OA19340A - Authentification for next generation systems - Google Patents
- Publication number: OA19340A
- Authority: OA (OAPI)
Abstract
Methods and apparatus for secondary authentication in a network. A method performed by a user equipment (UE) comprises establishing a user plane (UP) session or connection with a UP function (UPF), receiving an extensible authentication protocol (EAP) based authentication request from the UPF and sending an EAP based authentication response to the UPF. A method performed by a user plane UP function (UPF) comprises establishing a UP session or connection to a user equipment (UE), sending an extensible authentication protocol (EAP) based authentication request to the UE, and receiving an EAP based authentication response from the UE.
Description
The inventive concept will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the inventive concept are shown. This inventive concept may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the inventive concept to those skilled in the art. Like numbers refer to like elements throughout the description.
One possible scenario for decoupling the authentication and authorization procedures for accessing different network slices (NSs) is the following. In order for an NG user equipment (UE) to access a particular NS, the operator would first run a primary (usual) authentication for initial network access, followed by a secondary NS-specific authentication. The secondary NS-specific authentication may possibly be under the control of a 3rd party. This assumes trust between the 3rd party service provider and the mobile network operator (MNO), who for example is offering access and transport services to this 3rd party in a dedicated NS instance.
In long term evolution (LTE), there is a mechanism that could be relevant for the described scenario. This mechanism is described in clause 5.3.2 of TS 23.401. It is based on the so-called ciphered options request and uses an information element called the protocol configuration options (PCO).
The PCO is one of the information elements in non-access stratum (NAS) messages. The PCO may be used in several types of messages, such as a packet data network (PDN) connectivity request, to send information transparently through a Mobility Management Entity (MME) and a serving gateway (S-GW) to a PDN-GW. For example, the PCO may include an address allocation preference indicating that the UE prefers to obtain an Internet protocol version 4 (IPv4) address only after default bearer activation, by means of dynamic host configuration protocol version 4 (DHCPv4).
One use case of the PCO is the transfer of password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) usernames and passwords to the PDN-GW, which then runs them through an authentication, authorization, and accounting (AAA) server for access authorization. The AAA server may be located in an external domain. Since usernames and passwords are sensitive and need to be protected, if the UE intends to send a PCO which requires ciphering (e.g., PAP/CHAP usernames and passwords), the UE shall set a ciphered options transfer flag in the attach request message and send the PCO only after authentication and NAS security setup have been completed.
Fig. 2 shows the message flow required for running such an additional (i.e. secondary) authentication procedure through the PDN-GW in LTE. In the following, a more detailed description of the steps therein is provided.
A UE is within the UE domain. An MME, an S-GW, a home subscriber server (HSS), and a PDN-GW are within the MNO domain. An AAA server is within a third party domain.
In step 1 the UE sends an attach request message with a ciphered options transfer flag set to the MME.
In step 2 an authentication and key agreement (AKA) procedure is run between the UE and the HSS. Upon successful authentication the next steps are executed.
In step 3 NAS security is set up using the security mode command (SMC). After the NAS security has been set up, all NAS messages are confidentiality and integrity protected.
In step 4 the MME sends a ciphered options request message to the UE for the retrieval of the PCO.
In step 5 the UE replies with a ciphered options response message including the PAP/CHAP username and password in the PCO information element. In case the UE has subscriptions to multiple PDNs, then the UE includes an access point name (APN) in the message as well.
In step 6 the MME deciphers the received data, uses the APN, if provided, to identify a PDN-GW, and forwards the PCO through the S-GW to the target PDN-GW in a create session request message.
In step 7 the PDN-GW sends the received PAP/CHAP information in a diameter/radius access request message to an external AAA server. Upon success, the session creation procedure proceeds as usual.
The above steps 4-7 thus represent a secondary authentication, performed after the first authentication in step 2 has been completed. However, using this mechanism in, or extending it to, NG systems would have some drawbacks.
Firstly, the mechanism is very limited in terms of possible authentication methods. Currently there is only support for PAP and CHAP, but since PAP is obsolete today from a security point of view, essentially only CHAP can be used.
Secondly, in order to support other methods and use the PCO information element for the transport of authentication information, the mechanism would require special messages dedicated to this purpose between the MME and the S-GW and between the S-GW and the PDN-GW, i.e. to handle authentication methods that require more than one round-trip.
Furthermore, it is difficult to see how this mechanism would fit in the NG architecture, which is going to be broken down further. In fact, taking into consideration the new architectural features (TR 23.799), there will probably be more hops in the path between the UE and the PDN-GW, for example in relation to the ongoing work on the split of the MME into a mobility management function (MMF) and a session management function (SMF) (TR 23.799) and the control and user plane separation (CUPS) work for the control and user plane split (TR 23.714). This implies more load and signaling in the core network (CN).
Finally, this mechanism is a workaround because there is no direct protocol between the UE and the PDN-GW. Making it generic enough to support other authentication methods would be technically challenging, especially since many methods have strict recommendations and requirements on the transport layer.
Running the secondary authentication on the user plane (UP), once the UP is set up, is presented herein. A limited UP session may be run for the secondary authentication procedure, rather than allowing full access to the PDN. Once the secondary authentication is completed, the limited UP session may be upgraded to one having full access to a data network. The use of the extensible authentication protocol (EAP), as defined in RFC 3748, is also presented. EAP is used for authentication between the UE and a potentially external AAA server, where an NG UP function (UPF), playing a role similar to that of the PDN-GW in LTE, takes the role of EAP authenticator. EAP payloads would be carried by the protocol for carrying authentication for network access (PANA), as defined in RFC 5191, which is IP-based. Another alternative is that the NG-UPF takes the role of the EAP server.
The presented solution uses EAP, which is widely used and provides support for many authentication methods such as EAP-transport layer security (EAP-TLS), EAP-authentication and key agreement (EAP-AKA), EAP-tunneled TLS (EAP-TTLS) and the protected extensible authentication protocol (PEAP). The presented solution is IP-based and thus agnostic to the type of access network (AN). Further, since it is UP-based, the secondary authentication can be performed independently on an NS-specific basis, even for scenarios where the NG-UE supports multiple, possibly simultaneous, NS connections. By using EAP, the solution also supports different types of credentials and authentication methods. The EAP exchange may benefit from the protection over the air interface.
The secondary authentication is thus run over the UP bearers once the NG-UE has been allocated an IP address. EAP is then used for authentication between the NG-UE and the (potentially external) AAA server, where the NG-UPF takes the role of the EAP authenticator.
An embodiment wherein the NG-UPF acts as an EAP authenticator is presented with reference to Fig. 3.
Fig. 3 shows a flow where a UP-based secondary authentication is run with an external AAA server. The NG-UE is in the UE domain. The NG mobility management function (MMF), the NG session management function (SMF), the NG security anchor function (SEAF) and the NG-UPF are in the MNO domain. The NG-UPF is a UPF corresponding to a PDN-GW in LTE. The AAA server is in a third party domain. The requirements on the NG-UPF are to include support of PANA and EAP, possibly in addition to the support of all needed UP features of the PDN-GW in LTE, such as support of the SGi interface. In general, an NG prefix is used for NG system functions corresponding to LTE concepts.
In step 1 the NG-UE sends an attach request initiating the attach procedure. The solution presented herein is not dependent on how network slicing is supported, e.g. how the NS instances are selected and how the NG-UE is directed to the proper ones.
In step 2 the NG-UE runs a primary authentication with the NG SEAF. The NG SEAF may further be connected to an NG authentication server function (AUSF). The later, secondary authentication is not dependent on how the NG SEAF and NG MMF are deployed (i.e. collocated or split) nor on the location of the NG SEAF (home or visited public land mobile network (PLMN)).
In step 3 control plane security is established between the NG-UE and the end point of the NG NAS. The end point of the NG NAS may e.g. be the NG MMF or the NG SMF.
In step 4 a protocol data unit (PDU) session is thereafter established for the transport of UP data between the NG-UE and a data network via the NG-UPF. The session established in step 4 may be a limited session allowing only the secondary authentication procedure to run. The later, secondary authentication depends on the UP being set up, since it establishes IP connectivity between the NG-UE and the NG-UPF.
In step 5 a secondary EAP-based authentication is run between the NG-UE and the NG-UPF, here taking the role of an EAP authenticator and relying on a backend external AAA server. The NG-UE is thereafter granted access to the data network based on the outcome of this authentication procedure.
This presented solution is agnostic to how non-3GPP access will be integrated and whether steps 1 to 3 are executed exactly as depicted here or differently. As long as IP connectivity is established between the NG-UE and the NG-UPF, which is achieved in step 4, the EAP-based authentication can be run in step 5. In case radio access network (RAN) security has been established before step 5, the EAP exchange is protected also on the air interface.
Fig. 4 shows a protocol architecture for the EAP-based secondary authentication, between the NG-UPF and the NG-UE with the NG-UPF as EAP authenticator, as described with reference to Fig. 3. The architecture shown in Fig. 4 is similar to the architecture of LTE regarding the transport of the UP traffic between the UE and the PDN-GW. The greyed boxes highlight the additional protocol layers required to provide the above described EAP-based secondary authentication.
An embodiment with a protocol architecture for EAP-based secondary authentication with NG-UPF as EAP server is presented with reference to Fig. 5.
In this embodiment the NG-UPF terminates the EAP exchange and takes the role of a complete EAP server. The message flow for this embodiment is thus similar to that of Fig. 3, except that in step 5 an external AAA server is not contacted.
A mechanism for additional or secondary authentication in NG systems between the NG-UE and the NG-UPF terminating the UP traffic within the core network and possibly interacting with an external AAA server has been presented. The NG-UPF corresponds to the PDN-GW in LTE. The mechanism is based on EAP over IP over UP traffic such that the NG-UPF takes the EAP authenticator role or the EAP server role.
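The step 5 exchange of Fig. 3, plus the Fig. 5 variant in which the NG-UPF terminates EAP itself, as an added Python model that is not part of the patent. It assumes: EAP packets use the RFC 3748 header layout, the PANA/IP transport is reduced to a function call, EAP-MD5 stands in for a real method only because it is the simplest one in RFC 3748 (it derives no keys; a deployment would use one of the methods the text lists), and the identities and shared secrets are constructed. The limited UP session is upgraded to full access only on EAP-Success.

```python
import hashlib
import hmac
import os
import struct

# RFC 3748 codes and method types (EAP-MD5 is shown only as the simplest method)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4

def eap_pack(code, ident, eap_type=None, data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    """Decode into (code, identifier, type_or_None, type_data); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return code, ident, pkt[4], pkt[5:]

def md5_response(ident, secret, challenge):
    # EAP-MD5 value per RFC 3748 section 5.4: MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class CredentialStore:
    """External AAA server answering the verification request (steps 160/170);
    in the Fig. 5 embodiment the UPF holds such a store itself."""

    def __init__(self, credentials):
        self.credentials = credentials  # identity -> shared secret (constructed)

    def verify(self, identity, ident, challenge, value):
        secret = self.credentials.get(identity)
        if secret is None:
            return False
        return hmac.compare_digest(md5_response(ident, secret, challenge), value)

class UPF:
    """NG-UPF as EAP authenticator (Fig. 3, external backend) or EAP server
    (Fig. 5, local credentials). The UP session starts limited; only EAP-Success upgrades it."""

    def __init__(self, backend=None, local_credentials=None):
        self.backend = backend or CredentialStore(local_credentials or {})
        self.session = "limited"
        self.ident = 0  # Identifier of the outstanding Request
        self.identity = self.challenge = None

    def start(self):
        self.ident = 1
        return eap_pack(EAP_REQUEST, self.ident, TYPE_IDENTITY)

    def handle(self, pkt):
        code, ident, typ, data = eap_unpack(pkt)
        if code != EAP_RESPONSE or ident != self.ident:
            return eap_pack(EAP_FAILURE, self.ident)  # stale or replayed Identifier
        if typ == TYPE_IDENTITY:
            self.identity = data.decode("utf-8", "replace")
            self.challenge = os.urandom(16)
            self.ident += 1
            return eap_pack(EAP_REQUEST, self.ident, TYPE_MD5_CHALLENGE,
                            bytes([len(self.challenge)]) + self.challenge)
        if typ == TYPE_MD5_CHALLENGE and self.challenge is not None and data:
            value = data[1:1 + data[0]]  # Value-Size octet, then Value
            ok = self.backend.verify(self.identity, ident, self.challenge, value)
            self.challenge = None
            if ok:
                self.session = "full"  # full access to the data network
                return eap_pack(EAP_SUCCESS, self.ident)
        return eap_pack(EAP_FAILURE, self.ident)

class UE:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, pkt):
        # Answer a Request received over the UP session (PANA/IP transport abstracted)
        code, ident, typ, data = eap_unpack(pkt)
        if typ == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if typ == TYPE_MD5_CHALLENGE and data:
            value = md5_response(ident, self.secret, data[1:1 + data[0]])
            return eap_pack(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE, bytes([len(value)]) + value)
        return eap_pack(EAP_RESPONSE, ident, TYPE_NAK, bytes([TYPE_MD5_CHALLENGE]))

def run_secondary_auth(ue, upf, max_rounds=4):
    """Drive step 5 of Fig. 3; return the final session state and the EAP codes seen."""
    codes = []
    pkt = upf.start()
    for _ in range(max_rounds):
        codes.append(eap_unpack(pkt)[0])
        if codes[-1] in (EAP_SUCCESS, EAP_FAILURE):
            break
        pkt = upf.handle(ue.respond(pkt))
    return upf.session, codes
```

A wrong secret, an unknown identity, or a replayed Response all leave the session limited, which is the gating property the text relies on.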
A communication network 4, wherein embodiments described herein can be implemented is presented in Fig. 1. A user equipment (UE) 1 is wirelessly connectable to a base station (BS) 2. The BS 2 is connected to a core network (CN) 3.
A method, according to an embodiment, for secondary authentication in a network is presented with reference to Fig. 6A. The method is performed by a next generation (NG) user equipment (UE), and comprises establishing 110 a user plane (UP) session or connection with a NG-UP function (UPF), receiving 130 an extensible authentication protocol (EAP) based authentication request from the NG-UPF, and sending 140 an EAP based authentication response to the NG-UPF.
The method may further comprise establishing 100 a primary authentication with a NG SEAF.
The method may further comprise receiving an EAP based authentication result from the UPF.
A method, according to an embodiment, for secondary authentication in a core network is presented with reference to Fig. 6B. The method is performed by a next generation (NG) user plane (UP) function (UPF), and comprises establishing 110 a user plane (UP) session or connection with a NG user equipment (UE), sending 120 an extensible authentication protocol (EAP) based authentication request to the NG UE, and receiving 150 an EAP based authentication response from the NG UE.
The method may further comprise sending 160 a verification request of the received EAP based authentication response to an authentication, authorization, and accounting (AAA) server, and receiving 170 a verification response from the AAA server.
The method may further comprise sending an authentication result to the UE, wherein the authentication is based on the verification response from the AAA server.
A NG UE, according to an embodiment, for operation in a network is presented with reference to Fig. 7. The NG UE 1 comprises a processor 10, and a computer program product 12,13. The computer program product stores instructions that, when executed by the processor, causes the NG UE to establish 110 a UP session or connection with a NG-UPF, receive 130 an EAP based authentication request from the NG-UPF, and to send 140 an EAP based authentication response to the NG-UPF.
A NG-UPF according to an embodiment, operative in a core network is presented with reference to Fig. 8. The NG-UPF comprises a processor 10, and a computer program product 12,13 storing instructions that, when executed by the processor, causes the NG-UPF to establish 110 a UP session or connection to a NG UE, send 120 an EAP based authentication request to the NG UE, and to receive 150 an EAP based authentication response from the NG UE.
A NG UE, according to an embodiment, for operation in a network, is presented with reference to Fig. 9. The NG UE comprises a communication manager 61 for establishing 110 a UP session or connection with a NG-UPF, receiving 130 an EAP based authentication request from the NG-UPF, and for sending 140 an EAP based authentication response to the NG-UPF.
A NG-UPF, according to an embodiment, operative in a network is presented with reference to Fig. 10. The NG-UPF comprises a communication manager 71 for establishing 110 a UP session or connection with a NG UE, sending 120 an EAP based authentication request to the NG UE, and for receiving 150 an EAP based authentication response from the NG UE.
A computer program 14,15, according to an embodiment, for secondary authentication in a network is presented. The computer program comprises computer program code which, when run on a NG UE, causes the NG UE to establish 110 a UP session or connection with a NG-UPF, receive 130 an EAP based authentication request from the NG-UPF, and to send 140 an EAP based authentication response to the NG-UPF.
A computer program 14,15, according to an embodiment, for secondary authentication in a network is presented. The computer program comprises computer program code which, when run on a NG-UPF, causes the NG-UPF to establish 110 a UP session or connection with a NG UE, send 120 an EAP based authentication request to the NG UE, and to receive 150 an EAP based authentication response from the NG UE.
A computer program product 12,13, according to an embodiment, is presented. The computer program product comprises a computer program 14,15 as presented above and a computer readable storage means on which the computer program 14,15 is stored.
Fig. 7 is a schematic diagram showing some components of the NG UE 1. A processor 10 may be provided using any combination of one or more of a suitable central processing unit, CPU, multiprocessor, microcontroller, digital signal processor, DSP, application specific integrated circuit etc., capable of executing software instructions of a computer program 14 stored in a memory. The memory can thus be considered to be or form part of the computer program product 12. The processor 10 may be configured to execute methods described herein with reference to Figs. 12 and 13.
The memory may be any combination of read and write memory and read only memory, ROM. The memory may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
A second computer program product 13 in the form of a data memory may also be provided, e.g. for reading and/or storing data during execution of software instructions in the processor 10. The data memory can be any combination of read and write memory and read only memory, ROM, and may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory. The data memory may e.g. hold other software instructions 15, to improve functionality for the NG UE 1.
The NG UE 1 may further comprise an input/output, I/O, interface 11 including e.g. a user interface. The NG UE 1 may further comprise a receiver configured to receive signalling from other nodes, and a transmitter configured to transmit signalling to other nodes (not illustrated). Other components of the NG UE 1 are omitted in order not to obscure the concepts presented herein.
Fig. 9 is a schematic diagram showing functional blocks of the NG UE 1. The modules may be implemented as only software instructions such as a computer program executing in the cache server or only hardware, such as application specific integrated circuits, field programmable gate arrays, discrete logical components, transceivers, etc. or as a combination thereof. In an alternative embodiment, some of the functional blocks may be implemented by software and other by hardware. The modules correspond to the steps in the method illustrated in Fig. 6A, comprising a communication manager unit 61 and a determination module unit 60. In the embodiments where one or more of the modules are implemented by a computer program, it shall be understood that these modules do not necessarily correspond to process modules, but can be written as instructions according to a programming language in which they would be implemented, since some programming languages do not typically contain process modules.
The communication manager 61 is for operation in a network. This module corresponds to the establish UP step 110, the receive request step 130 and the send response step 140 of Fig. 6A. This module can e.g. be implemented by the processor 10 of Fig. 7, when running the computer program.
The determination manager 60 is for operation in a network. This module corresponds to the primary authentication step 100 of Fig. 6A. This module can e.g. be implemented by the processor 10 of Fig. 7, when running the computer program.
Fig. 8 is a schematic diagram showing some components of the NG-UPF 3. A processor 10 may be provided using any combination of one or more of a suitable central processing unit, CPU, multiprocessor, microcontroller, digital signal processor, DSP, application specific integrated circuit etc., capable of executing software instructions of a computer program 14 stored in a memory. The memory can thus be considered to be or form part of the computer program product 12. The processor 10 may be configured to execute methods described herein with reference to Fig. 6B.
The memory may be any combination of read and write memory, RAM, and read only memory, ROM. The memory may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
A second computer program product 13 in the form of a data memory may also be provided, e.g. for reading and/or storing data during execution of software instructions in the processor 10. The data memory can be any combination of read and write memory, RAM, and read only memory, ROM, and may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory. The data memory may e.g. hold other software instructions 15, to improve functionality for the NG-UPF 3.
The NG-UPF 3 may further comprise an input/output, I/O, interface 11 including e.g. a user interface. The NG-UPF 3 may further comprise a receiver configured to receive signalling from other nodes, and a transmitter configured to transmit signalling to other nodes (not illustrated). Other components of the NG-UPF 3 are omitted in order not to obscure the concepts presented herein.
Fig. 10 is a schematic diagram showing functional blocks of the NG-UPF 3. The modules may be implemented as only software instructions such as a computer program executing in the cache server or only hardware, such as application specific integrated circuits, field programmable gate arrays, discrete logical components, transceivers, etc. or as a combination thereof. In an alternative embodiment, some of the functional blocks may be implemented by software and other by hardware. The modules correspond to the steps in the methods illustrated in Fig. 6B, comprising a communication manager unit 71 and a determination manager unit 70. In the embodiments where one or more of the modules are implemented by a computer program, it shall be understood that these modules do not necessarily correspond to process modules, but can be written as instructions according to a programming language in which they would be implemented, since some programming languages do not typically contain process modules.
The communication manager 71 is for operation in a core network. This module corresponds to the establish UP step 110, the send request step 120, and the receive response step 150 of Fig. 6B. This module can e.g. be implemented by the processor 10 of Fig. 8, when running the computer program.
The determination manager unit 70 is for operation in a core network. This module corresponds to the verification request step 160 and the verification response step 170 of Fig. 6B. This module can e.g. be implemented by the processor 10 of Fig. 8, when running the computer program.
The inventive concept has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the inventive concept, as defined by the appended patent claims.
The following are certain enumerated embodiments further illustrating various aspects of the disclosed subject matter.
1. A method for secondary authentication in a network, performed by a next generation (NG) user equipment (UE), the method comprising:
establishing (110) a user plane (UP) session or connection with a NG-UP function (UPF);
receiving (130) an extensible authentication protocol (EAP) based authentication request from the UP NG-UPF; and sending (140) an EAP based authentication response to the UP NG-UPF.
2. The method according to item 1, further comprising:
establishing (100) a primary authentication with a NG- security anchor function (SEAF).
3. A method for secondary authentication in a network, performed by a next generation (NG)-user plane UP function (UPF), the method comprising:
establishing (110) a UP session or connection to a NG-user equipment (UE);
sending (120) an extensible authentication protocol (EAP) based authentication request to the NG UE; and receiving (150) an EAP based authentication response from the NG UE.
4. The method according to item 3, further comprising:
sending (160) a verification request of the received EAP based authentication response to an authentication, authorization, and accounting (AAA) server; and receiving (170) a verification response from the AAA server.
5. A next generation (NG) user equipment (UE) for operation in a network, the NG UE comprising:
a processor (10); and a computer program product (12,13) storing instructions that, when executed by the processor, causes the NG UE to:
establish (110) a user plane (UP) session or connection with a NG-UP function (UPF);
receive (130) an extensible authentication protocol (EAP) based authentication request from the NG-UPF; and send (140) an EAP based authentication response to the NG-UPF.
6. The NG user equipment (UE) according to item 5, the NG UE further caused to:
establish (100) a primary authentication with a NG security anchor function (SEAF).
7. A next generation (NG)-user plane (UP) function (UPF) operative in a network, the NG-UPF comprising:
a processor (10); and a computer program product (12,13) storing instructions that, when executed by the processor, causes the NG-UPF to:
establish (110) a UP session or connection with a NG-user equipment (UE);
send (120) an extensible authentication protocol (EAP) based authentication request to the NG UE; and receive (150) an EAP based authentication response from the NG UE.
8. The NG user plane (UP) function (UPF) according to item 7, the NG-UPF further caused to:
send (160) a verification request of the received EAP based authentication response to an authentication, authorization, and accounting (AAA) server; and receive (170) a verification response from the AAA server.
9. A next generation (NG) user equipment (UE) for operation in a network, the NG UE comprising:
a communication manager (61) for establishing (110) a user plane (UP) session or connection with a NG-UP function (UPF), receiving (130) an extensible authentication protocol (EAP) based authentication request from the NG-UPF, and sending (140) an EAP based authentication response to the NG-UPF.
10. A next generation (NG)-user plane (UP) function (UPF) operative in a network, the NG-UPF comprising:
a communication manager (71) for establishing (110) a user plane (UP) session or connection with a NG user equipment (UE), sending (120) an extensible authentication protocol (EAP) based authentication request to the NG UE, and receiving (150) an EAP based authentication response from the NG UE.
11. A computer program (14,15) for secondary authentication in a network, the computer program comprising computer program code which, when run on a next generation (NG) user equipment (UE), causes the NG UE to:
establish (110) a user plane (UP) session or connection with a NG-UP function (UPF);
receive (130) an extensible authentication protocol (EAP) based authentication request from the NG-UPF; and send (140) an EAP based authentication response to the NG-UPF.
12. A computer program (14,15) for secondary authentication in a network, the computer program comprising computer program code which, when run on a next generation (NG) user plane (UP) function (UPF), causes the NG-UPF to:
establish (110) a user plane (UP) session or connection to a NG user equipment (UE);
send (120) an extensible authentication protocol (EAP) based authentication request to the NG UE; and receive (150) an EAP based authentication response from the NG UE.
13. A computer program product (12,13) comprising a computer program (14,15) according to any one of items 11 to 12 and a computer readable storage means on which the computer program (14,15) is stored.
Claims (10)
1. A method for secondary authentication in a network, performed by a user equipment (UE), the method comprising:
establishing a primary authentication with a security anchor function (SEAF);
establishing a user plane (UP) session or connection with or via a UP function (UPF);
receiving an extensible authentication protocol (EAP) based authentication request via the UPF;
sending an EAP based authentication response to the UPF; and receiving an EAP based authentication result via the UPF, the EAP based authentication result based on a verification response from an external authentication, authorization, and accounting (AAA) server.
2. The method according to claim 1, wherein the user equipment (UE) is a next generation (NG) UE.
3. The method according to claim 1, wherein the user plane function (UPF) is a next generation (NG) UPF.
4. The method according to claim 1, wherein the SEAF is further connected to an authentication server function (AUSF).
5. A method for secondary authentication in a network, performed by a user plane UP function (UPF), the method comprising:
establishing a UP session or connection to a user equipment (UE);
sending an extensible authentication protocol (EAP) based authentication request to the UE;
receiving an EAP based authentication response from the UE;
sending a verification request of the received EAP based authentication response to an external authentication, authorization, and accounting (AAA) server;
receiving a verification response from the external AAA server; and sending an authentication result to the UE, wherein the authentication result is based on the verification response from the external AAA server.
6. The method according to claim 5, wherein the user equipment (UE) is a next generation (NG) user equipment (UE).
7. The method according to claim 5, wherein the user plane function (UPF) is a next generation (NG) UPF.
8. A user equipment (UE) for operation in a network, the UE comprising:
a processor; and a computer program product storing instructions that, when executed by the processor, causes the UE to:
establish a primary authentication with a security anchor function (SEAF);
establish a user plane (UP) session or connection with or via a UP function (UPF);
receive an extensible authentication protocol (EAP) based authentication request via the UPF;
send an EAP based authentication response to the UPF; and receive an EAP based authentication result via the UPF, the EAP based authentication result based on a verification response from an external authentication, authorization, and accounting (AAA) server.
9. The user equipment (UE) according to claim 8, wherein the UE is a next generation (NG) UE.
10. The user equipment (UE) according to claim 8, wherein the UPF is a next generation (NG) UPF.
11. The user equipment (UE) according to claim 8, wherein the SEAF is further connected to an authentication server function (AUSF).
12. A user plane (UP) function (UPF) operative in a network, the UPF comprising:
a processor; and a computer program product storing instructions that, when executed by the processor, causes the UPF to:
establish a UP session or connection with a user equipment (UE);
send an extensible authentication protocol (EAP) based authentication request to the UE;
receive an EAP based authentication response from the UE;
send a verification request of the received EAP based authentication response to an external authentication, authorization, and accounting (AAA) server;
receive a verification response from the external AAA server; and send an authentication result to the UE, wherein the authentication result is based on the verification response from the external AAA server.
13. The user plane (UP) function (UPF) according to claim 12, wherein the UPF is a next generation (NG) UPF.
14. The user plane (UP) function (UPF) according to claim 12, wherein the UE is a next generation (NG) UE.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US62/415,006 | 2016-10-31 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| OA19340A true OA19340A (en) | 2020-06-29 |