CN114071465B - Access control method, device and communication equipment - Google Patents


Info

Publication number
CN114071465B
Authority
CN
China
Prior art keywords
network
information
terminal
access
accessing
Legal status
Active
Application number
CN202110369540.7A
Other languages
Chinese (zh)
Other versions
CN114071465A
Inventor
柯小婉
Current Assignee
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd
Application filed by Vivo Mobile Communication Co Ltd
Related applications
JP2023503412A (JP7509991B2), PCT/CN2021/110015 (WO2022022739A1), KR1020237006765A (KR20230043969A), EP21851111.1A (EP4192064A4), US18/104,061 (US20230179597A1)
Publication of CN114071465A
Application granted
Publication of CN114071465B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/16 Discovering, processing access restriction or access information
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Abstract

The embodiment of the application provides an access control method, an access control device and communication equipment, and relates to the technical field of communication. The access control method comprises the following steps: acquiring first information and/or second information; the first information includes at least one of: indication information of a first access mode, routing indication of a first type and network identification of the first type; the second information includes at least one of: a first type of network identification, a first type of routing indication, a first type of group identification, and identification information of a terminal; performing a first operation according to the first information and/or the second information; the first operation includes at least one of: selecting a first authentication service network element; a first type of group identity is determined, a first type of routing indication is determined or a first type of network identity is determined. By using the method of the embodiment of the application, the selection of the authentication service network element can be supported under the scene that the terminal accesses the first network in the first access mode.

Description

Access control method, device and communication equipment
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to an access control method, an access control device and communication equipment.
Background
Currently, in order to download a certificate for accessing a Standalone Non-Public Network (SNPN), the terminal first accesses another network (a process that may be referred to as onboarding) and must authenticate with that network's authentication server using a default certificate. However, at this point the Authentication Server Function (AUSF) of the other network may be independent of the terminal, that is, unrelated to the permanent identifier of the terminal's subscription. In this case, how to select the authentication service network element is an urgent problem to be solved.
Disclosure of Invention
The embodiment of the application provides an access control method, an access control device and communication equipment, which are used for solving the problem of how to select an authentication service network element.
In order to solve the technical problems, the application is realized as follows:
in a first aspect, an embodiment of the present application provides an access control method, which is applied to a first communication device, including:
Acquiring first information and/or second information; wherein the first information includes at least one of: indication information of a first access mode, routing indication of a first type and network identification of the first type; the second information includes at least one of: a first type of network identification, a first type of routing indication, a first type of group identification, and identification information of a terminal;
executing a first operation according to the first information and/or the second information;
wherein the first operation includes at least one of:
selecting a first authentication service network element;
Determining a first type of group identity, a first type of routing indication, information of a service provider and/or a first type of network identity;
Requesting to discover an authentication service network element according to the first type group identifier, the first type routing indication, the first type network identifier, the information of the service provider and/or the indication information of the first access mode;
The indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network in order to download a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and that the certificate used by the terminal to access the first network is a default certificate;
the first network and the second network are the same network or different networks;
Wherein the first authentication service network element comprises at least one of: an authentication service network element for providing authentication service for the terminal of the first access mode, and an authentication service network element for providing authentication service for the terminal with the default certificate;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
In a second aspect, an embodiment of the present application provides an access control method, applied to a second communication device, including:
transmitting first information;
wherein the first information includes at least one of: indication information of a first access mode, routing indication of a first type, network identification of the first type and identification information of a terminal;
the first type of routing indication includes: a routing indication for the first access mode;
the first type of network identification includes: network identification for the first access mode;
the indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network in order to download a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and that the certificate used by the terminal to access the first network is a default certificate;
The first network and the second network are the same network or different networks;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
In a third aspect, an embodiment of the present application provides an access control method, which is applied to a third communication device, including:
Acquiring third information and/or fourth information; wherein the third information includes at least one of: a first type of group identification, information of an authentication provider, a first type of routing indication, a first type of network identification and indication information of a first access mode; the fourth information is used for indicating the attribution information of the authentication service network element, and the fourth information comprises at least one of the following items: routing indication supported by an authentication service network element, network identification of a network to which the authentication service network element belongs, group identification to which the authentication service network element belongs, access mode supported by the authentication service network element, authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and the authentication provider can authenticate a terminal with a default certificate;
Executing a third operation according to the third information and/or the fourth information;
wherein the third operation includes at least one of:
Finding an authentication service network element matched with the third information, wherein fourth information of the authentication service network element is matched with the third information;
transmitting the discovered authentication service network element;
wherein the authentication service type supported by the authentication service network element comprises the support of providing authentication service for a terminal with a default certificate;
the indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network in order to download a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and that the certificate used by the terminal to access the first network is a default certificate;
The first network and the second network are the same network or different networks;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
the first type of network identification includes: network identification for the first access mode.
In a fourth aspect, an embodiment of the present application provides an access control method, which is applied to a fourth communication device, including:
Transmitting fourth information;
wherein, the fourth information is used for indicating the attribution information of the authentication service network element; the fourth information includes at least one of: routing indication supported by an authentication service network element, network identification of a network to which the authentication service network element belongs, group identification to which the authentication service network element belongs, access mode supported by the authentication service network element, authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and the authentication provider can authenticate a terminal with a default certificate;
wherein the routing indication supported by the authentication service network element is a first type of routing indication;
The network identifier of the network to which the authentication service network element belongs is a first type of network identifier;
the group identifier to which the authentication service network element belongs is a first type group identifier;
the access modes supported by the authentication service network element comprise a first access mode;
the authentication service type supported by the authentication service network element comprises supporting the provision of authentication service for the terminal with the default certificate;
the first access mode comprises at least one of the following: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without a certificate capable of accessing the first network, and an access method capable of using only limited services;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode.
In a fifth aspect, an embodiment of the present application provides an access control apparatus, applied to a first communication device, including:
the first acquisition module is used for acquiring the first information and/or the second information; wherein the first information includes at least one of: indication information of a first access mode, routing indication of a first type and network identification of the first type; the second information includes at least one of: a first type of network identification, a first type of routing indication, a first type of group identification, and identification information of a terminal;
the first execution module is used for executing a first operation according to the first information and/or the second information;
wherein the first operation includes at least one of:
selecting a first authentication service network element;
Determining a first type of group identity, a first type of routing indication, information of a service provider and/or a first type of network identity;
Requesting to discover an authentication service network element according to the first type group identifier, the first type routing indication, the first type network identifier, the information of the service provider and/or the indication information of the first access mode;
The indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network in order to download a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and that the certificate used by the terminal to access the first network is a default certificate;
the first network and the second network are the same network or different networks;
Wherein the first authentication service network element comprises at least one of: an authentication service network element for providing authentication service for the terminal of the first access mode, and an authentication service network element for providing authentication service for the terminal with the default certificate;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
In a sixth aspect, an embodiment of the present application provides an access control apparatus, applied to a second communication device, including:
the first sending module is used for sending the first information;
wherein the first information includes at least one of: indication information of a first access mode, routing indication of a first type, network identification of the first type and identification information of a terminal;
the first type of routing indication includes: a routing indication for the first access mode;
the first type of network identification includes: network identification for the first access mode;
the indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network in order to download a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and that the certificate used by the terminal to access the first network is a default certificate;
The first network and the second network are the same network or different networks;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
In a seventh aspect, an embodiment of the present application provides an access control apparatus, applied to a third communication device, including:
The second acquisition module is used for acquiring third information and/or fourth information; wherein the third information includes at least one of: a first type of group identification, a first type of routing indication, a first type of network identification, information of an authentication provider, and indication information of a first access mode; the fourth information is used for indicating the attribution information of the authentication service network element, and the fourth information comprises at least one of the following items: routing indication supported by an authentication service network element, network identification of a network to which the authentication service network element belongs, group identification to which the authentication service network element belongs, access mode supported by the authentication service network element, authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and the authentication provider can authenticate a terminal with a default certificate;
the second execution module is used for executing a third operation according to the third information and/or the fourth information;
wherein the third operation includes at least one of:
Finding an authentication service network element matched with the third information, wherein fourth information of the authentication service network element is matched with the third information;
transmitting the discovered authentication service network element;
wherein the authentication service type supported by the authentication service network element comprises the support of providing authentication service for a terminal with a default certificate;
the indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network in order to download a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and that the certificate used by the terminal to access the first network is a default certificate;
The first network and the second network are the same network or different networks;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
the first type of network identification includes: network identification for the first access mode.
In an eighth aspect, an embodiment of the present application provides an access control apparatus, which is applied to a fourth communication device, including:
The second sending module is used for sending fourth information;
wherein, the fourth information is used for indicating the attribution information of the authentication service network element; the fourth information includes at least one of: routing indication supported by an authentication service network element, network identification of a network to which the authentication service network element belongs, group identification to which the authentication service network element belongs, access mode supported by the authentication service network element, authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and the authentication provider can authenticate a terminal with a default certificate;
wherein the routing indication supported by the authentication service network element is a first type of routing indication;
The network identifier of the network to which the authentication service network element belongs is a first type of network identifier;
the group identifier to which the authentication service network element belongs is a first type group identifier;
the access modes supported by the authentication service network element comprise a first access mode;
the authentication service type supported by the authentication service network element comprises supporting the provision of authentication service for the terminal with the default certificate;
the first access mode comprises at least one of the following: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without a certificate capable of accessing the first network, and an access method capable of using only limited services;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode.
In a ninth aspect, an embodiment of the present application provides an access control method, applied to a fifth communication device, including:
In the case where the fifth condition is satisfied, performing a fifth operation;
the fifth operation includes at least one of:
selecting a network element for the terminal without using fifth information;
Wherein,
The fifth condition includes at least one of: the terminal is in a first access mode;
The fifth information includes at least one of: the user identification of the terminal, the MNC in the terminal user identification, the MCC in the terminal user identification, information in the realm of the terminal user identification, the first network identification NID in the terminal user identification, and the network identification in the terminal user identification.
In a tenth aspect, an embodiment of the present application provides an access control apparatus applied to a second communication device, including:
A third execution module for executing a fifth operation if the fifth condition is satisfied;
the fifth operation includes at least one of:
selecting a network element for the terminal without using fifth information;
Wherein,
The fifth condition includes at least one of: the terminal is in a first access mode;
The fifth information includes at least one of: user identification of the terminal, network identification information in the terminal user identification, and information in realm in the terminal user identification.
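The following is an added example, not code from the patent or its applicant, that models two of the aspects above: the third aspect (discovering an authentication service network element whose "fourth information" matches the "third information" of a request) and the ninth aspect (when the terminal is in the first access mode, its user identification is not used for selection; the first-type routing indication, network identification and group identification are used instead). All class names, labels such as `ONBOARDING`, and the profile values are constructed assumptions.

```python
# Added example (not part of the patent): a small model of AUSF discovery
# driven by the patent's "third information" (selection criteria) and
# "fourth information" (attributes an AUSF registers about itself), plus the
# ninth-aspect rule that an onboarding terminal's identifier is not used for
# selection. All identifiers, labels and values below are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ONBOARDING = "onboarding"  # constructed label for the patent's "first access mode"
NORMAL = "normal"          # constructed label for ordinary (credentialed) access


@dataclass(frozen=True)
class AusfProfile:
    """Fourth information: what an AUSF instance registers about itself."""
    instance_id: str
    routing_indicators: FrozenSet[str]    # routing indications it supports
    nid: Optional[str]                    # network it belongs to (SNPN NID)
    group_id: Optional[str]               # AUSF group it belongs to
    access_modes: FrozenSet[str]          # access modes it supports
    auth_providers: FrozenSet[str]        # authentication providers it supports
    supports_default_credential: bool     # can authenticate a default-credential UE


@dataclass(frozen=True)
class SelectionRequest:
    """Third information: the criteria carried in a discovery request."""
    group_id: Optional[str] = None
    auth_provider: Optional[str] = None
    routing_indicator: Optional[str] = None
    nid: Optional[str] = None
    access_mode: Optional[str] = None


@dataclass(frozen=True)
class OnboardingConfig:
    """First-type values configured for the onboarding (first) access mode."""
    routing_indicator: str
    nid: str
    group_id: Optional[str] = None


def matches(profile: AusfProfile, req: SelectionRequest) -> bool:
    """An AUSF matches when every criterion present in the request is met.

    Criteria that are absent (None) impose no constraint, which mirrors the
    patent's "at least one of" wording.
    """
    if req.group_id is not None and profile.group_id != req.group_id:
        return False
    if req.routing_indicator is not None and req.routing_indicator not in profile.routing_indicators:
        return False
    if req.nid is not None and profile.nid != req.nid:
        return False
    if req.auth_provider is not None and req.auth_provider not in profile.auth_providers:
        return False
    if req.access_mode is not None:
        if req.access_mode not in profile.access_modes:
            return False
        # An onboarding UE only holds a default credential, so the AUSF must
        # declare that it can authenticate such a UE.
        if req.access_mode == ONBOARDING and not profile.supports_default_credential:
            return False
    return True


def discover(profiles: List[AusfProfile], req: SelectionRequest) -> List[str]:
    """Third operation: return the ids of the AUSFs whose profile matches."""
    return [p.instance_id for p in profiles if matches(p, req)]


def build_request(ue_id: str, access_mode: str, cfg: OnboardingConfig) -> SelectionRequest:
    """Build the third information for a UE.

    Ninth aspect: when the UE is in the onboarding access mode, the MCC/MNC,
    realm or NID carried in its user identifier are NOT used; the configured
    first-type routing indication, NID and group id are used instead.
    """
    if access_mode == ONBOARDING:
        return SelectionRequest(routing_indicator=cfg.routing_indicator, nid=cfg.nid,
                                group_id=cfg.group_id, access_mode=ONBOARDING)
    # Ordinary access: the realm of an NAI-style identifier names the
    # authentication provider (a simplification; full SUPI parsing is out of scope).
    realm = ue_id.split("@", 1)[1] if "@" in ue_id else None
    return SelectionRequest(auth_provider=realm, access_mode=NORMAL)


# Constructed AUSF profiles: one regular SNPN AUSF and one onboarding AUSF.
PROFILES = [
    AusfProfile("ausf-snpn-1", frozenset({"0001"}), "nid-000001", "grp-snpn",
                frozenset({NORMAL}), frozenset({"snpn.example"}), False),
    AusfProfile("ausf-onb-1", frozenset({"0009"}), "nid-onboard", "grp-onb",
                frozenset({ONBOARDING, NORMAL}), frozenset({"onboard.example"}), True),
]
ONB_CFG = OnboardingConfig(routing_indicator="0009", nid="nid-onboard", group_id="grp-onb")


def select_for_ue(ue_id: str, access_mode: str) -> List[str]:
    """End-to-end: derive the criteria for a UE and run discovery over PROFILES."""
    return discover(PROFILES, build_request(ue_id, access_mode, ONB_CFG))


if __name__ == "__main__":
    print(select_for_ue("ue1@snpn.example", ONBOARDING))  # the onboarding AUSF only
    print(select_for_ue("ue1@snpn.example", NORMAL))      # the regular SNPN AUSF only
```

Note that the same identifier yields different AUSFs in the two modes: in onboarding the realm `snpn.example` is ignored entirely, so a regular AUSF is never selected for a UE that only holds a default credential.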
In a tenth aspect, an embodiment of the present application provides a communication device, including a processor, a memory, and a computer program stored on the memory and executable on the processor, where the computer program when executed by the processor may implement the steps of the access control method provided in the first aspect, or implement the steps of the access control method provided in the second aspect, or implement the steps of the access control method provided in the third aspect, or implement the steps of the access control method provided in the fourth aspect, or implement the steps of the access control method provided in the ninth aspect.
In a first aspect, an embodiment of the present application provides a readable storage medium, on which a program or an instruction is stored, which when executed by a processor, implements the steps as may be implemented by the access control method provided in the first aspect, or implements the steps as may be implemented by the access control method provided in the second aspect, or implements the steps as may be implemented by the access control method provided in the third aspect, or implements the steps as may be implemented by the access control method provided in the fourth aspect, or implements the steps as may be implemented by the access control method provided in the ninth aspect.
It is to be understood that, by this embodiment, the selection of the authentication service network element can be supported in the scenario where the terminal accesses the first network in the first access manner.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1A is a schematic diagram of a wireless communication system according to an embodiment of the present application;
Fig. 1B is a schematic diagram of a relationship between network elements in a first access manner in the present application;
Fig. 2 is a flow chart of an access control method according to an embodiment of the application;
Fig. 3 is a flow chart of an access control method according to another embodiment of the present application;
Fig. 4 is a flow chart of an access control method according to another embodiment of the present application;
Fig. 5 is a flow chart of an access control method according to another embodiment of the present application;
Fig. 6 is a flowchart of an indication process of service authentication of application scenario 1 according to an embodiment of the present application;
fig. 7 is a flowchart of a service selection procedure of the application scenario 2 according to an embodiment of the present application;
Fig. 8 is a flowchart of a service selection procedure of the application scenario 3 according to an embodiment of the present application;
Fig. 9 is a block diagram of an access control device according to an embodiment of the present application;
Fig. 10 is a block diagram of another access control apparatus according to an embodiment of the present application;
fig. 11 is a block diagram of another access control apparatus according to an embodiment of the present application;
fig. 12 is a block diagram of another access control device according to an embodiment of the present application;
Fig. 13 is a block diagram of a communication device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms first, second and the like in the description and in the claims are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate, such that embodiments of the application may be practiced otherwise than as specifically illustrated and described herein. "First" and "second" distinguish between objects that are generally of the same type and do not limit the number of objects; for example, the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the objects before and after it.
Fig. 1A shows a block diagram of a wireless communication system to which embodiments of the present application are applicable. The wireless communication system includes a terminal 11 and a network device 12. The terminal 11 may include a relay supporting a terminal function and/or a terminal supporting a relay function. The terminal 11 may also be referred to as a terminal device or a User Equipment (UE). The terminal 11 may be a terminal-side device such as a mobile phone, a tablet (Tablet Personal Computer), a laptop (Laptop Computer, also called a notebook), a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), a palm computer, a netbook, an Ultra-Mobile Personal Computer (UMPC), a wearable device (Wearable Device), a vehicle-mounted device (Vehicle User Equipment, VUE), or a pedestrian terminal (Pedestrian User Equipment, PUE), where the wearable device includes a bracelet, earphones, glasses, and the like. It should be noted that the specific type of the terminal 11 is not limited in the embodiment of the present application.
The network side device 12 may be a base station or a core network. The base station may be called a Node B, an evolved Node B, an access point, a Base Transceiver Station (BTS), a radio base station, a radio transceiver, a Basic Service Set (BSS), an Extended Service Set (ESS), a Node B, an evolved Node B (eNB), a home Node B, a home evolved Node B, a WLAN access point, a WiFi node, a Transmitting Receiving Point (TRP), or some other suitable term in the field; the base station is not limited to a specific technical vocabulary so long as the same technical effect is achieved. It should be noted that, in the embodiment of the present application, only the base station in the NR system is taken as an example, but the specific type of the base station is not limited.
In some communication scenarios, a communication device does not have credentials of a network but needs to access that network. For example, when a Standalone Non-Public Network (SNPN) is deployed, the UE may not have the credentials and UE identity needed to access the SNPN. Examples include an SNPN deployed in a factory and terminals just purchased on the market, or an SNPN deployed at a concert venue and the terminals of spectators.
In order for this type of UE to acquire the credentials and UE identity for accessing the SNPN, the UE may access a certain network (hereinafter referred to as the first network) and download the credentials for accessing the SNPN. For example, the UE accesses the first network, establishes a data channel, connects to the configuration server through the data channel, and downloads the SNPN certificate from the configuration server; or the UE accesses the first network, and a control network element of the first network downloads the SNPN certificate from the configuration server on behalf of the UE.
The manner in which the first network is accessed in order to download credentials for accessing the second network may be referred to as onboarding. The first network and the second network may be the same network.
In the case where the UE does not have the credentials of the first network, the first network needs to authenticate the UE in order to download the credentials for the UE or to establish a data channel for downloading the credentials. The UE may have a default certificate, in which case the first network may request the Default Credential Server (DCS) to authenticate the UE with the default certificate. The DCS may authenticate the UE directly or request other entities to authenticate the UE.
This type of authentication emulates authentication of a UE in roaming access to other networks but is different from UE roaming authentication.
In the roaming case, the AMF of the network visited by the UE selects for the UE the authentication server of the UE Home network (Home-Authentication Server Function, home AUSF) and requests the Home AUSF to authenticate the UE.
In the onboarding manner, as shown in Fig. 1B, the AMF of the first network accessed by the UE may select, for the UE, an authentication proxy server under the first network (e.g., an Authentication Server Function (AUSF) or an AAA (Authentication Authorization Accounting) server proxy), and request, through the authentication proxy server, the Default Credential Server (DCS) in another network to authenticate the UE. When the default certificate of the UE is a certificate of a communication network (e.g., a 3GPP network), the DCS may be the home AUSF of the UE's home network. The NRF stores the relationships of the network elements and can be called to query for network elements.
A UE with Public Land Mobile Network (PLMN) credentials may: 1) roam into other PLMN networks through its PLMN certificate; 2) access an SNPN through its PLMN certificate; 3) access the first network by onboarding with default-certificate authentication. For mode 1), the AMF of the network accessed by the UE contacts the AUSF of the UE's home network. For mode 3), the AMF of the network accessed by the UE contacts an authentication proxy server (e.g., AUSF or AAA server proxy) of the access network, which in turn contacts the home AUSF of the UE. For mode 2), either the authentication structure of mode 1) or the authentication structure of mode 3) may be adopted.
To support the authentication structure of mode 3), the following problems also need to be solved:
Problem 1: Currently, the AMF selects the AUSF to connect to based on the Home Network Identifier in the Subscription Permanent Identifier (SUPI) provided by the UE, or based on the AUSF Group ID associated with the SUPI. However, in the onboarding architecture, the AMF of the first network needs to select an AUSF in the first network for the UE, and that AUSF further selects the AUSF of the UE's home location for the UE. The AUSF of the first network is independent of the UE and of the SUPI of the UE. How to distinguish UEs of different access types and select different AUSFs for them therefore becomes a problem to be solved.
In the embodiment of the present application, "obtaining" may alternatively be understood as obtaining from configuration, receiving after a request, obtaining through self-learning, deriving from information that was not received, or obtaining after processing received information, which may be determined according to actual needs; the embodiment of the present application is not limited thereto. For example, when certain capability indication information sent by a device is not received, it may be deduced that the device does not support that capability.
Optionally, sending may include broadcasting, broadcasting in a system message, or returning in response to a request.
In one embodiment of the application, "non-public network" is used as a short name. The non-public network may also be referred to as a non-public communication network. The non-public network may include at least one of the following deployment manners: a physical non-public network, a virtual non-public network, and a non-public network implemented on a public network. In one embodiment, the non-public network is a Closed Access Group (CAG). A CAG may consist of a group of terminals.
In one embodiment of the application, "non-public network service" is used as a short name. The non-public network service may also be referred to as one of the following: a network service of a non-public network, a non-public communication service, a non-public network communication service, or other naming. It should be noted that, in the embodiment of the present application, the naming manner is not specifically limited. In one embodiment, the non-public network is a closed access group, and the non-public network service is a network service of the closed access group.
In one embodiment of the application, the non-public network may comprise, or be referred to as, a private network. The private network may be referred to as one of the following: a private communication network, a private network, a Local Area Network (LAN), a Private Virtual Network (PVN), an isolated communication network, or other naming. It should be noted that, in the embodiment of the present application, the naming manner is not specifically limited.
In one embodiment of the application, "public network" is used as a short name. The public network may also be referred to as a public communication network or by other naming. It should be noted that, in the embodiment of the present application, the naming manner is not specifically limited.
In an alternative embodiment of the application, the authentication service includes initiating an authentication request for the terminal to an authentication server (e.g., DCS, or home AUSF). The authentication service network element may be an authentication agent providing authentication services for the terminal. Optionally, the authentication service network element may include, but is not limited to, one of the following: AUSF, AAA proxy.
In an optional embodiment of the present application, the indication information of the first access mode is used to indicate at least one of the following: the access is for accessing the first network in order to download a certificate for accessing the second network; the access is for accessing the first network without having a certificate capable of accessing the first network; the access can use only limited services; and the certificate used by the terminal to access the first network is a default certificate.
In an optional embodiment of the present application, the certificate of the terminal accessing the first network being a default certificate means that when the terminal accesses the first network, the certificate corresponding to the identifier of the terminal provided to the first network is the default certificate. In one embodiment, the default certificate is not a certificate of the first network.
Optionally, the first network and the second network are the same network or different networks.
In an alternative embodiment of the present application, the network type of the first network may include, but is not limited to, one of the following: public network (such as PLMN), independent non-public network (such as NPN), public network integrated non-public network (such as PNI NPN).
In an alternative embodiment of the application, the certificate without the capability to access the first network comprises a certificate without the capability to access an unrestricted service of the first network.
1) In one embodiment, the terminal directly has the credentials of the B network, and the terminal may be considered to have credentials capable of accessing the B network.
2) In another embodiment, there is an agreement (such as a roaming agreement) between service provider A (including the A network) and the B network that allows a terminal of A to access the B network and enjoy its network services; in this case, the terminal of A may be considered to have a certificate capable of accessing the B network, namely the certificate of A. Here, when a terminal of service provider A or a terminal of the B network accesses the B network, the access can be considered an unrestricted service.
3) In another embodiment, a terminal of service provider C (including the C network) accesses the B network in order to download a certificate for accessing the B network, and the certificate of C that the terminal has can help the B network request the authentication server in C to verify the terminal. In this case, the certificate of C that the terminal has is not a certificate capable of accessing the B network, but a certificate by which the B network can verify the terminal, which is generally called a default certificate. Here, the terminal of service provider C accesses the B network and can be considered to access limited services.
In an alternative embodiment of the application, the authentication provider is a provider capable of verifying a terminal with a default certificate. In one embodiment, the authentication provider does not include a terminal home network in a roaming scenario.
In an optional embodiment of the application, the information of the authentication provider of the terminal includes at least one of the following: the network identifier of the network corresponding to the default certificate of the terminal, the network identifier in the identifier of the terminal corresponding to the default certificate of the terminal, the network identifier of the home network of the terminal, the index information of the default certificate verification provider, and the index information of the DCS. It is easy to understand that the certificate of the terminal corresponds to the identifier of the terminal, so the information of the authentication provider of the terminal may be contained in the identifier of the terminal.
In an alternative embodiment of the present application, the first identifier of the terminal includes one of: terminal identification corresponding to a default certificate of the terminal, or terminal identification of the terminal in the DCS.
In one embodiment, the identifier of the home network of the terminal is the identifier of the network in the identifiers of the terminals corresponding to the default certificate of the terminal. In another embodiment, the home network identification of the terminal is an identification of the authentication provider network.
Optionally, the DCS is a device in the authentication provider of the terminal. When the DCS includes AUSF to which the terminal belongs, the first identifier of the terminal is the terminal identifier of the terminal in the home network. At this time, the index information of the default certificate verifier or the index information of DCS is the identification of the home network of the terminal.
In an alternative embodiment of the present application, the home network may be a network corresponding to a default certificate of the terminal. In one embodiment, home AUSF is AUSF in the home network. The home NRF is an NRF in the home network. The other home network element is a network element in the home network.
In an alternative embodiment of the application, the network identifier of the first type includes a home network identifier of the first type, and the home network identifier of the first type includes a home network identifier for the first access mode.
In an alternative embodiment of the present application, the first type of network identification may be one of: authenticating the network identifier of the provider, the network identifier corresponding to the default certificate of the terminal, and the network identifier in the identifier of the terminal corresponding to the default certificate of the terminal.
In an alternative embodiment of the present application, the communication device may comprise at least one of: communication network elements and terminals.
In one embodiment of the present application, the communication network element may include at least one of: core network elements and radio access network elements.
In the embodiment of the present application, the core network element (CN network element) may include, but is not limited to, at least one of the following: core network equipment, core network nodes, core network functions, core network elements, Mobility Management Entity (MME), Access and Mobility Management Function (AMF), Network Repository Function (NRF), Session Management Function (SMF), User Plane Function (UPF), Serving Gateway (SGW), PDN Gateway (PGW), Policy Control Function (PCF), Policy and Charging Rules Function (PCRF), Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS), and Application Function (AF).
The following describes an access control method according to an embodiment of the present application.
Referring to fig. 2, an embodiment of the present application provides an access control method applied to a first communication device; the first communication device includes an AMF. Optionally, the first communication device is a communication device in a first network. As shown in fig. 2, the method includes:
Step 21: the first information and/or the second information is acquired.
Wherein the first information includes, but is not limited to, at least one of: indication information of a first access mode, routing indication of a first type and network identification of the first type. The second information includes, but is not limited to, at least one of: a first type of routing indication, a first type of network identification, a first type of group identification, identification information of the terminal.
Optionally, the group identifier of the first type includes: an authentication service network element group identifier used to provide authentication service for the terminal of the first access mode.
Optionally, the first type of network identifier includes: network identification for the first access mode.
Optionally, the routing indication of the first type includes: a routing indication for the first access mode.
In one embodiment, the first information may be received from a terminal. The first information may be included in an identification of the terminal (e.g., SUCI, or SUPI, etc.).
In another embodiment, the second information may be obtained in a local configuration of the first communication device.
The identification information of the terminal may include at least one of: a first identification of the terminal, a second identification of the terminal, and a third identification of the terminal.
1) The first identifier of the terminal contains information of an authentication provider of the terminal. The authentication provider is a provider capable of verifying a terminal having a default certificate, or a provider capable of authenticating a terminal (e.g., the home network of the terminal, or the network to which the default certificate of the terminal corresponds). In one embodiment, the authentication provider does not include the home network of the terminal in a roaming scenario.
The information of the authentication provider of the terminal includes at least one of the following: the network identifier of the network corresponding to the default certificate of the terminal, the network identifier in the identifier of the terminal corresponding to the default certificate of the terminal, the network identifier of the home network of the terminal, the index information of the default certificate verification provider, and the index information of the DCS. It is easy to understand that the certificate of the terminal corresponds to the identifier of the terminal, so the information of the authentication provider of the terminal may be contained in the identifier of the terminal.
The first identification of the terminal comprises one of: terminal identification corresponding to a default certificate of the terminal, or terminal identification of the terminal in the DCS.
Optionally, the DCS is a device in the authentication provider of the terminal. When the DCS includes AUSF to which the terminal belongs, the first identifier of the terminal is the terminal identifier of the terminal in the home network. At this time, the index information of the default certificate verifier or the index information of DCS is the identification of the home network of the terminal.
2) The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
3) The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
It will be appreciated that the network identity of the first type and/or the routing indication of the first type may be determined from the second identity of the terminal or from the third identity of the terminal.
1) In one embodiment, a first identity of a terminal and a first type of network identity may be transmitted.
2) In another embodiment, a first identification of the terminal and a first type of routing indication may be sent.
3) In another embodiment, the first identity of the terminal and the second identity of the terminal may be transmitted.
4) In another embodiment, a third identification of the terminal may be sent.
Step 22: Execute a first operation according to the first information and/or the second information.
Wherein the first operation may include at least one of:
selecting a first authentication service network element;
Determining a first type of group identity, a first type of routing indication, information of a service provider and/or a first type of network identity;
requesting to discover the authentication service network element according to the group identifier of the first type, the routing indication of the first type, the network identifier of the first type, the information of the service provider and/or the indication information of the first access mode.
Optionally, the indication information of the first access mode may be used to indicate at least one of the following: the access is for accessing the first network in order to download a certificate for accessing the second network; the access is for accessing the first network without having a certificate capable of accessing the first network; the access can use only limited services; and the certificate used by the terminal to access the first network is a default certificate.
Optionally, the first network and the second network are the same network or different networks.
In one embodiment, the indication information of the first access mode includes a first registration type, and the first registration type may be used to indicate at least one of the following: a registration method for registering with the first network in order to download a certificate for accessing the second network, and a registration method for registering with the first network without having a certificate capable of accessing the first network.
Optionally, the certificate capable of accessing the first network includes a certificate capable of accessing an unrestricted service of the first network. The certificate not having the capability to access the first network includes a certificate not having the unrestricted service capability to access the first network.
1) In one embodiment, the terminal directly has the credentials of the B network, and the terminal may be considered to have credentials capable of accessing the B network.
2) In another embodiment, there is an agreement (such as a roaming agreement) between service provider A (including the A network) and the B network that allows a terminal of A to access the B network and enjoy its network services; in this case, the terminal of A may be considered to have a certificate capable of accessing the B network, namely the certificate of A. Here, when a terminal of service provider A or a terminal of the B network accesses the B network, the access can be considered an unrestricted service.
3) In another embodiment, a terminal of service provider C (including the C network) accesses the B network in order to download a certificate for accessing the B network, and the certificate of C that the terminal has can help the B network request the authentication server in C to verify the terminal. In this case, the certificate of C that the terminal has is not a certificate capable of accessing the B network, but a certificate by which the B network can verify the terminal, which is generally called a default certificate. Here, the terminal of service provider C accesses the B network and can be considered to access limited services.
Optionally, the first authentication service network element includes at least one of the following: an authentication service network element for providing authentication service for the terminal of the first access mode, and an authentication service network element for providing authentication service for the terminal with the default certificate.
In one embodiment, the authentication service includes initiating an authentication request for the terminal to an authentication server (e.g., DCS, or home AUSF).
In the embodiment of the present application, requesting to discover the authentication service network element according to the group identifier of the first type, the routing indication of the first type, the network identifier of the first type, or the indication information of the first access mode may include at least one of the following:
Transmitting the first type group identifier to a first target end, wherein the first type group identifier is used for the first target end to find an authentication service network element matched with the first type group identifier;
Transmitting the indication information of the first access mode to a first target end, wherein the indication information of the first access mode is used for the first target end to find an authentication service network element matched with the indication information of the first access mode;
sending the routing indication of the first type to a first target end, wherein the routing indication of the first type is used by the first target end to find an authentication service network element matching the routing indication of the first type;
sending the network identifier of the first type to a first target end, wherein the network identifier of the first type is used by the first target end to find an authentication service network element matching the network identifier of the first type.
Optionally, the first target end may include: network element devices responsible for querying network elements in the network, such as network repository functions (Network Repository Function, NRF).
Optionally, the authentication service network element may include, but is not limited to, one of the following: AUSF, AAA proxy. In one embodiment, the authentication service network element may be an authentication proxy providing authentication services for the terminal.
In one embodiment, discovery of an AUSF may be requested from the NRF using an AUSF group identifier specific to the first access mode.
Optionally, acquiring the first information may include: acquiring the first information from a terminal. And/or, acquiring the second information may include: acquiring the second information according to the configuration on the first communication device.
Optionally, the acquiring the first information and/or the second information may include at least one of:
Acquiring indication information of a first access mode from a terminal;
A group identity of a first type, a routing indication of the first type, or a network identity of the first type is obtained according to a configuration on the first communication device.
Further, the performing the first operation according to the first information and/or the second information may include:
Determining a first type of group identifier, a first type of routing indicator or a first type of network identifier according to the indication information of the first access mode;
requesting to discover the authentication service network element according to the group identifier of the first type, the routing indication of the first type and/or the network identifier of the first type.
Optionally, the acquiring the first information and/or the second information may include at least one of:
Acquiring a network identifier of the first type and/or a routing indication of the first type from the terminal;
Acquiring a group identifier of the first type according to the configuration on the first communication device.
Further, the performing the first operation according to the first information and/or the second information may include:
Determining a group identifier of the first type according to the network identifier of the first type and/or the routing indication of the first type;
requesting to discover the authentication service network element according to the group identifier of the first type.
Optionally, the first operation further includes at least one of:
receiving the authentication service network element that was requested to be discovered;
deriving a network identifier of the first type and/or a routing indication of the first type according to the second identifier of the terminal or the third identifier of the terminal;
not sending the second identifier of the terminal to the first authentication service network element or the discovered authentication service network element;
deriving a first identifier of the terminal according to the third identifier of the terminal;
sending the first identifier of the terminal to the first authentication service network element or the discovered authentication service network element.
It is to be understood that, by this embodiment, the selection of the authentication service network element can be supported in the scenario where the terminal accesses the first network in the first access manner.
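As an added illustration (not part of the patent and not the applicant's code), the following Python sketch models the AMF-side procedure of Fig. 2: the SUPI/home-network based AUSF selection described under Problem 1 is shown beside the onboarding path, which combines the terminal's first information with the locally configured second information, discovers the authentication service network element through an NRF, and forwards only the first identifier of the terminal. The in-memory NRF registry, the identifier layout and the group-ID strings are constructed assumptions.

```python
"""Toy model of AMF-side authentication service NF selection (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONBOARDING = "onboarding"  # indication information of the first access mode (assumed encoding)


@dataclass(frozen=True)
class TerminalId:
    """Constructed 'third identifier': authentication-provider information plus an
    optional first-type network identifier and/or first-type routing indication."""
    provider_network: str                         # network id corresponding to the default certificate
    user_part: str                                # terminal-specific part known to the DCS / home AUSF
    first_type_network_id: Optional[str] = None   # network identifier for the first access mode
    first_type_routing_ind: Optional[str] = None  # routing indication for the first access mode

    def first_identifier(self) -> str:
        """First identifier of the terminal: the only identifier the AMF forwards.
        The first-type fields are stripped, so the second/third identifier never leaves the AMF."""
        return f"{self.user_part}@{self.provider_network}"


@dataclass(frozen=True)
class AusfEntry:
    """One authentication service NF (AUSF or AAA proxy) registered in the NRF."""
    name: str
    home_network: Optional[str] = None   # serves terminals of this home network (roaming-style selection)
    group_id: Optional[str] = None       # first-type group id (AUSF group for onboarding terminals)
    routing_ind: Optional[str] = None    # first-type routing indication
    network_id: Optional[str] = None     # first-type network identifier


class Nrf:
    """Constructed stand-in for the NRF, i.e. the 'first target end' that matches
    discovery requests against registered network elements."""

    def __init__(self, entries: List[AusfEntry]):
        self.entries = entries

    def discover(self, **criteria) -> List[AusfEntry]:
        """Return the entries that match every criterion that was actually supplied."""
        wanted = {k: v for k, v in criteria.items() if v is not None}
        return [e for e in self.entries if all(getattr(e, k) == v for k, v in wanted.items())]


@dataclass(frozen=True)
class AmfConfig:
    """Second information: local configuration on the first communication device."""
    onboarding_group_id: str                      # AUSF group that serves first-access-mode terminals
    onboarding_network_id: Optional[str] = None   # first-type network identifier, if configured
    onboarding_routing_ind: Optional[str] = None  # first-type routing indication, if configured


class Amf:
    def __init__(self, nrf: Nrf, config: AmfConfig):
        self.nrf, self.config = nrf, config

    def select_auth_nf(self, first_info: dict, tid: TerminalId) -> Tuple[Optional[AusfEntry], str]:
        """Steps 21 and 22: decide the access type from the first information, discover the
        authentication service NF, and return it with the identifier that may be sent to it."""
        is_onboarding = (first_info.get("access_mode") == ONBOARDING
                         or tid.first_type_network_id is not None
                         or tid.first_type_routing_ind is not None)
        if not is_onboarding:
            # Problem 1 behaviour: the AUSF is chosen by the home network identifier carried
            # in the terminal's identifier, which is wrong for an onboarding terminal.
            found = self.nrf.discover(home_network=tid.provider_network)
            return (found[0] if found else None), tid.first_identifier()
        # Onboarding path: the group id / network id / routing indication come from the
        # indication information and the local configuration, not from the terminal's home network.
        found = self.nrf.discover(
            group_id=self.config.onboarding_group_id,
            network_id=tid.first_type_network_id or self.config.onboarding_network_id,
            routing_ind=tid.first_type_routing_ind or self.config.onboarding_routing_ind)
        return (found[0] if found else None), tid.first_identifier()


def build_demo_amf() -> Amf:
    """Constructed registry: one home AUSF per network plus one onboarding AUSF group in network B."""
    nrf = Nrf([
        AusfEntry("ausf-home-A", home_network="netA"),
        AusfEntry("ausf-home-B", home_network="netB"),
        AusfEntry("ausf-onboard-B", group_id="onboard-grp", network_id="netB-onb", routing_ind="rid-onb"),
    ])
    return Amf(nrf, AmfConfig("onboard-grp", onboarding_network_id="netB-onb", onboarding_routing_ind="rid-onb"))


if __name__ == "__main__":
    amf = build_demo_amf()
    print(amf.select_auth_nf({}, TerminalId("netA", "user1")))                       # roaming-style
    print(amf.select_auth_nf({"access_mode": ONBOARDING}, TerminalId("netA", "user2")))  # onboarding
    print(amf.select_auth_nf({}, TerminalId("netA", "user3", first_type_routing_ind="rid-onb")))
```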
Referring to fig. 3, an embodiment of the present application provides an access control method applied to a second communication device; the second communication device includes a UE. As shown in fig. 3, the method includes:
Step 31: Send first information.
Wherein the first information may include at least one of the following: indication information of a first access mode, a routing indication of a first type, a network identifier of the first type, and identification information of a terminal.
The routing indication of the first type includes: a routing indication for the first access mode.
The network identifier of the first type includes: a network identifier for the first access mode.
The indication information of the first access mode is used to indicate at least one of the following: the access is for accessing the first network in order to download a certificate for accessing the second network; the access is for accessing the first network without having a certificate capable of accessing the first network; the access can use only limited services; and the certificate used by the terminal to access the first network is a default certificate.
The first network and the second network are the same network or different networks.
Optionally, the first information is sent to a first network accessed by the terminal. The mode of the terminal accessing the first network is a first access mode. The first information may be included in an identification of the terminal (e.g., SUCI, or SUPI, etc.).
Optionally, sending the first information may include: transmitting the first information when the first condition is satisfied. The first condition may include at least one of:
The purpose of the second communication device accessing the first network is to download credentials for accessing the second network;
the second communication device does not have a certificate capable of accessing the first network;
the second communication device accessing the first network is only able to use the restricted service.
The first network and the second network are the same network or different networks.
In one embodiment, the network identifier for the first access mode is sent through a subscriber permanent identifier SUPI of the terminal.
Note that the second communication device not having a certificate capable of accessing the first network includes: the second communication device does not have a certificate of the first network or the second communication device does not have a certificate of a service provider that is able to access the first network.
A certificate capable of accessing the first network may include a certificate capable of accessing unrestricted services of the first network. Not having a certificate capable of accessing the first network includes not having a certificate capable of accessing unrestricted services of the first network.
1) In one embodiment, the terminal directly holds the credentials of the B network, and the terminal may be considered to have credentials capable of accessing the B network.
2) In another embodiment, there is an agreement (such as a roaming agreement) between the service provider A (including the A network) and the B network which allows a terminal of A to access the B network and use its network services; in this case the terminal of A may be considered to have a certificate capable of accessing the B network, namely the certificate of A. Here, when the terminal of the service provider A or the terminal of the B network accesses the B network, the access can be considered to be to unrestricted services.
3) In another embodiment, when the terminal of the service provider C (including the C network) accesses the B network in order to download a certificate for accessing the B network, the certificate of C that the terminal holds can help the B network request the authentication server in C to verify the terminal. In this case the certificate of C held by the terminal is not a certificate capable of accessing the B network, but a certificate with which the B network can verify the terminal; such a certificate is generally called a default certificate. Here, the terminal of the service provider C accesses the B network and can be considered to access limited services.
Optionally, the identification information of the terminal may include at least one of: a first identification of the terminal, a second identification of the terminal, and a third identification of the terminal.
1) The first identification of the terminal contains information of an authentication provider of the terminal. The authentication provider is a provider capable of verifying a terminal having a default certificate or a provider capable of authenticating a terminal (e.g., a home network of a terminal).
The information of the authentication provider of the terminal includes at least one of the following: the default certificate of the terminal corresponds to the network identifier of the network, the network identifier in the identifier of the terminal corresponding to the default certificate of the terminal, the network identifier of the home network of the terminal, the index information of the default certificate verification provider and the index information of the DCS. The information of the authentication provider of the terminal may be contained in the identity of the terminal.
It is not hard to understand that the certificate of the terminal corresponds to the identity of the terminal. The first identification of the terminal comprises one of: the terminal identification corresponding to the default certificate of the terminal, or the terminal identification of the terminal in the DCS.
Optionally, the DCS is a device in the authentication provider of the terminal. When the DCS includes AUSF to which the terminal belongs, the first identifier of the terminal is the terminal identifier of the terminal in the home network. At this time, the index information of the default certificate verifier or the index information of DCS is the identification of the home network of the terminal.
2) The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
3) The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
It will be appreciated that the network identity of the first type and/or the routing indication of the first type may be determined from the second identity of the terminal or from the third identity of the terminal.
1) In one embodiment, a first identity of a terminal and a first type of network identity may be transmitted.
2) In another embodiment, a first identification of the terminal and a first type of routing indication may be sent.
3) In another embodiment, the first identity of the terminal and the second identity of the terminal may be transmitted.
4) In another embodiment, a third identification of the terminal may be sent.
Optionally, before the step of transmitting the first information, the method may further include at least one of:
Generating a second identifier of the terminal, namely setting a routing indication in the identifier of the terminal as a first type of routing indication and/or setting a home network identifier in the identifier of the terminal as a first type of network identifier;
a third identity of the terminal is generated, i.e. a network identity of the first type is added to the identity of the terminal and/or a routing indication of the first type is added to the identity of the terminal.
In one embodiment, the operation of generating the second identity of the terminal and/or generating the third identity of the terminal is performed if the first condition is met. The first condition is as described above and will not be described here again.
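The generation of the second and third identities by the UE, and the AMF-side derivation of the first-type values and of the first identity, as an added example that is not part of the patent text. The identity layout, the routing indicator value "9999" and the constant names are constructed assumptions; the first-type network identification "111" is the example value used later in this description.

```python
"""Added example (not from the patent): UE-side generation of the second and
third identities and AMF-side derivation of the first-type values.

Assumptions (hypothetical): an identity is modelled as a SUCI/SUPI-like
dataclass whose home network id is the authentication-provider information;
FIRST_TYPE_ROUTING_INDICATION is a constructed placeholder value."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

FIRST_TYPE_NETWORK_ID = "111"            # example value used in this description
FIRST_TYPE_ROUTING_INDICATION = "9999"   # constructed placeholder routing indicator


@dataclass(frozen=True)
class TerminalIdentity:
    msin: str
    home_network_id: str                  # authentication-provider information
    routing_indicator: str
    # Fields that a third identity ADDS on top of the first identity.
    first_type_network_id: Optional[str] = None
    first_type_routing_indication: Optional[str] = None


def first_condition(downloading_credentials: bool, has_credential: bool,
                    restricted_only: bool) -> bool:
    """First condition of the text: any one of the three situations holds."""
    return downloading_credentials or not has_credential or restricted_only


def generate_second_identity(first: TerminalIdentity) -> TerminalIdentity:
    """Second identity: SET the routing indicator and home network id in the
    identity to the first-type values (the provider information is replaced)."""
    return replace(first, home_network_id=FIRST_TYPE_NETWORK_ID,
                   routing_indicator=FIRST_TYPE_ROUTING_INDICATION)


def generate_third_identity(first: TerminalIdentity) -> TerminalIdentity:
    """Third identity: ADD the first-type values while keeping the
    authentication-provider information of the first identity."""
    return replace(first, first_type_network_id=FIRST_TYPE_NETWORK_ID,
                   first_type_routing_indication=FIRST_TYPE_ROUTING_INDICATION)


def ue_identity_to_send(first: TerminalIdentity, condition_met: bool,
                        use_third: bool) -> TerminalIdentity:
    """The UE only generates a second/third identity when the first condition
    is met; otherwise it sends its ordinary identity."""
    if not condition_met:
        return first
    return generate_third_identity(first) if use_third else generate_second_identity(first)


def amf_derive_first_type(identity: TerminalIdentity) -> Tuple[Optional[str], Optional[str]]:
    """AMF side: derive (first-type network id, first-type routing indication)
    from a second or third identity; (None, None) for an ordinary identity."""
    if identity.first_type_network_id is not None or identity.first_type_routing_indication is not None:
        return identity.first_type_network_id, identity.first_type_routing_indication
    net = identity.home_network_id if identity.home_network_id == FIRST_TYPE_NETWORK_ID else None
    ri = identity.routing_indicator if identity.routing_indicator == FIRST_TYPE_ROUTING_INDICATION else None
    return net, ri


def amf_derive_first_identity(identity: TerminalIdentity) -> Optional[TerminalIdentity]:
    """Only a third identity still carries the provider information, so only
    it can be reduced to the first identity; a second identity cannot."""
    if identity.first_type_network_id is None and identity.first_type_routing_indication is None:
        return None
    return replace(identity, first_type_network_id=None, first_type_routing_indication=None)
```

Because the second identity overwrites the provider information, the AMF must receive the first identity alongside it, which is why the text pairs the two in the transmission options above.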
It is to be understood that, by this embodiment, the selection of the authentication service network element can be supported in the scenario where the terminal accesses the first network in the first access manner.
Referring to fig. 4, an embodiment of the present application provides an access control method applied to a third communication device; the third communication device includes an NRF. Optionally, the third communication device is a communication device in the first network. As shown in fig. 4, the method includes:
Step 41: third information and/or fourth information is acquired.
Optionally, the third information may include at least one of: a first type of group identification, a first type of routing indication, a first type of network identification, information of an authentication provider, and indication information of a first access mode.
Optionally, the fourth information is used to indicate the home information of the authentication service network element. The fourth information may include at least one of: a routing indication supported by the authentication service network element, a network identification of the network to which the authentication service network element belongs, a group identification to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and an indication that the authentication provider can authenticate a terminal with a default certificate.
Optionally, the indication information of the first access manner may be used to indicate at least one of: an access mode of accessing the first network in order to download a certificate for accessing the second network, an access mode of accessing the first network without having a certificate capable of accessing the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
Optionally, the first network and the second network are the same network or different networks.
Optionally, the first type of routing indication includes: a routing indication for the first access mode.
In one embodiment, the restricted service includes a service that downloads credentials that enable access to a network.
Optionally, the first type of group identification includes: the group identification of an authentication service network element used for providing authentication service to terminals of the first access mode.
In one embodiment, the third information may be obtained from the AMF.
In another embodiment, the fourth information, i.e. the home information of the authentication service network element, may be obtained from the authentication service network element (e.g. AUSF or AAA proxy).
Step 42: executing a third operation according to the third information and/or the fourth information.
The third operation may include at least one of:
finding an authentication service network element matching the third information, namely an authentication service network element whose fourth information matches the third information;
sending the discovered authentication service network element.
Wherein the authentication service type supported by the authentication service network element comprises supporting to provide authentication service for the terminal with the default certificate.
In one embodiment, the discovered authentication service network element is sent to a second target. The second target end comprises: AMF. In one embodiment, the third information is received from the second target.
Alternatively, the authentication service network element may comprise one of the following: AUSF, AAA proxy.
In one embodiment, the authentication service network element matching the third information is the first authentication service network element. The first authentication service network element includes: an authentication service network element for providing authentication service to the terminal of the first access mode.
In one embodiment, the first type of group identification comprises one of: AUSF Group ID, AAA proxy group ID.
In one embodiment, discovery of the AUSF may be requested from the NRF.
Optionally, in the operation of discovering the authentication service network element matching the third information:
when the third information includes the indication information of the first access mode, the access mode supported by the discovered authentication service network element is the first access mode; or
when the third information includes a first type of routing indication, the routing indication supported by the discovered authentication service network element is the first type of routing indication; or
when the third information includes a first type of network identifier, the network identifier of the network to which the discovered authentication service network element belongs is the first type of network identifier; or
when the third information includes a first type of group identifier, the group identifier to which the discovered authentication service network element belongs is the first type of group identifier; or
when the third information includes information of an authentication provider, the information of the authentication provider supported by the discovered authentication service network element includes the information of the authentication provider in the third information.
Or the discovered authentication service network element satisfies at least one of the following:
The routing indication supported by the discovered authentication service network element is a first type of routing indication;
the network identifier of the network to which the discovered authentication service network element belongs is a first type of network identifier;
the group identifier to which the discovered authentication service network element belongs is a first type group identifier;
the access mode supported by the discovered authentication service network element is the first access mode;
the authentication service type supported by the discovered authentication service network element is used for supporting the authentication service provided for the terminal with the default certificate.
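The NRF-side matching of the registered fourth information against the third information carried in a discovery request, as an added example that is not part of the patent text. Profile field names, the access-mode and service-type labels, the NF instance identifiers and the registered sample profiles are all constructed for this example.

```python
"""Added example (not from the patent): NRF registration of the fourth
information and discovery by the matching rules of step 42. Every criterion
present in the third information must be satisfied by the candidate.
All labels, identifiers and sample profiles are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FIRST_ACCESS_MODE = "first-access-mode"                 # constructed label
DEFAULT_CREDENTIAL_AUTH = "auth-for-default-credentials"  # constructed service type


@dataclass
class AusfProfile:
    """Fourth information registered by an authentication service network element."""
    nf_instance_id: str
    routing_indicators: Set[str] = field(default_factory=set)
    network_id: Optional[str] = None
    group_id: Optional[str] = None
    access_modes: Set[str] = field(default_factory=set)
    auth_service_types: Set[str] = field(default_factory=set)
    auth_providers: Set[str] = field(default_factory=set)


@dataclass
class DiscoveryCriteria:
    """Third information in the discovery request; None means 'not included'."""
    group_id: Optional[str] = None
    routing_indication: Optional[str] = None
    network_id: Optional[str] = None
    auth_provider: Optional[str] = None
    access_mode: Optional[str] = None


class Nrf:
    def __init__(self) -> None:
        self._profiles: Dict[str, AusfProfile] = {}

    def register(self, profile: AusfProfile) -> None:
        """Nnrf_NFManagement_NFRegister: store the element's home information."""
        self._profiles[profile.nf_instance_id] = profile

    @staticmethod
    def matches(profile: AusfProfile, criteria: DiscoveryCriteria) -> bool:
        """The 'when the third information includes ...' rules of the text."""
        if criteria.access_mode is not None and criteria.access_mode not in profile.access_modes:
            return False
        if criteria.routing_indication is not None and criteria.routing_indication not in profile.routing_indicators:
            return False
        if criteria.network_id is not None and profile.network_id != criteria.network_id:
            return False
        if criteria.group_id is not None and profile.group_id != criteria.group_id:
            return False
        if criteria.auth_provider is not None and criteria.auth_provider not in profile.auth_providers:
            return False
        return True

    def discover(self, criteria: DiscoveryCriteria) -> List[str]:
        """Nnrf_NFDiscovery_Request: ids of the matching authentication service elements."""
        return sorted(i for i, p in self._profiles.items() if self.matches(p, criteria))

    def discover_for_default_credentials(self, criteria: DiscoveryCriteria) -> List[str]:
        """Additionally require the service type 'authenticate terminals with default credentials'."""
        return [i for i in self.discover(criteria)
                if DEFAULT_CREDENTIAL_AUTH in self._profiles[i].auth_service_types]


def build_demo_nrf() -> Nrf:
    """Constructed registrations: one ordinary AUSF and one dedicated to the first access mode."""
    nrf = Nrf()
    nrf.register(AusfProfile("ausf-regular", {"0000"}, "310260", "ausf-group-default",
                             {"normal"}, {"primary-auth"}, set()))
    nrf.register(AusfProfile("ausf-onboarding", {"9999"}, "111", "ausf-group-onboarding",
                             {"normal", FIRST_ACCESS_MODE},
                             {"primary-auth", DEFAULT_CREDENTIAL_AUTH}, {"dcs.example"}))
    return nrf
```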
It is to be understood that, by this embodiment, the selection of the authentication service network element can be supported in the scenario where the terminal accesses the first network in the first access manner.
Referring to fig. 5, an embodiment of the present application provides an access control method applied to a fourth communication device; the fourth communication device includes AUSF. Optionally, the fourth communication device is a communication device in the first network. As shown in fig. 5, the method includes:
Step 51: transmitting fourth information.
The fourth information is used for indicating the home information of the authentication service network element. The fourth information may include at least one of: a routing indication supported by the authentication service network element, a network identification of the network to which the authentication service network element belongs, a group identification to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and an indication that the authentication provider can authenticate a terminal with a default certificate.
Wherein the routing indication supported by the authentication service network element is a first type of routing indication.
The network identifier of the network to which the authentication service network element belongs is a first type of network identifier.
The group identifier to which the authentication service network element belongs is a first type of group identifier.
The access modes supported by the authentication service network element comprise a first access mode.
The authentication service type supported by the authentication service network element includes support for providing authentication services (e.g. as authentication proxy) to terminals having default credentials.
The first access mode comprises at least one of the following: an access mode of accessing the first network in order to download a certificate for accessing the second network, an access mode of accessing the first network without having a certificate capable of accessing the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
The group identification of the first type includes: the group identification of an authentication service network element used for providing authentication service to terminals of the first access mode.
The first type of routing indication includes: a routing indication for the first access mode.
The first type of network identification includes: network identification for the first access mode.
Optionally, the sending the fourth information may include: transmitting the fourth information if the second condition is satisfied; wherein the second condition includes: the authentication service network element is an authentication service network element for providing authentication service for the terminal in the first access mode.
It is to be understood that, by this embodiment, the selection of the authentication service network element can be supported in the scenario where the terminal accesses the first network in the first access manner.
An embodiment of the present application provides an access control method applied to a fifth communication device; the fifth communication device comprises at least one of: AMF, AUSF, UDM. Optionally, the fifth communication device is a communication device in the first network. The method comprises the following steps:
In the case where the fifth condition is satisfied, performing a fifth operation;
the fifth operation includes at least one of:
selecting a network element for the terminal without using fifth information;
Wherein,
The fifth condition includes at least one of: the terminal is in a first access mode;
The fifth information includes at least one of: user identification of the terminal, network identification information in the terminal user identification, and information in realm in the terminal user identification.
In one embodiment, for a terminal accessing the network through an access mode other than the first access mode, selecting a network device for the terminal according to the information in the user identification of the terminal is the default operation. An exception to this default operation is therefore required for terminals accessing the network through the first access mode.
The network identification information in the terminal user identification comprises at least one of the following: the MNC in the terminal user identifier, the MCC in the terminal user identifier, and the network identifier NID in the terminal user identifier.
Optionally, before the step of performing the fifth operation if the fifth condition is met, the method further includes: obtaining first information, the first information comprising at least one of: indication information of a first access mode, routing indication of a first type and network identification of the first type; the second information includes at least one of: a first type of network identification, a first type of routing indication, a first type of group identification, and identification information of a terminal; wherein,
The indication information of the first access mode is used for indicating at least one of the following: an access mode of accessing the first network in order to download a certificate for accessing the second network, an access mode of accessing the first network without having a certificate capable of accessing the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
Optionally, after the step of obtaining the first information, it is determined that the fifth condition is satisfied according to the first information.
Optionally, the network element includes at least one of: a core network element, the authentication service function AUSF, unified data management UDM, and unified data repository UDR.
In one embodiment, the network element may be a network device.
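The fifth operation in code, as an added example that is not part of the patent text: for an ordinary terminal the network element is chosen from the MCC/MNC/NID in the realm of the user identifier, whereas for a terminal in the first access mode that information is deliberately not used and the first-type network identification from the first information decides instead. The NAI realm layout, the selection tables and the sample identifiers are constructed assumptions.

```python
"""Added example (not from the patent): the 'fifth operation'. The realm
layout (nid<NID>.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org), the UDM selection
tables and the sample identifiers are constructed for this example."""
import re
from typing import Dict, Optional

REALM_RE = re.compile(
    r"^(?:nid(?P<nid>[0-9a-f]+)\.)?5gc\.mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$",
    re.IGNORECASE)

# Constructed selection tables: network key -> UDM instance.
UDM_BY_NETWORK: Dict[str, str] = {
    "310260": "udm-home-310260",
    "310260-00000000001": "udm-snpn-1",
}
UDM_FOR_FIRST_ACCESS_MODE: Dict[str, str] = {"111": "udm-onboarding"}


def parse_user_identifier(nai: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract the fifth information (MCC, MNC, NID, realm) from a NAI-format
    user identifier; None when the identifier is not in the expected form."""
    user, sep, realm = nai.partition("@")
    if not sep:
        return None
    m = REALM_RE.match(realm)
    if m is None:
        return None
    return {"username": user, "realm": realm,
            "mcc": m["mcc"], "mnc": m["mnc"], "nid": m["nid"]}


def network_key(info: Dict[str, Optional[str]]) -> str:
    """MCC+MNC, plus the NID when the identifier belongs to an SNPN."""
    key = f"{info['mcc']}{info['mnc']}"
    return f"{key}-{info['nid']}" if info["nid"] else key


def select_udm(nai: str, first_access_mode: bool,
               first_type_network_id: Optional[str] = None) -> str:
    """Default operation: use the identifier's network information.
    Fifth operation: in the first access mode, ignore it entirely."""
    if first_access_mode:
        if first_type_network_id is None:
            raise ValueError("first-type network identification required in the first access mode")
        return UDM_FOR_FIRST_ACCESS_MODE[first_type_network_id]
    info = parse_user_identifier(nai)
    if info is None:
        raise ValueError("user identifier is not in NAI form with a recognised realm")
    return UDM_BY_NETWORK[network_key(info)]
```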
The method provided by the embodiment of the application is described below with reference to a specific application scenario.
Application scenario one
In a first application scenario, as shown in fig. 6, the service authentication indication process may include:
Step 61: an authentication service network element (hereinafter the AUSF is taken as an example) for providing authentication service to terminals of the first access mode initiates a registration request to the NRF, such as Nnrf_NFManagement_NFRegister.
Optionally, the registration request includes fourth information, where the fourth information is used to indicate home information of the authentication service network element, and the fourth information may include at least one of the following: the network identifier of the network to which the authentication service network element belongs, the group identifier to which the authentication service network element belongs, and the access mode supported by the authentication service network element.
In one embodiment, the authentication service element may be configured to provide the authentication service to the terminal in the first access mode when the network identifier of the network to which the authentication service element belongs is a first type of home network identifier.
In another embodiment, in the case that the group identifier to which the authentication service network element belongs is a group identifier of the first type, it may be said that the authentication service network element is configured to provide the authentication service for the terminal of the first access mode.
Application scenario two
In the second application scenario, the UE registers with the first network, where the registration type is the first access manner. The first network needs to request the DCS to authenticate the UE. The AMF, NRF and AUSF are communication devices in the first network, the home NRF and home AUSF are devices in the UE's home network, and the home AUSF is an embodiment of the DCS. As shown in fig. 7, the process of selecting the AUSF may include:
Step 71: the UE initiates a registration request to the AMF, where the registration type of the registration request is the indication information of the first access mode (e.g., a first registration type).
Step 72: the AMF performs the AUSF selection operation according to the indication information of the first access mode (such as the first registration type) provided by the UE, including at least one of the following:
(1) selecting a locally configured AUSF for the first access mode;
(2) selecting a locally configured AUSF group identity (AUSF Group ID) for the first access mode and requesting discovery of an AUSF from the NRF according to that group identity;
(3) sending the indication information of the first access mode to the NRF through a network function discovery request, such as Nnrf_NFDiscovery_Request, to request discovery of an AUSF supporting the first access mode;
it should be understood that, before this, the AUSF registers with the NRF the access modes it supports, such as the first access mode.
(4) sending a first type of network identification (Home Network ID) to the NRF through a network function discovery request, such as Nnrf_NFDiscovery_Request;
it should be understood that, before this, when an AUSF supporting the first access mode registers with the NRF, the network identifier of the network to which this authentication service network element belongs should be the network identifier of the first access mode, such as a network identification dedicated to the first access mode.
(5) sending a first type of group identification to the NRF through a network function discovery request, such as Nnrf_NFDiscovery_Request;
it should be understood that, before this, when an AUSF supporting the first access mode registers with the NRF, it should correspondingly provide the group identifier to which the authentication network element belongs, such as the group identity of an authentication service network element dedicated to the first access mode.
Step 73: the NRF performs a third operation according to the acquired third information and/or fourth information.
The third information may include at least one of: a group identity of the first type, a network identity of the first type, and indication information of the first access mode. The fourth information is used for indicating the home information of the authentication service network element. The fourth information may include at least one of: the network identification of the network to which the authentication service network element belongs, the group identification to which the authentication service network element belongs, and the access mode supported by the authentication service network element.
Wherein the third operation includes at least one of:
Discovering an authentication service network element (illustrated later with AUSF) that matches the third information;
And sending the discovered authentication service network element to the AMF.
Step 74: the AMF sends a UE authentication request, such as Nausf_UEAuthentication_Authenticate Request, to the AUSF. The request may include the first identifier of the terminal (the UE's real first SUCI or first SUPI).
Steps 75 to 78: the AUSF finds the home AUSF through the NRF and the home NRF according to the first identity of the terminal, the home network identity in the first UE identity, the AUSF group identity corresponding to the first UE identity, etc.
Specifically, in step 75, the AUSF sends a network function discovery request, such as Nnrf_NFDiscovery_Request, to the NRF. The discovery request may include one of the following: the first identity of the terminal, the home network identity (Home Network ID) in the first identity of the terminal, the AUSF group identity related to the first identity of the terminal, etc.
In step 76, the NRF sends a network function discovery request, such as Nnrf_NFDiscovery_Request, to the home NRF. The discovery request may include the first identifier of the terminal, or the home network identifier in the first UE identifier, or the AUSF group identifier corresponding to the first UE identifier, etc.
In step 77, the home NRF returns a network function discovery response, such as Nnrf_NFDiscovery_Response, to the NRF.
In step 78, the NRF returns a network function discovery response, such as Nnrf_NFDiscovery_Response, to the AUSF.
Step 79: the AUSF initiates a UE authentication request, such as Nausf_UEAuthentication_Authenticate Request, to the home AUSF. The request includes the generated second SUCI or first SUPI, the SN-name, the indication information of the first access mode, and the like.
The home AUSF may then initiate an authentication procedure to the UE.
Application scenario three
In the third application scenario, the UE registers with the first network and provides the identification information of the terminal. The first network needs to request the DCS to authenticate the UE. The AMF, NRF and AUSF are communication devices in the first network, the home NRF and home AUSF are devices in the UE's home network, and the home AUSF is an embodiment of the DCS. As shown in fig. 8, the process of selecting the AUSF may include:
Step 81: the UE initiates a registration request to the AMF. Optionally, the registration request includes first information, for example the identification information of the terminal.
The identification information of the terminal may include at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
the second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
The AMF may perform: deriving a first type of network identification and/or a first type of routing indication according to the second identification of the terminal or the third identification of the terminal;
The first type of network identification is a specific value, e.g. 111, specific to the first access mode.
The first type of routing indication is a specific value specific to the first access mode.
1) In one embodiment, the registration request includes a first identifier of the terminal and a first type of network identifier.
2) In another embodiment, the registration request includes a first identifier of the terminal and a second identifier of the terminal.
3) In another embodiment, the registration request includes a third identifier of the terminal.
When the first identifier (SUCI or SUPI) of the terminal indicates a subscription of a PLMN or SNPN, the DCS index information includes the real Home Network ID in the UE's SUPI.
Step 82: the AMF sends a network function discovery request, such as Nnrf_NFDiscovery_Request, to the NRF, i.e. queries the NRF for an AUSF according to the home network identifier of the first access mode, and obtains the AUSF.
Optionally, the request includes the AUSF Home Network ID and/or AUSF Group ID.
Step 83: the NRF returns the discovered authentication service network element (AUSF) to the AMF.
Step 84: the AMF sends a UE authentication request, such as Nausf_UEAuthentication_Authenticate Request, to the AUSF.
Alternatively, the AMF may perform at least one of:
The second identification of the terminal is not sent to the first authentication service network element or the discovered authentication service network element;
deriving a first identifier of the terminal according to the third identifier of the terminal;
and sending the first identification of the terminal to the first authentication service network element or the discovered authentication service network element.
Steps 85 to 89 are the same as steps 75 to 79 in the second application scenario and are not repeated here.
Referring to fig. 9, an embodiment of the present application provides an access control apparatus applied to a first communication device, as shown in fig. 9, the access control apparatus 90 includes:
A first acquiring module 91, configured to acquire first information and/or second information; wherein the first information includes at least one of: indication information of a first access mode, routing indication of a first type and network identification of the first type; the second information includes at least one of: a first type of network identification, a first type of routing indication, a first type of group identification, and identification information of a terminal;
a first execution module 92, configured to execute a first operation according to the first information and/or the second information;
wherein the first operation includes at least one of:
selecting a first authentication service network element;
Determining a first type of group identity, a first type of routing indication, information of a service provider and/or a first type of network identity;
Requesting to discover an authentication service network element according to the first type group identifier, the first type routing indication, the first type network identifier, the information of the service provider and/or the indication information of the first access mode;
The indication information of the first access mode is used for indicating at least one of the following: an access mode of accessing the first network in order to download a certificate for accessing the second network, an access mode of accessing the first network without having a certificate capable of accessing the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate;
the first network and the second network are the same network or different networks;
Wherein the first authentication service network element comprises at least one of: an authentication service network element for providing authentication service for the terminal of the first access mode, and an authentication service network element for providing authentication service for the terminal with the default certificate;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
Optionally, the first execution module 92 is further configured to execute at least one of the following:
sending the first type of group identification to a first target end, wherein the first type of group identification is used by the first target end to find an authentication service network element matching the first type of group identification;
sending the indication information of the first access mode to a first target end, wherein the indication information of the first access mode is used by the first target end to find an authentication service network element matching the indication information of the first access mode;
sending the first type of routing indication to a first target end, wherein the first type of routing indication is used by the first target end to find an authentication service network element matching the first type of routing indication;
sending the first type of network identification to a first target end, wherein the first type of network identification is used by the first target end to find an authentication service network element matching the first type of network identification.
Optionally, the first acquiring module 91 is specifically configured to: acquire the first information from the terminal.
Optionally, the first acquiring module 91 is specifically configured to: acquire the second information according to configuration on the first communication device.
Optionally, the first acquiring module 91 is specifically configured to perform at least one of:
acquiring the indication information of the first access mode from the terminal;
acquiring a first type of group identification, a first type of routing indication or a first type of network identification according to configuration on the first communication device;
wherein the executing a first operation according to the first information and/or the second information includes at least one of:
determining a first type of group identification, a first type of routing indication or a first type of network identification according to the indication information of the first access mode;
requesting to discover an authentication service network element according to the first type of group identification, the first type of routing indication and/or the first type of network identification.
Optionally, the first acquiring module 91 is specifically configured to perform at least one of:
acquiring a first type of network identification and/or a first type of routing indication from the terminal;
acquiring a first type of group identification according to configuration on the first communication device;
wherein the executing a first operation according to the first information and/or the second information includes at least one of:
determining a first type of group identification according to the first type of network identification and/or the first type of routing indication;
requesting to discover an authentication service network element according to the first type of group identification.
Optionally, the first operation further includes at least one of:
receiving the authentication service network element whose discovery was requested;
deriving a first type of network identification and/or a first type of routing indication from the second identification of the terminal or the third identification of the terminal;
not sending the second identification of the terminal to the first authentication service network element or the discovered authentication service network element;
deriving a first identification of the terminal from the third identification of the terminal;
sending the first identification of the terminal to the first authentication service network element or the discovered authentication service network element.
In this embodiment, the access control device 90 can implement each process implemented in the method embodiment shown in fig. 2 of the present application and achieve the same beneficial effects, and in order to avoid repetition, the description is omitted here.
Referring to fig. 10, an embodiment of the present application provides an access control apparatus applied to a second communication device, as shown in fig. 10, the access control apparatus 100 includes:
a first transmitting module 101, configured to transmit first information;
wherein the first information includes at least one of: indication information of a first access mode, routing indication of a first type, network identification of the first type and identification information of a terminal;
the first type of routing indication includes: a routing indication for the first access mode;
the first type of network identification includes: network identification for the first access mode;
the indication information of the first access mode is used for indicating at least one of the following: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate;
The first network and the second network are the same network or different networks;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
Optionally, the first sending module 101 is specifically configured to: transmit the first information when a first condition is satisfied;
wherein the first condition includes at least one of:
the purpose of the second communication device accessing the first network is to download a certificate for accessing the second network;
the second communication device does not have a certificate capable of accessing the first network;
the second communication device accessing the first network can only use restricted services.
Optionally, the access control device 100 further includes:
a generation module, configured to generate a second identification of the terminal by setting the routing indication in the identification of the terminal to the first type of routing indication and/or setting the home network identification in the identification of the terminal to the first type of network identification; and/or
to generate a third identification of the terminal by adding the first type of network identification to the identification of the terminal and/or adding the first type of routing indication to the identification of the terminal.
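The identifier handling described for the terminal's generation module above, together with the derivation the first communication device performs on the received identifier (deriving the first type of network identification and routing indication from a second or third identification, deriving the first identification from the third identification, and withholding the second identification from the authentication service network element), as an added worked example. This is illustrative code written for this page, not the patent's own or any 3GPP implementation; the structured identifier layout, the field names and the sample values (routing indication "9999", network identification "onboarding-net", provider "provider.example") are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed values for the first access mode (assumptions for this example, not from the patent).
FIRST_TYPE_ROUTING_INDICATION = "9999"
FIRST_TYPE_NETWORK_ID = "onboarding-net"


@dataclass(frozen=True)
class TerminalIdentifier:
    """Structured terminal identifier (layout and field names are assumptions).

    auth_provider          information of the terminal's authentication provider
    routing_indication     routing indication field of the identifier
    home_network_id        home network identification field of the identifier
    first_type_network_id  first type of network identification added for the third identification
    first_type_routing     first type of routing indication added for the third identification
    """
    auth_provider: str
    routing_indication: Optional[str] = None
    home_network_id: Optional[str] = None
    first_type_network_id: Optional[str] = None
    first_type_routing: Optional[str] = None


# ---- terminal side (second communication device): generation module ----

def generate_second_identifier(base: TerminalIdentifier) -> TerminalIdentifier:
    """Second identification: the identifier's own routing indication and home network
    identification are *set* to the first-type values, so the original values are lost."""
    return replace(base,
                   routing_indication=FIRST_TYPE_ROUTING_INDICATION,
                   home_network_id=FIRST_TYPE_NETWORK_ID)


def generate_third_identifier(base: TerminalIdentifier) -> TerminalIdentifier:
    """Third identification: the first-type values are *added* next to the original
    fields, so the provider information and original routing data stay intact."""
    return replace(base,
                   first_type_network_id=FIRST_TYPE_NETWORK_ID,
                   first_type_routing=FIRST_TYPE_ROUTING_INDICATION)


# ---- network side (first communication device) ----

def is_third_identifier(ident: TerminalIdentifier) -> bool:
    return ident.first_type_network_id is not None or ident.first_type_routing is not None


def is_second_identifier(ident: TerminalIdentifier) -> bool:
    return (not is_third_identifier(ident)
            and (ident.routing_indication == FIRST_TYPE_ROUTING_INDICATION
                 or ident.home_network_id == FIRST_TYPE_NETWORK_ID))


def derive_first_type_info(ident: TerminalIdentifier) -> Tuple[Optional[str], Optional[str]]:
    """Derive (first type of network identification, first type of routing indication)
    from a second or third identification; these drive authentication service discovery."""
    if is_third_identifier(ident):
        return ident.first_type_network_id, ident.first_type_routing
    if is_second_identifier(ident):
        return ident.home_network_id, ident.routing_indication
    return None, None


def derive_first_identifier(third: TerminalIdentifier) -> TerminalIdentifier:
    """First identification: only the authentication provider information of the terminal."""
    if not is_third_identifier(third):
        raise ValueError("the first identification is derived from the third identification only")
    return TerminalIdentifier(auth_provider=third.auth_provider)


def identifier_for_auth_service(ident: TerminalIdentifier) -> Optional[TerminalIdentifier]:
    """What is forwarded to the selected or discovered authentication service network element:
    a second identification is never sent (None); a third identification is reduced to the first."""
    if is_second_identifier(ident):
        return None
    if is_third_identifier(ident):
        return derive_first_identifier(ident)
    return ident  # a plain first identification passes through unchanged


if __name__ == "__main__":
    base = TerminalIdentifier("provider.example", routing_indication="0001", home_network_id="home-net")
    third = generate_third_identifier(base)
    print(derive_first_type_info(third))                                  # ('onboarding-net', '9999')
    print(identifier_for_auth_service(third).auth_provider)               # provider.example
    print(identifier_for_auth_service(generate_second_identifier(base)))  # None
```

The two generation paths differ in what survives: the second identification overwrites the terminal's routing and home network fields, which is why the network side never forwards it to the authentication service network element, whereas the third identification keeps the provider information alongside the added first-type fields and can be reduced to a first identification before forwarding.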
In this embodiment, the access control device 100 can implement each process implemented in the method embodiment shown in fig. 3 of the present application and achieve the same beneficial effects, and in order to avoid repetition, the description is omitted here.
Referring to fig. 11, an embodiment of the present application provides an access control apparatus applied to a second communication device, as shown in fig. 11, the access control apparatus 110 includes:
a second acquiring module 111, configured to acquire third information and/or fourth information; wherein the third information includes at least one of: a first type of group identification, a first type of routing indication, a first type of network identification, information of an authentication provider, and indication information of the first access mode; the fourth information is used for indicating affiliation information of the authentication service network element and includes at least one of the following: a routing indication supported by the authentication service network element, the network identification of the network to which the authentication service network element belongs, the group identification to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and information that the authentication provider can authenticate a terminal with a default certificate;
a second execution module 112, configured to execute a third operation according to the third information and/or the fourth information;
wherein the third operation includes at least one of:
Finding an authentication service network element matched with the third information, wherein fourth information of the authentication service network element is matched with the third information;
transmitting the discovered authentication service network element;
wherein the authentication service type supported by the authentication service network element includes support for providing authentication service for a terminal with a default certificate;
the indication information of the first access mode is used for indicating at least one of the following: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate;
The first network and the second network are the same network or different networks;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
the first type of network identification includes: network identification for the first access mode.
Optionally, in the operation of discovering an authentication service network element matching the third information,
when the third information includes the indication information of the first access mode, the access mode supported by the discovered authentication service network element is the first access mode;
or, when the third information includes a first type of routing indication, the routing indication supported by the discovered authentication service network element is the first type of routing indication;
or, when the third information includes a first type of network identification, the network identification of the network to which the discovered authentication service network element belongs is the first type of network identification;
or, when the third information includes a first type of group identification, the group identification to which the discovered authentication service network element belongs is the first type of group identification;
or, when the third information includes information of an authentication provider, the information of the authentication providers supported by the discovered authentication service network element includes the information of the authentication provider in the third information;
or, the discovered authentication service network element satisfies at least one of the following:
the routing indication supported by the discovered authentication service network element is a first type of routing indication;
the network identification of the network to which the discovered authentication service network element belongs is a first type of network identification;
the group identification to which the discovered authentication service network element belongs is a first type of group identification;
the access mode supported by the discovered authentication service network element is the first access mode;
the authentication service type supported by the discovered authentication service network element supports providing authentication service for a terminal with a default certificate.
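The matching rules listed above, in which the fourth information registered by an authentication service network element is checked against whichever criteria the third information of a discovery request carries, as an added worked example. This is illustrative code written for this page, not the patent's own or any network repository implementation; the profile and request field names, the access mode and service type labels, and the two-entry sample registry are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed labels (assumptions for this example, not from the patent).
FIRST_ACCESS_MODE = "first-access-mode"
DEFAULT_CREDENTIAL_AUTH = "auth-for-default-credential"   # an authentication service type


@dataclass(frozen=True)
class AuthServiceProfile:
    """Fourth information: affiliation information registered by an authentication service network element."""
    name: str
    routing_indications: Set[str]   # routing indications it supports
    network_id: str                 # network it belongs to
    group_id: str                   # group it belongs to
    access_modes: Set[str]          # access modes it supports
    service_types: Set[str]         # authentication service types it supports
    auth_providers: Set[str]        # authentication providers it supports


@dataclass(frozen=True)
class DiscoveryRequest:
    """Third information: every criterion is optional; only the ones present are checked."""
    group_id: Optional[str] = None
    routing_indication: Optional[str] = None
    network_id: Optional[str] = None
    auth_provider: Optional[str] = None
    access_mode: Optional[str] = None
    service_type: Optional[str] = None


def matches(profile: AuthServiceProfile, req: DiscoveryRequest) -> bool:
    """True when the fourth information satisfies each criterion present in the third information.

    Each rule mirrors one clause of the matching description: a present access mode must be
    supported, a present routing indication must be supported, a present network or group
    identification must equal the element's own, and a present provider or service type must
    be among those the element supports."""
    if req.access_mode is not None and req.access_mode not in profile.access_modes:
        return False
    if req.routing_indication is not None and req.routing_indication not in profile.routing_indications:
        return False
    if req.network_id is not None and profile.network_id != req.network_id:
        return False
    if req.group_id is not None and profile.group_id != req.group_id:
        return False
    if req.auth_provider is not None and req.auth_provider not in profile.auth_providers:
        return False
    if req.service_type is not None and req.service_type not in profile.service_types:
        return False
    return True


def discover(registry: List[AuthServiceProfile], req: DiscoveryRequest) -> List[str]:
    """Third operation: names of the authentication service network elements whose fourth
    information matches the request; an empty list means nothing suitable is registered."""
    return [p.name for p in registry if matches(p, req)]


# Constructed registry: one element dedicated to the first access mode and one regular element.
REGISTRY = [
    AuthServiceProfile("ausf-onboarding", {"9999"}, "onboarding-net", "grp-onboarding",
                       {FIRST_ACCESS_MODE}, {DEFAULT_CREDENTIAL_AUTH}, {"provider.example"}),
    AuthServiceProfile("ausf-regular", {"0001", "0002"}, "home-net", "grp-home",
                       {"regular"}, set(), set()),
]


if __name__ == "__main__":
    print(discover(REGISTRY, DiscoveryRequest(access_mode=FIRST_ACCESS_MODE)))   # ['ausf-onboarding']
    print(discover(REGISTRY, DiscoveryRequest(routing_indication="0002")))      # ['ausf-regular']
    print(discover(REGISTRY, DiscoveryRequest(group_id="grp-onboarding",
                                              auth_provider="other")))          # []
```

Because every criterion is optional, a request that carries none of them matches every registered element; a discovery requester that wants only elements able to serve terminals with a default certificate must therefore include the access mode or service type criterion rather than rely on the registry's contents.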
In this embodiment, the access control device 110 can implement each process implemented in the method embodiment shown in fig. 4 of the present application and achieve the same beneficial effects, and in order to avoid repetition, the description is omitted here.
Referring to fig. 12, an embodiment of the present application provides an access control apparatus applied to a second communication device, as shown in fig. 12, the access control apparatus 120 includes:
A second transmitting module 121 for transmitting fourth information;
wherein the fourth information is used for indicating affiliation information of the authentication service network element; the fourth information includes at least one of: a routing indication supported by the authentication service network element, the network identification of the network to which the authentication service network element belongs, the group identification to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, information of an authentication provider supported by the authentication service network element, and information that the authentication provider can authenticate a terminal with a default certificate;
wherein the routing indication supported by the authentication service network element is a first type of routing indication;
The network identifier of the network to which the authentication service network element belongs is a first type of network identifier;
the group identifier to which the authentication service network element belongs is a first type group identifier;
the access modes supported by the authentication service network element comprise a first access mode;
the authentication service type supported by the authentication service network element includes support for providing authentication service for a terminal with a default certificate;
the first access mode includes at least one of the following: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode.
Optionally, the second sending module 121 is further configured to: transmitting the fourth information if the second condition is satisfied;
wherein the second condition includes: the authentication service network element is an authentication service network element for providing authentication service for the terminal in the first access mode.
In this embodiment, the access control device 120 can implement each process implemented in the method embodiment shown in fig. 5 of the present application and achieve the same beneficial effects, and in order to avoid repetition, the description is omitted here.
The present application also provides an access control apparatus applied to a fifth communication device, including:
a third execution module, configured to execute a fifth operation when a fifth condition is satisfied;
wherein the fifth operation includes at least one of:
selecting a network element for the terminal without using fifth information;
wherein the fifth condition includes at least one of: the terminal is in the first access mode;
and the fifth information includes at least one of: the user identification of the terminal, network identification information in the user identification of the terminal, and information in the realm of the user identification of the terminal.
In one embodiment, for a terminal accessing the network through a mode other than the first access mode, selecting a network device for the terminal according to information in the user identification of the terminal is the default operation. An exception operation is therefore required for terminals accessing the network through the first access mode.
The network identification information in the user identification of the terminal includes at least one of the following: the MNC in the user identification of the terminal, the MCC in the user identification of the terminal, and the network identifier NID in the user identification of the terminal.
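The default and exception behaviour described above (deriving network element selection inputs from the MNC, MCC and NID in the realm of the user identification, versus not consulting that fifth information at all when the terminal is in the first access mode), as an added worked example. This is illustrative code written for this page, not the patent's own or any core network implementation; the NAI-style realm layout with mnc, mcc and optional nid labels, the access mode label and the first-type values are constructed assumptions.

```python
import re
from typing import Dict

# Constructed labels and first-type values (assumptions for this example, not from the patent).
FIRST_ACCESS_MODE = "first-access-mode"
FIRST_TYPE_ROUTING_INDICATION = "9999"
FIRST_TYPE_NETWORK_ID = "onboarding-net"

# Assumed realm layout: "...mnc<MNC>.mcc<MCC>..." with an optional "nid<NID>" label.
MNC_MCC_RE = re.compile(r"mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})")
NID_RE = re.compile(r"(?:^|\.)nid(?P<nid>[0-9a-fA-F]+)(?:\.|$)")


def parse_realm(user_id: str) -> Dict[str, str]:
    """Fifth information: the network identification information (MNC, MCC, NID) carried in
    the realm of the user identification. Returns an empty dict when the realm has none."""
    if "@" not in user_id:
        return {}
    realm = user_id.split("@", 1)[1]
    info: Dict[str, str] = {}
    m = MNC_MCC_RE.search(realm)
    if m:
        info["mnc"], info["mcc"] = m.group("mnc"), m.group("mcc")
    n = NID_RE.search(realm)
    if n:
        info["nid"] = n.group("nid")
    return info


def selection_inputs(user_id: str, access_mode: str) -> Dict[str, str]:
    """Inputs handed to network element selection (e.g. AUSF, UDM or UDR) for the terminal.

    Default operation (any mode other than the first access mode): derive the inputs from
    the realm of the user identification.
    Fifth condition (first access mode): the fifth operation applies, the realm is never
    parsed, and the first-type values configured for that mode are used instead."""
    if access_mode == FIRST_ACCESS_MODE:
        return {"source": "first-type-configuration",
                "network_id": FIRST_TYPE_NETWORK_ID,
                "routing_indication": FIRST_TYPE_ROUTING_INDICATION}
    inputs = {"source": "user-identification"}
    inputs.update(parse_realm(user_id))
    return inputs


if __name__ == "__main__":
    # Constructed user identification; the NID and MNC/MCC values are not real network codes.
    uid = "user@nid00007ed9d5.mnc001.mcc234.3gppnetwork.org"
    print(selection_inputs(uid, "regular"))
    print(selection_inputs(uid, FIRST_ACCESS_MODE))
```

The point of the early return is that a terminal in the first access mode may present a user identification whose realm points at a network it has no credentials for yet, so anything derived from that realm must not influence which network element serves it.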
Optionally, the apparatus further comprises:
A third obtaining module, configured to obtain first information, where the first information includes at least one of: indication information of a first access mode, routing indication of a first type and network identification of the first type; the second information includes at least one of: a first type of network identification, a first type of routing indication, a first type of group identification, and identification information of a terminal; wherein,
the indication information of the first access mode is used for indicating at least one of the following: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate;
The group identification of the first type includes: a group identity of an authentication service network element for providing an authentication service to a terminal of a first access mode;
the first type of network identification includes: network identification for the first access mode;
the first type of routing indication includes: a routing indication for the first access mode;
The identification information of the terminal includes at least one of: a first identifier of the terminal, a second identifier of the terminal and a third identifier of the terminal;
The first identification of the terminal comprises information of an authentication provider of the terminal;
The second identifier of the terminal comprises a first type of network identifier and/or a first type of routing indication;
The third identifier of the terminal comprises information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.
Optionally, the apparatus further comprises:
And the determining module is used for determining that the fifth condition is met according to the first information.
Optionally, the network element includes at least one of: a core network element, an AUSF, a UDM and a UDR.
In one embodiment, the network element may be a network device.
Referring to fig. 13, fig. 13 is a schematic structural diagram of another communication device provided in an embodiment of the present application. As shown in fig. 13, the communication device 130 includes a processor 131, a memory 132, and a computer program stored in the memory 132 and capable of running on the processor 131; the components of the communication device 130 are coupled together through a bus interface 133. When executed by the processor 131, the computer program implements each process of the method embodiment shown in fig. 2, fig. 3, fig. 4 or fig. 5 and achieves the same technical effect, which is not repeated here.
The embodiment of the present application further provides a computer readable storage medium storing a computer program. When executed by a processor, the computer program implements each process of the method embodiment shown in fig. 2, fig. 3, fig. 4 or fig. 5 and achieves the same technical effect, which is not repeated here. The computer readable storage medium is, for example, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the methods of the above embodiments may be implemented by software plus a necessary general hardware platform, or of course by hardware alone, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) that includes instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the methods of the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above embodiments, which are merely illustrative and not restrictive; many variations may be made by those of ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, and all of them fall within the protection of the present application.

Claims (21)

1. An access control method applied to a first communication device, comprising:
acquiring first information; the first information comprises identification information of a terminal, the identification information of the terminal comprises a third identification of the terminal, and the third identification of the terminal comprises a routing indication for a first access mode and index information of DCS;
Executing a first operation according to the first information;
wherein the first operation comprises:
selecting a first authentication service network element;
Wherein the first authentication service network element comprises at least one of: an authentication service network element for providing authentication service for the terminal of the first access mode, and an authentication service network element for providing authentication service for the terminal with the default certificate;
wherein the first access mode includes at least one of: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate.
2. The method of claim 1, wherein the first information further comprises: indication information of a first access mode;
the indication information of the first access mode is used for indicating at least one of the following: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate;
The first network and the second network are the same network or different networks.
3. The method according to claim 1 or 2, wherein the method further comprises:
obtaining second information, wherein the second information comprises: a group identification of a first type;
The group identification of the first type includes: and the authentication service network element group identification is used for providing authentication service for the terminal of the first access mode.
4. The method according to claim 3, wherein
the acquiring the first information includes: acquiring the first information from a terminal;
and/or
the acquiring the second information includes: acquiring the second information according to configuration on the first communication device.
5. The method according to claim 3, wherein the acquiring the first information includes:
acquiring the indication information of the first access mode from a terminal;
and/or
the acquiring the second information includes:
acquiring the first type of group identification according to configuration on the first communication device.
6. A method according to claim 3, wherein the obtaining the first information comprises:
Acquiring a network identifier for a first access mode and the routing indication for the first access mode from a terminal;
And/or
The acquiring the second information includes:
a group identity of a first type is obtained according to a configuration on a first communication device.
7. The method of claim 1, wherein the first operation further comprises:
And according to the third identification of the terminal, deriving a network identification for the first access mode and a routing indication for the first access mode.
8. An access control method applied to a second communication device, comprising:
transmitting first information;
The first information comprises identification information of a terminal, wherein the identification information of the terminal comprises a third identification of the terminal, and the third identification of the terminal comprises a routing indication for a first access mode and index information of DCS;
wherein the first access mode includes at least one of: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate.
9. The method of claim 8, wherein the first information further comprises: indication information of a first access mode;
the indication information of the first access mode is used for indicating at least one of the following: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate;
The first network and the second network are the same network or different networks.
10. The method of claim 8, wherein the transmitting the first information comprises:
transmitting the first information when a first condition is satisfied;
wherein the first condition includes at least one of:
The purpose of the second communication device accessing the first network is to download credentials for accessing the second network;
the second communication device does not have a certificate capable of accessing the first network;
the second communication device accessing the first network is only able to use the restricted service.
11. The method of claim 8, wherein prior to the step of transmitting the first information, the method further comprises at least one of:
generating a third identifier of the terminal, adding the network identifier for the first access mode to the identifier of the terminal and/or adding the routing indication for the first access mode to the identifier of the terminal.
12. An access control method applied to a third communication device, comprising:
acquiring third information and fourth information; wherein the third information includes a routing indication for the first access mode and at least one of: a group identifier of a first type, a network identifier for a first access mode, information of an authentication provider, and indication information of the first access mode; the fourth information includes: an access mode supported by the authentication service network element;
Performing a third operation according to the third information and the fourth information;
Wherein the third operation includes:
Finding an authentication service network element matched with the third information, wherein fourth information of the authentication service network element is matched with the third information;
transmitting the discovered authentication service network element;
wherein the first access mode includes at least one of: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate.
13. The method according to claim 12, wherein the indication information of the first access mode is used for indicating at least one of: an access mode in which the terminal accesses the first network in order to download a certificate for accessing the second network, an access mode in which the terminal accesses the first network without holding a certificate for accessing the first network, an access mode in which only limited services can be used, and an access mode in which the terminal's certificate for accessing the first network is a default certificate;
the first network and the second network are the same network or different networks;
The group identification of the first type includes: and the authentication service network element group identification is used for providing authentication service for the terminal of the first access mode.
14. The method according to claim 13, wherein, in the operation of discovering an authentication service network element matching the third information:
when the third information includes the indication information of the first access mode, the access mode supported by the discovered authentication service network element is the first access mode;
or, when the third information includes the routing indication for the first access mode, the routing indication supported by the discovered authentication service network element is the routing indication for the first access mode;
or, when the third information includes the network identifier for the first access mode, the network identifier of the network to which the discovered authentication service network element belongs is the network identifier for the first access mode;
or, when the third information includes the group identifier of the first type, the group identifier to which the discovered authentication service network element belongs is the group identifier of the first type;
or, when the third information includes the information of the authentication provider, the information of the authentication providers supported by the discovered authentication service network element includes the information of the authentication provider in the third information;
or, the discovered authentication service network element satisfies at least one of the following:
the routing indication supported by the discovered authentication service network element is the routing indication for the first access mode;
the network identifier of the network to which the discovered authentication service network element belongs is the network identifier for the first access mode;
the group identifier to which the discovered authentication service network element belongs is the group identifier of the first type;
the access mode supported by the discovered authentication service network element is the first access mode;
the authentication service type supported by the discovered authentication service network element supports providing authentication service for terminals holding a default certificate.
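The discovery operation of claims 12 and 14, shown as an added Python example that is not part of the patent: an NRF-style filter in which the consumer's query plays the role of the third information and each registered authentication service network element's profile plays the role of the fourth information. All profile contents, identifiers, labels and field names are constructed assumptions; the claim lists its criteria as alternatives, and this example applies every criterion the consumer actually supplies.

```python
# Added example, not the patent's own code. Field names, labels and the
# sample profiles are constructed for illustration.
from dataclasses import dataclass, field

ONBOARDING = "first-access-mode"  # constructed label for the first access mode


@dataclass
class AuthNFProfile:
    """Fourth information registered by an authentication service network element."""
    nf_id: str
    access_modes: set = field(default_factory=set)        # access modes supported
    routing_indications: set = field(default_factory=set)  # routing indications supported
    network_id: str = ""                                   # network the NF belongs to
    group_id: str = ""                                     # group the NF belongs to
    auth_providers: set = field(default_factory=set)       # authentication providers supported


def matches(profile: AuthNFProfile, query: dict) -> bool:
    """True when every criterion present in the query (third information) holds."""
    rules = (
        ("routing_indication", lambda v: v in profile.routing_indications),
        ("network_id", lambda v: v == profile.network_id),
        ("group_id", lambda v: v == profile.group_id),
        ("auth_provider", lambda v: v in profile.auth_providers),
        # indication information of the first access mode: the NF must support it
        ("first_access_mode_indication", lambda v: ONBOARDING in profile.access_modes),
    )
    return all(check(query[key]) for key, check in rules if key in query)


def discover(profiles, query: dict) -> list:
    """Third operation of claim 12: discover matching NFs and return their ids."""
    # Claim 12 always carries the routing indication for the first access mode.
    if "routing_indication" not in query:
        raise ValueError("third information must carry a routing indication")
    return [p.nf_id for p in profiles if matches(p, query)]


# Constructed sample registrations (claim 15 registration requests).
SAMPLE_PROFILES = [
    AuthNFProfile("ausf-onboarding", {ONBOARDING}, {"71"}, "snpn-A",
                  "grp-onboard", {"dcs-example"}),
    AuthNFProfile("ausf-regular", {"normal"}, {"10"}, "snpn-A", "grp-default"),
]

if __name__ == "__main__":
    query = {"routing_indication": "71", "first_access_mode_indication": True,
             "auth_provider": "dcs-example"}
    print(discover(SAMPLE_PROFILES, query))  # ['ausf-onboarding']
```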
15. An access control method applied to a fourth communication device, comprising:
sending a registration request to a third communication device, the registration request including fourth information;
wherein the fourth information includes: an access mode supported by the authentication service network element, the access modes supported by the authentication service network element including a first access mode; and
the first access mode includes at least one of: an access mode for accessing a first network in order to download a certificate for accessing a second network, an access mode for accessing the first network without holding a certificate that allows access to the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
16. An access control apparatus for use with a first communication device, comprising:
a first acquisition module configured to acquire first information; wherein the first information includes: identification information of a terminal, the identification information including a third identifier of the terminal, and the third identifier of the terminal including a routing indication for a first access mode and index information of a DCS (Default Credential Server);
the first execution module is used for executing a first operation according to the first information;
wherein the first operation comprises:
selecting a first authentication service network element;
wherein the first authentication service network element includes at least one of: an authentication service network element that provides authentication service for terminals using the first access mode, and an authentication service network element that provides authentication service for terminals holding a default certificate;
wherein the first access mode includes at least one of: an access mode for accessing a first network in order to download a certificate for accessing a second network, an access mode for accessing the first network without holding a certificate that allows access to the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
17. An access control apparatus applied to a second communication device, comprising:
a first sending module configured to send first information;
wherein the first information includes: identification information of a terminal, the identification information including a third identifier of the terminal, and the third identifier of the terminal including a routing indication for a first access mode and index information of a DCS (Default Credential Server);
wherein the first access mode includes at least one of: an access mode for accessing a first network in order to download a certificate for accessing a second network, an access mode for accessing the first network without holding a certificate that allows access to the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
18. An access control apparatus applied to a third communication device, comprising:
a second acquisition module configured to acquire third information and fourth information; wherein the third information includes a routing indication for a first access mode and at least one of: a group identifier of a first type, a network identifier for the first access mode, information of an authentication provider, and indication information of the first access mode; and the fourth information includes: an access mode supported by an authentication service network element;
a second execution module configured to perform a third operation according to the third information and the fourth information;
wherein the third operation includes:
discovering an authentication service network element matching the third information, that is, an authentication service network element whose fourth information matches the third information; and
sending the discovered authentication service network element;
wherein the first access mode includes at least one of: an access mode for accessing a first network in order to download a certificate for accessing a second network, an access mode for accessing the first network without holding a certificate that allows access to the first network, an access mode in which only limited services can be used, and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
19. An access control apparatus applied to a fourth communication device, comprising:
a second sending module configured to send a registration request to the third communication device, the registration request including fourth information;
wherein the fourth information includes: an access mode supported by the authentication service network element;
the access modes supported by the authentication service network element comprise a first access mode;
the first access mode includes at least one of: an access mode for accessing a first network in order to download a certificate for accessing a second network, an access mode for accessing the first network without holding a certificate that allows access to the first network, and an access mode in which only limited services can be used.
20. A communication device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, performing the steps of the access control method according to any one of claims 1 to 7, or the steps of the access control method according to any one of claims 8 to 11, or the steps of the access control method according to any one of claims 12 to 14, or the steps of the access control method according to claim 15.
21. A readable storage medium, having stored thereon a program or instructions which, when executed by a processor, implement the steps of the access control method according to any one of claims 1 to 7, or the steps of the access control method according to any one of claims 8 to 11, or the steps of the access control method according to any one of claims 12 to 14, or the steps of the access control method according to claim 15.
CN202110369540.7A 2020-07-31 2021-04-06 Access control method, device and communication equipment Active CN114071465B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
JP2023503412A JP7509991B2 (en) 2020-07-31 2021-08-02 Access control method, device and communication device
PCT/CN2021/110015 WO2022022739A1 (en) 2020-07-31 2021-08-02 Access control method and apparatus, and communication device
KR1020237006765A KR20230043969A (en) 2020-07-31 2021-08-02 Access control method, device and communication device
EP21851111.1A EP4192064A4 (en) 2020-07-31 2021-08-02 Access control method and apparatus, and communication device
US18/104,061 US20230179597A1 (en) 2020-07-31 2023-01-31 Access control method, access control apparatus, and communications device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2020107621963 2020-07-31
CN202010762196 2020-07-31

Publications (2)

Publication Number Publication Date
CN114071465A CN114071465A (en) 2022-02-18
CN114071465B true CN114071465B (en) 2024-08-06

Family

ID=80233267

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110369540.7A Active CN114071465B (en) 2020-07-31 2021-04-06 Access control method, device and communication equipment

Country Status (1)

Country Link
CN (1) CN114071465B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115314841B (en) * 2021-05-06 2024-07-30 华为技术有限公司 Communication method and communication device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020098974A1 (en) * 2018-11-14 2020-05-22 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatuses for network function selection in 5g for a user

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3GPP TR 23.700-07 V0.4.0 Technical Specification Group Services and System Aspects; Study on enhanced support of non-public networks (Release 17)". 3GPP specs\archive, 2020, pages 102-110. *

Also Published As

Publication number Publication date
CN114071465A (en) 2022-02-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant