar to the specific process of step 707 in method 700 above. Since step 707 has already been described in detail in method 700 above, it is not repeated here for brevity.

808, the UDM sends authentication authorization information of the terminal device to the SMF.

It should be appreciated that step 808 is similar to the specific process of step 708 in method 700 above. Since step 708 has already been described in detail above in method 700, it is not repeated here for brevity.

It should be appreciated that step 806 is similar to the specific process of step 706 in method 700 above. Since step 706 has already been described in detail above in method 700, it is not repeated here for brevity.

It is assumed that, by the judgment, the SMF determines to initiate the secondary authentication procedure.

809, the SMF determines to initiate a secondary authentication procedure.

In the method 800, after the SMF determines to initiate the secondary authentication procedure based on whether there is an authentication result, the SMF may also determine whether there is an ongoing secondary authentication procedure.

For example, in step 806, the SMF may further determine whether a secondary authentication procedure is being performed locally for the DN corresponding to the DNN (i.e., the DNN in step 801). If yes, the SMF skips the secondary authentication process and locally stores the indication information #4, wherein the indication information #4 indicates whether to continue executing the PDU session process according to the result of the secondary authentication being executed. If not, the SMF determines to initiate a secondary authentication process. Specifically, this is described below in connection with the illustrated embodiment of method 1000.

810, the SMF sends an authentication authorization request message to the DN-AAA.

The SMF sends an authentication authorization request message to the DN-AAA, which includes information for authentication authorization (e.g., EAP information).

811, the DN-AAA determines that authentication is being performed for the same terminal device.

According to the request message sent by the SMF, the DN-AAA determines that secondary authentication with the same DN (DN-Specific Id) is being performed for the same terminal device. The DN-AAA may locally store the SMF identity and the indication information #5, where the indication information #5 is used to indicate that the SMF needs to be notified of the secondary authentication authorization result.

812, the DN-AAA sends an authentication authorization response message to the SMF.

A suspend indication, i.e., an indication that the SMF is to suspend the PDU session, may be included in the response message sent by the DN-AAA to the SMF. Suspend, or pause, means to temporarily stop establishing a PDU session or to temporarily stop performing a secondary authentication procedure.

813, the SMF suspends the PDU session.

813, SMF suspends PDU session.

The SMF suspends the PDU session, i.e. the SMF does not continue to perform the setup procedure of the PDU session.

The SMF may determine subsequent processing based on the DN-AAA feedback, such as the authentication result for another PDU session. For example, after successful secondary authentication for another PDU session, the SMF may continue the PDU session establishment procedure, and the SMF may not need to repeatedly perform the secondary authentication procedure, e.g., step 706B in method 700 may be performed. As another example, the SMF may terminate the establishment of the PDU session after a failure to perform a secondary authentication for another PDU session. Alternatively, after the authentication authorization fails, the SMF may determine whether to terminate the establishment of the PDU session according to the reason for the authentication failure.

For example, the SMF may determine the subsequent processing according to whether a feedback of the DN-AAA is received after a preset time period, such as a secondary authentication result of another PDU session (i.e., a secondary authentication result of a PDU session that has just undergone secondary authentication). The preset duration may be a predefined duration, as predefined by the protocol; alternatively, it may be a time period determined based on historical communication conditions.

Illustratively, this may be achieved by a timer. For example, after the SMF suspends the PDU session, the timer is started with the preset duration as its length. For another example, after receiving the authentication authorization response message of the DN-AAA, the SMF starts the timer with the preset duration as its length. If the message carrying the secondary authentication result of another PDU session (namely the secondary authentication result of the PDU session that has just undergone secondary authentication) is not received before the timer expires, the secondary authentication of the other PDU session is determined to have failed, and the establishment of the PDU session is terminated.

814, the DN-AAA completes the authentication and determines to notify the SMF.

The DN-AAA may determine to notify the SMF based on locally stored indication #5, or the DN-AAA may also notify the SMF by default.

If the secondary authentication and authorization succeeds, the DN-AAA then sends to the SMF an authentication result indicating the successful secondary authentication of another PDU session (namely the successful or failed secondary authentication of another PDU session that has just undergone secondary authentication), together with the authentication and authorization information; if the secondary authentication and authorization fails, the DN-AAA then indicates to the SMF the failure of the secondary authentication of another PDU session (namely the failure of the secondary authentication of another PDU session that has just undergone secondary authentication). Or, if the secondary authentication and authorization fails, the DN-AAA does not send the secondary authentication result of another PDU session, and the SMF, having received no authentication result within the preset time length, assumes by default that the authentication and authorization failed.

815, the DN-AAA sends the authentication authorization result to the SMF.

The authentication and authorization result comprises: the authentication result of the successful secondary authentication of another PDU session (namely the successful secondary authentication of the PDU session that has just undergone secondary authentication) and authentication authorization information; or, the authentication and authorization result includes: an authentication result indicating that the secondary authentication of another PDU session failed.

816, the SMF processes the pending PDU session according to the authentication authorization result.

For example, the SMF determines to continue the PDU session establishment or to reject the PDU session establishment according to the authentication authorization result.

In one possible case, the authentication and authorization result includes: the authentication result of the successful secondary authentication of another PDU session (namely, the successful secondary authentication of the PDU session that has just undergone secondary authentication) and the authentication authorization information. In this case, the SMF determines to continue the PDU session establishment according to the authentication result, and continues to establish the PDU session based on the authentication authorization information without performing the secondary authentication process.

In yet another possible scenario, the authentication and authorization result includes: an authentication result indicating that the secondary authentication of another PDU session failed. In this case, the SMF may determine to reject the PDU session establishment, i.e., terminate the establishment of the PDU session, according to the authentication authorization result. Alternatively, in this case, the SMF may also determine whether to reject the PDU session establishment according to the reason for the authentication authorization failure.

Optionally, in the case that the authentication and authorization are successful, the SMF may report address information of the PDU session to the DN-AAA.

817, the SMF reports the address information of the PDU session to the DN-AAA.

The address information of the PDU session may include, for example, but is not limited to: IP addresses, MAC addresses, VIDs, or the like.

For example, the SMF may report address information of the PDU session as indicated by the DN-AAA. For example, the SMF may determine, according to the PDU session information reporting indication in the authentication and authorization information, to notify the DN-AAA of the address information of the PDU session.

For yet another example, the SMF may determine to notify the DN-AAA of the address information of the PDU session based on local configuration (e.g., a local configuration requiring that the address information of the PDU session be notified).

As yet another example, the SMF may determine to notify the DN-AAA of the address information of the PDU session based on subscription information obtained from the UDM.

Optionally, the SMF may also carry the GPSI of the terminal device.

Yet another embodiment is described above in connection with method 800 shown in FIG. 8. According to the embodiment of the application, in the PDU session establishment process, the DN authentication server determines whether the executing secondary authentication process exists or not, and stores the indication information, so that the secondary authentication process is skipped to directly send the authentication authorization result to the SMF. Therefore, the centralized control point DN authentication server can judge and reuse the secondary authentication result, thereby avoiding the signaling overhead brought by repeatedly executing the secondary authentication process.
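The coordination in method 800 can be modelled from both sides: the DN-AAA detects a secondary authentication already running for the same terminal device and DN, and the SMF holds the suspended PDU session against a timer. This is an added example, not code from the application; all names are hypothetical, and it takes the variants in which a failed result terminates the session and a result arriving after the timer has expired is ignored.

```python
from typing import Dict, List, Tuple

SUSPENDED, CONTINUE_706B, TERMINATED = "SUSPENDED", "CONTINUE_706B", "TERMINATED"


class DnAaa:
    """DN-AAA side: one running secondary authentication per (UE, DN-Specific Id)."""

    def __init__(self) -> None:
        # key -> SMFs that were told to suspend and must be notified (indication #5)
        self.in_progress: Dict[Tuple[str, str], List[str]] = {}

    def auth_request(self, smf_id: str, ue_id: str, dn_specific_id: str) -> str:
        key = (ue_id, dn_specific_id)
        if key in self.in_progress:              # step 811: already authenticating
            self.in_progress[key].append(smf_id)
            return "SUSPEND"                     # step 812: response carries suspend
        self.in_progress[key] = []
        return "PROCEED"

    def complete(self, ue_id: str, dn_specific_id: str,
                 success: bool) -> List[Tuple[str, bool]]:
        """Steps 814/815: return (smf_id, success) notifications for waiting SMFs."""
        waiting = self.in_progress.pop((ue_id, dn_specific_id), [])
        return [(smf_id, success) for smf_id in waiting]


class PendingSession:
    """SMF side: a PDU session suspended in step 813 and resolved in step 816."""

    def __init__(self, suspended_at: float, timeout: float) -> None:
        self.state = SUSPENDED
        self.deadline = suspended_at + timeout   # timer with the preset duration

    def expire(self, now: float) -> str:
        # No result before the timer expires counts as authentication failure.
        if self.state == SUSPENDED and now >= self.deadline:
            self.state = TERMINATED
        return self.state

    def on_result(self, success: bool, now: float) -> str:
        # A late success must not revive a session that has already timed out.
        if self.expire(now) == SUSPENDED:
            self.state = CONTINUE_706B if success else TERMINATED
        return self.state


def simulate(result_at: float, success: bool, timeout: float = 5.0) -> str:
    """Two SMFs request authentication for the same UE and DN (constructed ids)."""
    aaa = DnAaa()
    assert aaa.auth_request("smf-A", "ue-1", "dn-specific-1") == "PROCEED"
    assert aaa.auth_request("smf-B", "ue-1", "dn-specific-1") == "SUSPEND"
    pending = PendingSession(suspended_at=0.0, timeout=timeout)
    for _smf_id, ok in aaa.complete("ue-1", "dn-specific-1", success):
        pending.on_result(ok, now=result_at)
    return pending.state


if __name__ == "__main__":
    print(simulate(result_at=3.0, success=True))    # result arrives in time
    print(simulate(result_at=9.0, success=True))    # result arrives after expiry
```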

Fig. 9 shows a schematic interaction diagram of a method 900 suitable for use in yet another embodiment of the present application. The method 900 mainly introduces the scheme regarding performing secondary authentication as described above, and in the method 900, after the SMF determines to initiate the secondary authentication procedure according to whether the authentication result exists, the terminal device may indicate to the SMF to suspend the session.

Method 900 may include the following steps.

901, the terminal equipment initiates a PDU session setup request to the AMF.

It should be understood that step 901 is similar to the specific process of step 701 in method 700 above. Since step 701 has already been described in detail in method 700 above, it is not repeated here for brevity.

902, the AMF sends a PDU session setup request to the SMF.

It should be appreciated that step 902 is similar to the specific process of step 702 in method 700 above. Since step 702 has already been described in detail in method 700 above, it is not repeated here for brevity.

903, the SMF requests the session management subscription information of the terminal device from the UDM.

It should be understood that step 903 is similar to the specific process of step 703 in method 700 above. Since the step 703 has already been described in detail in the above method 700, it is not described here again for brevity.

904, the UDM sends session management subscription information of the terminal device to the SMF.

It should be appreciated that step 804 is similar to the specific process of step 704 in method 700 above. Since step 704 has already been described in detail above in method 700, it is not repeated here for brevity.

905, the SMF determines that the PDU session requires a secondary authentication grant.

It should be appreciated that step 905 is similar to the specific process of step 705 in method 700 above. Since step 705 has already been described in detail above in method 700, it is not repeated here for brevity.

906, the SMF may determine whether to initiate a secondary authentication procedure.

For example, step 907 and step 908 may be included.

907, the SMF requests the authentication authorization information of the terminal device from the UDM.

It should be appreciated that step 907 is similar to the specific process of step 707 in method 700 above. Since step 707 has already been described in detail in method 700 above, it is not repeated here for brevity.

908, the UDM sends authentication authorization information of the terminal device to the SMF.

It should be appreciated that step 908 is similar to the specific process of step 708 in method 700 above. Since step 708 has already been described in detail above in method 700, it is not repeated here for brevity.

It should be appreciated that step 906 is similar to the specific process of step 906 in method 700 above. Since step 906 has already been described in detail above in method 700, it is not repeated here for brevity.

It is assumed that, by the judgment, the SMF determines to initiate the secondary authentication procedure.

909, the SMF determines to initiate the secondary authentication procedure.

910, the SMF sends an authentication message to the AMF.

The SMF sends an authentication message to the terminal device for authentication of the terminal device. Alternatively, the SMF may send the authentication message to the terminal device through the AMF.

Illustratively, the SMF may send an Namf interface N1N2 message transfer (Nsmf N1N2message transfer) message to the AMF, the message containing an authentication message.

911, the AMF sends an authentication message to the terminal device.

Illustratively, the AMF may send a NAS Session Management (SM) transport (NAS SM transport) message to the terminal device, the message including the authentication message.

The terminal device, upon receiving the authentication message, may determine whether secondary authentication is being performed. It is assumed that the terminal device determines that secondary authentication is being performed.

912, the terminal device determines that secondary authentication is being performed.

If the terminal device determines that secondary authentication is being performed for the same DN (or the corresponding same DN-Specific Id), the terminal device may send a suspend indication (i.e., indication #2) to the SMF. The terminal device may send the suspend indication to the SMF via the AMF.

Optionally, the terminal device may also locally store the indication information #5, which indicates that the SMF needs to be notified of the secondary authentication authorization result (e.g., the terminal device sends the indication information #1). Alternatively, it may be predefined that the terminal device needs to notify the SMF of the secondary authentication authorization result.

913, the terminal device sends a suspend indication to the AMF.

Illustratively, the terminal device may send a NAS SM transport message to the AMF, which contains the suspend indication. The suspend indication indicates to the SMF that a secondary authentication procedure is being performed.

914, the AMF sends a suspend indication to the SMF.

For example, the AMF may send to the SMF an Nsmf interface PDU session update session management context (Nsmf_PDUSession_UpdateSMContext) message containing a suspend indication. The suspend indication indicates to the SMF that a secondary authentication procedure is being performed.

915, the SMF suspends the PDU session.

After receiving the suspend indication, the SMF suspends the PDU session, i.e., does not continue to execute the PDU session establishment procedure. Optionally, after receiving the suspend indication, the SMF may further subscribe to the UDM for an authorization result notification; based on that subscription, the UDM may notify the SMF when it receives a new authentication result. Or, optionally, after receiving the suspend indication, the SMF may subscribe to the DN-AAA for an authorization result notification; based on that subscription, the DN-AAA may notify the SMF when it receives a new authentication result.

The SMF may determine the subsequent processing according to the feedback of the terminal device, such as an authentication result indicating that the secondary authentication for another PDU session succeeded or failed. For example, after the secondary authentication for another PDU session succeeds, the SMF may continue the PDU session establishment procedure without repeating the secondary authentication procedure, as in step 706B of method 700. For another example, after the secondary authentication for another PDU session fails, the SMF may terminate the establishment of the PDU session, or may determine whether to terminate the establishment of the PDU session according to the reason for the authentication authorization failure.

For example, the SMF may determine the subsequent processing according to whether feedback of the terminal device is received after a preset time period, such as an authentication result of secondary authentication of another PDU session. The preset duration may be a predefined duration, as predefined by the protocol; alternatively, it may be a time period determined based on historical communication conditions.

Illustratively, this may be achieved by a timer. For example, after the SMF suspends the PDU session, the timer is activated for a preset duration. For another example, after receiving the suspending indication of the AMF, the SMF activates the timer for a preset time length. If the authentication result of the secondary authentication of another PDU session is not received before the timer expires, the authentication authorization is determined to fail, and the establishment of the PDU session is terminated.

916, the terminal device determines that the secondary authentication is finished.

After the terminal device determines that the secondary authentication is completed, the terminal device may transmit authentication result notification information to the SMF according to locally stored instruction information #5 or according to a predetermined rule. For example, the terminal device may notify the SMF of the secondary authentication result, or the terminal device may notify the SMF to acquire the secondary authentication result.

The terminal device may send authentication result notification information to the SMF through the AMF.

917, the terminal device sends authentication result notification information to the AMF.

Illustratively, the terminal device may send a NAS SM transport message, which includes authentication result notification information, to the AMF.

918, the AMF sends authentication result notification information to the SMF.

For example, the AMF may send an Nsmf_PDUSession_UpdateSMContext message to the SMF, where the message includes authentication result notification information, and the authentication result notification information is used to indicate success or failure of secondary authentication of the session.

In one case, if the authentication result notification information notifies the SMF of the secondary authentication result, the SMF may determine from it whether the authentication authorization succeeded or failed.

In another case, if the authentication result notification message notifies the SMF to acquire the secondary authentication result, the SMF may request the UDM to provide the secondary authentication authorization result according to the authentication result notification message. In this case, method 900 may also include steps 919 through 921.

919, the SMF obtains authentication authorization information from the UDM according to the authentication result notification information.

920, the SMF requests authentication authorization information of the terminal device from the UDM.

It should be appreciated that step 920 is similar to the specific process of step 707 in method 700 above. Since step 707 has already been described in detail in method 700 above, it is not repeated here for brevity.

It should also be understood that step 920 may not be performed, i.e. the UDM notifies the SMF upon receiving a new authentication result, based on a previous subscription authorization result notification by the SMF.

921, the UDM sends authentication authorization information of the terminal device to the SMF.

It should be appreciated that step 921 is similar to the specific process of step 708 in method 700 above. Since step 708 has already been described in detail above in method 700, it is not repeated here for brevity.

The SMF can confirm the authentication and authorization result according to the notification of the terminal device or the authentication and authorization information of the terminal device acquired from the UDM, and can determine to continue the PDU session establishment or reject the PDU session establishment according to the authentication and authorization result.

In one possible case, the authentication and authorization result includes: an authentication result indicating that the secondary authentication for another PDU session succeeded (namely, the PDU session that has just performed secondary authentication), together with the authentication authorization information. In this case, the SMF determines to continue the PDU session establishment according to the authentication and authorization result, and continues to establish the PDU session based on the authentication and authorization information without performing a secondary authentication process.

In yet another possible case, the authentication and authorization result includes: an authentication result indicating that the secondary authentication for another PDU session failed. In this case, the SMF determines to reject the PDU session establishment, i.e., terminates the establishment of the PDU session, according to the authentication authorization result. Alternatively, in this case, the SMF may also determine whether to reject the PDU session establishment according to the reason for the authentication authorization failure.
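The SMF-side handling of a suspended session in steps 915 to 921 can be modelled as a small state machine. The following Python sketch is an added example, not code from the application; the class names, the `fetch_from_udm` callback and the sample values are assumptions made for illustration.

```python
"""Model of SMF handling of a suspended PDU session (steps 915 to 921)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class State(Enum):
    SUSPENDED = "suspended"
    CONTINUE = "continue establishment"
    REJECTED = "establishment terminated"


@dataclass
class AuthResult:
    """Outcome of the secondary authentication run for the other PDU session."""
    success: bool
    authorization_info: Optional[dict] = None


@dataclass
class Notification:
    """Authentication result notification information from the terminal device.

    result is set when the terminal reports the outcome itself, and None when
    it only tells the SMF to acquire the outcome (here: from the UDM).
    """
    result: Optional[AuthResult] = None


class SuspendedSession:
    def __init__(self, pdu_session_id: int, dn_specific_id: str,
                 now: float, preset_duration: float):
        self.pdu_session_id = pdu_session_id
        self.dn_specific_id = dn_specific_id
        self.deadline = now + preset_duration  # timer starts at suspension
        self.state = State.SUSPENDED
        self.authorization_info: Optional[dict] = None
        self.reason = ""

    def _finish(self, state: State, reason: str,
                info: Optional[dict] = None) -> State:
        self.state, self.reason, self.authorization_info = state, reason, info
        return state

    def tick(self, now: float) -> State:
        """Timer check: no result before expiry means authorization failed."""
        if self.state is State.SUSPENDED and now >= self.deadline:
            return self._finish(State.REJECTED, "timer expired without result")
        return self.state

    def on_notification(self, note: Notification, now: float,
                        fetch_from_udm: Callable[[str], Optional[AuthResult]]
                        ) -> State:
        # A notification arriving after expiry or after a final decision
        # must not reopen the session.
        if self.tick(now) is not State.SUSPENDED:
            return self.state
        result = note.result
        if result is None:
            # Steps 919 to 921: acquire the result from the UDM.
            result = fetch_from_udm(self.dn_specific_id)
        if result is None:
            return self.state  # nothing stored yet, the timer keeps running
        if result.success:
            # Reuse the other session's result; no secondary authentication
            # is started for this session.
            return self._finish(State.CONTINUE,
                                "reused result of other session",
                                result.authorization_info)
        return self._finish(State.REJECTED,
                            "secondary authentication of other session failed")


def demo() -> list:
    """Constructed scenarios: reported success, fetched failure, timeout."""
    udm = {"dn-1": AuthResult(False)}  # constructed UDM content
    a = SuspendedSession(2, "dn-1", now=0.0, preset_duration=10.0)
    a.on_notification(Notification(AuthResult(True, {"dn_aaa": "aaa.example"})),
                      3.0, udm.get)
    b = SuspendedSession(3, "dn-1", now=0.0, preset_duration=10.0)
    b.on_notification(Notification(), 4.0, udm.get)
    c = SuspendedSession(4, "dn-1", now=0.0, preset_duration=10.0)
    c.tick(10.0)
    c.on_notification(Notification(AuthResult(True, {})), 11.0, udm.get)
    return [a.state, b.state, c.state]
```

The variant in which the SMF decides according to the reason for the failure is left out; this model rejects on any failure.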

Optionally, in the case that the authentication and authorization are successful, the SMF may report address information of the PDU session to the DN-AAA. The address information of the PDU session may include, for example, but is not limited to: IP addresses, MAC addresses, VIDs, or the like.

If the SMF determines that address information of the PDU session needs to be reported to the DN-AAA, the SMF may determine the target DN authentication server based on the DN-specific Id, if the authentication authorization is successful.

922, SMF determines the target DN-AAA.

The SMF may determine a target DN-AAA based on the obtained DN-specific Id (DNN).

923, the SMF reports the address information of the PDU session to the target DN-AAA.

Alternatively, the SMF may determine the address of the target DN-AAA based on the DN-specific Id, or the SMF may report the PDU session address to the DN-AAA based on the DN-AAA address in the authentication and authorization information.

924, the DN-AAA determines to store the new SMF information.

If the SMF is a new SMF, the DN-AAA determines to store the SMF information.

In one possible implementation, whether to store SMF information may be determined based on whether a local association has been established with the SMF.

For example, if the DN-AAA has already been associated with an SMF, it indicates that the SMF is not new, and thus no SMF information needs to be stored.

As another example, if the DN-AAA does not establish an association with an SMF, it indicates that the SMF is new, and the SMF information is stored.

Yet another embodiment is described above in connection with method 900 shown in fig. 9. According to this embodiment of the application, in the PDU session establishment process, the terminal device determines whether a secondary authentication procedure is being executed and stores the indication information, so that the secondary authentication procedure is skipped and the authentication authorization result is sent directly to the SMF. Because the terminal device indicates that secondary authentication is being performed, the signaling overhead caused by repeatedly performing the secondary authentication procedure is avoided.

Fig. 10 shows a schematic interaction diagram of a method 1000 suitable for use in yet another embodiment of the present application. Method 1000 mainly describes how the terminal device, when requesting to establish a session, indicates to the SMF to suspend the session or whether a secondary authentication procedure needs to be initiated.

The method 1000 may include the following steps.

1001, the terminal device determines that the PDU session is for the same DN.

It will be appreciated that, prior to sending the PDU session establishment request, the terminal device may determine that the PDU session to be established is for the same DN as a previously established session, or for the DN for which secondary authentication is being performed.

For example, the terminal device determines that the established PDU session is one of the redundant PDU sessions of the DN.

As another example, the terminal device determines that the PDU session is for the same DN but uses a DNN different from the previous DNN.

For another example, the terminal device determines that one PDU session corresponding to the same DN is executing the secondary authentication procedure.

1002, the terminal device initiates a PDU session establishment request to the AMF.

It should be understood that step 1002 is similar to the specific process of step 701 in method 700 above. Since step 701 has already been described in detail in method 700 above, it is not repeated here for brevity.

Unlike step 701, in step 1002, the terminal device may also transmit information (i.e., indication information #1) for determining whether to perform the secondary authentication procedure. For example, the PDU session establishment request includes information for determining whether to perform the secondary authentication procedure, or the information for determining whether to perform the secondary authentication procedure may be separately transmitted to the AMF.

Optionally, the terminal device may send one or more of: DNN information, the PDU session ID of the associated PDU session, an indication that secondary authentication is being performed or an indication that secondary authentication need not be performed (i.e., indication information #2).

As an example, in the case where the terminal device determines that the established PDU session is one of the redundant PDU sessions of the DN, the terminal device may send: associated PDU session information, such as the PDU session ID of the associated PDU session.

As yet another example, in the case where the terminal device determines that the PDU session is for the same DN but uses a DNN different from the previous DNN, the terminal device may send: DNN information, i.e., the DNN of the PDU session previously established with the DN.

For another example, when the terminal device determines that one PDU session corresponding to the same DN is executing the secondary authentication procedure, the terminal device may send: an indication that secondary authentication is being performed or an indication that secondary authentication is not to be performed (i.e., indication information #2).

1003, the AMF sends a PDU session establishment request to the SMF.

It should be appreciated that step 1003 is similar to the specific process of step 702 in method 700 above. Since step 702 has already been described in detail in method 700 above, it is not repeated here for brevity.

Unlike step 702, the AMF may also send information to the SMF to determine whether to perform a secondary authentication procedure in step 1003. For example, the PDU session establishment request includes information for determining whether to perform the secondary authentication procedure, or the information for determining whether to perform the secondary authentication procedure may be separately sent to the SMF.

1004, the SMF requests session management subscription information of the terminal device from the UDM.

Illustratively, the SMF may send an Nudm_SDM_Get message to the UDM, requesting session management subscription information of the terminal device.

In one case, if the information (i.e., indication information #1) for determining whether to perform the secondary authentication procedure includes the indication information (i.e., indication information #2) that secondary authentication is being performed, the Nudm_SDM_Get message transmitted from the SMF to the UDM may include: indication information instructing the UDM to notify the SMF after receiving the authentication and authorization information of the terminal device. In this case, method 1000 may include performing steps 1006 and 1007.

In another case, if DNN information is included in the information (i.e., indication information #1) for determining whether to perform the secondary authentication procedure, the Nudm_SDM_Get message transmitted from the SMF to the UDM may include: an instruction for the UDM to send the authentication authorization information for the corresponding DNN. In this case, steps 1006 and 1007 need not be performed.

In yet another case, if the PDU session ID of the associated PDU session is included in the information (i.e., indication information #1) for determining whether to perform the secondary authentication procedure, the Nudm_SDM_Get message transmitted from the SMF to the UDM may include: an instruction for the UDM to send the authentication authorization information corresponding to the PDU session ID. In this case, steps 1009 and 1010 need not be performed.

1005, the UDM sends the session management subscription information of the terminal device to the SMF.

Illustratively, the UDM may send an Nudm_SDM_Get response message to the SMF, wherein the response message contains the session management subscription information of the terminal device.

After acquiring the session management subscription information of the terminal device, the SMF can determine whether the PDU session requires secondary authentication and authorization. Assume that the SMF determines that the PDU session requires secondary authentication and authorization.

1006, the SMF determines the authentication mode to be secondary authentication, i.e., the SMF determines that the PDU session requires secondary authentication and authorization.

It should be appreciated that step 1006 is similar to the specific process of step 705 in method 700 above. Since step 705 has already been described in detail above in method 700, it is not repeated here for brevity.

1007, the SMF may determine whether to initiate a secondary authentication procedure.

In case 1, the terminal device determines that one PDU session corresponding to the same DN is executing the secondary authentication process and sends the indication information (i.e., indication information #2) that secondary authentication is being executed to the SMF; based on this indication, the SMF may determine to skip the secondary authentication.

In case 2, the terminal device determines that the established PDU session is one of the redundant PDU sessions of the DN and sends associated PDU session information (e.g., the PDU session ID of the associated PDU session) to the SMF; based on this indication, the SMF may determine to skip the secondary authentication.

In case 1 or case 2, the SMF may transmit a subscription message (e.g., an Nudm_SDM_Subscribe message) to the UDM, the message instructing the UDM to notify the SMF after receiving the authentication authorization information of the terminal device. Alternatively, the SMF may subscribe to the UDM for authorization result notification, and the UDM may notify the SMF when receiving a new authentication result. Alternatively, the SMF may also subscribe to the DN-AAA for authorization result notification. Alternatively, in this case, the SMF may send a request message directly to the DN-AAA or the UDM to request notification of the authentication authorization result (i.e., the authentication result of the secondary authentication for another PDU session). If the authentication and authorization succeeds, the SMF determines to continue the PDU session establishment according to the authentication and authorization result; if the authentication and authorization fails, the SMF determines to reject the PDU session establishment according to the authentication and authorization result, namely, terminates the establishment of the PDU session, or determines whether to reject the PDU session establishment according to the reason for the authentication and authorization failure.

It should be understood that the above description is only exemplary. For example, in case 1 or case 2, the SMF may also check locally whether a secondary authentication is being performed or an authentication result exists. If not, the SMF subscribes to the result from the UDM or the DN-AAA.

In case 3, the terminal device determines that the PDU session is for the same DN but uses a DNN different from the previous DNN, and sends DNN information, that is, the DNN of the PDU session previously established with the DN, to the SMF; based on this information, the SMF can determine to skip the secondary authentication.

In case 3, the SMF may determine whether there is an authentication authorization result for the corresponding DNN according to the local information. If the authentication and authorization result corresponding to the DNN is available locally, it is reused; if the authentication and authorization result corresponding to the DNN does not exist locally, the SMF queries the UDM for whether the authentication and authorization result corresponding to the DNN exists. Optionally, when the SMF queries the UDM for whether there is an authentication authorization result for the corresponding DNN, the query request may carry the DNN information. In another case, if the PDU session ID of the associated PDU session is included in the information (i.e., indication information #1) for determining whether to perform the secondary authentication procedure, the SMF may determine whether there is an authentication authorization result corresponding to the PDU session ID according to the local information. If the authentication authorization result corresponding to the PDU session ID is available locally, it is reused; if the authentication and authorization result corresponding to the PDU session ID does not exist locally, the SMF queries the UDM for whether the authentication and authorization result corresponding to the PDU session ID exists. Optionally, when the SMF queries the UDM for whether there is an authentication authorization result corresponding to the PDU session ID, the query request may carry the PDU session ID.

The three cases described above are merely exemplary. The SMF may determine whether to initiate a secondary authentication procedure according to the indication of the terminal device, through step 1007. Alternatively, the SMF may query locally or based on the UDM to determine whether to initiate a secondary authentication procedure.
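The decision in step 1007 across the three cases can be written as one function over indication information #1. The following Python sketch is an added example, not code from the application. The names `IndicationInfo1`, `StoredAuth`, `lookup` and `decide` are assumptions, as are two behaviours chosen here: a stored result is not reused past an expiry time derived from its aging information, and the SMF initiates secondary authentication when a DNN lookup finds nothing.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

# (ue_id, "dnn" or "pdu_session_id", value): results are kept per terminal,
# so one terminal's result is never reused for another.
Key = Tuple[str, str, object]


class Decision(Enum):
    REUSE = "skip secondary authentication and reuse the stored result"
    SUBSCRIBE = "skip secondary authentication and subscribe for the result"
    INITIATE = "initiate the secondary authentication procedure"


@dataclass(frozen=True)
class IndicationInfo1:
    """Indication information #1 as sent by the terminal device."""
    dnn: Optional[str] = None                        # case 3
    associated_pdu_session_id: Optional[int] = None  # case 2
    auth_in_progress: bool = False                   # case 1 (indication #2)


@dataclass(frozen=True)
class StoredAuth:
    authorization_info: dict
    expires_at: Optional[float] = None  # assumption: from aging information

    def valid(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


def lookup(key: Key, now: float, local: Dict[Key, StoredAuth],
           query_udm: Callable[[Key], Optional[StoredAuth]]
           ) -> Optional[StoredAuth]:
    """Local information first, then the UDM; expired entries are ignored."""
    entry = local.get(key)
    if entry is None or not entry.valid(now):
        entry = query_udm(key)
    if entry is not None and entry.valid(now):
        return entry
    return None


def decide(ue_id: str, ind: IndicationInfo1, now: float,
           local: Dict[Key, StoredAuth],
           query_udm: Callable[[Key], Optional[StoredAuth]]
           ) -> Tuple[Decision, Optional[StoredAuth]]:
    key: Optional[Key] = None
    if ind.associated_pdu_session_id is not None:
        key = (ue_id, "pdu_session_id", ind.associated_pdu_session_id)
    elif ind.dnn is not None:
        key = (ue_id, "dnn", ind.dnn)

    stored = lookup(key, now, local, query_udm) if key else None
    if stored is not None:
        return Decision.REUSE, stored

    # Cases 1 and 2 without a result in hand: another session is being
    # authenticated, so wait for that result instead of starting a new run.
    if ind.auth_in_progress or ind.associated_pdu_session_id is not None:
        return Decision.SUBSCRIBE, None

    # Case 3 with no usable result, or no indication at all.
    return Decision.INITIATE, None


# Constructed sample state for a quick run.
LOCAL = {("ue-1", "dnn", "dnn-a"): StoredAuth({"dn_aaa": "aaa.example"}, 100.0)}
UDM = {("ue-1", "pdu_session_id", 5): StoredAuth({"dn_aaa": "aaa.example"})}


def demo() -> list:
    cases = [
        ("ue-1", IndicationInfo1(dnn="dnn-a"), 50.0),
        ("ue-1", IndicationInfo1(dnn="dnn-a"), 150.0),  # entry has aged out
        ("ue-1", IndicationInfo1(associated_pdu_session_id=5), 50.0),
        ("ue-1", IndicationInfo1(auth_in_progress=True), 50.0),
        ("ue-2", IndicationInfo1(dnn="dnn-a"), 50.0),   # different terminal
    ]
    return [decide(ue, ind, now, LOCAL, UDM.get)[0] for ue, ind, now in cases]
```

In this model the terminal's indication only selects which stored result to look for; a skip with reuse happens only when the SMF or the UDM actually holds a matching result.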

1008, the SMF determines to skip the secondary authentication flow.

Taking case 1 or case 2 as an example, the SMF may send a subscribe message to the UDM, i.e., method 1000 may include step 1009.

1009, the SMF sends a subscribe message to the UDM.

That is, the SMF subscribes to an event at the UDM, so that the UDM notifies the SMF after receiving the authentication and authorization information of the terminal device.

It should be understood that fig. 10 only illustrates the case where the SMF sends the subscription message to the UDM for convenience of description, and is not limited thereto. For example, the SMF may also send a subscribe message to the DN-AAA.

1010, the UDM sends authentication authorization information to the SMF.

When the UDM receives the authentication and authorization information, it notifies the SMF. The SMF may continue the establishment of the PDU session based on the authentication authorization information.

1011, the SMF reports the address information of the PDU session to the DN-AAA.

Optionally, the SMF may report the PDU session address to the DN-AAA.

Optionally, the SMF may also carry the GPSI of the terminal device.

1012, the DN-AAA determines to store the new SMF information.

The DN-AAA may store SMF and corresponding PDU session information.

It should be appreciated that step 1012 is similar to the specific process of step 924 in method 900 above. Since step 924 has already been described in detail above in method 900, it is not repeated here for brevity.

Yet another embodiment is described above in connection with method 1000 shown in fig. 10. According to this embodiment of the application, the terminal device sends indication information to the SMF, so that the SMF can learn whether secondary authentication is being executed or whether a PDU session using a different DNN is being established. Therefore, the SMF can identify PDU sessions of the same DN that use different DNNs, and whether the secondary authentication process is being executed, thereby avoiding the signaling overhead caused by repeatedly executing the secondary authentication process.

Several possible complete processes are described in detail above in connection with fig. 7-10. It is to be understood that in the above embodiments, each network element may perform some or all of the steps in each embodiment. These steps or operations are merely examples, and other operations or variations of various operations may be performed by embodiments of the present application. Further, the various steps may be performed in an order different from that presented in the embodiments, and not all of the operations in the embodiments of the application need be performed. The sequence number of each step does not indicate the execution sequence; the execution sequence of each process should be determined by its function and inherent logic, and should not limit the implementation of the embodiments of the present application in any way.

It should be understood that, in some embodiments, the session is taken to be a PDU session as an example, which is not limiting. Any session for accessing a DN is suitable for use with embodiments of the present application.

It should also be appreciated that in some of the embodiments described above, specific messages are used, such as the Nsmf_PDUSession_UpdateSMContext Request message, Nudm_SDM_Get message, Nudm_SDM_Get response message, Nudm_UE_Get message, Nudm_UE_Get response message, Nudm_SDM_Update message, etc., without limitation as to the naming and type of the message. Any message that can achieve the same function is applicable to the embodiments of the present application.

Based on the technical scheme, the authentication and authorization process can be used for the data network to authenticate and authorize whether the terminal equipment can establish the session to access the data network. Specifically, in the session establishment process, the SMF may determine whether to initiate the secondary authentication procedure according to whether the data network has successfully authenticated and authorized the terminal device, so that it may be ensured that the secondary authentication procedure is not repeatedly executed even in a scenario where different DNN identifiers are used for identifying the data network. By the embodiment of the application, even if different DNNs are used for accessing the data network, the SMF can be ensured to avoid repeatedly executing the secondary authentication process as much as possible.

In addition, based on the above technical solution, in the session establishment process, the DN authentication server or the terminal device determines whether there is a secondary authentication procedure being executed, and stores the indication information, so as to skip the secondary authentication procedure and directly send an authentication authorization result to the SMF. Therefore, the secondary authentication result can be judged and reused by the centralized control point DN authentication server or the terminal equipment, thereby avoiding signaling overhead caused by repeatedly executing the secondary authentication process.

The various embodiments described herein may be implemented as stand-alone solutions or combined in accordance with inherent logic and are intended to fall within the scope of the present application.

It is to be understood that, in the above embodiments of the method, the method and operations implemented by a device (e.g., SMF, terminal device, DN authentication server, etc.) may also be implemented by a component (e.g., a chip or a circuit) applicable to the device.

The method provided by the embodiment of the present application is described in detail above with reference to fig. 6 to 10. Hereinafter, the apparatus provided in the embodiment of the present application will be described in detail with reference to fig. 11 and 12. It should be understood that the description of the apparatus embodiments corresponds to the description of the method embodiments; therefore, for brevity, details not described here may be found in the above method embodiments.

The above-mentioned scheme provided by the embodiment of the present application is introduced mainly from the perspective of interaction between network elements. It will be appreciated that each network element, for example a terminal device, an SMF or a DN-AAA, comprises corresponding hardware structures and/or software modules for performing the respective functions in order to implement the above-described functions. Those of skill in the art would appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or as computer software driving hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

In the embodiment of the present application, functional modules may be divided for each network element according to the above method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated in one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation. The following description will be given taking the example of dividing each functional module corresponding to each function.

Fig. 11 is a schematic block diagram of an authentication and authorization apparatus provided in an embodiment of the present application. The apparatus 1100 includes a transceiving unit 1110 and a processing unit 1120. The transceiving unit 1110 may implement corresponding communication functions, and the processing unit 1120 is configured to perform data processing. The transceiving unit 1110 may also be referred to as a communication interface or a communication unit.

Optionally, the apparatus 1100 may further include a storage unit, which may be used to store instructions and/or data, and the processing unit 1120 may read the instructions and/or data in the storage unit, so as to enable the communication apparatus to implement the foregoing method embodiments.

The apparatus 1100 may be configured to perform the actions performed by the terminal device in the foregoing method embodiments. In this case, the apparatus 1100 may be the terminal device or a component configurable in the terminal device, the transceiving unit 1110 is configured to perform the operations related to transceiving on the terminal device side in the foregoing method embodiments, and the processing unit 1120 is configured to perform the operations related to processing on the terminal device side in the foregoing method embodiments.

Alternatively, the apparatus 1100 may be configured to perform the actions performed by the SMF in the foregoing method embodiments. In this case, the apparatus 1100 may be an SMF or a component configurable in the SMF, the transceiving unit 1110 is configured to perform the operations related to transceiving on the SMF side in the foregoing method embodiments, and the processing unit 1120 is configured to perform the operations related to processing on the SMF side in the foregoing method embodiments.

Alternatively, the apparatus 1100 may be configured to perform the actions performed by the authentication server of the DN (or the authentication network element of the DN) in the above method embodiments. In this case, the apparatus 1100 may be the authentication server of the DN or a component configurable in the authentication server of the DN, the transceiving unit 1110 is configured to perform the transceiving-related operations on the authentication server side of the DN in the above method embodiments, and the processing unit 1120 is configured to perform the processing-related operations on the authentication server side of the DN in the above method embodiments.

As one design, the apparatus 1100 is configured to perform the actions performed by the SMF in the embodiment shown in fig. 6.

In one implementation, the transceiving unit 1110 is configured to: receiving a session establishment request message from a terminal device, wherein the session establishment request message is used for requesting to establish a session with a data network; the processing unit 1120 is configured to: judging whether an authentication result of the data network to the terminal equipment exists or not; and when the authentication result exists, skipping the secondary authentication process for the session.

As an example, the authentication result includes authentication authorization information, and the authentication authorization information includes one or more of the following: one or more data network identifications, identifications of authentication network elements of the data network, aging information, indexes of data network authorization texts, an aggregated maximum bit rate of sessions authorized by the data network, allowed media access control addresses, allowed virtual local area networks, and information indicating reporting of session information.

As yet another example, the processing unit 1120 is configured to: when determining that the authentication result does not exist, initiate a secondary authentication process for the session, or suspend the session.

As yet another example, the processing unit 1120 is specifically configured to suspend the session according to first indication information sent by the terminal device or by an authentication network element of the data network, where the first indication information indicates that the data network is performing secondary authentication on another session of the terminal device.

As yet another example, the processing unit 1120 is further configured to: when the authentication result does not exist, determine whether the data network is performing secondary authentication on another session of the terminal device; when the data network is performing secondary authentication on another session of the terminal device, suspend the session; or, when the data network is not performing secondary authentication on another session of the terminal device, initiate a secondary authentication process for the session.

As yet another example, the transceiving unit 1110 is further configured to obtain an authentication result of the data network for the other session of the terminal device, where the authentication result of the other session indicates whether the secondary authentication of the other session succeeded or failed.

As yet another example, the processing unit 1120 is further configured to: when the authentication result of the other session indicates that the secondary authentication of the other session succeeded, skip the secondary authentication process for the session and continue the subsequent session establishment procedure; or, when the authentication result of the other session indicates that the secondary authentication of the other session failed, reject establishment of the session.

As yet another example, the processing unit 1120 is further configured to: after the secondary authentication of the session succeeds, determine whether to store the authentication result of the session according to any one of the following: session attributes of the session, a local policy, or second indication information, where the second indication information is information from an authentication network element of the data network or from the terminal device indicating whether to store the authentication result of the session.

As yet another example, the processing unit 1120 is specifically configured to: determine whether an authentication result exists locally; or determine whether an authentication result exists in the unified data management network element; or determine whether an authentication result exists according to third indication information from the terminal device or an authentication network element of the data network; or determine whether an authentication result exists in the authenticated data set.

As yet another example, the processing unit 1120 is specifically configured to: determine that an authentication result exists when the authenticated data set includes an identification of the data network; or determine that no authentication result exists when the authenticated data set does not include an identification of the data network.

In another implementation, the transceiving unit 1110 is configured to receive a session establishment request message from a terminal device, where the session establishment request message is used to request establishment of a session with a data network. The processing unit 1120 is configured to determine whether the data network is performing secondary authentication on another session of the terminal device and, when the data network is performing secondary authentication on another session of the terminal device, to suspend the session.

As an example, the processing unit 1120 is specifically configured to suspend the session according to first indication information carried in the session establishment request message, where the first indication information indicates that the data network is performing secondary authentication on another session of the terminal device.

As yet another example, the transceiving unit 1110 is further configured to obtain an authentication result of the data network for the other session of the terminal device, where the authentication result of the other session indicates whether the secondary authentication of the other session succeeded or failed.

As yet another example, the processing unit 1120 is further configured to: when the authentication result of the other session indicates that the secondary authentication of the other session succeeded, skip the secondary authentication process for the session and continue the subsequent session establishment procedure; or, when the authentication result of the other session indicates that the secondary authentication of the other session failed, reject establishment of the session.

As yet another example, the processing unit 1120 is further configured to: when the data network is not performing secondary authentication on another session of the terminal device, determine whether an authentication result of the data network for the terminal device exists; when the authentication result exists, skip the secondary authentication process for the session; or, when the authentication result does not exist, initiate a secondary authentication process for the session.

As yet another example, the processing unit 1120 is further configured to determine whether to store the authentication result of the session according to any one of the following: session attributes of the session, a local policy, or second indication information, where the second indication information is information from an authentication network element of the data network or from the terminal device indicating whether to store the authentication result of the session.

As yet another example, the processing unit 1120 is specifically configured to: determine whether an authentication result exists locally; or determine whether an authentication result exists in the unified data management network element; or determine whether an authentication result exists according to third indication information from the terminal device or an authentication network element of the data network; or determine whether an authentication result exists in the authenticated data set.

As yet another example, the processing unit 1120 is specifically configured to: determine that an authentication result exists when the authenticated data set includes an identification of the data network; or determine that no authentication result exists when the authenticated data set does not include an identification of the data network.
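The SMF-side decision described in the two implementations above (skip, initiate or suspend, then resolve suspended sessions from the other session's result), as an added Python example that is not part of the application. It follows the first implementation's order, checking for an authentication result before checking for an in-progress authentication; the class and field names, the keying on terminal and data network, and the reading of the aging information as an expiry time are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    SKIP_SECONDARY_AUTH = "skip"          # an authentication result exists
    INITIATE_SECONDARY_AUTH = "initiate"  # no result, nothing in progress
    SUSPEND = "suspend"                   # another session is being authenticated
    REJECT = "reject"                     # the other session's authentication failed


@dataclass(frozen=True)
class AuthResult:
    dn_ids: frozenset   # data network identifications the result covers
    expires_at: float   # assumed reading of the "aging information"


@dataclass
class SmfAuthState:
    """Hypothetical SMF-side state; names are illustrative, not from the application."""
    results: dict = field(default_factory=dict)    # ue_id -> [AuthResult]
    in_progress: set = field(default_factory=set)  # {(ue_id, dn_id)}
    suspended: dict = field(default_factory=dict)  # (ue_id, dn_id) -> [session_id]

    def has_auth_result(self, ue_id, dn_id, now):
        # Drop aged-out entries first so a stale result can never justify a skip.
        live = [r for r in self.results.get(ue_id, []) if r.expires_at > now]
        if live:
            self.results[ue_id] = live
        else:
            self.results.pop(ue_id, None)
        # The result must name this data network, not merely this terminal.
        return any(dn_id in r.dn_ids for r in live)

    def on_session_request(self, ue_id, dn_id, session_id, now):
        if self.has_auth_result(ue_id, dn_id, now):
            return Decision.SKIP_SECONDARY_AUTH
        key = (ue_id, dn_id)
        if key in self.in_progress:
            # Another session of this terminal is already being authenticated
            # by the same data network: park this one until that finishes.
            self.suspended.setdefault(key, []).append(session_id)
            return Decision.SUSPEND
        self.in_progress.add(key)
        return Decision.INITIATE_SECONDARY_AUTH

    def on_secondary_auth_done(self, ue_id, dn_id, success, now, lifetime, store=True):
        """Record the outcome and return the decision for each suspended session.

        `store` stands in for the session-attribute / local-policy /
        second-indication choice; failures are never stored.
        """
        key = (ue_id, dn_id)
        self.in_progress.discard(key)
        if success and store:
            self.results.setdefault(ue_id, []).append(
                AuthResult(frozenset({dn_id}), now + lifetime))
        outcome = Decision.SKIP_SECONDARY_AUTH if success else Decision.REJECT
        return {sid: outcome for sid in self.suspended.pop(key, [])}


if __name__ == "__main__":
    smf = SmfAuthState()
    # Constructed identifiers, for illustration only.
    print(smf.on_session_request("ue1", "dn-a", "s1", now=0))
    print(smf.on_session_request("ue1", "dn-a", "s2", now=1))
    print(smf.on_secondary_auth_done("ue1", "dn-a", True, now=2, lifetime=100))
    print(smf.on_session_request("ue1", "dn-a", "s3", now=50))
```

Because the skip decision replaces an authentication exchange, the lookup is the security boundary: a result stored for one terminal or one data network must not satisfy a request for another, and an aged-out result must fall back to a full secondary authentication.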

The apparatus 1100 may implement the steps or flows performed by the SMF in the methods 600 to 1000 according to embodiments of the application, and the apparatus 1100 may include units for performing the methods performed by the SMF in the methods 600 to 1000 in fig. 6 to 10. Also, the units and the other operations and/or functions described above in the apparatus 1100 are respectively for implementing the corresponding flows of the method 600 in fig. 6 to the method 1000 in fig. 10.

When the apparatus 1100 is configured to perform the method 600 in fig. 6, the transceiving unit 1110 is configured to perform step 610 in the method 600, and the processing unit 1120 is configured to perform step 620, 631 or 632 in the method 600.

When the apparatus 1100 is configured to perform the method 700 in fig. 7, the transceiving unit 1110 may be configured to perform steps 702, 703, 704, 707, 708, 706A3, 706A5, 706A6, 706B4 in the method 700, and the processing unit 1120 may be configured to perform steps 705, 706A1, 706A2, 706A4, 706A7, 706B1, 706B2, 706B3, 706B6 in the method 700.

When the apparatus 1100 is configured to perform the method 800 in fig. 8, the transceiving unit 1110 is configured to perform steps 803, 804, 807, 808, 810, 812, 815, 817 in the method 800, and the processing unit 1120 is configured to perform steps 805, 806, 809, 813, 816 in the method 800.

When the apparatus 1100 is configured to perform the method 900 in fig. 9, the transceiving unit 1110 may be configured to perform steps 903, 904, 907, 908, 910, 914, 918, 920, 921, 923 in the method 900, and the processing unit 1120 may be configured to perform steps 905, 906, 909, 915, 919, 922 in the method 900.

When the apparatus 1100 is configured to perform the method 1000 in fig. 10, the transceiving unit 1110 may be configured to perform steps 1004, 1005, 1007, 1009, 1010 in the method 1000, and the processing unit 1120 may be configured to perform steps 1006, 1007, 1008 in the method 1000.

It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.

As another design, the apparatus 1100 is configured to perform the actions performed by the terminal device in the embodiment shown in fig. 6 above.

In one implementation, the transceiving unit 1110 is configured to receive a session establishment request message from a terminal device, where the session establishment request message is used to request establishment of a session with a data network. The processing unit 1120 is configured to determine, during secondary authentication of a session with the data network, whether the data network is performing secondary authentication on another session of the terminal device. The transceiving unit 1110 is further configured to send first indication information to a session management network element when the data network is performing secondary authentication on another session of the terminal device, where the first indication information indicates that the data network is performing secondary authentication on another session of the terminal device.

As an example, the processing unit 1120 is specifically configured to determine, after the transceiving unit 1110 receives the authentication protocol request message from the session management network element, whether the data network is performing secondary authentication on another session of the terminal device.

As yet another example, the transceiving unit 1110 is further configured to send the authentication result of the other session to the session management network element, where the authentication result of the other session indicates whether the secondary authentication of the other session succeeded or failed.

As yet another example, the transceiving unit 1110 is further configured to determine, according to one or more of stored information and the session attributes of the session, to send the authentication result of the other session to the session management network element after the data network finishes the secondary authentication of the other session of the terminal device, where the stored information indicates that the authentication result of the other session is to be sent to the session management network element after the data network finishes the secondary authentication of the other session of the terminal device.

As yet another example, the transceiving unit 1110 is further configured to send second indication information to the session management network element, where the second indication information indicates whether to store information about the authentication result of the data network for the terminal device.

The apparatus 1100 may implement the steps or flows performed by the SMF in the methods 600 to 1000 according to embodiments of the application, and the apparatus 1100 may include units for performing the methods performed by the SMF in the methods 600 to 1000 in fig. 6 to 10. Also, the units and the other operations and/or functions described above in the apparatus 1100 are respectively for implementing the corresponding flows of the method 600 in fig. 6 to the method 1000 in fig. 10.

When the apparatus 1100 is configured to perform the method 600 in fig. 6, the transceiving unit 1110 is configured to perform step 610 in the method 600.

When the apparatus 1100 is configured to perform the method 700 in fig. 7, the transceiving unit 1110 is configured to perform step 701 in the method 700.

When the apparatus 1100 is configured to perform the method 800 in fig. 8, the transceiving unit 1110 is configured to perform step 801 in the method 800.

When the apparatus 1100 is configured to perform the method 900 in fig. 9, the transceiving unit 1110 is configured to perform steps 901, 911, 913, 917 in the method 900, and the processing unit 1120 is configured to perform steps 912, 916 in the method 900.

When the apparatus 1100 is configured to perform the method 1000 in fig. 10, the processing unit 1120 may be configured to perform step 1001 in the method 1000, and the transceiving unit 1110 may be configured to perform step 1002 in the method 1000.

It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.

As a further design, the apparatus 1100 is configured to perform the actions performed by the authentication server of the DN in the embodiment shown in fig. 6. The transceiving unit 1110 is configured to receive an authentication authorization message from a session management network element, where the authentication authorization message is used to verify whether a terminal device is authorized to establish a session for accessing a data network. The processing unit 1120 is configured to determine whether an authentication result of the data network for the terminal device exists, or to determine whether the data network is performing secondary authentication on another session of the terminal device. The transceiving unit 1110 is further configured to send first indication information to the session management network element, where the first indication information indicates whether an authentication result of the data network for the terminal device exists, or indicates that the data network is performing secondary authentication on another session of the terminal device.

As an example, when it is determined that the data network is performing secondary authentication on another session of the terminal device, the transceiving unit 1110 is further configured to send, after the data network finishes the secondary authentication of the other session of the terminal device, an authentication result of the other session to the session management network element, where the authentication result of the other session indicates whether the secondary authentication of the other session succeeded or failed.

As another example, the transceiving unit 1110 is specifically configured to determine, according to one or more of stored information and the session attributes of the session, to send the authentication result of the other session to the session management network element after the data network finishes the secondary authentication of the other session of the terminal device, where the stored information indicates that the authentication result of the other session is to be sent to the session management network element after the data network finishes the secondary authentication of the other session of the terminal device.

As yet another example, the transceiving unit 1110 is further configured to send second indication information to the session management network element, where the second indication information indicates whether to store information about the authentication result of the data network for the terminal device.

The apparatus 1100 may implement the steps or flows performed by the authentication server of the DN in the methods 600 to 1000 according to embodiments of the present application, and the apparatus 1100 may include units for performing the methods performed by the authentication server in the methods 600 to 1000 in fig. 6 to 10. Also, the units and the other operations and/or functions described above in the apparatus 1100 are respectively for implementing the corresponding flows of the method 600 in fig. 6 to the method 1000 in fig. 10.

When the apparatus 1100 is configured to perform the method 600 in fig. 6, the transceiving unit 1110 may be configured to perform step 610 in the method 600, and the processing unit 1120 may be configured to perform step 620, 631 or 632 in the method 600.

When the apparatus 1100 is configured to perform the method 700 in fig. 7, the transceiving unit 1110 is configured to perform steps 706A3, 706B4 in the method 700, and the processing unit 1120 is configured to perform steps 706A2, 706B5 in the method 700.

When the apparatus 1100 is configured to perform the method 800 in fig. 8, the transceiving unit 1110 is configured to perform steps 810, 812, 815, 817 in the method 800, and the processing unit 1120 is configured to perform steps 811, 814 in the method 800.

When the apparatus 1100 is configured to perform the method 900 in fig. 9, the transceiving unit 1110 is configured to perform step 923 in the method 900, and the processing unit 1120 is configured to perform step 924 in the method 900.

When the apparatus 1100 is configured to perform the method 1000 in fig. 10, the transceiving unit 1110 may be configured to perform step 1011 in the method 1000, and the processing unit 1120 may be configured to perform step 1012 in the method 1000.

It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.

The processing unit 1120 in the above embodiments may be implemented by at least one processor or processor-related circuitry. The transceiving unit 1110 may be implemented by a transceiver or transceiver-related circuitry. The storage unit may be implemented by at least one memory.

As shown in fig. 12, an embodiment of the present application further provides an apparatus 1200 for authentication and authorization. The apparatus 1200 comprises a processor 1210 coupled to a memory 1220. The memory 1220 is configured to store computer programs or instructions and/or data, and the processor 1210 is configured to execute the computer programs or instructions and/or data stored in the memory 1220 such that the methods in the above method embodiments are performed.

Optionally, the apparatus 1200 comprises one or more processors 1210.

Optionally, as shown in fig. 12, the apparatus 1200 may further include a memory 1220.

Optionally, the apparatus 1200 may include one or more memories 1220.

Alternatively, the memory 1220 may be integrated with the processor 1210 or separately provided.

Optionally, as shown in fig. 12, the apparatus 1200 may further include a transceiver 1230, and the transceiver 1230 is used for receiving and/or transmitting signals. For example, the processor 1210 may be configured to control the transceiver 1230 to receive and/or transmit signals.

In one solution, the apparatus 1200 is configured to implement the operations performed by the terminal device in the above method embodiments.

For example, the processor 1210 is configured to implement processing-related operations performed by the terminal device in the above method embodiments, and the transceiver 1230 is configured to implement transceiving-related operations performed by the terminal device in the above method embodiments.

Alternatively, the apparatus 1200 is configured to implement the operations performed by the SMF in the above method embodiments.

For example, the processor 1210 is configured to implement processing-related operations performed by the SMF in the above method embodiments, and the transceiver 1230 is configured to implement transceiving-related operations performed by the SMF in the above method embodiments.

In yet another solution, the apparatus 1200 is configured to implement the operations performed by the authentication server of the DN in the above method embodiments.

For example, the processor 1210 is configured to implement processing-related operations performed by the authentication server of the DN in the above method embodiments, and the transceiver 1230 is configured to implement transceiving-related operations performed by the authentication server of the DN in the above method embodiments.

It should be understood that the specific processes of the modules for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.

The embodiment of the application also provides a processing device, which comprises a processor and an interface; the processor is configured to perform the method of any of the above method embodiments.

It is to be understood that the processing device described above may be one or more chips. For example, the processing device may be a field programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.

Embodiments of the present application also provide a computer-readable storage medium on which computer instructions for implementing the method performed by the terminal device in the foregoing method embodiments are stored.

For example, the computer program, when executed by a computer, causes the computer to implement the method performed by the terminal device in the above-described method embodiment.

Embodiments of the present application also provide a computer-readable storage medium on which computer instructions for implementing the method performed by the SMF in the above method embodiments are stored.

For example, the computer program, when executed by a computer, causes the computer to implement the method performed by the SMF in the above-described method embodiments.

Embodiments of the present application also provide a computer-readable storage medium on which computer instructions for implementing the method performed by the authentication server of the DN in the above-described method embodiments are stored.

For example, the computer program, when executed by a computer, causes the computer to implement the method performed by the authentication server of the DN in the above-described method embodiment.

Embodiments of the present application also provide a computer program product containing instructions, which when executed by a computer, cause the computer to implement the method performed by the terminal device, or the method performed by the SMF, or the method performed by the authentication server of the DN in the above method embodiments.

An embodiment of the application also provides a communication system, which comprises the terminal device, the SMF and the DN in the foregoing embodiments.

It is clear to those skilled in the art that, for convenience and brevity of description, for the explanations and advantages of the relevant contents of any of the communication apparatuses provided above, reference may be made to the corresponding method embodiments provided above, and no further description is provided herein.

The embodiments of the present application do not particularly limit the specific structure of the execution subject of the method provided by the embodiments of the present application, as long as communication can be performed according to the method by running a program in which the code of the method is recorded. For example, the execution subject of the method provided by the embodiments of the present application may be a terminal device or a network device, or a functional module in the terminal device or the network device that is capable of calling and executing the program.

Various aspects or features of the disclosure may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media.

The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. Available media (or computer-readable media) may include, for example but not limited to: magnetic media or magnetic storage devices (e.g., floppy disks, hard disks (e.g., removable hard disks), magnetic tapes), optical media (e.g., compact discs (CDs), digital versatile discs (DVDs)), smart cards and flash memory devices (e.g., erasable programmable read-only memories (EPROMs), cards, sticks, or key drives), or semiconductor media (e.g., solid-state disks (SSDs), USB flash drives, read-only memories (ROMs), random access memories (RAMs)) that can store program code.

Various storage media described herein can represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" can include, but is not limited to: wireless channels and various other media capable of storing, containing, and/or carrying instruction(s) and/or data.

It will be appreciated that the memory referred to in the embodiments of the application may be either volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM). For example, RAM can be used as an external cache. By way of example and not limitation, RAM may take the following forms: static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous DRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct rambus RAM (DR RAM).

It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (memory module) may be integrated into the processor.

It should also be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.

In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative: the above-described division of units is only a division of logical functions, and other divisions are possible in an actual implementation; for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not implemented. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to implement the scheme provided by the application.

In addition, functional units in the embodiments of the present application may be integrated into one unit, or each unit may exist alone physically, or two or more units are integrated into one unit.

In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof.

When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. For example, the computer may be a personal computer, a server, or a network appliance. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave). With regard to the computer-readable storage medium, reference may be made to the above description.

The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims and the specification.
