
CN114071465B - Access control method, device and communication equipment - Google Patents


Info

Publication number
CN114071465B
Authority
CN
China
Prior art keywords
network
information
terminal
access
accessing
Prior art date
Legal status
Active
Application number
CN202110369540.7A
Other languages
Chinese (zh)
Other versions
CN114071465A (en)
Inventor
柯小婉
Current Assignee
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd
Priority date
Filing date
Publication date
Events
  • Application filed by Vivo Mobile Communication Co Ltd
  • Priority to JP2023503412A (JP7509991B2)
  • Priority to EP21851111.1A (EP4192064A4)
  • Priority to PCT/CN2021/110015 (WO2022022739A1)
  • Priority to KR1020237006765A (KR20230043969A)
  • Priority to PH1/2023/550256A (PH12023550256A1)
  • Publication of CN114071465A
  • Priority to US18/104,061 (US20230179597A1)
  • Application granted
  • Publication of CN114071465B
  • Legal status: Active
  • Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/08 Access security
          • H04W 48/00 Access restriction; Network selection; Access point selection
            • H04W 48/16 Discovering, processing access restriction or access information
          • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the present application provide an access control method, an access control apparatus and a communication device, and relate to the technical field of communication. The access control method includes the following steps: acquiring first information and/or second information, where the first information includes at least one of indication information of a first access mode, a routing indicator of a first type and a network identifier of the first type, and the second information includes at least one of a network identifier of the first type, a routing indicator of the first type, a group identifier of the first type and identification information of a terminal; and performing a first operation according to the first information and/or the second information, where the first operation includes at least one of selecting a first authentication service network element, determining a group identifier of the first type, determining a routing indicator of the first type, and determining a network identifier of the first type. With the method of the embodiments, selection of an authentication service network element is supported in the scenario where a terminal accesses a first network using the first access mode.

Description

Access control method, device and communication equipment

Technical field

The embodiments of the present application relate to the field of communication technology, and in particular to an access control method, apparatus and communication device.

Background

At present, when a terminal accesses another network in order to download the credentials needed to access a Standalone Non-Public Network (SNPN) (a procedure that may be called onboarding), it must pass authentication by a default-credentials authentication server. However, the Authentication Server Function (AUSF) of that other network may at that point have no relation to the terminal, nor to the terminal's subscription permanent identifier. In this case, how to select the authentication service network element is a problem that urgently needs to be solved.

Summary of the invention

The embodiments of the present application provide an access control method, apparatus and communication device for solving the problem of how to select an authentication service network element.

In order to solve the above technical problem, the present application is implemented as follows:

In a first aspect, an embodiment of the present application provides an access control method, applied to a first communication device, including:

acquiring first information and/or second information, where the first information includes at least one of the following: indication information of a first access mode, a routing indicator of a first type, and a network identifier of the first type; and the second information includes at least one of the following: a network identifier of the first type, a routing indicator of the first type, a group identifier of the first type, and identification information of a terminal;

performing a first operation according to the first information and/or the second information;

where the first operation includes at least one of the following:

selecting a first authentication service network element;

determining a group identifier of the first type, a routing indicator of the first type, information of a service provider and/or a network identifier of the first type;

requesting discovery of an authentication service network element according to the group identifier of the first type, the routing indicator of the first type, the network identifier of the first type, the information of the service provider and/or the indication information of the first access mode;

where the indication information of the first access mode is used to indicate at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials;

the first network and the second network are the same network or different networks;

where the first authentication service network element includes at least one of the following: an authentication service network element that provides authentication service to terminals using the first access mode, and an authentication service network element that provides authentication service to terminals holding default credentials;

the group identifier of the first type includes: a group identifier of authentication service network elements that provide authentication service to terminals using the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode;

the routing indicator of the first type includes: a routing indicator used for the first access mode;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of the terminal's authentication provider;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indicator of the first type;

the third identifier of the terminal includes information of the terminal's authentication provider, a network identifier of the first type and/or a routing indicator of the first type.

In a second aspect, an embodiment of the present application provides an access control method, applied to a second communication device, including:

sending first information;

where the first information includes at least one of the following: indication information of a first access mode, a routing indicator of a first type, a network identifier of the first type, and identification information of a terminal;

the routing indicator of the first type includes: a routing indicator used for the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode;

the indication information of the first access mode is used to indicate at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials;

the first network and the second network are the same network or different networks;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of the terminal's authentication provider;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indicator of the first type;

the third identifier of the terminal includes information of the terminal's authentication provider, a network identifier of the first type and/or a routing indicator of the first type.

In a third aspect, an embodiment of the present application provides an access control method, applied to a third communication device, including:

acquiring third information and/or fourth information, where the third information includes at least one of the following: a group identifier of a first type, information of an authentication provider, a routing indicator of the first type, a network identifier of the first type, and indication information of a first access mode; and the fourth information is used to indicate attribution information of an authentication service network element and includes at least one of the following: a routing indicator supported by the authentication service network element, a network identifier of the network to which the authentication service network element belongs, a group identifier to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, and information of an authentication provider supported by the authentication service network element, the authentication provider being able to authenticate terminals holding default credentials;

performing a third operation according to the third information and/or the fourth information;

where the third operation includes at least one of the following:

discovering an authentication service network element that matches the third information, that is, an authentication service network element whose fourth information matches the third information;

sending the discovered authentication service network element;

where the authentication service type supported by the authentication service network element includes support for providing authentication service to terminals holding default credentials;

the indication information of the first access mode is used to indicate at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials;

the first network and the second network are the same network or different networks;

the group identifier of the first type includes: a group identifier of authentication service network elements that provide authentication service to terminals using the first access mode;

the routing indicator of the first type includes: a routing indicator used for the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode.

In a fourth aspect, an embodiment of the present application provides an access control method, applied to a fourth communication device, including:

sending fourth information;

where the fourth information is used to indicate attribution information of an authentication service network element and includes at least one of the following: a routing indicator supported by the authentication service network element, a network identifier of the network to which the authentication service network element belongs, a group identifier to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, and information of an authentication provider supported by the authentication service network element, the authentication provider being able to authenticate terminals holding default credentials;

where the routing indicator supported by the authentication service network element is a routing indicator of a first type;

the network identifier of the network to which the authentication service network element belongs is a network identifier of the first type;

the group identifier to which the authentication service network element belongs is a group identifier of the first type;

the access modes supported by the authentication service network element include a first access mode;

the authentication service type supported by the authentication service network element includes support for providing authentication service to terminals holding default credentials;

the first access mode includes at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; and an access mode in which only restricted services can be used;

the group identifier of the first type includes: a group identifier of authentication service network elements that provide authentication service to terminals using the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode.

In a fifth aspect, an embodiment of the present application provides an access control apparatus, applied to a first communication device, including:

a first acquisition module, configured to acquire first information and/or second information, where the first information includes at least one of the following: indication information of a first access mode, a routing indicator of a first type, and a network identifier of the first type; and the second information includes at least one of the following: a network identifier of the first type, a routing indicator of the first type, a group identifier of the first type, and identification information of a terminal;

a first execution module, configured to perform a first operation according to the first information and/or the second information;

where the first operation includes at least one of the following:

selecting a first authentication service network element;

determining a group identifier of the first type, a routing indicator of the first type, information of a service provider and/or a network identifier of the first type;

requesting discovery of an authentication service network element according to the group identifier of the first type, the routing indicator of the first type, the network identifier of the first type, the information of the service provider and/or the indication information of the first access mode;

where the indication information of the first access mode is used to indicate at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials;

the first network and the second network are the same network or different networks;

where the first authentication service network element includes at least one of the following: an authentication service network element that provides authentication service to terminals using the first access mode, and an authentication service network element that provides authentication service to terminals holding default credentials;

the group identifier of the first type includes: a group identifier of authentication service network elements that provide authentication service to terminals using the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode;

the routing indicator of the first type includes: a routing indicator used for the first access mode;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of the terminal's authentication provider;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indicator of the first type;

the third identifier of the terminal includes information of the terminal's authentication provider, a network identifier of the first type and/or a routing indicator of the first type.

In a sixth aspect, an embodiment of the present application provides an access control apparatus, applied to a second communication device, including:

a first sending module, configured to send first information;

where the first information includes at least one of the following: indication information of a first access mode, a routing indicator of a first type, a network identifier of the first type, and identification information of a terminal;

the routing indicator of the first type includes: a routing indicator used for the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode;

the indication information of the first access mode is used to indicate at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials;

the first network and the second network are the same network or different networks;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of the terminal's authentication provider;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indicator of the first type;

the third identifier of the terminal includes information of the terminal's authentication provider, a network identifier of the first type and/or a routing indicator of the first type.

In a seventh aspect, an embodiment of the present application provides an access control apparatus, applied to a third communication device, including:

a second acquisition module, configured to acquire third information and/or fourth information, where the third information includes at least one of the following: a group identifier of a first type, a routing indicator of the first type, a network identifier of the first type, information of an authentication provider, and indication information of a first access mode; and the fourth information is used to indicate attribution information of an authentication service network element and includes at least one of the following: a routing indicator supported by the authentication service network element, a network identifier of the network to which the authentication service network element belongs, a group identifier to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, and information of an authentication provider supported by the authentication service network element, the authentication provider being able to authenticate terminals holding default credentials;

a second execution module, configured to perform a third operation according to the third information and/or the fourth information;

where the third operation includes at least one of the following:

discovering an authentication service network element that matches the third information, that is, an authentication service network element whose fourth information matches the third information;

sending the discovered authentication service network element;

where the authentication service type supported by the authentication service network element includes support for providing authentication service to terminals holding default credentials;

the indication information of the first access mode is used to indicate at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials;

the first network and the second network are the same network or different networks;

the group identifier of the first type includes: a group identifier of authentication service network elements that provide authentication service to terminals using the first access mode;

the routing indicator of the first type includes: a routing indicator used for the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode.

In an eighth aspect, an embodiment of the present application provides an access control apparatus, applied to a fourth communication device, including:

a second sending module, configured to send fourth information;

where the fourth information is used to indicate attribution information of an authentication service network element and includes at least one of the following: a routing indicator supported by the authentication service network element, a network identifier of the network to which the authentication service network element belongs, a group identifier to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, and information of an authentication provider supported by the authentication service network element, the authentication provider being able to authenticate terminals holding default credentials;

where the routing indicator supported by the authentication service network element is a routing indicator of a first type;

the network identifier of the network to which the authentication service network element belongs is a network identifier of the first type;

the group identifier to which the authentication service network element belongs is a group identifier of the first type;

the access modes supported by the authentication service network element include a first access mode;

the authentication service type supported by the authentication service network element includes support for providing authentication service to terminals holding default credentials;

the first access mode includes at least one of the following: an access mode in which a first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without holding credentials that allow access to the first network; and an access mode in which only restricted services can be used;

the group identifier of the first type includes: a group identifier of authentication service network elements that provide authentication service to terminals using the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode.

第九方面,本申请实施例提供了一种接入控制方法,应用于第五通信设备,包括:In a ninth aspect, an embodiment of the present application provides an access control method, applied to a fifth communication device, including:

在满足第五条件的情况下,执行第五操作;When the fifth condition is met, performing a fifth operation;

所述第五操作包括以下至少一项:The fifth operation includes at least one of the following:

不使用第五信息为终端选择网元;not using the fifth information to select a network element for the terminal;

其中,in,

所述第五条件包括以下至少一项:所述终端为第一接入方式;The fifth condition includes at least one of the following: the terminal is in the first access mode;

所述第五信息包括以下至少一项:终端的用户标识,终端用户标识中MNC,终端用户标识中MCC,终端用户标识中realm中的信息,终端用户标识中第一网络标识NID,终端用户标识中网络标识。The fifth information includes at least one of the following: a user identifier of the terminal, an MNC in the user identifier of the terminal, an MCC in the user identifier of the terminal, information in a realm in the user identifier of the terminal, a first network identifier NID in the user identifier of the terminal, and a network identifier in the user identifier of the terminal.

第十方面,本申请实施例提供了一种接入控制装置,应用于第二通信设备,包括:In a tenth aspect, an embodiment of the present application provides an access control device, applied to a second communication device, including:

a third execution module, configured to perform a fifth operation when a fifth condition is met;

the fifth operation includes at least one of the following:

not using fifth information to select a network element for the terminal;

wherein,

the fifth condition includes at least one of the following: the terminal uses the first access mode;

the fifth information includes at least one of the following: the user identifier of the terminal, network identifier information in the user identifier of the terminal, and information in the realm of the user identifier of the terminal.

In a tenth aspect, an embodiment of the present application provides a communication device, including a processor, a memory, and a computer program stored in the memory and executable on the processor, where the computer program, when executed by the processor, implements the steps of the access control method provided in the first aspect, or the steps of the access control method provided in the second aspect, or the steps of the access control method provided in the third aspect, or the steps of the access control method provided in the fourth aspect, or the steps of the access control method provided in the ninth aspect.

In a first aspect, an embodiment of the present application provides a readable storage medium on which a program or instructions are stored, where the program or instructions, when executed by a processor, implement the steps of the access control method provided in the first aspect, or the steps of the access control method provided in the second aspect, or the steps of the access control method provided in the third aspect, or the steps of the access control method provided in the fourth aspect, or the steps of the access control method provided in the ninth aspect.

It is readily understood that this embodiment supports the selection of an authentication service network element in the scenario where the terminal accesses the first network using the first access mode.

BRIEF DESCRIPTION OF THE DRAWINGS

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are provided only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present application. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

FIG. 1A is a schematic architecture diagram of a wireless communication system provided in an embodiment of the present application;

FIG. 1B is a schematic diagram of the relationship between network elements under the first access mode in the present application;

FIG. 2 is a schematic flowchart of an access control method according to an embodiment of the present application;

FIG. 3 is a schematic flowchart of an access control method according to another embodiment of the present application;

FIG. 4 is a schematic flowchart of an access control method according to yet another embodiment of the present application;

FIG. 5 is a schematic flowchart of an access control method according to yet another embodiment of the present application;

FIG. 6 is a flowchart of the service authentication indication process in application scenario 1 of an embodiment of the present application;

FIG. 7 is a flowchart of the service selection process in application scenario 2 of an embodiment of the present application;

FIG. 8 is a flowchart of the service selection process in application scenario 3 of an embodiment of the present application;

FIG. 9 is a structural diagram of an access control apparatus according to an embodiment of the present application;

FIG. 10 is a structural diagram of another access control apparatus according to an embodiment of the present application;

FIG. 11 is a structural diagram of another access control apparatus according to an embodiment of the present application;

FIG. 12 is a structural diagram of another access control apparatus according to an embodiment of the present application;

FIG. 13 is a structural diagram of a communication device according to an embodiment of the present application.

DETAILED DESCRIPTION

The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.

The terms "first", "second" and the like in the specification and claims of the present application are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that the data so used are interchangeable under appropriate circumstances, so that the embodiments of the present application can be implemented in orders other than those illustrated or described here. The objects distinguished by "first" and "second" are generally of one type, and the number of objects is not limited; for example, a first object may be one object or several. In addition, "and/or" in the specification and claims denotes at least one of the connected objects, and the character "/" generally denotes an "or" relationship between the objects before and after it.

FIG. 1A shows a block diagram of a wireless communication system to which an embodiment of the present application can be applied. The wireless communication system includes a terminal 11 and a network-side device 12. The terminal 11 may include a relay that supports terminal functions and/or a terminal that supports relay functions. The terminal 11 may also be referred to as a terminal device or User Equipment (UE). The terminal 11 may be a terminal-side device such as a mobile phone, a tablet personal computer, a laptop computer (also called a notebook computer), a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), a handheld computer, a netbook, an Ultra-Mobile Personal Computer (UMPC), a Mobile Internet Device (MID), a wearable device, a vehicle-mounted device (Vehicle User Equipment, VUE) or a pedestrian terminal (Pedestrian User Equipment, PUE); wearable devices include bracelets, headsets, glasses and the like. It should be noted that the specific type of the terminal 11 is not limited in the embodiments of the present application. The network-side device 12 may be a base station or a core network. The base station may be referred to as a Node B, an evolved Node B, an access point, a Base Transceiver Station (BTS), a radio base station, a radio transceiver, a Basic Service Set (BSS), an Extended Service Set (ESS), a B node, an evolved B node (eNB), a home B node, a home evolved B node, a WLAN access point, a WiFi node, a Transmitting Receiving Point (TRP) or some other suitable term in the field. As long as the same technical effect is achieved, the base station is not limited to a specific technical term. It should be noted that in the embodiments of the present application only the base station of an NR system is taken as an example, but the specific type of base station is not limited.

In some communication scenarios, a communication device needs to access a network for which it holds no credentials. For example, when a Standalone Non-Public Network (SNPN) is deployed, the UE may not yet have a certificate and a UE identifier usable for accessing the SNPN: an SNPN deployed in a factory and a terminal just purchased on the market, or an SNPN deployed at a concert venue and the terminals of the audience.

So that such a UE can obtain a certificate and a UE identifier for accessing the SNPN, the UE can access some network (hereinafter referred to as the first network) and download the certificate for accessing the SNPN. For example, the UE accesses the first network, establishes a data channel, connects to a configuration server through that data channel and downloads the SNPN certificate from the configuration server; or the UE accesses the first network and a control network element of the first network downloads the SNPN certificate from the configuration server on behalf of the UE.

Accessing the first network in order to download a certificate for accessing a second network may be called onboarding. The first network and the second network may be the same network.

When the UE does not hold a certificate of the first network, the first network needs to authenticate the UE before it can download a certificate for the UE or establish a data channel for downloading the certificate. The UE may hold a default certificate; in that case, the first network can request a Default Credential Server (DCS) to authenticate the UE holding the default certificate. The DCS can authenticate the UE directly or request another entity to authenticate the UE.

This type of authentication is analogous to the authentication of a UE roaming into another network, but differs from UE roaming authentication.

- In the roaming case, the AMF of the network visited by the UE selects, for the UE, the authentication server of the UE's home network (the home Authentication Server Function, home AUSF) and requests the home AUSF to authenticate the UE.

- In the onboarding mode, as shown in FIG. 1B, the AMF of the first network can select, for the UE, an authentication proxy server in the first network that the UE accesses (for example, an Authentication Server Function (AUSF), or an AAA (Authentication, Authorization, Accounting) server proxy), and the authentication proxy server requests the Default Credential Server (DCS) in another network to authenticate the UE. When the default certificate held by the UE is a certificate of a communication network (such as a 3GPP network), the DCS may be the home AUSF of the UE's home network. The NRF stores the relationships between network elements and can be invoked to query network elements.

A UE holding a Public Land Mobile Network (PLMN) certificate can: 1) roam into another PLMN using the PLMN certificate; 2) access an SNPN using the PLMN certificate; 3) onboard to the first network for default certificate authentication. For method 1), the AMF of the network the UE accesses contacts the AUSF of the UE's home network. For method 3), the AMF of the network the UE accesses contacts the authentication proxy server of that access network (such as an AUSF or an AAA server proxy), and the authentication proxy server contacts the home AUSF of the UE. For method 2), either the authentication structure of method 1) or that of method 3) may be used.

To support the authentication structure of method 3), the following problem also has to be solved:

Problem 1: At present, the AUSF to which the AMF connects is selected by the AMF according to the Home Network Identifier in the Subscription Permanent Identifier (SUPI) provided by the UE, or according to the AUSF Group ID associated with the SUPI. In the onboarding architecture, however, the AMF of the first network needs to select an AUSF in the first network for the UE, and that AUSF then selects the AUSF of the UE's home network for the UE. The AUSF of the first network is unrelated to the UE and unrelated to the UE's SUPI. How to have UEs of different access types select different AUSFs is therefore a problem to be solved.
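As an added illustration of Problem 1 (example code, not the patent's own), the following Python places the existing SUPI-driven AUSF selection next to the onboarding rule that deliberately ignores the MCC, MNC and realm carried in the UE's identifier and instead uses a locally configured onboarding AUSF group. The SUPI formats, the configuration tables and all hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed identifier formats: IMSI-form SUPI "imsi-<MCC><MNC><MSIN>" (MNC assumed
# to be 2 digits here) and NAI-form SUPI "<user>@...mnc<MNC>.mcc<MCC>.3gppnetwork.org".
IMSI_RE = re.compile(r"^imsi-(\d{3})(\d{2})\d{9,10}$")
NAI_RE = re.compile(r"^[^@]+@(?:[\w-]+\.)*mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


@dataclass(frozen=True)
class Registration:
    """What the AMF knows about one registering UE (constructed model)."""
    supi: str
    first_access_mode: bool = False       # onboarding indication (first information)
    ausf_group_id: Optional[str] = None   # AUSF group ID associated with the SUPI, if any


@dataclass(frozen=True)
class AmfConfig:
    """Locally configured selection tables of the AMF (constructed model)."""
    ausf_by_home_network: Dict[Tuple[str, str], str]  # (MCC, MNC) -> AUSF instance
    ausf_by_group: Dict[str, str]                     # group ID -> AUSF instance
    onboarding_ausf_group_id: str                     # first-type group ID (second information)


def home_network_id(supi: str) -> Optional[Tuple[str, str]]:
    """Return (MCC, MNC as 3 digits) parsed from the SUPI, or None if unparseable."""
    m = IMSI_RE.match(supi)
    if m:
        return m.group(1), m.group(2).zfill(3)
    m = NAI_RE.match(supi)
    if m:
        return m.group(2), m.group(1)
    return None


def select_ausf(reg: Registration, cfg: AmfConfig) -> Tuple[str, str]:
    """Pick the AUSF instance the AMF should contact and report which rule fired."""
    if reg.first_access_mode:
        # Onboarding: the MCC/MNC/realm in the UE's identifier belong to the
        # credential holder, not to the first network, so they must not drive
        # the choice. Use the first network's own onboarding AUSF group instead.
        try:
            return cfg.ausf_by_group[cfg.onboarding_ausf_group_id], "onboarding-group"
        except KeyError:
            raise LookupError("no AUSF configured for the onboarding group") from None
    # Existing rule, first branch: a group ID already associated with the SUPI.
    if reg.ausf_group_id is not None and reg.ausf_group_id in cfg.ausf_by_group:
        return cfg.ausf_by_group[reg.ausf_group_id], "supi-group"
    # Existing rule, second branch: the home network identifier inside the SUPI.
    hn = home_network_id(reg.supi)
    if hn is None or hn not in cfg.ausf_by_home_network:
        raise LookupError(f"no AUSF known for the home network of {reg.supi}")
    return cfg.ausf_by_home_network[hn], "home-network"


# Constructed configuration of a first network's AMF.
CONFIG = AmfConfig(
    ausf_by_home_network={
        ("208", "001"): "ausf-home-208001.example",
        ("310", "410"): "ausf-home-310410.example",
    },
    ausf_by_group={
        "grp-a": "ausf-grp-a.example",
        "onb-grp": "ausf-onboarding-proxy.first-net.example",
    },
    onboarding_ausf_group_id="onb-grp",
)


def demo() -> Dict[str, Tuple[str, str]]:
    """Three constructed registrations: roaming, SUPI-bound group, and onboarding."""
    cases = {
        "roaming": Registration("imsi-208010123456789"),
        "grouped": Registration("user1@mnc410.mcc310.3gppnetwork.org", ausf_group_id="grp-a"),
        # Same home realm as a roaming UE, but the onboarding indication wins.
        "onboarding": Registration("dev42@mnc410.mcc310.3gppnetwork.org", first_access_mode=True),
    }
    return {name: select_ausf(reg, CONFIG) for name, reg in cases.items()}


if __name__ == "__main__":
    for name, (ausf, rule) in demo().items():
        print(f"{name:>10}: {ausf} (rule: {rule})")
```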

In the embodiments of the present application, optionally, "obtaining" may be understood as obtaining from configuration, receiving, receiving after a request, obtaining through self-learning, deriving from information that was not received, or obtaining after processing received information; the specific manner can be determined according to actual needs and is not limited in the embodiments of the present application. For example, when a certain capability indication that a device would send is not received, it can be derived that the device does not support that capability.

Optionally, "sending" may include broadcasting, broadcasting in a system message, and returning in response to a request.

In an embodiment of the present application, "non-public network" is used in its short form. A non-public network may also be referred to as a non-public communication network. A non-public network may be deployed in at least one of the following ways: a physical non-public network, a virtual non-public network, or a non-public network implemented over a public network. In one implementation, the non-public network is a Closed Access Group (CAG). A CAG may consist of a group of terminals.

In an embodiment of the present application, "non-public network service" is used in its short form. A non-public network service may also be referred to as a network service of a non-public network, a non-public communication service, a non-public network communication service, or by another name. It should be noted that the naming is not specifically limited in the embodiments of the present invention. In one implementation, the non-public network is a closed access group, in which case the non-public network service is the network service of the closed access group.

In an embodiment of the present application, a non-public network may include, or be referred to as, a private network. A private network may be referred to as one of the following: a private communication network, a private network, a Local Area Network (LAN), a Private Virtual Network (PVN), an isolated communication network, a dedicated communication network, or another name. It should be noted that the naming is not specifically limited in the embodiments of the present invention.

In an embodiment of the present application, "public network" is used in its short form. A public network may be referred to as a public communication network or by another name. It should be noted that the naming is not specifically limited in the embodiments of the present invention.

In an optional embodiment of the present application, the authentication service includes initiating an authentication request for the terminal towards an authentication server (such as a DCS or a home AUSF). The authentication service network element may be an authentication proxy that provides authentication services for the terminal. Optionally, the authentication service network element may include, but is not limited to, one of the following: an AUSF, an AAA proxy.

In an optional embodiment of the present application, the indication information of the first access mode is used to indicate at least one of the following: accessing the first network in order to download a certificate for accessing a second network; accessing the first network without holding a certificate capable of accessing the first network; an access mode in which only restricted services can be used; and that the certificate with which the terminal accesses the first network is a default certificate.

In an optional embodiment of the present application, "the certificate with which the terminal accesses the first network is a default certificate" means that, when the terminal accesses the first network, the certificate corresponding to the terminal identifier provided to the first network is a default certificate. In one implementation, the default certificate is not a certificate of the first network.

Optionally, the first network and the second network are the same network or different networks.

In an optional embodiment of the present application, the network type of the first network may include, but is not limited to, one of the following: a public network (such as a PLMN), a standalone non-public network (such as an NPN), and a public-network-integrated non-public network (such as a PNI-NPN).

In an optional embodiment of the present application, not holding a certificate capable of accessing the first network includes not holding a certificate capable of accessing the non-restricted services of the first network.

1) In one implementation, the terminal directly holds a certificate of network B, and the terminal can be regarded as holding a certificate capable of accessing network B.

2) In another implementation, there is an agreement (such as a roaming agreement) between service provider A (including network A) and network B that allows A's terminals to access network B and use its network services. In this case, A's terminal can be regarded as holding a certificate capable of accessing network B, namely A's certificate. Here, when a terminal of service provider A or a terminal of network B accesses network B, the access can be regarded as access to non-restricted services.

3) In another implementation, a terminal of service provider C (including network C) accesses network B in order to download a certificate for accessing network B, and the C certificate held by the terminal allows network B to request the authentication server in C to verify the terminal. In this case, the C certificate held by the terminal is not a certificate capable of accessing network B, but a certificate with which network B can verify the terminal; it is generally called a default certificate. Here, when the terminal of service provider C accesses network B, the access can be regarded as access to restricted services.

In an optional embodiment of the present application, the authentication provider is a provider capable of verifying a terminal that holds a default certificate. In one implementation, the authentication provider does not include the home network of the terminal in a roaming scenario.

In an optional embodiment of the present application, the information of the authentication provider of the terminal includes at least one of the following: the network identifier of the network corresponding to the terminal's default certificate, the network identifier in the terminal identifier corresponding to the terminal's default certificate, the network identifier of the terminal's home network, index information of the default certificate verification provider, and index information of the DCS. It is readily understood that the certificate of the terminal corresponds to the identifier of the terminal, so the information of the terminal's authentication provider can be carried in the terminal identifier.

In an optional embodiment of the present application, the first identifier of the terminal includes one of the following: the terminal identifier corresponding to the terminal's default certificate, or the terminal identifier of the terminal in the DCS.

In one implementation, the identifier of the terminal's home network is the network identifier in the terminal identifier corresponding to the terminal's default certificate. In another implementation, the identifier of the terminal's home network is the identifier of the verification provider's network.

Optionally, the DCS is a device of the terminal's authentication provider. When the DCS includes the AUSF to which the terminal belongs, the first identifier of the terminal is the terminal identifier in the home network. In that case, the index information of the default certificate verifier, or the index information of the DCS, is the identifier of the terminal's home network.

In an optional embodiment of the present application, the home network may be the network corresponding to the terminal's default certificate. In one implementation, the home AUSF is the AUSF in the home network, the home NRF is the NRF in the home network, and other home network elements are network elements in the home network.

In an optional embodiment of the present application, the first type of network identifier includes a first type of home network identifier, and the first type of home network identifier includes: a home network identifier used for the first access mode.

In another optional embodiment of the present application, the first type of network identifier may be one of the following: the network identifier of the authentication provider, the network identifier corresponding to the terminal's default certificate, or the network identifier in the terminal identifier corresponding to the terminal's default certificate.

In an optional embodiment of the present application, the communication device may include at least one of the following: a communication network element and a terminal.

In an embodiment of the present application, the communication network element may include at least one of the following: a core network element and a radio access network element.

In the embodiments of the present application, the core network element (CN element) may include, but is not limited to, at least one of the following: a core network device, a core network node, a core network function, a core network element, a Mobility Management Entity (MME), an Access and Mobility Management Function (AMF), a Network Repository Function (NRF), a Session Management Function (SMF), a User Plane Function (UPF), a Serving Gateway (SGW), a PDN Gateway (PDN GW), a Policy Control Function (PCF), a Policy and Charging Rules Function (PCRF), a Serving GPRS Support Node (SGSN), a Gateway GPRS Support Node (GGSN), Unified Data Management (UDM), a Unified Data Repository (UDR), a Home Subscriber Server (HSS) and an Application Function (AF).

The access control method of the embodiments of the present application is described below.

Referring to FIG. 2, an embodiment of the present application provides an access control method applied to a first communication device; the first communication device includes an AMF. Optionally, the first communication device is a communication device in the first network. As shown in FIG. 2, the method includes:

Step 21: obtaining first information and/or second information.

The first information includes, but is not limited to, at least one of the following: indication information of the first access mode, a first type of routing indicator, and a first type of network identifier. The second information includes, but is not limited to, at least one of the following: a first type of routing indicator, a first type of network identifier, a first type of group identifier, and identification information of the terminal.

Optionally, the first type of group identifier includes: a group identifier of an authentication service network element that provides authentication services to terminals using the first access mode.

Optionally, the first type of network identifier includes: a network identifier used for the first access mode.

Optionally, the first type of routing indicator includes: a routing indicator used for the first access mode.

In one implementation, the first information may be received from the terminal. The first information may be carried in an identifier of the terminal (such as a SUCI or a SUPI) when sent.

In another implementation, the second information may be obtained from the local configuration of the first communication device.

The identification information of the terminal may include at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal.

1) The first identifier of the terminal contains information of the terminal's authentication provider. The authentication provider is a provider capable of verifying a terminal holding a default certificate, or a provider capable of authenticating the terminal (such as the terminal's home network, or the network corresponding to the terminal's default certificate). In one implementation, the authentication provider does not include the home network of the terminal in a roaming scenario.

所述终端的认证提供方的信息包括以下至少一项:终端的默认证书对应网络的网络标识,终端的默认证书对应的终端的标识中的网络标识,终端的归属网络的网络标识,默认证书验证提供方的索引信息,DCS的索引信息。不难理解。终端的证书与终端的标识对应。所述终端的认证提供方的信息可以包含在终端的标识中。The information of the authentication provider of the terminal includes at least one of the following: the network identifier of the network corresponding to the default certificate of the terminal, the network identifier in the identifier of the terminal corresponding to the default certificate of the terminal, the network identifier of the home network of the terminal, the index information of the default certificate verification provider, and the index information of the DCS. It is not difficult to understand. The certificate of the terminal corresponds to the identifier of the terminal. The information of the authentication provider of the terminal can be included in the identifier of the terminal.

所述终端的第一标识包括以下之一:终端的默认证书对应的终端标识,或者终端在DCS中的终端标识。The first identifier of the terminal includes one of the following: a terminal identifier corresponding to a default certificate of the terminal, or a terminal identifier of the terminal in the DCS.

可选的,DCS是终端的认证提供方中的设备。当DCS包括终端归属的AUSF时,所述终端的第一标识为终端在归属网络中的终端标识。此时,默认证书验证方的索引信息或DCS的索引信息为终端的归属网络的标识。Optionally, the DCS is a device in the authentication provider of the terminal. When the DCS includes the AUSF to which the terminal belongs, the first identifier of the terminal is the terminal identifier of the terminal in the home network. At this time, the index information of the default certificate verifier or the index information of the DCS is the identifier of the home network of the terminal.

2)所述终端的第二标识包含第一类型的网络标识和/或第一类型的路由指示;2) The second identifier of the terminal includes a first type of network identifier and/or a first type of routing indication;

3)所述终端的第三标识中包含终端的认证提供方的信息、第一类型的网络标识和/或第一类型的路由指示。3) The third identifier of the terminal includes information of an authentication provider of the terminal, a first type of network identifier and/or a first type of routing indication.

不难理解,根据终端的第二标识或根据终端的第三标识,可以确定第一类型的网络标识和/或第一类型的路由指示。It is not difficult to understand that the first type of network identifier and/or the first type of routing indication can be determined according to the second identifier of the terminal or according to the third identifier of the terminal.

1)一种实施方式中,可发送终端的第一标识和第一类型的网络标识。1) In one implementation, a first identifier of the terminal and a first type of network identifier may be sent.

2)另一种实施方式中,可发送终端的第一标识和第一类型的路由指示。2) In another implementation, a first identifier of the terminal and a first type of routing indication may be sent.

3)另一种实施方式中,可发送终端的第一标识和终端的第二标识。3) In another implementation, the first identifier of the terminal and the second identifier of the terminal may be sent.

4)另一种实施方式中,可发送终端的第三标识。4) In another implementation, a third identifier of the terminal may be sent.

Step 22: Perform a first operation according to the first information and/or the second information.

The first operation may include at least one of the following:

selecting a first authentication service network element;

determining a first-type group identifier, a first-type routing indicator, information about the service provider, and/or a first-type network identifier;

requesting discovery of an authentication service network element according to the first-type group identifier, the first-type routing indicator, the first-type network identifier, the information about the service provider, and/or the indication information of the first access mode.

Optionally, the indication information of the first access mode may indicate at least one of the following: an access mode in which the first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without credentials that grant access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials.

Optionally, the first network and the second network are the same network or different networks.

In one implementation, the indication information of the first access mode includes a first registration type. The first registration type may indicate at least one of the following: a registration mode in which the terminal registers with the first network in order to download credentials for accessing a second network, and a registration mode in which the terminal registers with the first network without credentials that grant access to the first network.

Optionally, credentials that grant access to the first network include credentials that grant access to the unrestricted services of the first network. Correspondingly, lacking credentials that grant access to the first network includes lacking credentials that grant access to the unrestricted services of the first network.

1) In one implementation, the terminal directly holds credentials of network B, and the terminal can then be regarded as holding credentials that grant access to network B.

2) In another implementation, an agreement (such as a roaming agreement) exists between service provider A (including network A) and network B that allows A's terminals to access network B and use its network services. In that case, A's terminals can be regarded as holding credentials that grant access to network B, namely A's credentials. Here, when terminals of service provider A and terminals of network B access network B, the services accessed can be regarded as unrestricted services.

3) In another implementation, a terminal of service provider C (including network C) accesses network B in order to download credentials for accessing network B. The C credentials held by the terminal allow network B to ask the authentication server in C to verify the terminal. In this case, the C credentials held by the terminal are not credentials that grant access to network B; they are credentials that network B can use to have the terminal verified, and are generally called default credentials. Here, when a terminal of service provider C accesses network B, the services accessed can be regarded as restricted services.

Optionally, the first authentication service network element includes at least one of the following: an authentication service network element that provides authentication services to terminals using the first access mode, and an authentication service network element that provides authentication services to terminals holding default credentials.

In one implementation, the authentication service includes initiating an authentication request for the terminal towards an authentication server (such as the DCS or the home AUSF).

In the embodiments of this application, requesting discovery of an authentication service network element according to the first-type group identifier, the first-type routing indicator, the first-type network identifier, or the indication information of the first access mode may include at least one of the following:

sending the first-type group identifier to a first target entity, where the first target entity uses the first-type group identifier to discover an authentication service network element matching that group identifier;

sending the indication information of the first access mode to the first target entity, where the first target entity uses the indication information of the first access mode to discover an authentication service network element matching that indication information;

sending the first-type routing indicator to the first target entity, where the first target entity uses the first-type routing indicator to discover an authentication service network element matching that routing indicator;

sending the first-type network identifier to the first target entity, where the first target entity uses the first-type network identifier to discover an authentication service network element matching that network identifier.

Optionally, the first target entity may include: a network element responsible for looking up network elements in the network, such as a Network Repository Function (NRF).

Optionally, the authentication service network element may include, but is not limited to, one of the following: an AUSF or an AAA proxy. In one implementation, the authentication service network element may be an authentication proxy that provides authentication services to the terminal.

In one implementation, AUSF discovery may be requested from the NRF using an AUSF group identifier dedicated to the first access mode.

Optionally, obtaining the first information may include: obtaining the first information from the terminal. And/or, obtaining the second information may include: obtaining the second information according to the configuration on the first communication device.

Optionally, obtaining the first information and/or the second information may include at least one of the following:

obtaining the indication information of the first access mode from the terminal;

obtaining a first-type group identifier, a first-type routing indicator, or a first-type network identifier according to the configuration on the first communication device.

Further, performing the first operation according to the first information and/or the second information may include:

determining a first-type group identifier, a first-type routing indicator, or a first-type network identifier according to the indication information of the first access mode;

requesting discovery of an authentication service network element according to the first-type group identifier, the first-type routing indicator, and/or the first-type network identifier.

Optionally, obtaining the first information and/or the second information may include at least one of the following:

obtaining a first-type network identifier and/or a first-type routing indicator from the terminal;

obtaining a first-type group identifier according to the configuration on the first communication device.

Further, performing the first operation according to the first information and/or the second information may include:

determining a first-type group identifier according to the first-type network identifier and/or the first-type routing indicator;

requesting discovery of an authentication service network element according to the first-type group identifier.

Optionally, the first operation further includes at least one of the following:

receiving the authentication service network element whose discovery was requested;

deriving a first-type network identifier and/or a first-type routing indicator from the second identifier of the terminal or the third identifier of the terminal;

not sending the second identifier of the terminal to the first authentication service network element or to the discovered authentication service network element;

deriving the first identifier of the terminal from the third identifier of the terminal;

sending the first identifier of the terminal to the first authentication service network element or to the discovered authentication service network element.

It is easy to see that this embodiment supports the selection of an authentication service network element in the scenario where the terminal accesses the first network using the first access mode.
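The two ways of obtaining the information and performing the first operation described above (an access-mode indication from the terminal plus configured identifiers, or first-type values from the terminal mapped to a configured group identifier) can be written out as one decision routine on the first communication device. The following is an added example, not code from the patent or from any AMF or NRF implementation; the indication values, the configuration layout, the query parameter names and the sample values are all constructed assumptions.

```python
# Added example, not from the patent or any 3GPP implementation: how a first
# communication device (the AMF in this scenario) can turn the first information
# received from the terminal plus its locally configured second information into
# the parameters of an authentication service network element discovery request.
# All names, configuration keys and values here are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed values for the "indication information of the first access mode".
ACCESS_ONBOARDING = "download-credentials"     # access to fetch credentials for a second network
ACCESS_NO_CREDENTIALS = "no-credentials"       # no credentials that grant access to this network
ACCESS_RESTRICTED_ONLY = "restricted-only"     # only restricted services can be used
ACCESS_DEFAULT_CREDENTIALS = "default-credentials"
FIRST_ACCESS_INDICATIONS = frozenset({
    ACCESS_ONBOARDING, ACCESS_NO_CREDENTIALS, ACCESS_RESTRICTED_ONLY, ACCESS_DEFAULT_CREDENTIALS,
})


@dataclass
class FirstInformation:
    """First information as received from the terminal (assumed structure)."""
    access_indication: Optional[str] = None   # indication information of the first access mode
    routing_indicator: Optional[str] = None   # first-type routing indicator carried in the identifier
    network_id: Optional[str] = None          # first-type network identifier carried in the identifier


@dataclass
class LocalConfiguration:
    """Second information configured on the first communication device (assumed structure)."""
    onboarding_group_id: str           # group id of the AUSFs serving the first access mode
    onboarding_routing_indicator: str  # first-type routing indicator
    onboarding_network_id: str         # first-type network identifier
    # (network id, routing indicator) -> group id; None acts as a wildcard on either side.
    group_by_route: Dict[Tuple[Optional[str], Optional[str]], str] = field(default_factory=dict)


def lookup_group(cfg: LocalConfiguration, network_id: Optional[str],
                 routing_indicator: Optional[str]) -> Optional[str]:
    """Exact (network id, routing indicator) entry first, then wildcard entries."""
    for key in ((network_id, routing_indicator), (network_id, None), (None, routing_indicator)):
        if key in cfg.group_by_route:
            return cfg.group_by_route[key]
    return None


def determine_discovery_params(info: FirstInformation, cfg: LocalConfiguration) -> Dict[str, str]:
    """Build the query the first communication device sends to the NRF (first target entity).

    Path 1: the terminal sent an indication of the first access mode; the configured
            first-type group identifier, routing indicator and network identifier are used.
    Path 2: the terminal sent first-type values inside its identifier; the configuration
            maps them to a first-type group identifier.
    """
    if info.access_indication is not None:
        if info.access_indication not in FIRST_ACCESS_INDICATIONS:
            raise ValueError(f"unknown access indication: {info.access_indication!r}")
        return {
            "group-id": cfg.onboarding_group_id,
            "routing-indicator": cfg.onboarding_routing_indicator,
            "network-id": cfg.onboarding_network_id,
            "access-mode": info.access_indication,
        }
    if info.network_id is None and info.routing_indicator is None:
        raise ValueError("first information carries nothing to select an authentication service NE by")
    group = lookup_group(cfg, info.network_id, info.routing_indicator)
    if group is None:
        raise LookupError("no first-type group configured for the received route")
    params = {"group-id": group}
    if info.routing_indicator is not None:
        params["routing-indicator"] = info.routing_indicator
    if info.network_id is not None:
        params["network-id"] = info.network_id
    return params


def sample_configuration() -> LocalConfiguration:
    """Constructed configuration used by the demonstration below."""
    return LocalConfiguration(
        onboarding_group_id="ausf-group-onboarding",
        onboarding_routing_indicator="0999",
        onboarding_network_id="snpn-b",
        group_by_route={
            ("snpn-b", "0999"): "ausf-group-onboarding",
            (None, "0777"): "ausf-group-restricted",
        },
    )


if __name__ == "__main__":
    cfg = sample_configuration()
    print(determine_discovery_params(FirstInformation(access_indication=ACCESS_ONBOARDING), cfg))
    print(determine_discovery_params(FirstInformation(routing_indicator="0777"), cfg))
```

The routine rejects an unknown indication value and a route it has no configuration for rather than silently falling back to a default group: an unexpected indication from the terminal should not steer a default-credential registration towards an AUSF group that was never meant to serve it.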

Referring to FIG. 3, an embodiment of this application provides an access control method applied to a second communication device; the second communication device includes a UE. As shown in FIG. 3, the method includes:

Step 31: Send first information.

The first information may include at least one of the following: indication information of a first access mode, a first-type routing indicator, a first-type network identifier, and identification information of the terminal.

The first-type routing indicator includes: a routing indicator used for the first access mode.

The first-type network identifier includes: a network identifier used for the first access mode.

The indication information of the first access mode indicates at least one of the following: an access mode in which the first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without credentials that grant access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials.

The first network and the second network are the same network or different networks.

Optionally, the first information is sent to the first network that the terminal accesses. The mode in which the terminal accesses the first network is the first access mode. The first information may be carried in the terminal's identifier (such as a SUCI or SUPI) when it is sent.

Optionally, sending the first information may include: sending the first information when a first condition is met. The first condition may include at least one of the following:

the purpose of the second communication device accessing the first network is to download credentials for accessing a second network;

the second communication device does not hold credentials that grant access to the first network;

the second communication device can use only restricted services when accessing the first network.

The first network and the second network are the same network or different networks.

In one implementation, the network identifier used for the first access mode is sent in the terminal's Subscription Permanent Identifier (SUPI).

It should be noted that the second communication device not holding credentials that grant access to the first network includes: the second communication device not holding credentials of the first network, or the second communication device not holding credentials of a service provider that is able to access the first network.

Credentials that grant access to the first network may include credentials that grant access to the unrestricted services of the first network. Correspondingly, lacking credentials that grant access to the first network includes lacking credentials that grant access to the unrestricted services of the first network.

1) In one implementation, the terminal directly holds credentials of network B, and the terminal can then be regarded as holding credentials that grant access to network B.

2) In another implementation, an agreement (such as a roaming agreement) exists between service provider A (including network A) and network B that allows A's terminals to access network B and use its network services. In that case, A's terminals can be regarded as holding credentials that grant access to network B, namely A's credentials. Here, when terminals of service provider A and terminals of network B access network B, the services accessed can be regarded as unrestricted services.

3) In another implementation, a terminal of service provider C (including network C) accesses network B in order to download credentials for accessing network B. The C credentials held by the terminal allow network B to ask the authentication server in C to verify the terminal. In this case, the C credentials held by the terminal are not credentials that grant access to network B; they are credentials that network B can use to have the terminal verified, and are generally called default credentials. Here, when a terminal of service provider C accesses network B, the services accessed can be regarded as restricted services.

Optionally, the identification information of the terminal may include at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal.

1) The first identifier of the terminal contains information about the terminal's authentication provider. The authentication provider is a provider able to verify a terminal that holds default credentials, or a provider able to authenticate the terminal (such as the terminal's home network).

The information about the terminal's authentication provider includes at least one of the following: the network identifier of the network to which the terminal's default credentials correspond; the network identifier contained in the terminal identifier to which the terminal's default credentials correspond; the network identifier of the terminal's home network; index information of the default credential verification provider; and index information of the DCS. The information about the terminal's authentication provider may be carried in the terminal's identifier.

It is easy to see that the terminal's credentials correspond to the terminal's identifier. The first identifier of the terminal includes one of the following: the terminal identifier corresponding to the terminal's default credentials, or the terminal's identifier in the DCS.

Optionally, the DCS is a device within the terminal's authentication provider. When the DCS includes the terminal's home AUSF, the first identifier of the terminal is the terminal's identifier in its home network. In that case, the index information of the default credential verifier or the index information of the DCS is the identifier of the terminal's home network.

2) The second identifier of the terminal contains a first-type network identifier and/or a first-type routing indicator.

3) The third identifier of the terminal contains information about the terminal's authentication provider together with a first-type network identifier and/or a first-type routing indicator.

It is easy to see that the first-type network identifier and/or the first-type routing indicator can be determined from the second identifier of the terminal or from the third identifier of the terminal.

1) In one implementation, the first identifier of the terminal and a first-type network identifier may be sent.

2) In another implementation, the first identifier of the terminal and a first-type routing indicator may be sent.

3) In another implementation, the first identifier of the terminal and the second identifier of the terminal may be sent.

4) In another implementation, the third identifier of the terminal may be sent.

Optionally, before the step of sending the first information, the method may further include at least one of the following:

generating the second identifier of the terminal, that is, setting the routing indicator in the terminal's identifier to the first-type routing indicator and/or setting the home network identifier in the terminal's identifier to the first-type network identifier;

generating the third identifier of the terminal, that is, adding the first-type network identifier and/or the first-type routing indicator to the terminal's identifier.

In one implementation, the operation of generating the second identifier and/or the third identifier of the terminal is performed when the first condition is met. The first condition is as described above and is not repeated here.

It is easy to see that this embodiment supports the selection of an authentication service network element in the scenario where the terminal accesses the first network using the first access mode.
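The generation of the second and third identifiers on the terminal side, gated on the first condition, and the matching derivation on the network side (recovering the first-type values from either identifier and stripping the third identifier back to the first identifier before forwarding it, as listed among the first operations earlier) fit in one small routine set. This is an added example, not code from the patent or from any UE or core network implementation; the identifier layout, the field names and the sample values are constructed assumptions loosely modelled on the home-network, routing-indicator and subscriber parts of a SUPI.

```python
# Added example, not from the patent: how a terminal (second communication device)
# can build the second and third identifiers from its first identifier when the
# first condition holds, and how the network side recovers the first-type values
# and the first identifier again. Identifier layout and values are constructed.
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class TerminalIdentifier:
    home_network_id: str        # network identifier of the authentication provider (e.g. a DCS index)
    routing_indicator: str      # routing indicator of the authentication provider
    subscriber_id: str          # subscriber part, constructed
    # Present only in a third identifier: first-type values added next to the provider's own.
    added_network_id: Optional[str] = None
    added_routing_indicator: Optional[str] = None


@dataclass
class AccessContext:
    """What the terminal knows about its own access to the first network (assumed)."""
    purpose_is_credential_download: bool = False
    has_credentials_for_network: bool = True
    restricted_services_only: bool = False


def first_condition_met(ctx: AccessContext) -> bool:
    """The first condition: any one of the three situations listed above holds."""
    return (ctx.purpose_is_credential_download
            or not ctx.has_credentials_for_network
            or ctx.restricted_services_only)


def generate_second_identifier(first_id: TerminalIdentifier, ft_network_id: Optional[str],
                               ft_routing_indicator: Optional[str], ctx: AccessContext) -> TerminalIdentifier:
    """Second identifier: the routing indicator and/or home network identifier are overwritten
    with the first-type values, so the provider information is no longer recoverable from it."""
    if not first_condition_met(ctx):
        return first_id
    return replace(
        first_id,
        home_network_id=ft_network_id if ft_network_id is not None else first_id.home_network_id,
        routing_indicator=ft_routing_indicator if ft_routing_indicator is not None else first_id.routing_indicator,
    )


def generate_third_identifier(first_id: TerminalIdentifier, ft_network_id: Optional[str],
                              ft_routing_indicator: Optional[str], ctx: AccessContext) -> TerminalIdentifier:
    """Third identifier: the provider information is kept and the first-type values are added."""
    if not first_condition_met(ctx):
        return first_id
    return replace(first_id, added_network_id=ft_network_id, added_routing_indicator=ft_routing_indicator)


def derive_first_type_values(identifier: TerminalIdentifier) -> Tuple[Optional[str], Optional[str]]:
    """Network side: first-type (network identifier, routing indicator) from a second or third identifier."""
    if identifier.added_network_id is not None or identifier.added_routing_indicator is not None:
        return identifier.added_network_id, identifier.added_routing_indicator
    return identifier.home_network_id, identifier.routing_indicator


def derive_first_identifier(third_id: TerminalIdentifier) -> TerminalIdentifier:
    """Network side: strip the added first-type fields so only the first identifier, the one the
    authentication provider understands, is forwarded to the authentication service network element."""
    return replace(third_id, added_network_id=None, added_routing_indicator=None)


if __name__ == "__main__":
    first = TerminalIdentifier("snpn-c", "0012", "0123456789")          # constructed
    ctx = AccessContext(has_credentials_for_network=False)
    third = generate_third_identifier(first, "snpn-b", "0999", ctx)
    print(derive_first_type_values(third), derive_first_identifier(third) == first)
```

The asymmetry between the two identifiers is the point worth noticing: a second identifier routes the request to the right authentication service network element but discards the provider information, which is why the first operation above forwards only the first identifier to that network element and never the second.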

Referring to FIG. 4, an embodiment of this application provides an access control method applied to a third communication device; the third communication device includes an NRF. Optionally, the third communication device is a communication device in the first network. As shown in FIG. 4, the method includes:

Step 41: Obtain third information and/or fourth information.

Optionally, the third information may include at least one of the following: a first-type group identifier, a first-type routing indicator, a first-type network identifier, information about an authentication provider, and indication information of the first access mode.

Optionally, the fourth information indicates the affiliation of an authentication service network element. The fourth information may include at least one of the following: the routing indicator supported by the authentication service network element; the network identifier of the network to which it belongs; the group identifier of the group to which it belongs; the access modes it supports; the authentication service types it supports; and information about the authentication providers it supports, where such an authentication provider is able to authenticate terminals holding default credentials.

Optionally, the indication information of the first access mode may indicate at least one of the following: an access mode in which the first network is accessed in order to download credentials for accessing a second network; an access mode in which the first network is accessed without credentials that grant access to the first network; an access mode in which only restricted services can be used; and that the credentials with which the terminal accesses the first network are default credentials.

Optionally, the first network and the second network are the same network or different networks.

Optionally, the first-type routing indicator includes: a routing indicator used for the first access mode.

In one implementation, the restricted services include a service for downloading credentials that grant access to the network.

Optionally, the first-type group identifier includes: the group identifier of an authentication service network element that provides authentication services to terminals using the first access mode.

In one implementation, the third information may be obtained from the AMF.

In another implementation, the fourth information, that is, the affiliation information of the authentication service network element, may be obtained from the authentication service network element itself (such as an AUSF or an AAA proxy).

Step 42: Perform a third operation according to the third information and/or the fourth information.

The third operation may include at least one of the following:

discovering an authentication service network element that matches the third information, that is, one whose fourth information matches the third information;

sending the discovered authentication service network element.

Here, the authentication service types supported by the authentication service network element include providing authentication services to terminals holding default credentials.

In one implementation, the discovered authentication service network element is sent to a second target entity. The second target entity includes: an AMF. In one implementation, the third information is received from the second target entity.

Optionally, the authentication service network element may include one of the following: an AUSF or an AAA proxy.

In one implementation, the authentication service network element matching the third information is the first authentication service network element. The first authentication service network element includes: an authentication service network element that provides authentication services to terminals using the first access mode.

In one implementation, the first-type group identifier includes one of the following: an AUSF Group ID or an AAA proxy group ID.

In one implementation, AUSF discovery may be requested from the NRF.

Optionally, in the operation of discovering an authentication service network element that matches the third information: when the third information includes the indication information of the first access mode, the access mode supported by the discovered authentication service network element is the first access mode; or, when the third information includes a first-type routing indicator, the routing indicator supported by the discovered authentication service network element is that first-type routing indicator; or, when the third information includes a first-type network identifier, the network identifier of the network to which the discovered authentication service network element belongs is that first-type network identifier; or, when the third information includes a first-type group identifier, the group identifier of the group to which the discovered authentication service network element belongs is that first-type group identifier; or, when the third information includes information about an authentication provider, the authentication provider information supported by the discovered authentication service network element includes the authentication provider information in the third information.

Alternatively, the discovered authentication service network element satisfies at least one of the following:

the routing indicator it supports is a first-type routing indicator;

the network identifier of the network to which it belongs is a first-type network identifier;

the group identifier of the group to which it belongs is a first-type group identifier;

the access mode it supports is the first access mode;

the authentication service type it supports is providing authentication services to terminals holding default credentials.

It is easy to see that this embodiment supports the selection of an authentication service network element in the scenario where the terminal accesses the first network using the first access mode.
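The matching rule of step 42 (every criterion present in the third information must be satisfied by the registered fourth information of a candidate) is the core of what the NRF does in this embodiment. The following is an added example, not code from the patent or from any NRF implementation; the profile layout, the request fields, the access-mode and service-type labels and the sample registry are constructed assumptions. It goes slightly beyond the text in that a request may carry any combination of criteria, including none, and the same comparison handles all of them.

```python
# Added example, not from the patent or any NRF implementation: the matching rule of
# step 42, in which an NRF (third communication device) compares the third information
# received from the AMF against the fourth information that each authentication
# service network element registered. Profiles, field names and the registry are
# constructed assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed labels for access modes and authentication service types.
ACCESS_FIRST_MODE = "download-credentials"              # the first access mode
ACCESS_NORMAL = "normal"
SERVICE_DEFAULT_CREDENTIALS = "auth-default-credentials"  # authenticating terminals with default credentials
SERVICE_PRIMARY = "auth-primary"


@dataclass(frozen=True)
class AuthServiceProfile:
    """Fourth information registered by an AUSF or AAA proxy (assumed structure)."""
    nf_instance_id: str
    routing_indicators: FrozenSet[str]
    network_id: str
    group_id: Optional[str]
    access_modes: FrozenSet[str]
    service_types: FrozenSet[str]
    authentication_providers: FrozenSet[str]  # providers able to authenticate default-credential terminals


@dataclass
class DiscoveryRequest:
    """Third information from the AMF (assumed structure); criteria left as None are not checked."""
    group_id: Optional[str] = None
    routing_indicator: Optional[str] = None
    network_id: Optional[str] = None
    authentication_provider: Optional[str] = None
    access_mode: Optional[str] = None
    service_type: Optional[str] = None


def profile_matches(profile: AuthServiceProfile, req: DiscoveryRequest) -> bool:
    """A profile matches when every criterion present in the request is satisfied by it."""
    checks = [
        (req.group_id, lambda: profile.group_id == req.group_id),
        (req.routing_indicator, lambda: req.routing_indicator in profile.routing_indicators),
        (req.network_id, lambda: profile.network_id == req.network_id),
        (req.authentication_provider, lambda: req.authentication_provider in profile.authentication_providers),
        (req.access_mode, lambda: req.access_mode in profile.access_modes),
        (req.service_type, lambda: req.service_type in profile.service_types),
    ]
    return all(check() for value, check in checks if value is not None)


def discover(registry: List[AuthServiceProfile], req: DiscoveryRequest) -> List[str]:
    """Return the instance ids of the matching authentication service network elements, in registry order."""
    return [p.nf_instance_id for p in registry if profile_matches(p, req)]


def sample_registry() -> List[AuthServiceProfile]:
    """Constructed registry: one AUSF for network B's own subscribers, one dedicated to the first access mode."""
    return [
        AuthServiceProfile("ausf-1", frozenset({"0001"}), "snpn-b", "ausf-group-home",
                           frozenset({ACCESS_NORMAL}), frozenset({SERVICE_PRIMARY}), frozenset()),
        AuthServiceProfile("ausf-2", frozenset({"0999"}), "snpn-b", "ausf-group-onboarding",
                           frozenset({ACCESS_FIRST_MODE}), frozenset({SERVICE_DEFAULT_CREDENTIALS}),
                           frozenset({"snpn-c", "provider-d"})),
    ]


if __name__ == "__main__":
    print(discover(sample_registry(), DiscoveryRequest(group_id="ausf-group-onboarding")))
    print(discover(sample_registry(), DiscoveryRequest(access_mode=ACCESS_FIRST_MODE,
                                                       authentication_provider="snpn-c")))
```

Note that a request carrying only the network identifier returns both instances, since both belong to network B; it is the group identifier, the routing indicator, the access mode or the service type that narrows the answer to the element dedicated to the first access mode, which is why the first communication device sends at least one of those.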

Referring to FIG. 5, an embodiment of the present application provides an access control method applied to a fourth communication device; the fourth communication device includes an AUSF. Optionally, the fourth communication device is a communication device in the first network. As shown in FIG. 5, the method includes:

Step 51: Send fourth information.

The fourth information is used to indicate the home information of the authentication service network element. The fourth information may include at least one of the following: a routing indication supported by the authentication service network element, a network identifier of the network to which the authentication service network element belongs, a group identifier to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, and information of an authentication provider supported by the authentication service network element, where the authentication provider is able to authenticate a terminal that has default credentials.

The routing indication supported by the authentication service network element is a routing indication of the first type.

The network identifier of the network to which the authentication service network element belongs is a network identifier of the first type.

The group identifier to which the authentication service network element belongs is a group identifier of the first type.

The access modes supported by the authentication service network element include the first access mode.

The authentication service types supported by the authentication service network element include providing authentication services to terminals with default credentials (for example, acting as an authentication proxy).

The first access mode includes at least one of the following: accessing the first network in order to download credentials for accessing the second network; accessing the first network without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and the credentials with which the terminal accesses the first network being default credentials.

The group identifier of the first type includes: the group identifier of an authentication service network element that provides authentication services to terminals of the first access mode.

The routing indication of the first type includes: a routing indication used for the first access mode.

The network identifier of the first type includes: a network identifier used for the first access mode.

Optionally, sending the fourth information may include: sending the fourth information when a second condition is met, where the second condition includes: the authentication service network element is an authentication service network element that provides authentication services to terminals of the first access mode.

It is not hard to see that this embodiment supports the selection of an authentication service network element in the scenario described above, in which the terminal accesses the first network in the first access mode.

An embodiment of the present application provides an access control method applied to a fifth communication device; the fifth communication device includes at least one of the following: an AMF, an AUSF, a UDM. Optionally, the fifth communication device is a communication device in the first network. The method includes:

performing a fifth operation when a fifth condition is met;

where the fifth operation includes at least one of the following:

not using fifth information to select a network element for the terminal;

where

the fifth condition includes at least one of the following: the terminal is in the first access mode;

the fifth information includes at least one of the following: the user identifier of the terminal, the network identification information in the user identifier of the terminal, and the information in the realm of the user identifier of the terminal.

In one implementation, for a terminal that accesses the network through a non-first access mode, selecting a network device for the terminal according to the information in the terminal's user identifier is the default operation. Therefore, for a terminal that accesses the network through a non-first access mode, an exception operation needs to be performed.

The network identification information in the user identifier of the terminal includes at least one of the following: the MNC in the user identifier of the terminal, the MCC in the user identifier of the terminal, and the network identifier NID in the user identifier of the terminal.

Optionally, before the step of performing the fifth operation when the fifth condition is met, the method further includes: obtaining first information, the first information including at least one of the following: indication information of the first access mode, a routing indication of the first type, and a network identifier of the first type; the second information includes at least one of the following: a network identifier of the first type, a routing indication of the first type, a group identifier of the first type, and identification information of the terminal; where

the indication information of the first access mode is used to indicate at least one of the following: accessing the first network in order to download credentials for accessing the second network; accessing the first network without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and the credentials with which the terminal accesses the first network being default credentials;

the group identifier of the first type includes: the group identifier of an authentication service network element that provides authentication services to terminals of the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode;

the routing indication of the first type includes: a routing indication used for the first access mode;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of the authentication provider of the terminal;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indication of the first type;

the third identifier of the terminal includes information of the authentication provider of the terminal, a network identifier of the first type and/or a routing indication of the first type.

Optionally, after the step of obtaining the first information, it is determined according to the first information that the fifth condition is met.

Optionally, the network element includes at least one of the following: a core network element, an authentication server function AUSF, a unified data management UDM, and a unified data repository UDR.

In one implementation, the network element may be a network device.

The method provided in the embodiments of the present application is described below with reference to specific application scenarios.

Application scenario 1

In application scenario 1, as shown in FIG. 6, the indication process for service authentication may include:

Step 61: The authentication service network element that provides authentication services to terminals of the first access mode (an AUSF is used as the example hereinafter) initiates a registration request, such as Nnrf_NFManagement_NFRegister, to the NRF.

Optionally, the registration request includes fourth information, which is used to indicate the home information of the authentication service network element. The fourth information may include at least one of the following: the network identifier of the network to which the authentication service network element belongs, the group identifier to which the authentication service network element belongs, and the access mode supported by the authentication service network element.

In one implementation, when the network identifier of the network to which the authentication service network element belongs is a home network identifier of the first type, this indicates that the authentication service network element provides authentication services to terminals of the first access mode.

In another implementation, when the group identifier to which the authentication service network element belongs is a group identifier of the first type, this indicates that the authentication service network element provides authentication services to terminals of the first access mode.

Application scenario 2

In application scenario 2, the UE registers with the first network, and the registration type is the first access mode. The first network needs to request the DCS to authenticate the UE. The AMF, NRF and AUSF are communication devices in the first network; the home NRF and home AUSF are devices in the UE's home network, and the home AUSF is one embodiment of the DCS. As shown in FIG. 7, the process of selecting an AUSF may include:

Step 71: The UE initiates a registration request to the AMF, where the registration type of the registration request is the indication information of the first access mode (for example, a first registration type).

Step 72: The AMF performs the AUSF selection operation according to the indication information of the first access mode provided by the UE (for example, the first registration type), including at least one of the following:

(1) selecting a locally configured AUSF for the first access mode;

(2) selecting a locally configured AUSF group identifier (AUSF Group ID) for the first access mode, and requesting the NRF to discover an AUSF according to that AUSF group identifier;

(3) sending the indication information of the first access mode to the NRF in a network function discovery request, such as Nnrf_NFDiscovery_Request, to request discovery of an AUSF that supports the first access mode;

It is not hard to see that, before this, the AUSF must have provided the access modes it supports, such as the first access mode, when registering with the NRF.

(4) sending a network identifier of the first type (Home Network ID) to the NRF in a network function discovery request, such as Nnrf_NFDiscovery_Request;

It is not hard to see that, before this, an AUSF that supports the first access mode must, when registering with the NRF, have provided the network identifier of the network to which the authentication service network element belongs as the network identifier for the first access mode, for example a network identifier dedicated to the first access mode.

(5) sending a group identifier of the first type to the NRF in a network function discovery request, such as Nnrf_NFDiscovery_Request;

It is not hard to see that, before this, an AUSF that supports the first access mode must, when registering with the NRF, have provided the group identifier to which the authentication network element belongs as the identifier for the first access mode, for example the group identifier of an authentication service network element dedicated to the first access mode.

Step 73: The NRF performs a third operation according to the obtained third information and/or fourth information.

The third information may include at least one of the following: a group identifier of the first type, a network identifier of the first type, and indication information of the first access mode. The fourth information is used to indicate the home information of the authentication service network element. The fourth information may include at least one of the following: the network identifier of the network to which the authentication service network element belongs, the group identifier to which the authentication service network element belongs, and the access mode supported by the authentication service network element.

The third operation includes at least one of the following:

discovering an authentication service network element that matches the third information (an AUSF is used as the example hereinafter);

sending the discovered authentication service network element to the AMF.

Step 74: The AMF sends a UE authentication request, such as Nausf_UEAuthentication_Authenticate Request, to the AUSF, where the request may include the first identifier of the terminal (the UE's real first SUCI or first SUPI).

Steps 75 to 78: The AUSF discovers the home AUSF through the NRF and the home NRF according to the first identifier of the terminal, the home network identifier in the first UE identifier, the AUSF group identifier corresponding to the first UE identifier, or the like.

Specifically, in step 75, the AUSF sends a network function discovery request, such as Nnrf_NFDiscovery_Request, to the NRF, where the discovery request may include one of the following: the first identifier of the terminal, the home network identifier (Home Network ID) of the terminal, an AUSF group identifier related to the first identifier of the terminal, and the like.

In step 76, the NRF sends a network function discovery request, such as Nnrf_NFDiscovery_Request, to the home NRF, where the discovery request may include the first identifier of the terminal, the home network identifier in the first UE identifier, the AUSF group identifier corresponding to the first UE identifier, or the like.

In step 77, the home NRF returns a network function discovery response, such as Nnrf_NFDiscovery_Response, to the NRF.

In step 78, the NRF returns a network function discovery response, such as Nnrf_NFDiscovery_Response, to the AUSF.

Step 79: The AUSF initiates a UE authentication request, such as Nausf_UEAuthentication_Authenticate Request, to the home AUSF, where the request includes the generated second SUCI or the first SUPI, the SN-name, the indication information of the first access mode, and so on.

Afterwards, the home AUSF can initiate the authentication procedure towards the UE.
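The registration and discovery exchange of scenarios 1 and 2 (the AUSF registering its "fourth information" with the NRF, and the AMF asking the NRF for an AUSF by "third information" in step 72) can be modelled as a small in-memory NRF. The following is an added example written for this page, not code from the patent or from any 3GPP implementation; the profile field names, the access-mode label "onboarding", the group identifier "ausf-group-onboarding", the routing indicator "7777" and the provider realm "dcs.example" are all constructed assumptions (111 is the example network identifier the page itself gives).

```python
"""Toy NRF for AUSF registration and discovery (added example, not the patent's code).

An AUSF registers its "fourth information" (home network id, group id, routing
indicators, supported access modes, authentication providers); an AMF then asks
the NRF for an AUSF using "third information". Field names, the access-mode label
and the sample values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

FIRST_ACCESS_MODE = "onboarding"   # constructed label for the page's "first access mode"
FIRST_TYPE_NETWORK_ID = "111"      # the page gives 111 as an example first-type network id


@dataclass(frozen=True)
class AusfProfile:
    """Profile an AUSF sends in Nnrf_NFManagement_NFRegister (field names assumed)."""
    nf_instance_id: str
    home_network_id: str
    group_id: Optional[str]
    routing_indicators: FrozenSet[str]
    access_modes: FrozenSet[str]
    auth_providers: FrozenSet[str]
    serves_default_credentials: bool = False


class Nrf:
    """Holds registered profiles and answers discovery requests."""

    def __init__(self) -> None:
        self._profiles: Dict[str, AusfProfile] = {}

    def register(self, profile: AusfProfile) -> None:
        self._profiles[profile.nf_instance_id] = profile

    def discover(self, access_mode: Optional[str] = None,
                 routing_indicator: Optional[str] = None,
                 home_network_id: Optional[str] = None,
                 group_id: Optional[str] = None,
                 auth_provider: Optional[str] = None,
                 default_credentials: Optional[bool] = None) -> List[str]:
        """Return the ids of all profiles that satisfy every criterion supplied.

        The page states one matching rule per criterion; requiring all supplied
        criteria to hold at once (AND) is this example's assumption.
        """
        hits: List[str] = []
        for p in self._profiles.values():
            if access_mode is not None and access_mode not in p.access_modes:
                continue
            if routing_indicator is not None and routing_indicator not in p.routing_indicators:
                continue
            if home_network_id is not None and p.home_network_id != home_network_id:
                continue
            if group_id is not None and p.group_id != group_id:
                continue
            if auth_provider is not None and auth_provider not in p.auth_providers:
                continue
            if default_credentials is not None and p.serves_default_credentials != default_credentials:
                continue
            hits.append(p.nf_instance_id)
        return sorted(hits)


def select_ausf(nrf: Nrf, registration_type: str,
                local_ausf: Optional[str] = None,
                local_group_id: Optional[str] = None) -> Optional[str]:
    """AMF side of step 72, trying the page's options in order:
    (1) a locally configured AUSF, (2) a locally configured group id resolved via
    the NRF, (3) discovery by the first access mode, (4) discovery by the
    first-type network id. Ordinary registrations are out of scope and yield None.
    """
    if registration_type != FIRST_ACCESS_MODE:
        return None
    if local_ausf:
        return local_ausf
    if local_group_id:
        hits = nrf.discover(group_id=local_group_id)
        if hits:
            return hits[0]
    hits = nrf.discover(access_mode=FIRST_ACCESS_MODE) or nrf.discover(home_network_id=FIRST_TYPE_NETWORK_ID)
    return hits[0] if hits else None


def demo_nrf() -> Nrf:
    """Constructed sample deployment: one ordinary AUSF and one onboarding AUSF."""
    nrf = Nrf()
    nrf.register(AusfProfile("ausf-home-1", "mnc001.mcc001", None,
                             frozenset({"0"}), frozenset({"normal"}), frozenset()))
    nrf.register(AusfProfile("ausf-onb-1", FIRST_TYPE_NETWORK_ID, "ausf-group-onboarding",
                             frozenset({"7777"}), frozenset({"normal", FIRST_ACCESS_MODE}),
                             frozenset({"dcs.example"}), serves_default_credentials=True))
    return nrf


if __name__ == "__main__":
    nrf = demo_nrf()
    print(nrf.discover(access_mode=FIRST_ACCESS_MODE))   # ['ausf-onb-1']
    print(select_ausf(nrf, FIRST_ACCESS_MODE))            # ausf-onb-1
```

The point of the model is the one the page makes in steps 61 and 72: an AMF can only find an onboarding-capable AUSF if that AUSF registered the distinguishing attribute (access mode, first-type network identifier or group identifier) in the first place, so the registration profile and the discovery query have to agree on which attribute carries that meaning.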

Application scenario 3

In application scenario 3, the UE registers with the first network and provides the identification information of the terminal. The first network needs to request the DCS to authenticate the UE. The AMF, NRF and AUSF are communication devices in the first network; the home NRF and home AUSF are devices in the UE's home network, and the home AUSF is one embodiment of the DCS. As shown in FIG. 8, the process of selecting an AUSF may include:

Step 81: The UE initiates a registration request to the AMF. Optionally, the registration request contains first information, for example the identification information of the terminal.

The identification information of the terminal may include at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal contains information of the authentication provider of the terminal;

the second identifier of the terminal contains a network identifier of the first type and/or a routing indication of the first type;

the third identifier of the terminal contains information of the authentication provider of the terminal, a network identifier of the first type and/or a routing indication of the first type.

The AMF may perform: deriving a network identifier of the first type and/or a routing indication of the first type according to the second identifier or the third identifier of the terminal;

the network identifier of the first type is a specific value dedicated to the first access mode, such as 111;

the routing indication of the first type is a specific value dedicated to the first access mode.

1) In one implementation, the registration request contains the first identifier of the terminal and a network identifier of the first type.

2) In another implementation, the registration request contains the first identifier of the terminal and the second identifier of the terminal.

3) In another implementation, the registration request contains the third identifier of the terminal.

When the first identifier of the terminal (SUCI or SUPI) indicates a PLMN or SNPN subscription, the DCS index information contains the real Home Network ID of the UE's SUPI.

Step 82: The AMF sends a network function discovery request, such as Nnrf_NFDiscovery_Request, to the NRF, that is, it requests the NRF to look up an AUSF according to the home network identifier for the first access mode, and obtains the AUSF.

Optionally, the request contains the Home Network ID and/or Group ID of the AUSF.

Step 83: The NRF returns the discovered authentication service network element, i.e. the AUSF, to the AMF.

Step 84: The AMF sends a UE authentication request, such as Nausf_UEAuthentication_Authenticate Request, to the AUSF.

Optionally, the AMF may perform at least one of the following:

not sending the second identifier of the terminal to the first authentication service network element or the discovered authentication service network element;

deriving the first identifier of the terminal according to the third identifier of the terminal;

sending the first identifier of the terminal to the first authentication service network element or the discovered authentication service network element.

Steps 85 to 89: These are the same as steps 75 to 79 in application scenario 2 and are not repeated here.
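The identifier handling of scenario 3 (deriving the first-type network identifier and routing indication from the second or third identifier, deriving the first identifier from the third, and never forwarding the second identifier to the AUSF) together with the "fifth operation" of the fifth-device embodiment (not using the realm or MNC/MCC/NID of the user identifier to pick a network element when the terminal is in the first access mode) is illustrated below. This is an added example for this page, not the patent's code; the textual layouts of the three identifiers, the registration-type label "onboarding" and the routing indicator "7777" are constructed assumptions, while 111 is the example network identifier given on the page.

```python
"""Added example: AMF-side handling of a terminal's first/second/third identifiers
and the 'fifth condition'. Identifier layouts below are constructed for this
example and are not a 3GPP encoding."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIRST_ACCESS_MODE = "onboarding"   # constructed registration-type label for the first access mode
FIRST_TYPE_NETWORK_ID = "111"      # example value given on the page
FIRST_TYPE_ROUTING_ID = "7777"     # constructed value (assumption)


@dataclass
class TerminalIds:
    """Constructed layouts:
    first  : "<user>@<authentication-provider realm>"
    second : "hnid-<network id>.rid-<routing indication>"
    third  : "<user>@<provider realm>;hnid=<network id>;rid=<routing indication>"
    """
    first: Optional[str] = None
    second: Optional[str] = None
    third: Optional[str] = None


_SECOND_RE = re.compile(r"^hnid-(\d+)\.rid-(\d+)$")
_THIRD_RE = re.compile(r"^([^;]+@[^;]+);hnid=(\d+);rid=(\d+)$")


def derive_first_type_ids(ids: TerminalIds) -> Tuple[Optional[str], Optional[str]]:
    """Derive (first-type network id, first-type routing indication) from the
    second identifier, or failing that from the third identifier."""
    if ids.second:
        m = _SECOND_RE.match(ids.second)
        if m:
            return m.group(1), m.group(2)
    if ids.third:
        m = _THIRD_RE.match(ids.third)
        if m:
            return m.group(2), m.group(3)
    return None, None


def derive_first_id(ids: TerminalIds) -> Optional[str]:
    """Use the first identifier if present, else derive it from the third identifier."""
    if ids.first:
        return ids.first
    if ids.third:
        m = _THIRD_RE.match(ids.third)
        if m:
            return m.group(1)
    return None


def is_first_access_mode(ids: TerminalIds, registration_type: str) -> bool:
    """Fifth condition: an explicit indication, or first-type ids carried in the identifiers."""
    hnid, rid = derive_first_type_ids(ids)
    return (registration_type == FIRST_ACCESS_MODE
            or hnid == FIRST_TYPE_NETWORK_ID
            or rid == FIRST_TYPE_ROUTING_ID)


def network_id_for_nf_selection(ids: TerminalIds, registration_type: str) -> Optional[str]:
    """Fifth operation: for a first-access-mode terminal the user identifier's realm
    is NOT used to pick a network element; the first-type network id is used instead.
    Otherwise the default applies and the realm of the user identifier is used."""
    if is_first_access_mode(ids, registration_type):
        hnid, _ = derive_first_type_ids(ids)
        return hnid or FIRST_TYPE_NETWORK_ID
    first = derive_first_id(ids)
    return first.split("@", 1)[1] if first and "@" in first else None


def build_auth_request(ids: TerminalIds, registration_type: str) -> Dict[str, object]:
    """Body sent to the AUSF (step 84): carries the first identifier and the access-mode
    flag, and deliberately never the second identifier."""
    return {
        "ue_identity": derive_first_id(ids),
        "first_access_mode": is_first_access_mode(ids, registration_type),
    }
```

The design point is that the first-type network identifier is a fixed, network-chosen value (111 on the page), so selection for onboarding terminals is keyed on that value rather than on whatever realm the UE put in its user identifier; that is what the fifth operation achieves.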

Referring to FIG. 9, an embodiment of the present application provides an access control apparatus applied to a first communication device. As shown in FIG. 9, the access control apparatus 90 includes:

a first obtaining module 91, configured to obtain first information and/or second information; where the first information includes at least one of the following: indication information of the first access mode, a routing indication of the first type, and a network identifier of the first type; the second information includes at least one of the following: a network identifier of the first type, a routing indication of the first type, a group identifier of the first type, and identification information of the terminal;

a first execution module 92, configured to perform a first operation according to the first information and/or the second information;

where the first operation includes at least one of the following:

selecting a first authentication service network element;

determining a group identifier of the first type, a routing indication of the first type, information of a service provider and/or a network identifier of the first type;

requesting discovery of an authentication service network element according to the group identifier of the first type, the routing indication of the first type, the network identifier of the first type, the information of the service provider and/or the indication information of the first access mode;

where the indication information of the first access mode is used to indicate at least one of the following: accessing the first network in order to download credentials for accessing the second network; accessing the first network without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and the credentials with which the terminal accesses the first network being default credentials;

the first network and the second network are the same network or different networks;

where the first authentication service network element includes at least one of the following: an authentication service network element that provides authentication services to terminals of the first access mode, and an authentication service network element that provides authentication services to terminals with default credentials;

the group identifier of the first type includes: the group identifier of an authentication service network element that provides authentication services to terminals of the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode;

the routing indication of the first type includes: a routing indication used for the first access mode;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of the authentication provider of the terminal;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indication of the first type;

the third identifier of the terminal includes information of the authentication provider of the terminal, a network identifier of the first type and/or a routing indication of the first type.

Optionally, the first execution module 92 is further configured to perform at least one of the following:

sending the group identifier of the first type to a first target end, where the group identifier of the first type is used by the first target end to discover an authentication service network element matching the group identifier of the first type;

sending the indication information of the first access mode to the first target end, where the indication information of the first access mode is used by the first target end to discover an authentication service network element matching the indication information of the first access mode;

sending the routing indication of the first type to the first target end, where the routing indication of the first type is used by the first target end to discover an authentication service network element matching the routing indication of the first type;

sending the network identifier of the first type to the first target end, where the network identifier of the first type is used by the first target end to discover an authentication service network element matching the network identifier of the first type.

Optionally, the first obtaining module 91 is specifically configured to: obtain the first information from the terminal.

Optionally, the first obtaining module 91 is specifically configured to: obtain the second information according to a configuration on the first communication device.

Optionally, the first obtaining module 91 is specifically configured for at least one of the following:

obtaining the indication information of the first access mode from the terminal;

obtaining a group identifier of the first type, a routing indication of the first type or a network identifier of the first type according to a configuration on the first communication device;

where performing the first operation according to the first information and/or the second information includes at least one of the following:

determining a group identifier of the first type, a routing indication of the first type or a network identifier of the first type according to the indication information of the first access mode;

requesting discovery of an authentication service network element according to the group identifier of the first type, the routing indication of the first type and/or the network identifier of the first type.

Optionally, the first obtaining module 91 is specifically configured for at least one of the following:

obtaining a network identifier of the first type and/or a routing indication of the first type from the terminal;

obtaining a group identifier of the first type according to a configuration on the first communication device;

where performing the first operation according to the first information and/or the second information includes at least one of the following:

determining a group identifier of the first type according to the network identifier of the first type and/or the routing indication of the first type;

requesting discovery of an authentication service network element according to the group identifier of the first type.

Optionally, the first operation further includes at least one of the following:

receiving the authentication service network element whose discovery was requested;

deriving a network identifier of the first type and/or a routing indication of the first type according to the second identifier or the third identifier of the terminal;

not sending the second identifier of the terminal to the first authentication service network element or the discovered authentication service network element;

deriving the first identifier of the terminal according to the third identifier of the terminal;

sending the first identifier of the terminal to the first authentication service network element or the discovered authentication service network element.

In this embodiment, the access control apparatus 90 can implement each process of the method embodiment shown in FIG. 2 of the present application and achieve the same beneficial effects; to avoid repetition, these are not described again here.

Referring to FIG. 10, an embodiment of the present application provides an access control apparatus applied to a second communication device. As shown in FIG. 10, the access control apparatus 100 includes:

a first sending module 101, configured to send first information;

where the first information includes at least one of the following: indication information of the first access mode, a routing indication of the first type, a network identifier of the first type, and identification information of the terminal;

the routing indication of the first type includes: a routing indication used for the first access mode;

the network identifier of the first type includes: a network identifier used for the first access mode;

the indication information of the first access mode is used to indicate at least one of the following: accessing the first network in order to download credentials for accessing the second network; accessing the first network without holding credentials that allow access to the first network; an access mode in which only restricted services can be used; and the credentials with which the terminal accesses the first network being default credentials;

the first network and the second network are the same network or different networks;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of the authentication provider of the terminal;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indication of the first type;

the third identifier of the terminal includes information of the authentication provider of the terminal, a network identifier of the first type and/or a routing indication of the first type.

Optionally, the first sending module 101 is specifically configured to: send the first information when a first condition is met;

where the first condition includes at least one of the following:

the purpose of the second communication device accessing the first network is to download credentials for accessing the second network;

第二通信设备不具有能够接入第一网络的证书;The second communication device does not have a certificate capable of accessing the first network;

第二通信设备接入第一网络仅能够使用受限服务。The second communication device can only use restricted services when accessing the first network.

可选的,该接入控制装置100还包括:Optionally, the access control device 100 further includes:

生成模块,用于生成终端的第二标识,将终端的标识中的路由指示设置为第一类型的路由指示和/或将终端的标识中的归属网络标识设置为第一类型的网络标识;和/或a generating module, configured to generate a second identifier of the terminal, set a routing indication in the identifier of the terminal to a routing indication of the first type and/or set a home network identifier in the identifier of the terminal to a network identifier of the first type; and/or

生成终端的第三标识,将第一类型的网络标识添加到终端的标识中和/或将第一类型的路由指示添加到终端的标识中。A third identifier of the terminal is generated, and a first type of network identifier is added to the identifier of the terminal and/or a first type of routing indication is added to the identifier of the terminal.

本实施例中,接入控制装置100能够实现本申请图3所示方法实施例中实现的各个过程,以及达到相同的有益效果,为避免重复,这里不再赘述。In this embodiment, the access control device 100 can implement each process implemented in the method embodiment shown in FIG. 3 of the present application, and achieve the same beneficial effects, which will not be described again here to avoid repetition.

Referring to FIG. 11, an embodiment of the present application provides an access control device applied to a second communication device. As shown in FIG. 11, the access control device 110 includes:

a second acquiring module 111, configured to acquire third information and/or fourth information; wherein the third information includes at least one of the following: a group identifier of a first type, a routing indication of a first type, a network identifier of a first type, information of an authentication provider, and indication information of a first access mode; the fourth information is used to indicate attribution information of an authentication service network element and includes at least one of the following: a routing indication supported by the authentication service network element, a network identifier of the network to which the authentication service network element belongs, a group identifier to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, and information of an authentication provider supported by the authentication service network element, where the authentication provider is able to authenticate a terminal having a default certificate;

a second executing module 112, configured to execute a third operation according to the third information and/or the fourth information;

wherein the third operation includes at least one of the following:

discovering an authentication service network element matching the third information, where the fourth information of the authentication service network element matches the third information;

sending the discovered authentication service network element;

wherein the authentication service type supported by the authentication service network element includes support for providing authentication service to terminals having a default certificate;

the indication information of the first access mode is used to indicate at least one of the following: an access mode of accessing a first network in order to download a certificate for accessing a second network, an access mode of accessing the first network without having a certificate capable of accessing the first network, an access mode in which only restricted services can be used, and that the certificate with which the terminal accesses the first network is a default certificate;

the first network and the second network are the same network or different networks;

the group identifier of the first type includes a group identifier of an authentication service network element used to provide authentication service to terminals of the first access mode;

the routing indication of the first type includes a routing indication for the first access mode;

the network identifier of the first type includes a network identifier for the first access mode.

Optionally, in the operation of discovering an authentication service network element matching the third information:

when the third information includes the indication information of the first access mode, the access mode supported by the discovered authentication service network element is the first access mode;

or, when the third information includes the routing indication of the first type, the routing indication supported by the discovered authentication service network element is the routing indication of the first type;

or, when the third information includes the network identifier of the first type, the network identifier of the network to which the discovered authentication service network element belongs is the network identifier of the first type;

or, when the third information includes the group identifier of the first type, the group identifier to which the discovered authentication service network element belongs is the group identifier of the first type;

or, when the third information includes the information of an authentication provider, the authentication provider information supported by the discovered authentication service network element includes the authentication provider information in the third information;

or, the discovered authentication service network element satisfies at least one of the following:

the routing indication supported by the discovered authentication service network element is the routing indication of the first type;

the network identifier of the network to which the discovered authentication service network element belongs is the network identifier of the first type;

the group identifier to which the discovered authentication service network element belongs is the group identifier of the first type;

the access mode supported by the discovered authentication service network element is the first access mode;

the authentication service type supported by the discovered authentication service network element includes support for providing authentication service to terminals having a default certificate.

In this embodiment, the access control device 110 can implement each process of the method embodiment shown in FIG. 4 of the present application and achieve the same beneficial effects, which are not described again here to avoid repetition.
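The discovery match of the third operation, written out as an added example (not code from the patent): a query built from the terminal's third identifier (the "third information") is matched against the "fourth information" each authentication service network element registered. The field names, the labels for the first access mode and the default-certificate service type, and all sample values are assumptions; where the page lists the matching conditions as alternatives, this example applies every condition present in the query.

```python
"""Added example: matching third information against registered fourth information."""
from dataclasses import dataclass, field
from typing import List, Optional

FIRST_ACCESS_MODE = "first-access-mode"          # assumed label for the first access mode
SVC_DEFAULT_CREDENTIALS = "default-credentials"  # assumed label for the default-certificate service type


@dataclass
class AusfProfile:
    """Fourth information: attribution data of one authentication service network element."""
    nf_id: str
    routing_indicators: List[str] = field(default_factory=list)
    network_id: Optional[str] = None
    group_id: Optional[str] = None
    access_modes: List[str] = field(default_factory=list)
    service_types: List[str] = field(default_factory=list)
    auth_providers: List[str] = field(default_factory=list)


@dataclass
class ThirdIdentifier:
    """Third identifier of the terminal: provider info plus first-type network id / routing indication."""
    auth_provider: str
    network_id: Optional[str] = None
    routing_indicator: Optional[str] = None


@dataclass
class DiscoveryQuery:
    """Third information handed to discovery."""
    group_id: Optional[str] = None
    routing_indicator: Optional[str] = None
    network_id: Optional[str] = None
    auth_provider: Optional[str] = None
    first_access_mode: bool = False


def query_from_third_identifier(tid: ThirdIdentifier, group_id: Optional[str] = None) -> DiscoveryQuery:
    """Derive the first-type network id and routing indication from the third identifier.
    A terminal whose identifier carries first-type elements is treated as using the first access mode."""
    return DiscoveryQuery(group_id=group_id,
                          routing_indicator=tid.routing_indicator,
                          network_id=tid.network_id,
                          auth_provider=tid.auth_provider,
                          first_access_mode=True)


def matches(profile: AusfProfile, q: DiscoveryQuery) -> bool:
    """Every element present in the query must be matched by the profile."""
    if q.first_access_mode and FIRST_ACCESS_MODE not in profile.access_modes:
        return False
    if q.routing_indicator is not None and q.routing_indicator not in profile.routing_indicators:
        return False
    if q.network_id is not None and profile.network_id != q.network_id:
        return False
    if q.group_id is not None and profile.group_id != q.group_id:
        return False
    if q.auth_provider is not None and q.auth_provider not in profile.auth_providers:
        return False
    # A network element serving first-access-mode terminals must authenticate default certificates.
    if q.first_access_mode and SVC_DEFAULT_CREDENTIALS not in profile.service_types:
        return False
    return True


def discover(profiles: List[AusfProfile], q: DiscoveryQuery) -> List[str]:
    """Return the nf_ids of all registered profiles whose fourth information matches the query."""
    return [p.nf_id for p in profiles if matches(p, q)]


# Constructed registry: one AUSF dedicated to first-access-mode terminals, one ordinary home AUSF.
REGISTRY = [
    AusfProfile("ausf-onboarding-1", ["7777"], "onb-net", "grp-onb",
                [FIRST_ACCESS_MODE, "normal"], [SVC_DEFAULT_CREDENTIALS, "5g-aka"], ["dcs.example"]),
    AusfProfile("ausf-home-1", ["0000"], "home-net", "grp-home",
                ["normal"], ["5g-aka"], []),
]

if __name__ == "__main__":
    tid = ThirdIdentifier("dcs.example", network_id="onb-net", routing_indicator="7777")
    print(discover(REGISTRY, query_from_third_identifier(tid)))  # ['ausf-onboarding-1']
```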

Referring to FIG. 12, an embodiment of the present application provides an access control device applied to a second communication device. As shown in FIG. 12, the access control device 120 includes:

a second sending module 121, configured to send fourth information;

wherein the fourth information is used to indicate attribution information of an authentication service network element and includes at least one of the following: a routing indication supported by the authentication service network element, a network identifier of the network to which the authentication service network element belongs, a group identifier to which the authentication service network element belongs, an access mode supported by the authentication service network element, an authentication service type supported by the authentication service network element, and information of an authentication provider supported by the authentication service network element, where the authentication provider is able to authenticate a terminal having a default certificate;

wherein the routing indication supported by the authentication service network element is a routing indication of a first type;

the network identifier of the network to which the authentication service network element belongs is a network identifier of the first type;

the group identifier to which the authentication service network element belongs is a group identifier of the first type;

the access mode supported by the authentication service network element includes a first access mode;

the authentication service type supported by the authentication service network element includes support for providing authentication service to terminals having a default certificate;

the first access mode includes at least one of the following: an access mode of accessing a first network in order to download a certificate for accessing a second network, an access mode of accessing the first network without having a certificate capable of accessing the first network, an access mode in which only restricted services can be used, and that the certificate with which the terminal accesses the first network is a default certificate;

the group identifier of the first type includes a group identifier of an authentication service network element used to provide authentication service to terminals of the first access mode;

the network identifier of the first type includes a network identifier for the first access mode.

Optionally, the second sending module 121 is further configured to send the fourth information when a second condition is met;

wherein the second condition includes: the authentication service network element is an authentication service network element used to provide authentication service to terminals of the first access mode.

In this embodiment, the access control device 120 can implement each process of the method embodiment shown in FIG. 5 of the present application and achieve the same beneficial effects, which are not described again here to avoid repetition.

The present application further provides an access control device applied to a fifth communication device, including:

a third executing module, configured to execute a fifth operation when a fifth condition is met;

wherein the fifth operation includes at least one of the following:

not using fifth information to select a network element for the terminal;

wherein

the fifth condition includes at least one of the following: the terminal is in the first access mode;

the fifth information includes at least one of the following: a user identifier of the terminal, network identification information in the user identifier of the terminal, and information in the realm of the user identifier of the terminal.

In one implementation, for a terminal accessing the network through a non-first access mode, selecting a network device for the terminal according to the information in the user identifier of the terminal is the default operation. Therefore, for a terminal accessing the network through a non-first access mode, an exception operation needs to be performed.

wherein the network identification information in the user identifier of the terminal includes at least one of the following: the MNC in the user identifier, the MCC in the user identifier, and the network identifier NID in the user identifier.

Optionally, the device further includes:

a third acquiring module, configured to obtain first information, the first information including at least one of the following: indication information of the first access mode, a routing indication of the first type, and a network identifier of the first type; the second information includes at least one of the following: a network identifier of the first type, a routing indication of the first type, a group identifier of the first type, and identification information of the terminal; wherein

the indication information of the first access mode is used to indicate at least one of the following: an access mode of accessing a first network in order to download a certificate for accessing a second network, an access mode of accessing the first network without having a certificate capable of accessing the first network, an access mode in which only restricted services can be used, and that the certificate with which the terminal accesses the first network is a default certificate;

the group identifier of the first type includes a group identifier of an authentication service network element used to provide authentication service to terminals of the first access mode;

the network identifier of the first type includes a network identifier for the first access mode;

the routing indication of the first type includes a routing indication for the first access mode;

the identification information of the terminal includes at least one of the following: a first identifier of the terminal, a second identifier of the terminal, and a third identifier of the terminal;

the first identifier of the terminal includes information of an authentication provider of the terminal;

the second identifier of the terminal includes a network identifier of the first type and/or a routing indication of the first type;

the third identifier of the terminal includes information of the authentication provider of the terminal, a network identifier of the first type and/or a routing indication of the first type.

Optionally, the device further includes:

a determining module, configured to determine, according to the first information, that the fifth condition is met.

Optionally, the network element includes at least one of the following: a core network element, an AUSF, a UDM, and a UDR.

In one implementation, the network element may be a network device.
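The fifth operation, as an added example that is not part of the patent: selecting a UDM, AUSF or UDR from the realm (MCC, MNC, NID) of the terminal's user identifier is the default, and for a terminal in the first access mode that realm is left unused and the first information steers the choice instead. The NAI-style realm layout `nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org`, the candidate fields and every sample value are assumptions made for this example.

```python
"""Added example: the fifth operation (do not use the user identifier to select a network element)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FIRST_ACCESS_MODE = "first-access-mode"  # assumed label for the first access mode

# Assumed realm layout for the constructed identifiers; the NID part is optional.
REALM_RE = re.compile(
    r"^(?:nid(?P<nid>[0-9A-Fa-f]+)\.)?mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$",
    re.IGNORECASE,
)


def parse_user_id(user_id: str) -> Dict[str, Optional[str]]:
    """Extract the fifth information (realm and its MCC / MNC / NID) from a user identifier."""
    if "@" not in user_id:
        raise ValueError("user identifier carries no realm")
    realm = user_id.rsplit("@", 1)[1]
    m = REALM_RE.match(realm)
    if m is None:
        raise ValueError(f"unrecognised realm: {realm}")
    return {"realm": realm, "mcc": m["mcc"], "mnc": m["mnc"], "nid": m["nid"]}


@dataclass
class Candidate:
    """One selectable network element (core network element, AUSF, UDM or UDR)."""
    nf_id: str
    kind: str
    mcc: str
    mnc: str
    nid: Optional[str]
    network_id: str
    routing_indicators: List[str] = field(default_factory=list)
    access_modes: List[str] = field(default_factory=list)


@dataclass
class FirstInformation:
    """First information received for the terminal: access-mode indication and first-type elements."""
    first_access_mode: bool = False
    routing_indicator: Optional[str] = None
    network_id: Optional[str] = None


def fifth_condition_met(info: FirstInformation) -> bool:
    """Fifth condition: the terminal is in the first access mode (determined from the first information)."""
    return info.first_access_mode


def select_network_element(kind: str, user_id: str, info: FirstInformation,
                           candidates: List[Candidate]) -> List[str]:
    """Return the nf_ids of candidates of the requested kind that may serve the terminal."""
    pool = [c for c in candidates if c.kind == kind]
    if fifth_condition_met(info):
        # Fifth operation: the user identifier (realm, MCC, MNC, NID) is NOT consulted.
        return [c.nf_id for c in pool
                if FIRST_ACCESS_MODE in c.access_modes
                and (info.routing_indicator is None or info.routing_indicator in c.routing_indicators)
                and (info.network_id is None or info.network_id == c.network_id)]
    # Default operation: steer by the realm of the user identifier.
    ids = parse_user_id(user_id)
    return [c.nf_id for c in pool if (c.mcc, c.mnc, c.nid) == (ids["mcc"], ids["mnc"], ids["nid"])]


# Constructed candidates: the UDM matching the identifier's realm, and a UDM for first-access-mode terminals.
CANDIDATES = [
    Candidate("udm-home", "UDM", "234", "015", "000007", "home-net", ["0000"], ["normal"]),
    Candidate("udm-onboarding", "UDM", "999", "99", None, "onb-net", ["7777"], [FIRST_ACCESS_MODE]),
]
USER_ID = "dev01@nid000007.mnc015.mcc234.3gppnetwork.org"  # constructed identifier

if __name__ == "__main__":
    onboarding = FirstInformation(first_access_mode=True, routing_indicator="7777")
    print(select_network_element("UDM", USER_ID, onboarding, CANDIDATES))         # ['udm-onboarding']
    print(select_network_element("UDM", USER_ID, FirstInformation(), CANDIDATES))  # ['udm-home']
```

With the same identifier, the realm-based default would have picked `udm-home`; the fifth operation ignores that realm once the first information marks the terminal as first access mode.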

Referring to FIG. 13, which is a schematic structural diagram of another communication device provided by an embodiment of the present application: as shown in FIG. 13, the communication device 130 includes a processor 131, a memory 132, and a computer program stored in the memory 132 and executable on the processor. The components of the communication device 130 are coupled together through a bus interface 133. When the computer program is executed by the processor 131, it implements each process of the method embodiment shown in FIG. 2, or each process of the method embodiment shown in FIG. 3, or each process of the method embodiment shown in FIG. 4, or each process of the method embodiment shown in FIG. 5, and achieves the same technical effects, which are not described again here to avoid repetition.

An embodiment of the present application further provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it implements each process of the method embodiment shown in FIG. 2, or each process of the method embodiment shown in FIG. 3, or each process of the method embodiment shown in FIG. 4, or each process of the method embodiment shown in FIG. 5, and achieves the same technical effects, which are not described again here to avoid repetition. The computer-readable storage medium is, for example, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes that element.

From the description of the above implementations, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to execute the methods described in the embodiments of the present application.

The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific implementations described above, which are merely illustrative and not restrictive. Guided by the present application, those of ordinary skill in the art can make many further forms without departing from the spirit of the present application and the scope protected by the claims, and all of these fall within the protection of the present application.

Claims (21)

1. An access control method applied to a first communication device, comprising:
acquiring first information; the first information comprises identification information of a terminal, the identification information of the terminal comprises a third identification of the terminal, and the third identification of the terminal comprises a routing indication for a first access mode and index information of DCS;
Executing a first operation according to the first information;
wherein the first operation comprises:
selecting a first authentication service network element;
Wherein the first authentication service network element comprises at least one of: an authentication service network element for providing authentication service for the terminal of the first access mode, and an authentication service network element for providing authentication service for the terminal with the default certificate;
wherein the first access manner includes at least one of: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and a certificate for accessing the first network by the terminal are default certificates.
2. The method of claim 1, wherein the first information further comprises: indication information of a first access mode;
the indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and a certificate for accessing the first network by the terminal are default certificates;
The first network and the second network are the same network or different networks.
3. The method according to claim 1 or 2, wherein the method further comprises:
obtaining second information, wherein the second information comprises: a group identification of a first type;
The group identification of the first type includes: and the authentication service network element group identification is used for providing authentication service for the terminal of the first access mode.
4. The method of claim 3, wherein the step of,
The acquiring the first information includes: acquiring first information from a terminal;
And/or the number of the groups of groups,
The acquiring the second information includes: and acquiring second information according to the configuration on the first communication equipment.
5. A method according to claim 3, wherein the acquiring the first information:
Acquiring the indication information of the first access mode from a terminal;
And/or the number of the groups of groups,
The acquiring the second information includes:
And acquiring the group identifier of the first type according to the configuration on the first communication equipment.
6. A method according to claim 3, wherein the obtaining the first information comprises:
Acquiring a network identifier for a first access mode and the routing indication for the first access mode from a terminal;
And/or
The acquiring the second information includes:
a group identity of a first type is obtained according to a configuration on a first communication device.
7. The method of claim 1, wherein the first operation further comprises:
And according to the third identification of the terminal, deriving a network identification for the first access mode and a routing indication for the first access mode.
8. An access control method applied to a second communication device, comprising:
transmitting first information;
The first information comprises identification information of a terminal, wherein the identification information of the terminal comprises a third identification of the terminal, and the third identification of the terminal comprises a routing indication for a first access mode and index information of DCS;
wherein the first access manner includes at least one of: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and a certificate for accessing the first network by the terminal are default certificates.
9. The method of claim 8, wherein the first information further comprises: indication information of a first access mode;
the indication information of the first access mode is used for indicating at least one of the following: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and a certificate for accessing the first network by the terminal are default certificates;
The first network and the second network are the same network or different networks.
10. The method of claim 8, wherein the transmitting the first information comprises:
transmitting the first information when a first condition is satisfied;
wherein the first condition includes at least one of:
The purpose of the second communication device accessing the first network is to download credentials for accessing the second network;
the second communication device does not have a certificate capable of accessing the first network;
the second communication device accessing the first network is only able to use the restricted service.
11. The method of claim 8, wherein prior to the step of transmitting the first information, the method further comprises at least one of:
generating a third identifier of the terminal, adding the network identifier for the first access mode to the identifier of the terminal and/or adding the routing indication for the first access mode to the identifier of the terminal.
12. An access control method applied to a third communication device, comprising:
acquiring third information and fourth information; wherein the third information includes a routing indication for the first access mode and at least one of: a group identifier of a first type, a network identifier for a first access mode, information of an authentication provider, and indication information of the first access mode; the fourth information includes: an access mode supported by the authentication service network element;
Performing a third operation according to the third information and the fourth information;
Wherein the third operation includes:
Finding an authentication service network element matched with the third information, wherein fourth information of the authentication service network element is matched with the third information;
transmitting the discovered authentication service network element;
wherein the first access manner includes at least one of: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and a certificate for accessing the first network by the terminal are default certificates.
13. The method of claim 12, wherein the indication information of the first access manner is used to indicate at least one of: an access method for accessing the first network for downloading a certificate for accessing the second network, an access method for accessing the first network without having a certificate capable of accessing the first network, an access method capable of using only limited services, and a certificate for accessing the first network by the terminal are default certificates;
the first network and the second network are the same network or different networks;
The group identification of the first type includes: and the authentication service network element group identification is used for providing authentication service for the terminal of the first access mode.
14. The method according to claim 13, wherein, in the operation of discovering an authentication service network element that matches the third information:
when the third information includes the indication information of the first access mode, the access mode supported by the discovered authentication service network element is the first access mode;
or, when the third information includes a routing indication for the first access mode, the routing indication supported by the discovered authentication service network element is the routing indication for the first access mode;
or, when the third information includes a network identifier for the first access mode, the network identifier of the network to which the discovered authentication service network element belongs is the network identifier for the first access mode;
or, when the third information includes a group identifier of the first type, the group identifier to which the discovered authentication service network element belongs is the group identifier of the first type;
or, when the third information includes information of an authentication provider, the information of the authentication provider supported by the discovered authentication service network element includes the information of the authentication provider in the third information;
or the discovered authentication service network element satisfies at least one of the following:
the routing indication supported by the discovered authentication service network element is the routing indication for the first access mode;
the network identifier of the network to which the discovered authentication service network element belongs is the network identifier for the first access mode;
the group identifier to which the discovered authentication service network element belongs is the group identifier of the first type;
the access mode supported by the discovered authentication service network element is the first access mode;
the authentication service type supported by the discovered authentication service network element supports the authentication service provided for a terminal holding a default certificate.
15. An access control method, applied to a fourth communication device, comprising:
sending a registration request to a third communication device, the registration request including fourth information;
wherein the fourth information includes: the access modes supported by the authentication service network element; and the access modes supported by the authentication service network element include a first access mode;
wherein the first access mode includes at least one of: an access mode in which the first network is accessed in order to download a certificate for accessing the second network; an access mode in which the first network is accessed without holding a certificate that permits access to the first network; an access mode in which only limited services can be used; and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
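The registration and discovery described in claims 12 to 15 (restated as apparatus in claims 18 and 19), as an added worked example that is not part of the patent and not vivo's code: an authentication service network element registers the access modes it supports (the "fourth information"), and the registry answers a discovery request carrying a routing indication plus at least one further selector (the "third information") by applying the matching rules of claim 14. The class and field names, the string labels for access modes and service types, and the three registered profiles are constructed for illustration; the claims define no encoding for any of them, and the terminal identifier of claims 16 and 17 is not modelled.

```python
# Added example (not from the patent or any vivo code): a model of the
# authentication-service registration and discovery described in claims 12-15.
# All names, field layouts and string labels below are assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Optional

# Labels for access modes and service types; the claims define no encoding for them.
FIRST_ACCESS_MODE = "onboarding"      # access with a default certificate to download certificates
NORMAL_ACCESS_MODE = "normal"
DEFAULT_CERT_AUTH_SERVICE = "default-certificate-auth"


@dataclass(frozen=True)
class AuthServiceProfile:
    """The 'fourth information' an authentication service network element registers (claim 15)."""
    nf_id: str
    access_modes: FrozenSet[str]
    routing_indicators: FrozenSet[str]
    network_id: str
    group_id: Optional[str]
    auth_providers: FrozenSet[str]
    auth_service_types: FrozenSet[str]


@dataclass(frozen=True)
class DiscoveryRequest:
    """The 'third information': a routing indication plus at least one further selector (claim 12)."""
    routing_indicator: str
    access_mode: Optional[str] = None
    network_id: Optional[str] = None
    group_id: Optional[str] = None
    auth_provider: Optional[str] = None

    def has_selector(self) -> bool:
        return any(v is not None for v in (self.access_mode, self.network_id, self.group_id, self.auth_provider))


class AuthServiceRegistry:
    """Stands in for the 'third communication device' that stores registrations and answers discovery."""

    def __init__(self) -> None:
        self._profiles: dict[str, AuthServiceProfile] = {}

    def register(self, profile: AuthServiceProfile) -> None:
        # Claim 15: the registration must state the supported access modes. Refusing an
        # empty set keeps an element from being selected for onboarding by default.
        if not profile.access_modes:
            raise ValueError(f"{profile.nf_id}: registration lacks supported access modes")
        self._profiles[profile.nf_id] = profile

    @staticmethod
    def _matches_all(req: DiscoveryRequest, p: AuthServiceProfile) -> bool:
        """Conjunctive reading of claim 14: every selector present in the request must hold."""
        if req.routing_indicator not in p.routing_indicators:
            return False
        if req.access_mode is not None and req.access_mode not in p.access_modes:
            return False
        if req.network_id is not None and req.network_id != p.network_id:
            return False
        if req.group_id is not None and req.group_id != p.group_id:
            return False
        if req.auth_provider is not None and req.auth_provider not in p.auth_providers:
            return False
        return True

    @staticmethod
    def _matches_any(req: DiscoveryRequest, p: AuthServiceProfile) -> bool:
        """Final alternative of claim 14: the element satisfies at least one listed condition."""
        return (
            req.routing_indicator in p.routing_indicators
            or (req.network_id is not None and req.network_id == p.network_id)
            or (req.group_id is not None and req.group_id == p.group_id)
            or (req.access_mode is not None and req.access_mode in p.access_modes)
            or DEFAULT_CERT_AUTH_SERVICE in p.auth_service_types
        )

    def discover(self, req: DiscoveryRequest, strict: bool = True) -> list[str]:
        """Return the identifiers of matching elements, sorted for a deterministic answer."""
        if not req.has_selector():
            raise ValueError("third information needs a selector besides the routing indication")
        match = self._matches_all if strict else self._matches_any
        return sorted(p.nf_id for p in self._profiles.values() if match(req, p))


def sample_registry() -> AuthServiceRegistry:
    """Three constructed registrations: one onboarding element per network plus one normal element."""
    reg = AuthServiceRegistry()
    reg.register(AuthServiceProfile("ausf-onboard-a", frozenset({FIRST_ACCESS_MODE, NORMAL_ACCESS_MODE}),
                                    frozenset({"0001"}), "snpn-a", "onboarding-group",
                                    frozenset({"dcs.example"}), frozenset({DEFAULT_CERT_AUTH_SERVICE})))
    reg.register(AuthServiceProfile("ausf-normal-a", frozenset({NORMAL_ACCESS_MODE}),
                                    frozenset({"0001", "0002"}), "snpn-a", None,
                                    frozenset({"udm.example"}), frozenset({"primary-auth"})))
    reg.register(AuthServiceProfile("ausf-onboard-b", frozenset({FIRST_ACCESS_MODE}),
                                    frozenset({"0001"}), "snpn-b", "onboarding-group",
                                    frozenset({"dcs.example"}), frozenset({DEFAULT_CERT_AUTH_SERVICE})))
    return reg


if __name__ == "__main__":
    reg = sample_registry()
    # An onboarding terminal whose routing indication is 0001, served in network snpn-a.
    print(reg.discover(DiscoveryRequest("0001", access_mode=FIRST_ACCESS_MODE, network_id="snpn-a")))
```

A request that carries only the routing indication is rejected, because claim 12 requires at least one further selector; without that check the registry would return every element that merely serves the routing indicator, including ones that registered no onboarding support. The `strict` flag separates the conjunctive reading of claim 14 (every selector present must be satisfied) from its final alternative (the element satisfies at least one condition, including supporting the default-certificate authentication service type); the second reading admits the element that serves only normal access, which is the difference a deployment should be aware of before choosing it.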
16. An access control apparatus, applied to a first communication device, comprising:
a first acquisition module, configured to acquire first information; wherein the first information includes: identification information of the terminal, the identification information of the terminal including a third identification of the terminal, and the third identification of the terminal including a routing indication for the first access mode and index information of a DCS (default credential server);
a first execution module, configured to execute a first operation according to the first information;
wherein the first operation includes:
selecting a first authentication service network element;
wherein the first authentication service network element includes at least one of: an authentication service network element that provides authentication service for terminals of the first access mode, and an authentication service network element that provides authentication service for terminals holding a default certificate;
wherein the first access mode includes at least one of: an access mode in which the first network is accessed in order to download a certificate for accessing the second network; an access mode in which the first network is accessed without holding a certificate that permits access to the first network; an access mode in which only limited services can be used; and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
17. An access control apparatus, applied to a second communication device, comprising:
a first sending module, configured to send first information;
wherein the first information includes: identification information of the terminal, the identification information of the terminal including a third identification of the terminal, and the third identification of the terminal including a routing indication for the first access mode and index information of a DCS (default credential server);
wherein the first access mode includes at least one of: an access mode in which the first network is accessed in order to download a certificate for accessing the second network; an access mode in which the first network is accessed without holding a certificate that permits access to the first network; an access mode in which only limited services can be used; and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
18. An access control apparatus, applied to a third communication device, comprising:
a second acquisition module, configured to acquire third information and fourth information; wherein the third information includes a routing indication for the first access mode and at least one of: a group identifier of a first type, a network identifier for the first access mode, information of an authentication provider, and indication information of the first access mode; and the fourth information includes: the access modes supported by the authentication service network element;
a second execution module, configured to execute a third operation according to the third information and the fourth information;
wherein the third operation includes:
discovering an authentication service network element that matches the third information, wherein the fourth information of the authentication service network element matches the third information;
sending the discovered authentication service network element;
wherein the first access mode includes at least one of: an access mode in which the first network is accessed in order to download a certificate for accessing the second network; an access mode in which the first network is accessed without holding a certificate that permits access to the first network; an access mode in which only limited services can be used; and an access mode in which the certificate used by the terminal to access the first network is a default certificate.
19. An access control apparatus, applied to a fourth communication device, comprising:
a second sending module, configured to send a registration request to a third communication device, the registration request including fourth information;
wherein the fourth information includes: the access modes supported by the authentication service network element;
the access modes supported by the authentication service network element include a first access mode;
wherein the first access mode includes at least one of: an access mode in which the first network is accessed in order to download a certificate for accessing the second network; an access mode in which the first network is accessed without holding a certificate that permits access to the first network; and an access mode in which only limited services can be used.
20. A communication device, comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the access control method according to any one of claims 1 to 7, or the steps of the access control method according to any one of claims 8 to 11, or the steps of the access control method according to any one of claims 12 to 14, or the steps of the access control method according to claim 15.
21. A readable storage medium, wherein the readable storage medium stores a program or instructions which, when executed by a processor, implement the steps of the access control method according to any one of claims 1 to 7, or the steps of the access control method according to any one of claims 8 to 11, or the steps of the access control method according to any one of claims 12 to 14, or the steps of the access control method according to claim 15.
CN202110369540.7A 2020-07-31 2021-04-06 Access control method, device and communication equipment Active CN114071465B (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
JP2023503412A JP7509991B2 (en) 2020-07-31 2021-08-02 Access control method, device and communication device
EP21851111.1A EP4192064A4 (en) 2020-07-31 2021-08-02 Access control method and apparatus, and communication device
PCT/CN2021/110015 WO2022022739A1 (en) 2020-07-31 2021-08-02 Access control method and apparatus, and communication device
KR1020237006765A KR20230043969A (en) 2020-07-31 2021-08-02 Access control method, device and communication device
PH1/2023/550256A PH12023550256A1 (en) 2020-07-31 2021-08-02 Access control method and apparatus, and communication device
US18/104,061 US20230179597A1 (en) 2020-07-31 2023-01-31 Access control method, access control apparatus, and communications device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2020107621963 2020-07-31
CN202010762196 2020-07-31

Publications (2)

Publication Number Publication Date
CN114071465A CN114071465A (en) 2022-02-18
CN114071465B true CN114071465B (en) 2024-08-06

Family

ID=80233267

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110369540.7A Active CN114071465B (en) 2020-07-31 2021-04-06 Access control method, device and communication equipment

Country Status (1)

Country Link
CN (1) CN114071465B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115314841B (en) * 2021-05-06 2024-07-30 华为技术有限公司 Communication method and communication device

Citations (1)

Publication number Priority date Publication date Assignee Title
WO2020098974A1 (en) * 2018-11-14 2020-05-22 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatuses for network function selection in 5g for a user

Family Cites Families (14)

Publication number Priority date Publication date Assignee Title
CN101227712B (en) * 2007-01-15 2012-06-06 华为技术有限公司 System and method for implementing multi-type communication network integration
CN102638797B (en) * 2012-04-24 2016-08-03 华为技术有限公司 Access the method for wireless network, terminal, access network node and authentication server
US9167427B2 (en) * 2013-03-15 2015-10-20 Alcatel Lucent Method of providing user equipment with access to a network and a network configured to provide access to the user equipment
EP3219131A1 (en) * 2014-11-12 2017-09-20 Nokia Solutions and Networks Oy Method, apparatus and system
US11006274B2 (en) * 2015-11-30 2021-05-11 Qualcomm Incorporated Service-based network selection
CN109413646B (en) * 2017-08-16 2020-10-16 华为技术有限公司 Secure access method, device and system
US9998896B1 (en) * 2017-08-18 2018-06-12 Verizon Patent And Licensing Inc. Dedicated APN access using default network access key for profile download
CN109688586B (en) * 2017-10-19 2021-12-07 中兴通讯股份有限公司 Network function authentication method and device and computer readable storage medium
CN110167013B (en) * 2018-02-13 2020-10-27 华为技术有限公司 A communication method and device
CN110636506A (en) * 2018-06-22 2019-12-31 维沃移动通信有限公司 Network access method, terminal and network-side network element
CN110881184B (en) * 2018-09-05 2021-05-18 华为技术有限公司 Communication method and device
CN110086652B (en) * 2019-03-25 2023-04-18 北京天地互连信息技术有限公司 Management system and method for service network element in 5G core network
CN111356157B (en) * 2020-03-15 2024-10-25 腾讯科技(深圳)有限公司 Method and related equipment for realizing network capability opening
CN111416827B (en) * 2020-03-25 2021-09-21 广州爱浦路网络技术有限公司 Method for discovering network function NF according to security level

Non-Patent Citations (2)

Title
"3GPP TR 23.700-07 V0.4.0, Technical Specification Group Services and System Aspects; Study on enhanced support of non-public networks (Release 17)". 3GPP specs\archive, 2020, pp. 102-110. *

Also Published As

Publication number Publication date
CN114071465A (en) 2022-02-18

Similar Documents

Publication Publication Date Title
US9526119B2 (en) Methods and apparatus for multiple data packet connections
CN108574969B (en) Connection processing method and device in multi-access scenario
JP4944118B2 (en) System and method for distributing wireless network access parameters
US10595187B2 (en) System and method of selective packet data network gateway discovery
CN111277997B (en) Method for supporting UE association and communication equipment
US20230179597A1 (en) Access control method, access control apparatus, and communications device
US20090305674A1 (en) Device management in visited network
CN106664558B (en) Method and device for establishing a connection
CN108243631B (en) A method and device for accessing a network
WO2022022738A1 (en) Information configuration method and apparatus, and communication device
JP3854148B2 (en) Method and apparatus for selecting identification confirmation information
WO2023124991A1 (en) Communication method and apparatus
CN116471705A (en) User equipment routing strategy processing method and user equipment
CN114071465B (en) Access control method, device and communication equipment
CN111200857A (en) A user routing update method and device
CN114173333A (en) Access network, network selection method, device and communication equipment
CN113556746B (en) Access control method and communication device
JP7572568B2 (en) Information processing method, device, communication device, and readable storage medium
WO2021208857A1 (en) Access control method and communication device
WO2024212793A1 (en) Communication method and communication apparatus
WO2022037611A1 (en) Network access method and apparatus, network selection method and apparatus, and communication device
CN119383597A (en) Device, method and computer program
CN119729483A (en) Communication method, device and system
CN119300106A (en) Network switching method, device, equipment and storage medium
CN120455984A (en) Registration method and device of dual-boot equipment, communication device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant