Disclosure of Invention
The invention aims to provide an access control method, an access control device and a storage medium which at least address the problems of improving the flexibility and security of access control and reducing the operating burden on the user.
In order to solve the above technical problems, the present invention provides an access control method, including:
constructing an access control device, configuring the connection relation between the access control device and other network elements in the system, and pre-configuring accessible resource information of each terminal;
receiving an access request message and/or an update message of the terminal by using the access control device;
inquiring and matching the corresponding accessible resource information according to the received access request message and/or the received update message, and generating an access control strategy;
and dynamically managing, by the access control device, the authority of the authorized terminal to access data network resources according to the state information of the terminal.
Optionally, in the access control method, the access request message includes an authentication request message and a charging request message; the update message comprises a charging message.
Optionally, in the access control method, the method for generating an access control policy according to the received access request message and/or the received update message includes:
acquiring terminal firmware information according to the received access request message and/or the received update message;
and querying and matching the corresponding accessible resource information according to the acquired firmware information of the terminal, so as to generate the corresponding access control policy, wherein the policy entry parameters of the access control policy comprise the source address, source port, destination address, destination port and protocol of the network access.
Optionally, in the access control method, the method for generating an access control policy according to the received access request message and/or the received update message further includes:
dynamically maintaining the validity of the access control policy based on the network state of the terminal.
Optionally, in the access control method, the network state is determined according to the access request message and/or the update message, and the charging message comprises a charging start message, a charging update message and a charging end message; the method for dynamically maintaining the validity of the access control policy based on the network state of the terminal comprises the following steps:
when receiving an access request message or a charging message, the access control device generates an access control policy according to the pre-configured accessible resource information of the terminal;
if a charging update message is received within the preset aging time, the valid state of the access control policy is maintained;
and if no charging update message is received within the preset aging time, or a charging end message is received, the access control policy is cancelled.
Optionally, in the access control method, the access request message and the update message are sent to the access control device by the core network session management network element in a main sending mode, or are sent to the access control device in a copy sending mode;
in the main sending mode, the access control device performs access authentication, authorization and charging for the terminal, and dynamically manages the authority of the terminal to access data network resources according to the received access request message and/or update message;
in the copy sending mode, the access control device only dynamically manages the authority of the terminal to access data network resources according to the received access request message and/or update message, and does not take part in the access authentication, authorization and charging of the terminal.
Optionally, in the access control method, the method for dynamically managing the authority of the authorized terminal to access the data network resource by using the access control device according to the state information of the terminal includes:
acquiring the geographic position and access time of the authorized terminal;
according to the geographic location and access time of the terminal, the access control device manages, through the access control policy, the authority of the terminal to access data network resources within the specified geographic range and the specified time range.
Optionally, in the access control method, the method for dynamically managing the authority of the authorized terminal to access the data network resource by using the access control device according to the state information of the terminal further includes:
and when no charging message is received within the preset aging time, or a charging end message is received, the access control device immediately cancels the access control policy of the terminal.
In order to solve the above technical problem, the invention also provides a terminal access control device applied to any of the access control methods described above, wherein the access control device comprises an authentication unit and an access control management unit; the authentication unit is used for performing access authentication, authorization and charging for the terminal when the terminal accesses the mobile network; the access control management unit is used for dynamically allocating the authority of each legitimate terminal to access data network resources by querying the pre-configured resource information accessible to each terminal in the system, and for dynamically managing the access control policy according to the network state of the terminal, so as to dynamically manage the authority of authorized terminals to access data network resources.
In order to solve the technical problem, the present invention also provides a storage medium storing an executable program; the executable program, when executed, implements the access control method as set forth in any one of the preceding claims.
The invention provides an access control method, a device and a storage medium, comprising the following steps: constructing an access control device, configuring the connection relation between the access control device and other network elements in the system, and pre-configuring the resource information accessible to each terminal; receiving an access request message and/or an update message of the terminal by using the access control device; querying and matching the corresponding accessible resource information according to the received access request message and/or update message, and generating an access control policy; and dynamically managing, by the access control device, the authority of the authorized terminal to access data network resources according to the state information of the terminal. The access control device can dynamically and flexibly manage authorized terminals on the mobile network side according to the access request message and/or the update message, which improves the flexibility of access control; at the same time, the access control device can replace existing AAA secondary authentication and zero-trust authentication while ensuring the security of the data network, without installing any software, without manual participation in the terminal authentication and authorization process, and without large-scale changes to the existing network system, so that the system is easy to upgrade and simple for the user to operate. The problems of how to improve the flexibility and security of access control and reduce the operating burden on the user are thereby solved.
Detailed Description
The access control method and the terminal access control system provided by the invention are further described in detail below with reference to the accompanying drawings and the specific embodiments. It should be noted that the drawings are in a very simplified form and are not to precise scale; they serve only to aid the description of embodiments of the invention conveniently and clearly. Furthermore, the structures shown in the drawings are often only part of the actual structures, and emphasis is placed on illustrating the various embodiments.
It is noted that "first", "second", etc. in the description, claims and drawings of the present invention are used to distinguish similar objects in order to describe embodiments of the invention, not to denote a specific order or sequence; it should be understood that the structures so referred to may be interchanged under appropriate circumstances. Furthermore, the terms "comprises", "comprising" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus.
First, abbreviations of terms used in the present application are explained as follows:
AUSF: Authentication Server Function;
UDM: Unified Data Management;
AMF: Access and Mobility Management Function;
SMF: Session Management Function;
P-SMF: Policy-SMF, intelligent session management function (a term coined in this application);
I-SMF: Intermediate SMF, intermediate session management function;
UE: User Equipment, user terminal (abbreviated as "terminal" in this application);
RAN: Radio Access Network;
UPF: User Plane Function;
P-UPF: Policy-UPF, intelligent user plane function (a term coined in this application);
I-UPF: Intermediate UPF, intermediate user plane function;
URSP: UE Route Selection Policy;
PCF: Policy Control Function;
PDU: Protocol Data Unit;
S-NSSAI: Single Network Slice Selection Assistance Information;
NRF: NF Repository Function, the network function repository;
GTP-U: GPRS Tunnelling Protocol for the user plane;
RSD: Route Selection Descriptor;
TD: Traffic Descriptor;
DN: Data Network;
MSISDN: Mobile Station International ISDN Number; ISDN: Integrated Services Digital Network;
IMSI: International Mobile Subscriber Identity;
IMEI: International Mobile Equipment Identity;
EAP: Extensible Authentication Protocol;
NAS: Non-Access Stratum.
Based on the problems of the prior art mentioned in the background section, the present embodiment provides an access control method, as shown in fig. 2, including:
S1, constructing an access control device, configuring the connection relation between the access control device and other network elements in a system, and pre-configuring accessible resource information of each terminal;
S2, receiving an access request message and/or an update message of the terminal by using the access control device;
S3, inquiring and matching the corresponding accessible resource information according to the received access request message and/or the received update message, and generating an access control strategy;
S4, dynamically managing the authority of the authorized terminal to access the resources in the data network by using the access control device according to the state information of the terminal.
According to the access control method, by constructing the access control device, the access authority of authorized terminals can be managed dynamically and flexibly on the mobile network side according to the access request message and/or the update message, which improves the flexibility of access control; at the same time, the access control device can replace existing AAA secondary authentication and zero-trust authentication while ensuring the security of the data network, without installing any software, without manual participation in the terminal authentication and authorization process, and without large-scale changes to the existing network system, so that the system is easy to upgrade and simple for the user to operate. The problems of how to improve the flexibility and security of access control and reduce the operating burden on the user are thereby solved.
Specifically, in this embodiment, in step S1 an access control device is constructed, the connection relation between the access control device and the other network elements in the system is configured, and the resource information accessible to each terminal is pre-configured. As shown in fig. 3, the constructed access control device comprises an authentication unit and an access control management unit; the authentication unit is used for performing access authentication, authorization and charging when the terminal accesses the mobile network; the access control management unit is used for dynamically allocating the authority of each legitimate terminal to access data network resources by querying the pre-configured resource information accessible to each terminal in the system, and for dynamically managing the access control policy according to the network state of the terminal, so as to dynamically manage the authority of authorized terminals to access data network resources.
Preferably, in practice, the authentication unit not only authenticates and manages terminals requesting access but also has the capability of managing the state of network terminals. For example, the authentication unit can perform access authentication and management for a terminal according to information such as its location, the user identity, the device fingerprint and the time of access, and an administrator can manually manage the network state of a terminal through the authentication unit, for example by forcing the terminal offline; in addition, the administrator can configure a blacklist or whitelist in the authentication unit so that it handles specified terminals in a specified way. Thus, for a legitimate terminal that has successfully accessed the network after passing authentication by the authentication unit, its network access authority can be managed dynamically and its access to authorized resources permitted.
The access control management unit provides a terminal access control authority configuration interface, through which the resource information accessible to each terminal can be pre-configured either manually or by receiving it via an API.
In a specific embodiment, as shown in fig. 4, the access control device is respectively connected with the UPF and the data network in a communication manner, so as to realize secondary authentication on the terminal, wherein the access control device is connected with the UPF in a communication manner through an N6 interface. For other network elements, networking architectures such as AUSF, UDM, AMF and SMF mainly include: the user terminal UE is in communication connection with the AMF through an N1 interface; the AMF is in communication connection with AUSF through an N12 interface, is in communication connection with the UDM through an N8 interface, is in communication connection with the SMF through an N11 interface, and is in communication connection with the RAN through an N2 interface; AUSF is in communication connection with the UDM through an N13 interface; the UDM is in communication connection with the SMF through an N10 interface; the SMF is in communication connection with the UPF through an N4 interface; the RAN is communicatively connected to the UPF via an N3 interface.
Therefore, before accessing the data network, the user terminal UE first has to complete primary authentication with the UDM and AUSF via the AMF; the SMF network element then decides, according to the subscription information, whether to initiate secondary identity authentication when establishing the user plane data channel for the terminal, that is, the SMF and UPF network elements perform the secondary authentication towards the access control device constructed in this application.
In order to implement the authentication method proposed by the present application, in this embodiment, as shown in fig. 5, the method for configuring the connection relationship of other network elements in the system further includes:
A1, deploying the SMF and UPF so that URSP policy can be applied for the user terminal, including a terminal that does not itself support URSP.
Specifically, in this embodiment, there are two ways to deploy SMF and UPF:
One way, as shown in fig. 6, includes: deploying the P-SMF and P-UPF independently as required, so that the P-SMF has the I-SMF function and the P-UPF has the I-UPF function; keeping the existing deployment of the other 5G network elements; establishing signalling plane connections between the P-SMF and the other 5G network elements; and establishing user plane connections between the P-UPF and the base station and between the P-UPF and the other UPFs.
Another way, as shown in fig. 7, includes: upgrading the existing SMF and UPF so that the SMF has the P-SMF and I-SMF functions and the UPF has the P-UPF and I-UPF functions; the existing deployment of the other 5G network elements is kept.
In both ways, the P-SMF and P-UPF introduced in this embodiment also carry the I-SMF and I-UPF functions respectively, so that routing and network management based on the URSP policy can be performed for the user terminal even when the terminal itself does not support URSP.
A2, configuring execution strategies of AMF, SMF and UPF.
Specifically, the execution policy for the AMF configuration includes:
When the policy issuing URSP to the user terminal fails, the AMF stores the current URSP policy and marks the user terminal as a first user, wherein the first user is a user needing a network side to realize URSP;
when a first user initiates a PDU setup request, the AMF selects a P-SMF to establish a PDU session for the first user and transmits URSP policies of the first user to the P-SMF.
And, the execution policy for the SMF configuration (mainly the execution policy for the P-SMF configuration) includes:
causing the P-SMF to store and identify URSP policies;
Based on S-NSSAI in the URSP policy, the P-SMF queries the NRF for SMF serving the S-NSSAI and triggers a PDU establishment request, wherein S-NSSAI is specifically S-NSSAI in the RSD in the URSP policy;
upon receipt of the SMF response, the P-SMF instructs the P-UPF to establish a GTP-U tunnel with the UPF serving the S-NSSAI, wherein the SMF response includes the N9 interface information of the UPF serving that S-NSSAI.
And, the execution policy for the UPF configuration (mainly the execution policy for the P-UPF configuration) includes:
causing the P-UPF to store and identify URSP policies;
based on the indication of the P-SMF, the P-UPF establishes a GTP-U channel with the UPF serving the S-NSSAI;
the P-UPF analyses and identifies the uplink traffic of the user terminal and directs it into the appropriate GTP-U tunnel based on the URSP policy;
the P-UPF aggregates the downlink traffic of the user terminal and delivers it into the PDU session channel established between the user and the P-UPF.
Through the configuration of the execution strategy, each functional network element can act according to the configured execution strategy in service management, so that the dynamic and flexible routing and network management for user traffic based on URSP are realized under the condition that the user terminal does not support URSP.
A3, signing at least one execution strategy according to the service scene of the user terminal.
Specifically, in this embodiment, according to the service scenario of the user terminal, the PCF may subscribe the user terminal to a policy combination of multiple TDs and RSDs, for example routing the traffic of IP segment 1/APP1 to S-NSSAI1 and the traffic of IP segment 2/APP2 to S-NSSAI.
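The network-side URSP enforcement described in steps A2 and A3 can be illustrated in code. The following is an added example, not code from the patent or any operator's implementation: it models the P-UPF matching an uplink flow against the subscribed URSP rules in precedence order (every component present in a TD has to match; an empty TD is the "match all" rule), choosing the first RSD whose S-NSSAI has a GTP-U tunnel already established on the P-SMF's instruction, and returning that tunnel's TEID. The rule set, slice names ("S-NSSAI-0" to "S-NSSAI-9"), application identifiers and TEID values are constructed assumptions in the spirit of the IP segment/APP example above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrafficDescriptor:
    """TD components; a TD with no components is the URSP 'match all' descriptor."""
    dst_cidrs: Tuple[str, ...] = ()   # destination IP ranges (the "IP segment" in the text)
    app_ids: Tuple[str, ...] = ()     # application identifiers (the "APP" in the text)
    dst_ports: Tuple[int, ...] = ()


@dataclass(frozen=True)
class RouteSelectionDescriptor:
    s_nssai: str                      # slice the matching traffic is routed to
    dnn: str = "default"


@dataclass(frozen=True)
class UrspRule:
    precedence: int                   # lower value is evaluated first
    td: TrafficDescriptor
    rsds: Tuple[RouteSelectionDescriptor, ...]   # ordered fallback list


@dataclass(frozen=True)
class UplinkFlow:
    dst_ip: str
    dst_port: int
    app_id: Optional[str] = None      # from P-UPF traffic analysis; None if unknown


class PUpf:
    """Network-side URSP enforcement for a UE that does not support URSP itself."""

    def __init__(self, rules, tunnels):
        self.rules = sorted(rules, key=lambda r: r.precedence)
        # s_nssai -> uplink GTP-U TEID towards the UPF serving that slice,
        # established earlier on instruction of the P-SMF (hypothetical values)
        self.tunnels = dict(tunnels)

    @staticmethod
    def _td_matches(td, flow):
        # Every component present in the TD must match the flow.
        if td.app_ids and flow.app_id not in td.app_ids:
            return False
        if td.dst_ports and flow.dst_port not in td.dst_ports:
            return False
        if td.dst_cidrs:
            ip = ipaddress.ip_address(flow.dst_ip)
            if not any(ip in ipaddress.ip_network(c) for c in td.dst_cidrs):
                return False
        return True

    def select_slice(self, flow):
        """First rule (by precedence) whose TD matches and whose RSD has a usable tunnel."""
        for rule in self.rules:
            if not self._td_matches(rule.td, flow):
                continue
            for rsd in rule.rsds:
                if rsd.s_nssai in self.tunnels:
                    return rsd.s_nssai
        return None

    def steer(self, flow):
        """TEID of the GTP-U tunnel the uplink packet is sent into, or None to drop."""
        s_nssai = self.select_slice(flow)
        return None if s_nssai is None else self.tunnels[s_nssai]


def build_sample_pupf():
    """Constructed subscription in the spirit of the text's 'IP segment 1/APP1 -> S-NSSAI1' example."""
    rules = [
        UrspRule(10, TrafficDescriptor(dst_cidrs=("10.1.0.0/16",), app_ids=("APP1",)),
                 (RouteSelectionDescriptor("S-NSSAI-1"),)),
        UrspRule(20, TrafficDescriptor(dst_cidrs=("10.2.0.0/16",)),
                 (RouteSelectionDescriptor("S-NSSAI-2"),)),
        # slice 9 has no tunnel yet, so its traffic falls back to the second RSD
        UrspRule(30, TrafficDescriptor(dst_cidrs=("10.3.0.0/16",)),
                 (RouteSelectionDescriptor("S-NSSAI-9"), RouteSelectionDescriptor("S-NSSAI-2"))),
        UrspRule(255, TrafficDescriptor(), (RouteSelectionDescriptor("S-NSSAI-0"),)),  # match all
    ]
    tunnels = {"S-NSSAI-0": 0x100, "S-NSSAI-1": 0x101, "S-NSSAI-2": 0x102}
    return PUpf(rules, tunnels)


if __name__ == "__main__":
    pupf = build_sample_pupf()
    for flow in (UplinkFlow("10.1.5.5", 443, "APP1"), UplinkFlow("10.1.5.5", 443, "APP9"),
                 UplinkFlow("10.3.1.1", 22), UplinkFlow("192.0.2.1", 80)):
        print(flow, "->", pupf.select_slice(flow), hex(pupf.steer(flow)))
```

The fallback through the RSD list matters in practice: if the P-SMF has not yet obtained N9 information for a slice, traffic should land on the next subscribed slice rather than in a tunnel that does not exist, and a flow that matches nothing is dropped rather than silently routed.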
Thus, the networking architecture corresponding to the access control method provided by the application is completed, and then, the access control to the terminal can be realized according to the networking architecture.
Further, in this embodiment, step S2, an access request message and/or an update message of the terminal is received by the access control device.
Specifically, in this embodiment, the access request message mainly includes an authentication request message and a charging request message; the update message mainly comprises a charging message. Of course, in practical application, other information can be added as an access request message or an update message according to practical requirements, so that the accuracy of authentication is improved.
Still further, in this embodiment, S3, the method for generating the access control policy according to the received access request message and/or the received update message includes:
S31, obtaining the firmware information of the terminal according to the received access request message and/or update message.
The firmware information comprises information such as MSISDN, IMSI, temporary IP address, IMEI, geographic position and the like of the terminal; the temporary IP address is dynamically allocated, i.e. the IP address allocated by the user terminal may be different for each access.
S32, inquiring and matching the corresponding accessible resource information according to the acquired firmware information of the terminal, and generating a corresponding access control strategy.
Specifically, in this embodiment, the access control policy may be a five-tuple policy, that is, it includes the source address, source port, destination address, destination port and protocol of the network access. In practice the policy may include further elements, and the elements used may be chosen according to actual requirements, but at least two elements are used so as to ensure that access control is effective.
It should be noted that "generating" an access control policy here covers not only creating a policy from scratch but also dynamically adjusting an existing one.
In practical application, access authentication, authorization and charging can be performed on the terminal according to the state information of the terminal.
Unlike AAA secondary authentication and zero-trust authentication, the access authentication, authorization and accounting scheme of this embodiment not only performs access authentication, authorization and accounting for the user terminal on the mobile network side, but also matches the reachable target networks and resources against the identity information of the terminal on the mobile network side and controls the access rights of the terminal in linkage with that authentication. The access control policy can be managed dynamically even though the terminal's IP address is dynamic, so that the access rights corresponding to the terminal are matched correctly. In addition, this embodiment can perform authentication and access policy control automatically on the basis of the terminal's number-card information alone (for example a SIM, eSIM or iSIM card), without installing any authentication software or plug-in and without requiring the user to log in; that is, no manual participation in the authentication process is needed, which improves the convenience and efficiency of authentication.
Preferably, in the present embodiment, step S3, the method for generating the access control policy according to the received access request message and/or the received update message further includes:
S33, dynamically maintaining the validity of the access control policy based on the network state of the terminal.
Specifically, in this embodiment, the network state is determined according to the access request message and/or the update message. The charging message in the update message carries information such as the charging message type, the geographic location and the temporary IP address, and the charging message type mainly comprises a charging start message, a charging update message and a charging end message. The network state can thus be determined from the access request and charging messages, and the validity of the access control policy is then maintained according to the network state as follows:
A. When an access request or charging message is received, the access control device generates an access control policy according to the preset data network access rights of the terminal, which can be collected and stored in the access control device in advance so that the corresponding data can be looked up readily.
B. If a charging update message is received within the preset aging time, the valid state of the access control policy is maintained; the preset aging time can be set reasonably according to actual requirements and is not limited by this application.
C. If no charging update message is received within the preset aging time, or a charging end message is received, the access control policy is cancelled, so as to ensure the security of network access.
In the practical application process, the access request message and the update message may be sent to the access control device by the core network session management network element in a main sending manner, that is, as shown in fig. 4, the SMF sends the access request message and/or the update message to the access control device via the UPF. At this time, the access control device performs access authentication, authorization and charging on the terminal, and dynamically manages the authority of the terminal to access the data network resource according to the received access request message and/or the received update message.
In the main sending mode, the secondary authentication performed by the access control device in practice generally proceeds as follows: a user terminal subscribed to an execution policy registers with the network, which triggers the PCF to deliver the URSP policy to the AMF; the AMF delivers the URSP policy to the user terminal, and if the terminal does not support URSP it returns a policy update failure to the AMF; the AMF marks the user terminal as a user requiring network-side URSP and stores the current URSP policy; when the user initiates a PDU session establishment request, the AMF sends the request to the SMF and passes the user's URSP policy to the SMF; after receiving the PDU session establishment request and the URSP policy, the SMF stores the URSP policy and selects a UPF to establish the PDU session for the user. In the course of this, the access control device receives the access request message and the update message, performs access authentication, authorization and charging for the terminal, and dynamically manages the terminal's authority to access data network resources.
Alternatively, in other applications, the access request message and the update message may be sent to the access control device in copy sending mode, that is, the access control device does not process the messages but only reads the information of interest from them. In that case, the access control device only dynamically manages the authority of the terminal to access data network resources according to the received access request message and/or update message, and does not take part in the access authentication, authorization and charging of the terminal.
In the copy mode, in practical application, access authentication, authorization and charging of the terminal equipment are completed by other functional modules in the mobile communication system, and the authentication unit of the access control device is only used for receiving terminal access request messages and update messages (mainly comprising access authentication messages and charging messages) which are copied by other functional modules, and the authentication unit extracts interested information from the messages so as to trigger the access control management unit to control network access of the terminal.
Further, in this embodiment, S4, according to the state information of the terminal, the method for dynamically managing the authority of the authorized terminal to access the data network resource by using the access control device includes:
S41, acquiring the geographic position and access time of the authorized terminal.
Specifically, in practical application, when in an application scenario of a private mobile communication network, authentication information and charging information of a network terminal need to be sent or copied to a core network, and these information need to carry terminal identity information, location information, a timestamp, a terminal IP address and the like, where the identity information includes MSISDN, IMSI, IMEI and the like.
S42, according to the geographic location and access time of the terminal, the access control device manages, through the access control policy, the terminal's authority to access data network resources within the specified geographic range and the specified time range.
Specifically, in this embodiment, the target resources accessible to the terminal are first determined from the terminal identity information, an access control policy list based on two- to five-tuple entries is then generated in combination with the terminal IP address, and the terminal's authority to access resources in the data network within the specified geographic range and time range can then be controlled dynamically and flexibly on the basis of the terminal location and access time.
Because the IP address of the terminal changes every time it accesses the network, the access control policy corresponding to the terminal has to be managed dynamically: on the one hand this prevents a counterfeit terminal from using the IP address of an offline legitimate terminal to access resources, and on the other hand it ensures that each time the terminal accesses the network it is matched with the correct access control policy and can access its corresponding resources.
S43, after the terminal goes offline, the access control device immediately cancels the terminal's access control policy. By shrinking access rights in this way, the risk of attack on and intrusion into the data network is reduced and the security of network access is ensured.
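The policy lifecycle of steps A to C in S33 and the location/time-window enforcement and offline cancellation of S41 to S43 fit together in one model. The following is an added example written for this page, not code from the patent: an access control device keyed by pre-configured per-IMSI resources that creates a policy bound to the terminal's temporary IP on an access request or charging start, refreshes it on charging update, cancels it on charging end or when the aging time elapses, and answers every data network access with default deny unless a live policy covers the five-tuple inside the allowed zone and hours. The message format (a dict with `type`, `imsi`, `ip`, `location`), the zone labels, the IMSI values, the host addresses and the 300-second aging time are constructed assumptions; a real geographic range would be a geofence rather than a label.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    """One pre-configured accessible resource: the destination part of the
    five-tuple plus the optional geographic range and time window of step S4."""
    dst_ip: str
    dst_port: int
    proto: str
    zone: Optional[str] = None                 # allowed geographic range (modelled as a zone label)
    hours: Optional[Tuple[int, int]] = None    # allowed access window [start, end) in hours


@dataclass
class Policy:
    imsi: str
    src_ip: str                   # temporary IP carried in the access/charging message
    resources: Tuple[Resource, ...]
    last_seen: float              # time of the last access request or charging message
    location: Optional[str]


class AccessControlDevice:
    def __init__(self, accessible: Dict[str, Tuple[Resource, ...]], aging_seconds: float):
        self.accessible = accessible            # IMSI -> pre-configured resources (step S1)
        self.aging = aging_seconds              # preset aging time
        self.policies: Dict[str, Policy] = {}   # one live policy per temporary IP

    def expire(self, now: float) -> None:
        """Cancel policies for which no charging update arrived within the aging time."""
        stale = [ip for ip, p in self.policies.items() if now - p.last_seen > self.aging]
        for ip in stale:
            del self.policies[ip]

    def handle(self, msg: dict, now: float) -> str:
        """Process an access request / charging message (constructed dict format)."""
        self.expire(now)
        kind, imsi, ip = msg["type"], msg["imsi"], msg["ip"]
        if kind in ("access_request", "charging_start"):
            # The network has now given this IP to this session: drop whatever policy
            # another terminal left on it, so a newcomer cannot inherit those rights.
            self.policies.pop(ip, None)
            if imsi not in self.accessible:
                return "reject"
            self.policies[ip] = Policy(imsi, ip, self.accessible[imsi], now, msg.get("location"))
            return "accept"
        if kind == "charging_update":
            p = self.policies.get(ip)
            if p is None or p.imsi != imsi:
                return "no_policy"
            p.last_seen = now                              # keeps the policy valid
            p.location = msg.get("location", p.location)   # track the terminal's movement
            return "refreshed"
        if kind == "charging_end":
            p = self.policies.get(ip)
            if p is not None and p.imsi == imsi:
                del self.policies[ip]                      # terminal offline: cancel immediately
            return "cancelled"
        raise ValueError(f"unknown message type {kind}")

    def permit(self, src_ip: str, dst_ip: str, dst_port: int, proto: str,
               now: float, hour: int) -> bool:
        """Default deny: allow only if a live policy for src_ip covers the five-tuple,
        the terminal is inside the resource's zone and the time window is open."""
        self.expire(now)
        p = self.policies.get(src_ip)
        if p is None:
            return False
        for r in p.resources:
            if (r.dst_ip, r.dst_port, r.proto) != (dst_ip, dst_port, proto):
                continue
            if r.zone is not None and p.location != r.zone:
                continue
            if r.hours is not None and not (r.hours[0] <= hour < r.hours[1]):
                continue
            return True
        return False


def build_sample_device() -> AccessControlDevice:
    """Constructed configuration: one terminal may reach an intranet host on
    TCP/443 from zone 'plant-A' between 08:00 and 18:00; aging time 300 s."""
    accessible = {"460001234567890": (Resource("10.10.0.5", 443, "tcp", "plant-A", (8, 18)),)}
    return AccessControlDevice(accessible, aging_seconds=300)
```

Two details are deliberate. A charging start on an IP always discards the policy that was bound to that IP, even when the new terminal is rejected, because the IP has been reallocated and the previous terminal is by definition no longer behind it; and `permit` re-runs expiry before every decision, so a terminal whose charging updates stopped loses access at the aging boundary rather than at the next message.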
In this embodiment, as shown in fig. 4, in the process of the terminal accessing the 5G private network, UDM primary authentication is performed first to ensure that the terminal accessing the 5G private network has access rights, thereby ensuring the security of the 5G private network. For a specific network with high security requirements (for example, an enterprise intranet), if the terminal accesses that specific network, the access control device can be used to perform secondary authentication and dynamic access control after the terminal has accessed the 5G private network, so that the security of the specific network is further ensured.
Specifically, in the actual application process, after the user terminal registers with the network and passes the primary authentication, a PDU session is initiated. The secondary identity authentication of the 5G terminal follows EAP, with the authentication information carried in NAS signaling: the terminal UE acts as the authenticated party (the EAP peer), the SMF network element acts as the authenticator, and the access control device provided by the invention acts as the authentication server. At the same time, the access control device provided by the invention also serves as the gateway through which the terminal accesses the data network, and all traffic destined for the intranet that must pass through the system is denied by default.
In this way, the access control method provided in this embodiment avoids the shortcomings of the technical scheme of patent application No. 202311211162.5 (an access right adjustment method, device and storage medium) described in the background art. As shown in fig. 4, the access control device provided in this embodiment has the capability of terminal access authentication, authorization and charging, and after the SMF enables active sending of authentication and charging information, if the SMF times out without receiving response information from the access control device, an alarm message can be generated to remind the system administrator to troubleshoot, so that a failure does not go unperceived.
This embodiment also provides a terminal access control system for implementing the access control method described above. As shown in fig. 8, the terminal access control system includes a service module, a service management module, an access control module, a dynamic policy management module, an audit module and a data forwarding module. The service module receives Radius messages through the Radius interface, and the dynamic policy management module stores the terminal access rights registered in the system; the access control module then queries the dynamic policy management module for the resource authority of the accessing terminal using information such as the MSISDN or IMSI in the Radius message, and dynamically manages the service management module according to the pre-configured resource access authority, so that the service management module controls the data forwarding module to forward data; the audit module records the behaviour log of the terminal accessing intranet resources, so that intranet access can be traced and audited.
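As an added illustration of the dynamic policy lifecycle in steps S42 and S43 and of the access control and dynamic policy management modules just described (example code, not the patent's own implementation): a terminal's identity is matched against the pre-configured resource table, the allowed targets are bound to the IP the terminal holds in the current session as five-tuple rules gated by site and time window, and the rules are revoked on the accounting Stop. The resource table, the IMSI, the site names and the message dicts are constructed sample data; Acct-Status-Type, 3GPP-IMSI and Framed-IP-Address are RADIUS attribute names, while the "site" and "timestamp" fields are stand-ins for the location information and timestamp the messages carry.

```python
from collections import namedtuple
from datetime import datetime, time

# Constructed sample of the pre-configured accessible resource information, keyed by IMSI:
# allowed (dst IP, dst port, protocol) targets plus the site and time window for that access.
RESOURCE_TABLE = {
    "460001234567890": {
        "targets": [("10.10.1.5", 443, "tcp"), ("10.10.1.6", 22, "tcp")],
        "site": "plant-A",
        "window": (time(8, 0), time(18, 0)),
    },
}

# One five-tuple policy item: source addr/port, destination addr/port, protocol.
Rule = namedtuple("Rule", "src_ip src_port dst_ip dst_port proto")

def generate_policy(imsi, framed_ip, site, timestamp):
    """Match the terminal identity against the resource table and bind the allowed targets
    to the IP the terminal holds in this session; outside the configured site or time
    window no rules are produced, so access stays at the default deny."""
    entry = RESOURCE_TABLE.get(imsi)
    if entry is None or site != entry["site"]:
        return set()
    start, end = entry["window"]
    if not (start <= datetime.fromisoformat(timestamp).time() <= end):
        return set()
    return {Rule(framed_ip, "any", ip, port, proto) for ip, port, proto in entry["targets"]}

class PolicyManager:
    """Dynamic policy store: a terminal's rules exist only while its session is online."""
    def __init__(self):
        self.active = {}  # imsi -> set of Rule for the current session

    def on_accounting(self, msg):
        """Start/Interim-Update re-derive the rules from the session's current IP (dropping
        any rules bound to an earlier IP); Stop revokes the terminal's rules at once."""
        imsi = msg["3GPP-IMSI"]
        if msg["Acct-Status-Type"] == "Stop":
            self.active.pop(imsi, None)
            return set()
        rules = generate_policy(imsi, msg["Framed-IP-Address"], msg["site"], msg["timestamp"])
        self.active[imsi] = rules
        return rules

    def is_allowed(self, src_ip, dst_ip, dst_port, proto):
        """Default deny: forward only if an online terminal's rule matches the five-tuple."""
        return any(r.src_ip == src_ip and r.dst_ip == dst_ip and r.dst_port == dst_port
                   and r.proto == proto for rules in self.active.values() for r in rules)
```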
The terminal access control system provided by this embodiment can provide the terminal with a secure, login-free and imperceptible (transparent) authentication mode for accessing the data network, while providing real-time protection for the data network. Secure access to the 5G private network and efficient access to data network services are thus achieved without increasing user operations, without affecting the performance of the 5G network, and while remaining compatible with various 5G terminals.
Moreover, this embodiment also provides a storage medium storing an executable program; when executed, the executable program implements the access control method described above.
This embodiment also provides an electronic device comprising a memory, a processor and an executable program stored in the memory and runnable by the processor; when running the executable program, the processor performs the access control method described above.
Moreover, this embodiment also provides a chip or chip module, coupled to a memory and configured to execute the computer program stored in the memory so as to perform the access control method described above.
In this specification, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the others; for the same or similar parts, the embodiments may be referred to one another.
The above description is merely illustrative of preferred embodiments of the present invention and is not intended to limit its scope; any alterations and modifications made by those skilled in the art based on the above disclosure shall fall within the scope of the appended claims.