WO2019062384A1 - Method and device for public network user accessing private network - Google Patents
Method and device for public network user accessing private network
- Publication number
- WO2019062384A1 (PCT/CN2018/101519)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- authentication
- public network
- element device
- user terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/106—Mapping addresses of different types across networks, e.g. mapping telephone numbers to data network addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1073—Registration or de-registration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1101—Session protocols
- H04L65/1104—Session initiation protocol [SIP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- The present invention relates to the field of mobile communications technologies, and in particular to a method and a device for enabling a public network user to access a private network.
- Some enterprises use the advanced communication mechanism of the 4G (4th Generation Mobile Communication Technology) network to deploy a dedicated 4G wireless network, that is, a 4G private network, for use inside the enterprise.
- A 4G private network is defined relative to the public network: the public network is the public wireless communication network operated by telecom operators, while the private network is a wireless network built by an enterprise, generally in areas not covered by the public network, such as the wireless communication systems that industrial and mining enterprises establish in mines or tunnels.
- A private network user in a 4G private network environment needs a subscriber identity card (SIM card) specific to the private network in order to communicate, inside the 4G private network coverage area, with other private network users in the 4G private network environment.
- Because the 4G private network base station and the public network base station use the same wireless communication mechanism, the 4G private network base station can receive the access request of a public network user inside the 4G private network coverage area and report it to the network side of the private network.
- However, the network side device of the private network cannot know the identity information and the authentication key of the public network user, so the private network side cannot determine whether the public network user has a legal identity and therefore prohibits public network users from accessing the 4G private network. As a result, when a public network user moves from public network coverage into private network coverage, the SIM card needs to be replaced with a SIM card specific to the private network, and sometimes the terminal needs to be replaced with a terminal device customized for the private network.
- The embodiments of the present invention provide a method and a device for enabling a public network user to access a private network, which solve the prior-art problem that a public network user cannot access a 4G private network.
- A method for enabling a public network user to access a private network includes:
- the first network element device in the core network of the private network receives the access request sent by the public network user terminal in the private network coverage area, where the access request includes the identity identification information of the public network user terminal;
- the first network element device performs access authentication on the public network user terminal based on the pre-stored public network user information and, after determining that the access authentication is passed, sends to the second network element device in the public network core network an authentication request carrying the identity identification information, where the authentication request instructs the second network element device to authenticate the public network user terminal using the pre-stored user authentication information corresponding to the identity identification information;
- the first network element device receives the authentication success response sent by the second network element device after the authentication succeeds, and sends the authentication success response to the public network user terminal through the private network base station.
- The first network element device performing access authentication on the public network user terminal according to the pre-stored public network user information includes:
- if the first network element device determines that the public network user information corresponding to the identity identification information is pre-stored, the first network element device determines that the public network user terminal passes the access authentication.
- The first network element device sending an authentication request that carries the identity identification information to the second network element device in the core network of the public network includes:
- the first network element device replaces the address information of the private network base station carried in the access request sent by the private network base station with the preset address information, and uses the access request with the replaced address information as the authentication request;
- the first network element device sends the authentication request to the second network element device in the public network core network through a standard protocol interface pre-agreed with the second network element device.
- The method further includes:
- the first network element device establishes a mapping relationship between the identity identification information and the address information of the private network base station;
- The first network element device sending the authentication success response to the public network user terminal through the private network base station includes:
- the first network element device acquires the identity identification information carried in the authentication success response;
- the first network element device sends the authentication success response to the public network user terminal through the private network base station according to the obtained address information of the private network base station.
- A method for enabling a public network user to access a private network includes:
- the second network element device in the core network of the public network receives the authentication request sent by the first network element device in the core network of the private network, where the authentication request includes the identity identification information of the public network user terminal that is in the coverage of the private network, and the authentication request is sent after the first network element device has performed access authentication on the public network user terminal based on the pre-stored public network user information and determined that the access authentication is passed;
- the second network element device authenticates the public network user terminal based on the user authentication information corresponding to the identity identification information and, after the authentication succeeds, sends an authentication success response to the first network element device.
- A device for enabling a public network user to access a private network includes:
- a receiving unit configured to receive an access request sent by a public network user terminal in a private network coverage area, where the access request includes identity identification information of the public network user terminal;
- a first processing unit configured to perform access authentication on the public network user terminal based on the pre-stored public network user information and, after determining that the access authentication is passed, send to the second network element device in the public network core network an authentication request carrying the identity identification information, where the authentication request instructs the second network element device to authenticate the public network user terminal using the pre-stored user authentication information corresponding to the identity identification information;
- a second processing unit configured to receive an authentication success response sent by the second network element device after the authentication succeeds, and send the authentication success response to the public network user terminal through the private network base station.
- the first processing unit when performing the access authentication on the public network user terminal based on the pre-stored public network user information, is configured to:
- the public network user terminal is determined to pass the access authentication.
- the first processing unit is configured to:
- the device further includes an establishing unit, where the establishing unit is configured to: before replacing the address information of the private network base station with the preset address information, perform the following operations:
- the second processing unit is configured to:
- A device for enabling a public network user to access a private network includes:
- a receiving unit configured to receive an authentication request sent by a first network element device in a private network core network, where the authentication request includes identity identification information of a public network user terminal that is in a private network coverage area, and the authentication request is sent after the first network element device has performed access authentication on the public network user terminal based on the pre-stored public network user information and determined that the access authentication is passed;
- an authentication unit configured to authenticate the public network user terminal based on the user authentication information corresponding to the identity identification information, and send an authentication success response to the first network element device after the authentication succeeds.
- In a fifth aspect, an electronic device comprises one or more processors and one or more computer readable media, where the readable medium stores a program for enabling a public network user to access a private network, and the steps of the method of any of the second aspects are carried out when the program is executed by the one or more processors.
- A computer readable medium stores a program for enabling a public network user to access a private network, where the program, when executed by one or more processors, causes the processor to execute the method of any of the second aspects.
- In a seventh aspect, an electronic device comprises one or more processors and one or more computer readable media, where the readable medium stores a program for enabling a public network user to access a private network, and the steps of the method described in the third aspect are implemented when the program is executed by the one or more processors.
- A computer readable medium stores a program for enabling a public network user to access a private network, where the program, when executed by one or more processors, causes the processor to execute the method described in the third aspect.
- Public network user information is pre-stored in the first network element device in the private network core network; after the access request sent by a public network user terminal in the coverage of the private network is received through the private network base station, access authentication can be performed on the public network user terminal according to the pre-stored public network user information.
- The identity identification information of the public network user terminal may then be reported to the second network element device in the core network of the public network, and the second network element device authenticates the public network user terminal based on the pre-stored user authentication information corresponding to the identity identification information.
- In this way, the access authentication of the public network user terminal is completed in the first network element device of the private network core network, the authentication of the public network user terminal is completed in the second network element device of the public network core network, and the result of the authentication is notified to the first network element device, so that the private network can complete the access and authentication of the public network user terminal and the public network user does not need to replace the SIM card.
- FIG. 1 is a schematic diagram of interaction between a private network side network element device and a public network side network element device according to an embodiment of the present disclosure
- FIG. 2 is a schematic diagram of different functions implemented by a base station proxy module in a private network and a public network according to an embodiment of the present application;
- FIG. 3 is a flowchart of a method for implementing a public network user access private network according to an embodiment of the present disclosure
- FIG. 4 is a schematic diagram of a scenario in which a public network user terminal completes network access and authentication according to an embodiment of the present disclosure
- FIG. 5 is a schematic diagram 1 of an implementation device for accessing a private network by a public network user according to an embodiment of the present disclosure
- FIG. 6 is a schematic diagram 2 of an implementation device for accessing a private network by a public network user according to an embodiment of the present disclosure
- FIG. 7 is a schematic diagram 3 of an implementation device for accessing a private network by a public network user according to an embodiment of the present disclosure.
- The present application proposes a method and a device for enabling a public network user to access a private network, so that a public network user terminal fitted with a SIM card issued on the public network can be used not only in the public network but also in the private network without replacing the SIM card. If the public network user terminal is to be used inside the private network, it first needs to complete the access and authentication process in the private network.
- Therefore, in the embodiment of the present application, the first network element device in the Evolved Packet Core (EPC) network of the private network LTE system is improved so that it can perform access authentication on the public network user terminal requesting access, and the second network element device in the EPC network of the public network LTE system is improved so that the private network EPC network and the public network EPC network can be connected. The second network element device in the public network EPC network then completes the authentication of the public network user terminal requesting access, so that the public network user terminal is successfully registered and used in the private network.
- FIG. 1 is a schematic diagram of the interaction between a private network side network element device and a public network side network element device provided by an embodiment of the present application.
- The private network EPC network side includes a first network element device, the public network EPC network side includes a second network element device, the private network IP Multimedia Subsystem (IMS) network side includes a third network element device, and the public network IMS network side includes a fourth network element device.
- The following describes the interaction process between the first network element device on the EPC network side of the private network and the second network element device on the EPC network side of the public network.
- The first network element device may be configured to: receive, through a private network base station, an access request sent by a public network user terminal in a private network coverage area, where the access request includes identity identification information of the public network user terminal; perform access authentication on the public network user terminal based on pre-stored public network user information; after determining that the access authentication is passed, send an authentication request carrying the identity identification information to the second network element device; and, after receiving the authentication success response sent by the second network element device, send the authentication success response to the public network user terminal through the private network base station.
- The second network element device may be configured to: after receiving the authentication request, authenticate the public network user terminal based on the pre-stored user authentication information corresponding to the identity identification information; and, after the authentication succeeds, send an authentication success response to the first network element device.
- The first network element device may include a first mobility management entity (MME), a first home subscriber server (HSS), a base station proxy module, and the like; the second network element device may include a second MME, a second HSS, and the like.
- The first MME can interact with the first HSS to implement access authentication for the public network user terminal requesting access to the private network.
- The first MME in the first network element device may be used to report the identity identification information of the public network user terminal that requests access to the private network to the first HSS, where the first HSS pre-stores the specified public network user information allowed to access the private network, which is used for access authentication of the public network user terminal requesting access to the private network.
- The identity identification information of the public network user terminal may be the International Mobile Subscriber Identity (IMSI) information stored in the SIM card used by the public network user terminal.
- The base station proxy module is mainly used to communicate with the second network element device on the public network EPC network side through a standard protocol interface that is open to the public network EPC network side. It can be deployed in the first MME or as a separate network element device in the EPC network, without affecting the implementation of its functions.
- FIG. 2 shows the different functions implemented by the base station proxy module in the private network and the public network.
- The base station proxy module may establish a mapping relationship between the identity identification information of the public network user terminal and the address information of the private network base station, so that the response information fed back by the second network element device for the public network user terminal is sent to the public network user terminal through the private network base station having the mapping relationship.
- The mapping relationship may specifically be a mapping between the IMSI information of the public network user terminal and the Internet Protocol address (IP address) information of the private network base station.
- The base station proxy module can be regarded as a public network base station that, once the standard protocol interface is opened, establishes a communication connection with the second network element device and is used to report related information of the public network user terminal to the second network element device.
- The standard protocol interface opened between the first network element device and the second network element device may be an S1 interface, and the communication connection established between the second network element device and the base station proxy module may be a Stream Control Transmission Protocol (SCTP) link. In a specific implementation, other standard protocol interfaces may be opened according to actual needs, or communication connections under different transmission protocols may be established; this is not limited in this application.
- The base station proxy module may obtain the authentication result information produced by the interaction between the first MME and the first HSS and, after determining that the public network user terminal has passed access authentication, replace the address information of the private network base station carried in the access request sent by the private network base station with its own address information, use the access request with the replaced address as an authentication request, and send it to the second network element device through the open S1 interface over the established communication connection, so that the second network element device completes the authentication of the public network user terminal.
- According to the established mapping relationship between the identity identification information of the public network user terminal and the address information of the private network base station, the base station proxy module may replace the destination address information carried in the authentication success response, that is, the address information of the base station proxy module, with the address information of the private network base station corresponding to the identity identification information, and send the authentication success response with the replaced address to the private network base station, which then forwards it to the public network user terminal.
- The interaction process between the third network element device on the private network IMS network side and the fourth network element device on the public network IMS network side is introduced below.
- The third network element device on the IMS network side of the private network and the fourth network element device on the IMS network side of the public network can be interconnected through a standard protocol interface, the Session Initiation Protocol (SIP) interface.
- The public network user terminal may further send an IMS network registration request to the third network element device through the private network base station and the first network element device.
- The third network element device can also send the IMS network registration request to the fourth network element device through the SIP interface, so that the fourth network element device successfully registers the public network user terminal to the IMS network on the public network side.
- The embodiment of the present application further provides a method for enabling a public network user to access a private network. As shown in FIG. 3, the method includes the following steps:
- Step 301: The first network element device in the private network core network receives, through the private network base station, an access request sent by the public network user terminal in the private network coverage area, where the access request includes the identity identification information of the public network user terminal.
- The first MME in the first network element device receives the access request that is sent by the public network user terminal in the private network coverage area and carries the identity identification information of the public network user terminal, and reports the access request to the first HSS in the first network element device; the first HSS performs access authentication on the public network user terminal.
- The specified public network user information allowed to access the private network may be pre-stored in the first HSS.
- Step 302: The first network element device performs access authentication on the public network user terminal based on the pre-stored public network user information and, after determining that the access authentication is passed, sends an authentication request carrying the identity identification information to the second network element device in the public network core network.
- The access authentication of the public network user terminal may be performed by the first HSS based on the pre-stored public network user information. If it is determined that the public network user information corresponding to the identity identification information is pre-stored locally, the public network user terminal is determined to pass the access authentication; if it is determined that the public network user information corresponding to the identity identification information is not pre-stored locally, the public network user terminal is determined not to pass the access authentication. After the first HSS performs the access authentication, the first MME may send the authentication result information to the base station proxy module, where the authentication result information indicates whether the public network user terminal having the identity identification information passes the access authentication.
- The base station proxy module may determine, according to the authentication result information, whether the public network user terminal passes the access authentication and, after determining that the access authentication is passed, send an authentication request carrying the identity identification information to the second network element device in the core network of the public network.
- Because the private network side cannot authenticate the public network user terminal, in the embodiment of the present application the private network EPC network and the public network EPC network can be interconnected through the open standard protocol interface, the S1 interface, and the second network element device in the public network EPC network then completes the authentication of the public network user terminal.
- The base station proxy module sending the authentication request that carries the identity identification information to the second network element device in the public network core network may include: the base station proxy module replaces the address information of the private network base station carried in the access request sent by the private network base station with the preset address information, uses the access request with the replaced address information as the authentication request, and sends the authentication request to the second network element device in the public network core network through the standard protocol interface pre-agreed with the second network element device.
- Before replacing the address information of the private network base station with the preset address information, the base station proxy module may further establish a mapping relationship between the identity identification information and the address information of the private network base station, so that when information carrying the identity identification information is subsequently received from the second network element device, it is sent, through the private network base station having the mapping relationship with the identity identification information, to the public network user terminal having the identity identification information.
- Step 303: The second network element device authenticates the public network user terminal according to the user authentication information corresponding to the identity identification information and, after the authentication succeeds, sends an authentication success response to the first network element device.
- The second MME in the second network element device may receive the authentication request that is sent by the base station proxy module and carries the identity identification information, and forward the received authentication request to the second HSS.
- The second HSS in the public network EPC network pre-stores the user authentication information of the public network user, so the second HSS may authenticate the public network user terminal based on the pre-stored user authentication information corresponding to the identity identification information; after the authentication is passed, the second MME sends an authentication success response to the base station proxy module of the first network element device. At this point, the authentication of the public network user terminal can be completed.
- The second network element device on the EPC network side of the public network may carry network authentication information in the authentication success response, so that after receiving the authentication success response the public network user terminal can use the network authentication information to authenticate the network side.
- The specific authentication process between the network side and the user side can refer to the prior art and is not described in detail in this application.
- Step 304: The first network element device receives the authentication success response sent by the second network element device after the authentication succeeds, and sends the authentication success response to the public network user terminal through the private network base station.
- The first network element device sending the authentication success response to the public network user terminal through the private network base station may include: the base station proxy module acquires the identity identification information carried in the authentication success response; obtains, according to the mapping relationship between the identity identification information and the address information of the private network base station, the address information of the private network base station corresponding to the identity identification information; and, according to the obtained address information of the private network base station, sends the authentication success response to the public network user terminal through the private network base station.
- the access authentication of the public network user terminal is completed in the first network element device of the private network core network
- the public network is completed in the second network element device of the public network core network.
- the authentication of the user terminal and the result of the authentication are notified to the first network element device, so that the private network can complete the access and authentication of the public network user terminal, thereby enabling the public network user not to replace the SIM card.
- the private network can complete the access and authentication of the public network user terminal, thereby enabling the public network user not to replace the SIM card.
- the numbers 1 to 9 shown in the figure indicate the network access and authentication process of the public network user terminal, specifically:
- the public network user terminal sends an access request carrying the IMSI to the 4G private network base station.
- the 4G private network base station forwards the access request to the first MME in the private network EPC.
- the first MME in the private network EPC sends the IMSI of the public network user terminal to the first HSS, and the first HSS performs access authentication;
- the first HSS determines whether the IMSI of the public network user terminal is stored in advance; if so, it notifies the first MME to allow the public network user terminal to access the private network; otherwise, it notifies the first MME that the public network user terminal is not allowed to access the private network;
- the first MME notifies the base station proxy module of the access authentication result, and the base station proxy module, after determining that the public network user terminal is allowed to access the private network, sends an authentication request carrying the IMSI to the second MME in the operator EPC through the open S1 interface.
- when the base station proxy module sends the authentication request, the source IP address, that is, the IP address of the 4G private network base station, is changed to the IP address of the base station proxy module, so that the private network does not directly access the operator network, which reduces the difficulty of security maintenance of private network equipment.
- to identify which 4G private network base station to use when sending to the public network user terminal, a mapping relationship between the IMSI of the public network user terminal and the IP address of the 4G private network base station is established after the access request forwarded by the 4G private network base station is received.
- the second MME sends the IMSI of the public network user terminal to the second HSS in the carrier network.
- the second HSS authenticates the public network user terminal according to the user authentication information corresponding to the IMSI of the public network user terminal and, if the authentication succeeds, returns to the second MME an authentication success response carrying the network authentication information and the IMSI of the public network user terminal.
- the second MME sends the authentication success response to the base station proxy module.
- the base station proxy module obtains the IMSI carried in the authentication success response, obtains the IP address of the 4G private network base station corresponding to the IMSI based on the established mapping relationship between the IMSI and the IP address of the 4G private network base station, and, according to the obtained IP address, sends the authentication success response to the public network user terminal through the 4G private network base station.
- the public network user terminal can complete the authentication on the network side based on the network authentication information carried in the authentication success response.
- the network access and authentication process of the public network user terminal after being switched from the carrier network to the private network can be completed.
- when the public network user terminal switches back from the private network to the carrier network, it can be used directly in the operator network because the authentication of the public network user terminal has already been completed in the carrier network.
- the second MME in the carrier network can also register relevant information about the public network user terminal for implementing 2G and 3G communication into the operator Mobile Switching Center (MSC).
- the operator MSC may send a registration success response to the second MME after the registration is successful.
- the second MME returns a registration success response to the public network user terminal through the private network base station proxy module and the 4G private network base station.
- the registration process of the IMS service may also be initiated to the IMS network of the private network, including:
- the public network user terminal sends an IMS network registration request to the private network IMS network side through the 4G private network base station and the private network EPC.
- the private network EPC and the 4G private network base station can send a registration success response to the public network user terminal.
- the private network IMS network side can forward the IMS network registration request to the IMS network in the operator through an open SIP interface.
- the IMS network side of the operator feeds back the registration success response to the private network IMS network side.
- the public network user terminal can perform arbitrary handover in the private network and the operator network without affecting normal communication. Moreover, the public network user terminal can communicate with the public network user terminal in the operator network even if it is within the coverage of the private network.
- an implementation device for public network user access to a private network (for example, a first network element device of a private network core network)
- the receiving unit 50 is configured to receive the access request sent by the public network user terminal through the private network base station, where the access request includes the identity identification information of the public network user terminal;
- the first processing unit 51 is configured to perform access authentication on the public network user terminal based on the pre-stored public network user information and, after determining that the access authentication is passed, to send an authentication request carrying the identity identification information to the second network element device in the public network core network, where the authentication request is used to instruct the second network element device to authenticate the public network user terminal based on the pre-stored user authentication information corresponding to the identity identification information;
- the second processing unit 52 is configured to receive an authentication success response sent by the second network element device after the authentication succeeds, and send the authentication success response to the public network user terminal by using the private network base station.
- the first processing unit 51 when performing the access authentication on the public network user terminal based on the pre-stored public network user information, is configured to:
- the public network user terminal is determined to pass the access authentication.
- the first processing unit 51 is configured to:
- the device further includes an establishing unit 53, where the establishing unit 53 is configured to perform the following operations before replacing the address information of the private network base station with the preset address information:
- the second processing unit 52 is configured to:
- a device for implementing public network user access to a private network (for example, a second network element device of a public network core network) is provided, and at least includes a receiving unit 60 and an authentication unit 61, wherein
- the receiving unit 60 is configured to receive an authentication request sent by the first network element device in the private network core network, where the authentication request includes the identity identification information of the public network user terminal that is in the coverage of the private network, and the authentication request is sent by the first network element device after it performs access authentication on the public network user terminal based on the pre-stored public network user information and determines that the access authentication is passed;
- the authentication unit 61 is configured to authenticate the public network user terminal based on the user authentication information corresponding to the identity identification information and, after the authentication succeeds, to send an authentication success response to the first network element device.
- an embodiment of the present application further provides an implementation device for public network user access to a private network, that is, an electronic device, including: one or more processors 500; and one or more computer readable media (for example, the memory 520).
- the processor 500 is configured to read a program in the memory 520 and perform the following process:
- the authentication request is used to instruct the second network element device to perform authentication on the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information;
- the transceiver 510 is configured to receive and transmit data under the control of the processor 500.
- performing access authentication on the public network user terminal based on the pre-stored public network user information including:
- the public network user terminal is determined to pass the access authentication.
- sending, to the second network element device in the public network, the authentication request that carries the identity information includes:
- the address information of the private network base station carried in the access request sent by the private network base station is replaced with preset address information, and the access request after replacing the address information is used as the authentication request;
- before the address information of the private network base station is replaced with the preset address information, the method further includes:
- the processor 500 is configured to read a program in the memory 520 and perform the following process:
- the authentication request includes identity identification information of the public network user terminal that is in the coverage of the private network, and the authentication request is sent by the first network element device after it performs access authentication on the public network user terminal based on the pre-stored public network user information and determines that the access authentication is passed;
- the bus architecture may include any number of interconnected buses and bridges, specifically linking together various circuits of one or more processors represented by the processor 500 and of memory represented by the memory 520.
- the bus architecture can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is well known in the art and, therefore, will not be further described herein.
- the bus interface provides an interface.
- Transceiver 510 can be a plurality of components, including a transmitter and a transceiver, providing means for communicating with various other devices on a transmission medium.
- the processor 500 is responsible for managing the bus architecture and general processing, and the memory 520 can store data used by the processor 500 when performing operations.
- the processor 500 can be a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD).
- embodiments of the present application can be provided as a method, system, or computer program product.
- the present application can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment in combination of software and hardware.
- the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction apparatus, and the instruction apparatus implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Description
This application claims priority to Chinese patent application No. 201710884782.3, filed with the Chinese Patent Office on September 26, 2017 and entitled "Method and device for implementing public network user access to a private network", the entire contents of which are incorporated herein by reference.
This application relates to the field of mobile communication technologies, and in particular to a method and device for implementing public network user access to a private network.
As fourth-generation mobile communication technology (4th Generation Mobile Communication Technology, 4G) networks mature, some enterprises use the advanced communication mechanisms of 4G networks to deploy dedicated 4G wireless networks, that is, 4G private networks, for functions such as internal wireless communication. A private network is defined relative to the public network: the public network is the public wireless communication network operated by telecom operators, whereas a private network is a wireless network built by an enterprise itself, generally deployed in areas that the public network does not cover, such as wireless communication systems set up by industrial and mining enterprises in mines or tunnels.
In the prior art, a private network user in a 4G private network environment must use a private-network-specific subscriber identity module (Subscriber Identity Module, SIM card) to communicate, within the 4G private network coverage area, with other private network users in the 4G private network environment. For a public network user who uses a SIM card registered on the public network, when the user is within 4G private network coverage, the 4G private network base station can receive the public network user's access request and report it to the private network side, because 4G private network base stations and public network base stations use the same wireless communication mechanism. However, because the private network side devices cannot obtain the public network user's identity information, authentication key and similar information, the private network side cannot determine whether the public network user has a legitimate identity, and therefore bars the public network user from accessing the 4G private network. Consequently, when a public network user moves from public network coverage into private network coverage, the SIM card must be replaced with a private-network-specific SIM card, and sometimes the terminal device must also be replaced with one customized for the private network.
It can be seen that the prior art has the problem that public network users cannot access a 4G private network.
Summary of the invention
The embodiments of this application provide a method and device for implementing public network user access to a private network, to solve the prior-art problem that public network users cannot access a 4G private network.
The specific technical solutions provided by the embodiments of this application are as follows:
In a first aspect, a method for implementing public network user access to a private network includes:
A first network element device in the private network core network receives an access request sent, through a private network base station, by a public network user terminal located within private network coverage, where the access request contains identity identification information of the public network user terminal;
The first network element device performs access authentication on the public network user terminal based on pre-stored public network user information and, after determining that the access authentication has passed, sends an authentication request carrying the identity identification information to a second network element device in the public network core network, where the authentication request instructs the second network element device to authenticate the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information;
The first network element device receives the authentication success response sent by the second network element device after the authentication succeeds, and sends the authentication success response to the public network user terminal through the private network base station.
Optionally, the first network element device performing access authentication on the public network user terminal based on the pre-stored public network user information includes:
If the first network element device determines that public network user information corresponding to the identity identification information is pre-stored locally, it determines that the public network user terminal passes the access authentication.
Optionally, the first network element device sending the authentication request carrying the identity identification information to the second network element device in the public network core network includes:
The first network element device replaces the address information of the private network base station carried in the access request sent by the private network base station with preset address information, and uses the access request with the replaced address information as the authentication request;
The first network element device sends the authentication request to the second network element device in the public network core network through a standard protocol interface agreed in advance with the second network element device.
Optionally, before the first network element device replaces the address information of the private network base station with the preset address information, the method further includes:
The first network element device establishes a mapping relationship between the identity identification information and the address information of the private network base station;
The first network element device sending the authentication success response to the public network user terminal through the private network base station includes:
The first network element device obtains the identity identification information carried in the authentication success response;
The first network element device obtains, based on the established mapping relationship, the address information of the private network base station corresponding to the identity identification information;
The first network element device sends the authentication success response to the public network user terminal through the private network base station according to the obtained address information of the private network base station.
In a second aspect, a method for implementing public network user access to a private network includes:
A second network element device in the public network core network receives an authentication request sent by a first network element device in the private network core network, where the authentication request contains identity identification information of a public network user terminal located within private network coverage, and the authentication request is sent by the first network element device after it performs access authentication on the public network user terminal based on pre-stored public network user information and determines that the access authentication has passed;
The second network element device authenticates the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information and, after the authentication succeeds, sends an authentication success response to the first network element device.
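The first-aspect and second-aspect methods above, modelled end to end as an added example (this is not code from the application): the private side checks the identity against its pre-stored list, records the identity-to-base-station mapping, replaces the base station address with the preset address, and routes the success response back through the mapping. All class and field names, the IMSIs and the IP addresses are constructed; the operator-side authentication is reduced to a lookup, and the handling of failed authentication and of responses with no recorded mapping is an assumption, since the application describes only the success path.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PROXY_IP = "192.0.2.10"  # constructed value standing in for the "preset address information"


@dataclass(frozen=True)
class Message:
    kind: str                       # "access_request" | "auth_request" | "auth_success"
    imsi: str                       # identity identification information
    src_ip: str                     # address information of the sender
    network_auth_info: bytes = b""  # carried only in the success response


class FirstHSS:
    """Private-network side: access authentication is a lookup of pre-stored identities."""

    def __init__(self, provisioned_imsis):
        self._provisioned = frozenset(provisioned_imsis)

    def access_allowed(self, imsi: str) -> bool:
        return imsi in self._provisioned


class SecondNetworkElement:
    """Hypothetical stand-in for the second network element device (operator side).

    Real subscriber authentication is left to the prior art by the application;
    it is reduced to a lookup here so that the routing can be exercised.
    """

    def __init__(self, subscribers: Dict[str, bytes]):
        self._subscribers = dict(subscribers)
        self.seen_sources: List[str] = []  # source addresses the operator side observes

    def authenticate(self, request: Message) -> Optional[Message]:
        self.seen_sources.append(request.src_ip)
        info = self._subscribers.get(request.imsi)
        if info is None:
            return None  # assumption: no response is modelled for a failed authentication
        return Message("auth_success", request.imsi, "operator-mme", info)


class FirstNetworkElement:
    """Private-network side: access gate, address replacement and response routing."""

    def __init__(self, hss: FirstHSS, operator: SecondNetworkElement,
                 proxy_ip: str = PROXY_IP):
        self._hss = hss
        self._operator = operator
        self._proxy_ip = proxy_ip
        self._imsi_to_base_station: Dict[str, str] = {}

    def handle_access_request(self, req: Message) -> Optional[Tuple[str, Message]]:
        # Access authentication first: identities that are not pre-stored are
        # rejected locally and never reach the public network core.
        if not self._hss.access_allowed(req.imsi):
            return None
        # Establish the mapping BEFORE the address is replaced; afterwards the
        # base station address is no longer present in the message.
        self._imsi_to_base_station[req.imsi] = req.src_ip
        auth_req = replace(req, kind="auth_request", src_ip=self._proxy_ip)
        resp = self._operator.authenticate(auth_req)
        if resp is None:
            # Assumption: a failed attempt leaves no mapping behind.
            self._imsi_to_base_station.pop(req.imsi, None)
            return None
        return self.route_response(resp)

    def route_response(self, resp: Message) -> Optional[Tuple[str, Message]]:
        # Look up the base station by the identity carried in the response.
        base_station_ip = self._imsi_to_base_station.get(resp.imsi)
        if base_station_ip is None:
            return None  # assumption: a response with no recorded mapping is dropped
        return base_station_ip, resp


if __name__ == "__main__":
    hss = FirstHSS({"001010000000001"})                       # constructed IMSI
    operator = SecondNetworkElement({"001010000000001": b"constructed-token"})
    gate = FirstNetworkElement(hss, operator)
    print(gate.handle_access_request(
        Message("access_request", "001010000000001", "10.0.0.5")))
    print("operator saw sources:", operator.seen_sources)
```

The `seen_sources` list is the part worth checking in a real deployment: the operator side should only ever observe the preset address, never a base station address.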
In a third aspect, a device for implementing public network user access to a private network includes:
A receiving unit, configured to receive an access request sent, through a private network base station, by a public network user terminal located within private network coverage, where the access request contains identity identification information of the public network user terminal;
A first processing unit, configured to perform access authentication on the public network user terminal based on pre-stored public network user information and, after determining that the access authentication has passed, to send an authentication request carrying the identity identification information to a second network element device in the public network core network, where the authentication request instructs the second network element device to authenticate the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information;
A second processing unit, configured to receive the authentication success response sent by the second network element device after the authentication succeeds, and to send the authentication success response to the public network user terminal through the private network base station.
Optionally, when performing access authentication on the public network user terminal based on the pre-stored public network user information, the first processing unit is configured to:
If it is determined that public network user information corresponding to the identity identification information is pre-stored locally, determine that the public network user terminal passes the access authentication.
Optionally, when sending the authentication request carrying the identity identification information to the second network element device in the public network core network, the first processing unit is configured to:
Replace the address information of the private network base station carried in the access request sent by the private network base station with preset address information, and use the access request with the replaced address information as the authentication request;
Send the authentication request to the second network element device in the public network core network through a standard protocol interface agreed in advance with the second network element device.
Optionally, the device further includes an establishing unit, configured to perform the following operation before the address information of the private network base station is replaced with the preset address information:
Establish a mapping relationship between the identity identification information and the address information of the private network base station;
When sending the authentication success response to the public network user terminal through the private network base station, the second processing unit is configured to:
Obtain the identity identification information carried in the authentication success response;
Obtain, based on the established mapping relationship, the address information of the private network base station corresponding to the identity identification information;
Send the authentication success response to the public network user terminal through the private network base station according to the obtained address information of the private network base station.
In a fourth aspect, a device for implementing public network user access to a private network includes:
A receiving unit, configured to receive an authentication request sent by a first network element device in the private network core network, where the authentication request contains identity identification information of a public network user terminal located within private network coverage, and the authentication request is sent by the first network element device after it performs access authentication on the public network user terminal based on pre-stored public network user information and determines that the access authentication has passed;
An authentication unit, configured to authenticate the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information and, after the authentication succeeds, to send an authentication success response to the first network element device.
In a fifth aspect, an electronic device includes: one or more processors; and one or more computer readable media storing a program for implementing public network user access to a private network, where the program, when executed by the one or more processors, implements the steps of the method according to any one of the second aspect.
In a sixth aspect, a computer readable medium stores a program for implementing public network user access to a private network, where the program, when executed by one or more processors, causes the processors to perform the method according to any one of the second aspect.
In a seventh aspect, an electronic device includes: one or more processors; and one or more computer readable media storing a program for implementing public network user access to a private network, where the program, when executed by the one or more processors, implements the steps of the method according to the third aspect.
In an eighth aspect, a computer readable medium stores a program for implementing public network user access to a private network, where the program, when executed by one or more processors, causes the processors to perform the method according to the third aspect.
The beneficial effects of the embodiments of this application are as follows: public network user information is pre-stored in the first network element device in the private network core network, so that after receiving an access request sent through a private network base station by a public network user terminal located within private network coverage, the first network element device can perform access authentication on the public network user terminal according to the pre-stored public network user information. Further, after determining that the access authentication has succeeded, the identity identification information of the public network user terminal can be reported to the second network element device in the public network core network, and the second network element device authenticates the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information. It can be seen that, in this application, access authentication of the public network user terminal is completed in the first network element device of the private network core network, authentication of the public network user terminal is completed in the second network element device of the public network core network, and the authentication result is notified to the first network element device, so that the private network can complete the access and authentication of the public network user terminal, and a public network user can access the private network and communicate normally without replacing the SIM card.
FIG. 1 is a schematic diagram of the interaction between the private-network-side network element devices and the public-network-side network element devices according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the different functions implemented by the base station proxy module in the private network and in the public network according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for implementing access of a public network user to a private network according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a scenario in which a public network user terminal completes network access and authentication according to an embodiment of the present application;
FIG. 5 is a first schematic diagram of a device for implementing access of a public network user to a private network according to an embodiment of the present application;
FIG. 6 is a second schematic diagram of a device for implementing access of a public network user to a private network according to an embodiment of the present application;
FIG. 7 is a third schematic diagram of a device for implementing access of a public network user to a private network according to an embodiment of the present application.
To make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.
To solve the problem in the prior art that public network users cannot access a 4G private network, the present application proposes a method and a device for implementing access of a public network user to a private network, so that a public network user terminal fitted with a SIM card whose account was opened on the public network can be used not only in the public network but also inside the private network without replacing the SIM card. For the public network user terminal to be used inside the private network, it first needs to complete the access and authentication process in the private network. Therefore, in the embodiments of the present application, the first network element device in the Evolved Packet Core (EPC) network of the private network LTE system is improved so that it can perform access authentication on a public network user terminal requesting access, and the second network element device in the EPC network of the public network LTE system is improved so that the private network EPC network and the public network EPC network can be interconnected. The second network element device in the public network EPC network then authenticates the public network user terminal requesting access, so that the public network user terminal is successfully registered in the private network and can be used there.
It should be noted that, in the description of the embodiments of the present application, terms such as "first" and "second" are used only to distinguish the items described, and are not to be understood as indicating or implying relative importance or order.
The preferred embodiments of the present application are described in detail below with reference to the accompanying drawings.
First, FIG. 1 shows a schematic diagram of the interaction between the private-network-side network element devices and the public-network-side network element devices provided by an embodiment of the present application.
The private network EPC network side includes the first network element device, the public network EPC network side includes the second network element device, the private network IP Multimedia Subsystem (IMS) network side includes the third network element device, and the public network IMS network side includes the fourth network element device.
The interaction between the first network element device on the private network EPC network side and the second network element device on the public network EPC network side is described first.
The first network element device may be configured to: receive an access request sent through a private network base station by a public network user terminal located within the coverage of the private network, the access request containing the identity information of the public network user terminal; perform access authentication on the public network user terminal based on pre-stored public network user information; after determining that the access authentication has passed, send an authentication request carrying the identity information to the second network element device; and, after receiving an authentication success response sent by the second network element device, send the authentication success response to the public network user terminal through the private network base station.
The second network element device may be configured to: after receiving the authentication request, authenticate the public network user terminal based on pre-stored user authentication information corresponding to the identity information; and, after the authentication succeeds, send an authentication success response to the first network element device.
In the embodiments of the present application, the first network element device may include a first Mobility Management Entity (MME), a first Home Subscriber Server (HSS), a base station proxy module, and the like; the second network element device may include a second MME, a second HSS, and the like.
The first MME and the first HSS can interact to perform access authentication on a public network user terminal requesting access to the private network. Specifically, the first MME in the first network element device may report the identity information of the public network user terminal requesting access to the private network to the first HSS, and the first HSS may pre-store the information of the designated public network users allowed to access the private network, which is used to perform access authentication on public network user terminals requesting access to the private network. The identity information of the public network user terminal may be, for example, the International Mobile Subscriber Identity (IMSI) stored in the SIM card used by the public network user terminal.
The base station proxy module is mainly used to communicate with the second network element device on the public network EPC network side through an open standard protocol interface agreed with the public network EPC network side. It may be deployed in the first MME or as a separate network element device in the EPC network; neither choice affects its function.
Specifically, FIG. 2 shows the different functions implemented by the base station proxy module in the private network and in the public network.
For the private network, the multiple base stations of the enterprise private network can be mapped to a single base station, namely the base station proxy module. The base station proxy module replaces the source address information carried in the information sent by the different private network base stations with its own address information, and sends the information to the second network element device in the public network using the replaced address information as the source address information. Before replacing the address information, the base station proxy module may establish a mapping between the identity information of the public network user terminal and the address information of the private network base station, so that response information fed back by the second network element device can be sent to the public network user terminal through the private network base station mapped to that terminal. The mapping established may specifically be a mapping between the IMSI of the public network user terminal and the Internet Protocol address (IP address) of the private network base station.
For the public network, the base station proxy module can be regarded as a public network base station that, once the standard protocol interface has been opened, establishes a communication connection with the second network element device and reports the relevant information of the public network user terminal to the second network element device. Here, the standard protocol interface opened between the first network element device and the second network element device may be the S1 interface, and the communication connection established between the second network element device and the base station proxy module may be a Stream Control Transmission Protocol (SCTP) link. Of course, in a specific implementation, other standard protocol interfaces may be opened, or communication connections under other transmission protocols may be established, according to actual requirements; the present application does not limit this.
Specifically, the base station proxy module may obtain the authentication result information produced by the interaction between the first MME and the first HSS. After determining that the public network user terminal has passed access authentication, it replaces the address information of the private network base station carried in the access request sent by the private network base station with its own address information, treats the access request with the replaced address as the authentication request, and sends it to the second network element device through the open S1 interface over the established communication connection, so that the second network element device authenticates the public network user terminal.
After receiving the authentication success response that the second network element device sends once it has successfully authenticated the public network user terminal, the base station proxy module may, according to the established mapping between the identity information of the public network user terminal and the address information of the private network base station, replace the destination address information carried in the authentication success response, namely the address information of the base station proxy module, with the address information of the private network base station corresponding to the identity information. It then sends the authentication success response with the replaced address to the private network base station, which forwards it to the public network user terminal.
Continuing with FIG. 1, the interaction between the third network element device on the private network IMS network side and the fourth network element device on the public network IMS network side is described next.
To enable interworking of communication services between the private network and the public network, in the embodiments of the present application the third network element device on the private network IMS network side and the fourth network element device on the public network IMS network side can be interconnected through a standard protocol interface, the SIP interface.
After successfully accessing the private network, the public network user terminal may further send an IMS network registration request to the third network element device through the private network base station and the first network element device. Correspondingly, after the third network element device has successfully registered the public network user terminal in the IMS network on the private network side, it may also send an IMS network registration request to the fourth network element device through the Session Initiation Protocol (SIP) interface, so that the fourth network element device successfully registers the public network user terminal in the IMS network on the public network side. In this way, when the public network user terminal is within the coverage of the private network, it can not only use services such as voice calls with other public network users within the coverage of the private network, but can also reach the public network IMS network through the private network IMS network and thus use communication services such as voice calls with other public network user terminals within the coverage of the public network. Moreover, the process by which the public network user terminal reaches the public network IMS network from the private network IMS network is not perceptible on the user side: the public network user terminal can roam between the public network and the private network without any additional operation.
Based on the above description of the interaction between the private-network-side network element devices and the public-network-side network element devices, the embodiments of the present application further provide a method for implementing access of a public network user to a private network. The flowchart of the method is shown in FIG. 3 and includes the following steps:
Step 301: The first network element device in the private network core network receives an access request sent through a private network base station by a public network user terminal located within the coverage of the private network, the access request containing the identity information of the public network user terminal.
Here, the first MME in the first network element device may receive the access request, carrying the identity information of the public network user terminal, that the public network user terminal located within the coverage of the private network sends through the private network base station, and report the access request to the first HSS in the first network element device, which performs access authentication on the public network user terminal. The first HSS may pre-store the information of the designated public network users allowed to access the private network.
Step 302: The first network element device performs access authentication on the public network user terminal based on the pre-stored public network user information and, after determining that the access authentication has passed, sends an authentication request carrying the identity information to the second network element device in the public network core network.
Here, the first HSS may perform access authentication on the public network user terminal based on the pre-stored public network user information. If it determines that public network user information corresponding to the identity information is pre-stored locally, it determines that the public network user terminal passes access authentication; conversely, if it determines that no public network user information corresponding to the identity information is pre-stored locally, it determines that the public network user terminal does not pass access authentication. After performing access authentication, the first HSS may send authentication result information to the base station proxy module through the first MME; the authentication result information indicates whether the public network user terminal having the identity information has passed access authentication.
Further, the base station proxy module may determine, according to the authentication result information, whether the public network user terminal has passed access authentication and, after determining that the access authentication has passed, send an authentication request carrying the identity information to the second network element device in the public network core network.
Here, since the private network cannot obtain information such as the authentication key of the public network user terminal, it cannot authenticate the public network user terminal. Therefore, in the embodiments of the present application, the first network element device and the second network element device can use an open standard protocol interface, the S1 interface, to interconnect the private network EPC network and the public network EPC network, so that the second network element device in the public network EPC network completes the authentication of the public network user terminal.
The sending, by the base station proxy module, of the authentication request carrying the identity information to the second network element device in the public network core network may specifically include: the base station proxy module replaces the address information of the private network base station carried in the access request sent by the private network base station with preset address information, treats the access request with the replaced address information as the authentication request, and sends the authentication request to the second network element device in the public network core network through the standard protocol interface agreed in advance with the second network element device.
In addition, before replacing the address information of the private network base station with the preset address information, the base station proxy module may establish a mapping between the identity information and the address information of the private network base station, so that when it later receives information carrying the identity information from the second network element device, it can send that information to the public network user terminal having the identity information through the private network base station mapped to the identity information.
Step 303: The second network element device authenticates the public network user terminal based on pre-stored user authentication information corresponding to the identity information and, after the authentication succeeds, sends an authentication success response to the first network element device.
Specifically, the second MME in the second network element device may receive the authentication request carrying the identity information sent by the base station proxy module and forward the received authentication request to the second HSS. Because the second HSS in the public network EPC network pre-stores the user authentication information of public network users, the second HSS can authenticate the public network user terminal based on the pre-stored user authentication information corresponding to the identity information and, after the authentication passes, send an authentication success response through the second MME to the base station proxy module of the first network element device. This completes the authentication of the public network user terminal.
In addition, when sending the authentication success response, the second network element device on the public network EPC network side may include network authentication information, so that after receiving the authentication success response the public network user terminal can authenticate the network side based on the network authentication information. The specific network-side and user-side authentication processes follow the prior art and are not described in detail in the present application.
Step 304: The first network element device receives the authentication success response sent by the second network element device after successful authentication, and sends the authentication success response to the public network user terminal through the private network base station.
Specifically, the sending, by the first network element device, of the authentication success response to the public network user terminal through the private network base station may include: the base station proxy module obtains the identity information carried in the authentication success response and, based on the previously established mapping between the identity information and the address information of the private network base station, obtains the address information of the private network base station corresponding to the identity information; then, according to the obtained address information of the private network base station, it sends the authentication success response to the public network user terminal through the private network base station.
Thus, in the present application, access authentication of the public network user terminal is completed in the first network element device of the private network core network, while authentication of the public network user terminal is completed in the second network element device of the public network core network, which notifies the first network element device of the authentication result. This allows the private network to complete access and authentication of the public network user terminal, so that a public network user can access the private network and communicate normally without replacing the SIM card.
Next, building on the above embodiments, a specific embodiment is given to describe in detail how a public network user terminal accesses a 4G private network and is authenticated; see the scenario diagram shown in FIG. 4:
Here, ① to ⑨ in the figure denote the network access and authentication flow of the public network user terminal, specifically:
① The public network user terminal sends an access request carrying the IMSI to the 4G private network base station.
② The 4G private network base station forwards the access request to the first MME in the private network EPC.
③ The first MME in the private network EPC sends the IMSI of the public network user terminal to the first HSS, and the first HSS performs access authentication;
The first HSS determines whether the IMSI of the public network user terminal is pre-stored locally; if so, it notifies the first MME that the public network user terminal is allowed to access the private network; otherwise, it notifies the first MME that the public network user terminal is not allowed to access the private network;
The first MME notifies the base station proxy module of the access authentication result. After determining that the public network user terminal is allowed to access the private network, the base station proxy module sends an authentication request carrying the IMSI to the second MME in the operator EPC through the open S1 interface.
Note that when the base station proxy module sends the authentication request, it changes the source IP address, that is, the IP address of the 4G private network base station, to the IP address of the base station proxy module, so that the private network does not access the operator network directly, which makes security maintenance of the private network equipment easier. In addition, so that when information sent from the operator EPC network is received later the module can identify which 4G private network base station should deliver it to the public network user terminal, it may establish a mapping between the IMSI of the public network user terminal and the IP address of the 4G private network base station after receiving the access request forwarded by the 4G private network base station.
④ The second MME sends the IMSI of the public network user terminal to the second HSS in the operator network.
⑤ The second HSS authenticates the public network user terminal according to the locally stored user authentication information corresponding to the IMSI of the public network user terminal. If the authentication succeeds, it returns to the second MME an authentication success response carrying network authentication information and the IMSI of the public network user terminal.
⑥ The second MME sends the authentication success response to the base station proxy module;
The base station proxy module obtains the IMSI carried in the authentication success response, obtains the IP address of the 4G private network base station corresponding to that IMSI from the established mapping between IMSIs and 4G private network base station IP addresses, and, according to the obtained IP address, sends the authentication success response to the public network user terminal through the 4G private network base station.
The public network user terminal can then authenticate the network side based on the network authentication information carried in the authentication success response.
This completes the network access and authentication flow of the public network user terminal after it switches from the operator network to the private network. When the public network user terminal switches from the private network back to the operator network, it can be used in the operator network directly, because the operator network has already completed authentication of the public network user terminal.
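The admission check, address substitution and IMSI-to-base-station mapping described in steps 301 to 304 and in flow ① to ⑥ above can be modelled as follows; this is an added example, not part of the patent text. The message fields, class names, IP addresses and IMSIs are constructed, the first MME is folded into the proxy's call to the first HSS, and the IMSI format check and the dropping of unmapped or misaddressed responses are added assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

PROXY_IP = "198.51.100.10"      # constructed: the proxy's own (preset) address
PUBLIC_MME_IP = "203.0.113.5"   # constructed: second network element device
TEST_IMSI = "001010123456789"   # constructed IMSI, pre-stored in the first HSS
OTHER_IMSI = "001010000000002"  # constructed IMSI, known only to the public HSS


@dataclass(frozen=True)
class Message:
    """Hypothetical message shape; real S1 signalling is not modelled."""
    kind: str                   # access_request | auth_request | auth_success
    imsi: str
    src_ip: str
    dst_ip: str
    network_auth_info: Optional[bytes] = None


def valid_imsi(imsi: str) -> bool:
    # Added sanity check (assumption): an IMSI is at most 15 decimal digits.
    return imsi.isascii() and imsi.isdigit() and len(imsi) <= 15


class FirstHSS:
    """Private network HSS holding the pre-stored public network users."""

    def __init__(self, allowed_imsis: Set[str]):
        self._allowed = set(allowed_imsis)

    def access_authenticated(self, imsi: str) -> bool:
        return imsi in self._allowed


class SecondNetworkElement:
    """Stand-in for the public network's second MME and second HSS."""

    def __init__(self, ip: str, subscribers: Dict[str, bytes]):
        self.ip = ip
        self._subscribers = dict(subscribers)
        self.seen_sources: List[str] = []    # source addresses it observed

    def handle(self, req: Message) -> Optional[Message]:
        self.seen_sources.append(req.src_ip)
        info = self._subscribers.get(req.imsi)
        if req.kind != "auth_request" or info is None:
            return None                       # failure path is not modelled
        return Message("auth_success", req.imsi, self.ip, req.src_ip, info)


class BaseStationProxy:
    def __init__(self, own_ip: str, first_hss: FirstHSS,
                 second_ne: SecondNetworkElement):
        self.own_ip = own_ip
        self.first_hss = first_hss
        self.second_ne = second_ne
        self.imsi_to_enb: Dict[str, str] = {}  # IMSI -> private base station IP

    def on_access_request(self, req: Message) -> Optional[Message]:
        """Steps 301-302: admit, record mapping, rewrite source, forward."""
        if req.kind != "access_request" or not valid_imsi(req.imsi):
            return None
        if not self.first_hss.access_authenticated(req.imsi):
            return None    # denied: no mapping, nothing sent to public network
        # Record the mapping BEFORE the base station address is overwritten.
        self.imsi_to_enb[req.imsi] = req.src_ip
        auth_req = replace(req, kind="auth_request",
                           src_ip=self.own_ip, dst_ip=self.second_ne.ip)
        resp = self.second_ne.handle(auth_req)
        return self.on_public_response(resp) if resp else None

    def on_public_response(self, resp: Message) -> Optional[Message]:
        """Steps 303-304: restore the base station address from the mapping."""
        if resp.kind != "auth_success" or resp.dst_ip != self.own_ip:
            return None
        enb_ip = self.imsi_to_enb.get(resp.imsi)
        if enb_ip is None:
            return None    # response for a terminal that never asked: drop
        return replace(resp, dst_ip=enb_ip)


def build_demo():
    """Wire up one proxy with constructed subscriber data."""
    hss = FirstHSS({TEST_IMSI})
    public = SecondNetworkElement(
        PUBLIC_MME_IP,
        {TEST_IMSI: b"constructed-auth-info", OTHER_IMSI: b"constructed-2"})
    return BaseStationProxy(PROXY_IP, hss, public), public


if __name__ == "__main__":
    proxy, public = build_demo()
    out = proxy.on_access_request(
        Message("access_request", TEST_IMSI, "10.0.0.21", PROXY_IP))
    print(out, public.seen_sources)
```

The public side only ever sees the proxy address as the source, and a terminal that re-attaches through a different base station overwrites its mapping entry, so the response follows the most recent access request.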
In addition, to enable the public network user terminal to use the second-generation mobile communication technology (2nd Generation Mobile Communication Technology, 2G) network and the third-generation mobile communication technology (3rd Generation Mobile Communication Technology, 3G) network in the operator network, the following operations may also be performed:
⑦ The second MME in the operator network may also register the information about the public network user terminal that is used for 2G and 3G communication with the operator's Mobile Switching Center (MSC).
⑧ After the registration succeeds, the operator MSC may send a registration success response to the second MME.
⑨ The second MME returns the registration success response to the public network user terminal through the private network base station proxy module and the 4G private network base station.
In addition, a public network user terminal that has successfully accessed the private network may also initiate an IMS service registration procedure with the IMS network of the private network, which specifically includes:
A. The public network user terminal sends an IMS network registration request to the private network IMS network side through the 4G private network base station and the private network EPC.
B. After successfully registering the public network user terminal in the IMS network on the private network side, the private network IMS network side may send a registration success response to the public network user terminal through the private network EPC and the 4G private network base station.
C. The private network IMS network side may forward the IMS network registration request to the operator's IMS network through an open SIP interface.
D. After completing the registration of the public network user terminal, the operator IMS network side returns a registration success response to the private network IMS network side.
As the above shows, a public network user terminal can switch freely between the private network and the operator network without affecting normal communication. Moreover, even while it is within private network coverage, the public network user terminal can communicate with public network user terminals in the operator network.
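Based on the foregoing embodiments and referring to FIG. 5, an embodiment of the present application provides a device for implementing public network user access to a private network (for example, the first network element device of the private network core network), comprising at least a receiving unit 50, a first processing unit 51, and a second processing unit 52, wherein:
the receiving unit 50 is configured to receive an access request sent through a private network base station by a public network user terminal located within private network coverage, the access request containing identity identification information of the public network user terminal;
the first processing unit 51 is configured to perform access authentication on the public network user terminal based on pre-stored public network user information and, after determining that access authentication has passed, to send an authentication request carrying the identity identification information to a second network element device in the public network core network, the authentication request instructing the second network element device to authenticate the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information;
the second processing unit 52 is configured to receive the authentication success response sent by the second network element device after authentication succeeds, and to send the authentication success response to the public network user terminal through the private network base station.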
Optionally, when performing access authentication on the public network user terminal based on the pre-stored public network user information, the first processing unit 51 is configured to:
if it is determined that public network user information corresponding to the identity identification information is pre-stored locally, determine that the public network user terminal passes access authentication.
Optionally, when sending the authentication request carrying the identity identification information to the second network element device in the public network core network, the first processing unit 51 is configured to:
replace the address information of the private network base station carried in the access request sent by the private network base station with preset address information, and use the access request with the replaced address information as the authentication request;
send the authentication request to the second network element device in the public network core network through a standard protocol interface agreed in advance with the second network element device.
Optionally, the device further includes an establishing unit 53, which is configured to perform the following operation before the address information of the private network base station is replaced with the preset address information:
establish a mapping between the identity identification information and the address information of the private network base station;
when sending the authentication success response to the public network user terminal through the private network base station, the second processing unit 52 is configured to:
obtain the identity identification information carried in the authentication success response;
obtain, based on the established mapping, the address information of the private network base station corresponding to the identity identification information;
send, according to the obtained address information of the private network base station, the authentication success response to the public network user terminal through the private network base station.
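The first and second network element behaviour described above (local access authentication, the identity-to-base-station mapping, address replacement, and routing of the authentication success response), as an added Python example that is not part of the patent text. The class names, message fields, IMSI values, addresses, and the choice to drop a response that has no recorded mapping are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Set

# Constructed value: the preset address that replaces the base station address.
PRESET_ADDRESS = "198.51.100.10"


@dataclass(frozen=True)
class Message:
    kind: str         # "access_request", "auth_request" or "auth_success"
    identity: str     # identity identification information (an IMSI here)
    address: str      # address information carried in the message


class SecondNetworkElement:
    """Public core side: authenticates against pre-stored user authentication info."""

    def __init__(self, user_auth_info: Dict[str, str]):
        self._user_auth_info = user_auth_info

    def on_auth_request(self, req: Message) -> Optional[Message]:
        if req.kind != "auth_request" or req.identity not in self._user_auth_info:
            return None  # no stored authentication info: no success response
        return Message("auth_success", req.identity, req.address)


class FirstNetworkElement:
    """Private core side: access authentication, address replacement, routing."""

    def __init__(self, stored_public_users: Set[str],
                 send_to_second: Callable[[Message], None],
                 send_via_base_station: Callable[[str, Message], None]):
        self._stored_public_users = stored_public_users
        self._send_to_second = send_to_second
        self._send_via_base_station = send_via_base_station
        self._identity_to_base_station: Dict[str, str] = {}

    def on_access_request(self, req: Message) -> bool:
        if req.kind != "access_request":
            return False
        # Access authentication passes only if user info is pre-stored locally.
        if req.identity not in self._stored_public_users:
            return False
        # Establish the mapping before the base station address is replaced.
        self._identity_to_base_station[req.identity] = req.address
        auth_req = replace(req, kind="auth_request", address=PRESET_ADDRESS)
        self._send_to_second(auth_req)
        return True

    def on_auth_success(self, resp: Message) -> Optional[str]:
        if resp.kind != "auth_success":
            return None
        base_station = self._identity_to_base_station.get(resp.identity)
        if base_station is None:
            # Assumption of this example: a response for an identity with no
            # recorded mapping has nowhere to go and is dropped.
            return None
        self._send_via_base_station(base_station, resp)
        return base_station


def run_demo() -> dict:
    """Drive both elements with constructed identities and addresses."""
    seen_by_public_core = []
    delivered = []
    second = SecondNetworkElement({"001010000000001": "constructed-auth-info"})

    def to_second(msg: Message) -> None:
        seen_by_public_core.append(msg)
        resp = second.on_auth_request(msg)
        if resp is not None:
            first.on_auth_success(resp)

    first = FirstNetworkElement(
        {"001010000000001"}, to_second,
        lambda addr, msg: delivered.append((addr, msg.kind, msg.identity)))

    known = first.on_access_request(
        Message("access_request", "001010000000001", "10.0.0.21"))
    unknown = first.on_access_request(
        Message("access_request", "001010000000002", "10.0.0.22"))
    unsolicited = first.on_auth_success(
        Message("auth_success", "001010000000003", PRESET_ADDRESS))
    return {
        "known": known, "unknown": unknown, "unsolicited": unsolicited,
        "addresses_seen_by_public_core": [m.address for m in seen_by_public_core],
        "delivered": delivered,
    }


if __name__ == "__main__":
    print(run_demo())
```

The public core only ever sees the preset address, so the identity-to-base-station mapping is the sole record that ties a response back to a specific private network base station.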
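Based on the foregoing embodiments and referring to FIG. 6, an embodiment of the present application further provides a device for implementing public network user access to a private network (for example, the second network element device of the public network core network), comprising at least a receiving unit 60 and an authentication unit 61, wherein:
the receiving unit 60 is configured to receive an authentication request sent by the first network element device in the private network core network, wherein the authentication request contains identity identification information of a public network user terminal located within private network coverage, and the authentication request is sent by the first network element device after it performs access authentication on the public network user terminal based on pre-stored public network user information and determines that access authentication has passed;
the authentication unit 61 is configured to authenticate the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information and, after authentication succeeds, to send an authentication success response to the first network element device.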
Referring to FIG. 7, an embodiment of the present application further provides a device for implementing public network user access to a private network, namely an electronic device, comprising: one or more processors 500; and one or more computer-readable media, for example a memory 520.
When the device shown in FIG. 7 is used to implement the functions of the first network element device in the private network core network:
the processor 500 is configured to read the program in the memory 520 and perform the following process:
receiving an access request sent through a private network base station by a public network user terminal located within private network coverage, the access request containing identity identification information of the public network user terminal;
performing access authentication on the public network user terminal based on pre-stored public network user information and, after determining that access authentication has passed, sending an authentication request carrying the identity identification information to a second network element device in the public network core network, the authentication request instructing the second network element device to authenticate the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information;
receiving the authentication success response sent by the second network element device after authentication succeeds, and sending the authentication success response to the public network user terminal through the private network base station.
The transceiver 510 is configured to receive and send data under the control of the processor 500.
Optionally, performing access authentication on the public network user terminal based on the pre-stored public network user information includes:
if it is determined that public network user information corresponding to the identity identification information is pre-stored locally, determining that the public network user terminal passes access authentication.
Optionally, sending the authentication request carrying the identity identification information to the second network element device in the public network core network includes:
replacing the address information of the private network base station carried in the access request sent by the private network base station with preset address information, and using the access request with the replaced address information as the authentication request;
sending the authentication request to the second network element device in the public network core network through a standard protocol interface agreed in advance with the second network element device.
Optionally, before the address information of the private network base station is replaced with the preset address information, the method further includes:
establishing a mapping between the identity identification information and the address information of the private network base station;
sending the authentication success response to the public network user terminal through the private network base station includes:
obtaining the identity identification information carried in the authentication success response;
obtaining, based on the established mapping, the address information of the private network base station corresponding to the identity identification information;
sending, according to the obtained address information of the private network base station, the authentication success response to the public network user terminal through the private network base station.
When the device shown in FIG. 7 is used to implement the functions of the second network element device of the public network core network:
the processor 500 is configured to read the program in the memory 520 and perform the following process:
receiving an authentication request sent by the first network element device in the private network core network, wherein the authentication request contains identity identification information of a public network user terminal located within private network coverage, and the authentication request is sent by the first network element device after it performs access authentication on the public network user terminal based on pre-stored public network user information and determines that access authentication has passed;
authenticating the public network user terminal based on pre-stored user authentication information corresponding to the identity identification information and, after authentication succeeds, sending an authentication success response to the first network element device.
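In FIG. 7, the bus architecture may include any number of interconnected buses and bridges, which link together various circuits of the one or more processors represented by the processor 500 and of the memory represented by the memory 520. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 510 may be a plurality of elements, that is, it includes a transmitter and a transceiver, and provides a unit for communicating with various other apparatuses over a transmission medium. The processor 500 is responsible for managing the bus architecture and general processing, and the memory 520 may store data used by the processor 500 when performing operations.
The processor 500 may be a central processing unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD).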
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. The present application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction apparatus, the instruction apparatus implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and variations to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if these modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include them.
Claims (14)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710884782.3A CN109561430A (en) | 2017-09-26 | 2017-09-26 | A kind of implementation method and equipment of public network user access private network |
| CN201710884782.3 | 2017-09-26 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2019062384A1 true WO2019062384A1 (en) | 2019-04-04 |
Family
ID=65863113
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2018/101519 Ceased WO2019062384A1 (en) | 2017-09-26 | 2018-08-21 | Method and device for public network user accessing private network |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN109561430A (en) |
| WO (1) | WO2019062384A1 (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111565432A (en) * | 2020-04-15 | 2020-08-21 | 中国联合网络通信集团有限公司 | A communication method and access network device |
| CN111835875A (en) * | 2019-04-22 | 2020-10-27 | 普天信息技术有限公司 | A communication method and device between a private network terminal and an industry terminal |
| CN112187898A (en) * | 2020-09-18 | 2021-01-05 | 佳都新太科技股份有限公司 | Data access system, method and device based on public security network |
| WO2021056131A1 (en) * | 2019-09-23 | 2021-04-01 | Oppo广东移动通信有限公司 | Radio communication method, terminal device, and network device |
| CN113596837A (en) * | 2021-07-09 | 2021-11-02 | 长安大学 | Method and system for determining core network selection |
| CN113765874A (en) * | 2020-11-09 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Private network and dual-mode networking method based on 5G mobile communication technology |
| CN113891370A (en) * | 2021-11-08 | 2022-01-04 | 中国电信股份有限公司 | Time slot interference processing method, device, medium and electronic equipment |
| CN114339837A (en) * | 2021-12-31 | 2022-04-12 | 中国联合网络通信集团有限公司 | Private network access control method, device, electronic device and storage medium |
| CN116233890A (en) * | 2023-01-06 | 2023-06-06 | 中国联合网络通信集团有限公司 | 5G private network configuration method and device, electronic equipment and medium |
| US12160738B2 (en) | 2019-10-02 | 2024-12-03 | British Telecommunications Public Limited Company | Wireless telecommunications network authentication |
Families Citing this family (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112333707B (en) * | 2019-07-16 | 2022-08-12 | 中国移动通信集团浙江有限公司 | Public private network collaborative optimization method, device, equipment and computer storage medium |
| CN110557753B (en) * | 2019-08-13 | 2023-05-09 | 成都电科慧安科技有限公司 | DNS redirection method based on relay access for public security network access |
| US20210112411A1 (en) * | 2019-10-10 | 2021-04-15 | Cisco Technology, Inc. | Multi-factor authentication in private mobile networks |
| CN111163499B (en) * | 2019-11-29 | 2022-01-04 | 联通物联网有限责任公司 | Access method, device, electronic equipment and storage medium |
| CN113438647A (en) * | 2020-03-05 | 2021-09-24 | 大唐移动通信设备有限公司 | Method for accessing public network user to private network, call service processing method and equipment |
| CN111414645B (en) * | 2020-03-19 | 2022-07-05 | 中国电子科技集团公司第三十研究所 | A secure HSS/UDM design method and system for realizing privacy protection function |
| CN111465001B (en) * | 2020-04-01 | 2023-05-02 | 中国联合网络通信集团有限公司 | Registration method and device |
| CN111464963B (en) * | 2020-04-01 | 2021-11-09 | 中国联合网络通信集团有限公司 | Registration method of card-free terminal and identity registration server |
| CN111565435B (en) * | 2020-04-15 | 2022-07-08 | 中国联合网络通信集团有限公司 | A communication method and access network device |
| CN114189853B (en) * | 2020-08-24 | 2023-12-12 | 海能达通信股份有限公司 | Communication control method and device of terminal and EPC |
| CN114339716A (en) * | 2020-09-29 | 2022-04-12 | 中国电信股份有限公司 | Contract data transmission method, system and server |
| CN112423301B (en) * | 2020-11-02 | 2023-12-22 | 中国联合网络通信集团有限公司 | Private network registration management method and AMF network element |
| CN114584936B (en) * | 2020-11-30 | 2024-11-05 | 中国电信股份有限公司 | Method, system, and storage medium for realizing short message intercommunication between private network terminals and public network terminals |
| CN114760674A (en) * | 2021-01-14 | 2022-07-15 | 南通大学 | Shipborne private network CPE design and communication method based on shipborne communication-in-motion antenna |
| CN113573378B (en) * | 2021-07-19 | 2024-09-27 | 腾讯科技(深圳)有限公司 | An e-sports data processing method, device, equipment and storage medium |
| CN113993130B (en) * | 2021-10-29 | 2024-09-24 | 中国电信股份有限公司 | Terminal access control method, terminal and storage medium |
| CN114531279B (en) * | 2022-01-25 | 2023-12-22 | 中国联合网络通信集团有限公司 | Private network access method, server and storage medium |
| CN115529342B (en) * | 2022-04-27 | 2025-08-19 | 中国移动通信集团设计院有限公司 | Service access processing method, device, equipment and storage medium |
| CN114900794B (en) * | 2022-06-14 | 2024-04-09 | 中国联合网络通信集团有限公司 | Communication method, device, system and storage medium |
| CN115150830B (en) * | 2022-09-02 | 2022-11-29 | 北京首信科技股份有限公司 | Method and system for guaranteeing terminal public network access when 5G private network access authentication fails |
| CN116095663A (en) * | 2022-12-28 | 2023-05-09 | 中国电信股份有限公司卫星通信分公司 | Roaming service registration method, device and system |
| CN116032879B (en) * | 2022-12-30 | 2024-09-20 | 中国联合网络通信集团有限公司 | Intervisit method of intranet equipment and extranet equipment, routing equipment and server |
| CN118509860B (en) * | 2024-07-16 | 2024-11-19 | 上海芯袖微电子科技有限公司 | Public private network control method and device, private network and intelligent network |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102833846A (en) * | 2012-08-21 | 2012-12-19 | 大唐移动通信设备有限公司 | Method and device for realizing registration and service call of user equipment (UE) |
| JP5126258B2 (en) * | 2010-03-15 | 2013-01-23 | 日本電気株式会社 | ACCESS CONTROL SYSTEM, ACCESS CONTROL DEVICE, ACCESS CONTROL METHOD USED FOR THEM, AND PROGRAM THEREOF |
| CN102905254A (en) * | 2012-10-15 | 2013-01-30 | 西安大唐电信有限公司 | Method for using user equipment of mobile public network in mobile private network |
| CN107040495A (en) * | 2016-02-03 | 2017-08-11 | 重庆小目科技有限责任公司 | It is a kind of to be applied to industrial communication and the multi-stage combination identity identifying method of business |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101043264B (en) * | 2007-04-17 | 2010-05-26 | 华为技术有限公司 | Method for establishing mobile network tunnel, mobile network and relay node |
| WO2011039784A2 (en) * | 2009-09-30 | 2011-04-07 | Vinjamuri Venkata Ravindra | A system and method for dual-mode authentication in hybrid networks |
| GB2475236A (en) * | 2009-11-09 | 2011-05-18 | Skype Ltd | Authentication arrangement for a packet-based communication system covering public and private networks |
| CN102368768B (en) * | 2011-10-12 | 2014-04-02 | 北京星网锐捷网络技术有限公司 | Identification method, equipment and system as well as identification server |
| CN105530185B (en) * | 2014-09-29 | 2018-12-25 | 优视科技有限公司 | Covering route network, method for routing and router based on covering route network |
| CN105636006B (en) * | 2015-12-24 | 2019-04-30 | 阳光凯讯(北京)科技有限公司 | Under terminal roaming to 4G private network with 2G/3G core net circuit domain interoperability methods and system |
-
2017
- 2017-09-26 CN CN201710884782.3A patent/CN109561430A/en active Pending
-
2018
- 2018-08-21 WO PCT/CN2018/101519 patent/WO2019062384A1/en not_active Ceased
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111835875A (en) * | 2019-04-22 | 2020-10-27 | 普天信息技术有限公司 | A communication method and device between a private network terminal and an industry terminal |
| WO2021056131A1 (en) * | 2019-09-23 | 2021-04-01 | Oppo广东移动通信有限公司 | Radio communication method, terminal device, and network device |
| US12160738B2 (en) | 2019-10-02 | 2024-12-03 | British Telecommunications Public Limited Company | Wireless telecommunications network authentication |
| CN111565432A (en) * | 2020-04-15 | 2020-08-21 | 中国联合网络通信集团有限公司 | A communication method and access network device |
| CN111565432B (en) * | 2020-04-15 | 2021-12-07 | 中国联合网络通信集团有限公司 | A communication method and access network device |
| CN112187898B (en) * | 2020-09-18 | 2023-05-16 | 佳都科技集团股份有限公司 | Data access system, method and device based on public security network |
| CN112187898A (en) * | 2020-09-18 | 2021-01-05 | 佳都新太科技股份有限公司 | Data access system, method and device based on public security network |
| CN113765874A (en) * | 2020-11-09 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Private network and dual-mode networking method based on 5G mobile communication technology |
| CN113765874B (en) * | 2020-11-09 | 2023-12-05 | 北京沃东天骏信息技术有限公司 | Private network and dual-mode networking method based on 5G mobile communication technology |
| CN113596837A (en) * | 2021-07-09 | 2021-11-02 | 长安大学 | Method and system for determining core network selection |
| CN113596837B (en) * | 2021-07-09 | 2023-05-26 | 长安大学 | Method and system for determining core network selection |
| CN113891370B (en) * | 2021-11-08 | 2024-05-21 | 中国电信股份有限公司 | Time slot interference processing method, device, medium and electronic equipment |
| CN113891370A (en) * | 2021-11-08 | 2022-01-04 | 中国电信股份有限公司 | Time slot interference processing method, device, medium and electronic equipment |
| CN114339837A (en) * | 2021-12-31 | 2022-04-12 | 中国联合网络通信集团有限公司 | Private network access control method, device, electronic device and storage medium |
| CN114339837B (en) * | 2021-12-31 | 2023-12-22 | 中国联合网络通信集团有限公司 | Private network access control method and device, electronic equipment and storage medium |
| CN116233890A (en) * | 2023-01-06 | 2023-06-06 | 中国联合网络通信集团有限公司 | 5G private network configuration method and device, electronic equipment and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109561430A (en) | 2019-04-02 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18862969 Country of ref document: EP Kind code of ref document: A1 |
|
| NENP | Non-entry into the national phase |
Ref country code: DE |
|
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 18862969 Country of ref document: EP Kind code of ref document: A1 |