
CN101094067B - A method and device for authenticating a user terminal in a CDMA system - Google Patents

Info

Publication number
CN101094067B
Authority
CN
China
Prior art keywords
user terminal
authentication
user
accounting server
packet data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200610112654A
Other languages
Chinese (zh)
Other versions
CN101094067A (en
Inventor
许秀莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN200610112654A
Priority to PCT/CN2007/002125 (WO2008025210A1)
Publication of CN101094067A
Application granted
Publication of CN101094067B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for authenticating a user terminal in a CDMA system. The method comprises: a user terminal requests access to a packet data service network, and the packet data serving node determines that the user terminal is to be authenticated; the packet data serving node sends an access request message containing the user network access identifier and a user identifier to the authentication, authorization and accounting server; the authentication, authorization and accounting server looks up the account information of the corresponding user terminal according to the user identifier, authenticates the user terminal in combination with the user network access identifier, and returns the authentication result to the packet data serving node; the packet data serving node, according to the authentication result, provides data services to the user terminal or terminates the user terminal's access. The invention achieves authentication of users who access with a public account, and effective authentication for prepaid services, in a CDMA system.

Figure 200610112654

Description

A method and device for authenticating a user terminal in a CDMA system

Technical field

The invention relates to user authentication methods in the communications field, and in particular to a method and device for authenticating users who access with a public account in a CDMA (Code Division Multiple Access) system.

Background art

CDMA systems have been developed for more than twenty years and are now widely used around the world. Because of their high bandwidth and smooth transition characteristics, CDMA systems offer great advantages for data services. As data services have developed, a variety of requirements have emerged, such as BREW (Binary Runtime Environment for Wireless) services and WAP (Wireless Application Protocol) services. Offering these services raises the question of how to authenticate a user terminal's access to data services.

In data communications, the NAI (Network Access Identifier) uniquely identifies a user terminal and has the form user@realm. CDMA systems also use the NAI as the authentication identifier when a user terminal accesses data services. Normally, when a user terminal requests data service access, the packet data serving node (PDSN) sends an authentication request message carrying the NAI to the authentication, authorization and accounting (AAA) server, which authenticates the user terminal. If authentication succeeds, the user is allowed to access; if it fails, the user's access is terminated.

For operational convenience, multiple users of the same data service may access with the same user name and password, that is, with a public account, and the account name of the public account is used to distinguish which ISP (Internet Service Provider) the user accesses. For example, all wireless data card users access with the user name/password card/card and request a connection to the Internet.

In a CDMA system, before a user accesses data services, the user must first be authenticated at the MSC (Mobile Switching Center), which allocates a channel and determines whether the user has subscribed to data services. Only when radio network authentication succeeds and the user has subscribed to data services does the system pass the user's access request to the packet data serving node for the next stage of data service access processing.

In actual operation, all users may be treated as having data services enabled by default. In that case, when a user accesses the system with a public account, the user may be admitted directly without data service authentication.

However, if users who access with a public account are not authenticated at access time, the system cannot reasonably determine whether such a user may currently use data services, for example whether the user's account still has a balance, whether the user is restricted from using data services, or whether the user has subscribed to the corresponding service, and so cannot provide appropriate service to the user.

For security, users who request data service access with a public account also need to be authenticated for data services at the corresponding authentication, authorization and accounting server, so that the system can decide, based on the user's account status and information, whether to provide data services to the user or whether to allow the user to use the corresponding data service.

In addition, when the system provides prepaid services, the user's account information must be checked at access time and the PPS (PrePaid Server) allocates a quota to the user, so how to effectively authenticate users who access with a public account is a problem that must be solved.

A search has not found any existing method that solves the above problems.

Summary of the invention

The technical problem to be solved by the invention is to provide a method and device for authenticating a user terminal in a CDMA system, so that users who access with a public account can be effectively authenticated.

To achieve the above object, the invention provides a method for authenticating a user terminal in a CDMA system, characterized in that it comprises:

Step 1: the user terminal requests access to the packet data service network, and the packet data serving node determines that the user terminal is to be authenticated;

Step 2: the packet data serving node sends an access request message containing the user network access identifier and a user identifier to the authentication, authorization and accounting server;

Step 3: the authentication, authorization and accounting server looks up the account information of the corresponding user terminal according to the user identifier, authenticates the user terminal in combination with the user network access identifier, and returns the authentication result to the packet data serving node; and

Step 4: the packet data serving node, according to the authentication result, provides data services to the user terminal or terminates the user terminal's access.

In the method for authenticating a user terminal in a CDMA system, the user identifier is a mobile directory number, an international mobile subscriber identity, a mobile identification number, an international roaming mobile identification number, or a mobile equipment identifier.

In the method for authenticating a user terminal in a CDMA system, step 3 further comprises: the authentication, authorization and accounting server determines from the account information of the user terminal whether the user terminal is currently allowed to access; if so, the user terminal has opened an account and the account is in an available state; if not, the user terminal has not opened an account or the account is in an unavailable state, and the authentication, authorization and accounting server sends an access rejection message to the packet data serving node.

In the method for authenticating a user terminal in a CDMA system, in step 3, when the user terminal is allowed to access, the method further comprises: the authentication, authorization and accounting server determines the service type of the access request from the user network access identifier.

In the method for authenticating a user terminal in a CDMA system, step 3 further comprises: the authentication, authorization and accounting server determines from the account information of the user terminal whether the user terminal has subscribed to the service corresponding to the service type of the access request; if so, the authentication, authorization and accounting server sends an access acceptance message to the packet data serving node; if not, it sends an access rejection message to the packet data serving node.

In the method for authenticating a user terminal in a CDMA system, step 3 further comprises: the authentication, authorization and accounting server determines from the account information of the user terminal whether the user is a valid prepaid data user; if so, the user terminal has opened an account in the authentication, authorization and accounting server and has subscribed to the data prepaid service, the user terminal can currently use the prepaid service, and the authentication, authorization and accounting server sends a quota request message containing the user identifier to the prepaid server; if not, the authentication, authorization and accounting server sends an access rejection message to the packet data serving node.

In the method for authenticating a user terminal in a CDMA system, step 3 further comprises: the prepaid server receives the prepaid quota request from the authentication, authorization and accounting server, allocates a quota to the user terminal according to the user identifier, determines the quota-related information, and sends this quota information to the authentication, authorization and accounting server; the authentication, authorization and accounting server sends an authentication result containing the quota information to the packet data serving node.

The method for authenticating a user terminal in a CDMA system further comprises: after the user terminal has accessed, the authentication, authorization and accounting server charges the user terminal according to the user charging information sent by the packet data serving node and the user identifier.

To achieve the above object, the invention also provides a device for authenticating a user terminal in a CDMA system, characterized in that it comprises: a user terminal, a packet data serving node, and an authentication, authorization and accounting server;

The packet data serving node is used to determine whether to authenticate the user terminal; when it determines that authentication is to be performed, it sends an access request message containing the user network access identifier and the user identifier to the authentication, authorization and accounting server, and, according to the authentication result it receives, provides data services to the user terminal or terminates the user terminal's access;

The authentication, authorization and accounting server is used to look up the account information of the corresponding user terminal according to the user identifier, authenticate the user terminal in combination with the user network access identifier, and return the authentication result to the packet data serving node.

The device for authenticating a user terminal in a CDMA system further comprises a prepaid server, used to receive the prepaid quota request from the authentication, authorization and accounting server, allocate a quota to the user terminal according to the user identifier, determine the quota-related information, and send this quota information to the authentication, authorization and accounting server.

The invention solves the problem of authenticating users who access with a public account in existing CDMA systems and provides a convenient way for users to use data services securely. Because a user must be effectively authenticated in order to use the data prepaid service, the invention also solves, from another angle, the problem of users who access with a public account using the data prepaid service.

The invention is described in detail below with reference to the accompanying drawings and specific embodiments, which are not intended to limit the invention.

Description of drawings

Fig. 1 is a network structure diagram of an existing CDMA system;

Fig. 2 is a system structure diagram of the invention for data service access authentication of users who access with a public account;

Fig. 3 is a system flow chart of the invention for data service access authentication of users who access with a public account;

Fig. 4 is a system flow chart of the invention for prepaid data service access authentication of users who access with a public account.

Detailed description

Fig. 1 shows the network structure of an existing CDMA system. The structure includes: a user terminal MS (Mobile Station) 11, a radio access network/packet control function (RAN/PCF) 12, a mobile switching center/visitor location register (MSC/VLR) 13, a packet data serving node PDSN 14, and an authentication, authorization and accounting server AAA 15.

MS 11 accesses the CDMA packet domain with a public account.

RAN/PCF 12 forwards the user's data service access request to PDSN 14.

PDSN 14 provides data access service for MS 11 and provides authentication for the user when MS 11 accesses; while providing data access service for MS 11, PDSN 14 also collects the user's charging information. PDSN 14 is connected to the home agent HA (Home Agent) 18 through the IP (Internet Protocol) network 19.

MSC/VLR 13 provides the radio access network authentication function for MS 11. It is connected to the home location register (HLR) 17 through the SS7 (Signaling System 7) network 16.

AAA 15 provides authentication, authorization and accounting services for MS 11; on receiving a user access request sent by PDSN 14 through the IP network 19, it authenticates MS 11 and grants the corresponding authorization.

Fig. 2 shows the system structure of the invention for data service access authentication of users who access with a public account. The system structure includes: a user terminal MS 11, a packet data serving node PDSN 14, and an authentication, authorization and accounting server AAA 15.

The user terminal MS 11 requests access to the packet data service network, and the packet data serving node PDSN 14 determines whether to authenticate the user terminal; when it determines that the user terminal MS 11 is to be authenticated, the packet data serving node PDSN 14 sends an access request message to the authentication, authorization and accounting server AAA 15, and the message carries at least the user NAI and the user identifier;

The user identifier may be an MDN (Mobile Directory Number), an IMSI (International Mobile Subscriber Identity), a MIN (Mobile Identification Number), an IRM (International Roaming Mobile Identification Number), or an MEID (Mobile Equipment Identifier);

The authentication, authorization and accounting server AAA 15 looks up the account information of the corresponding user terminal according to the user identifier, performs authentication in combination with the user NAI, and then returns the authentication result to the packet data serving node PDSN 14;

The packet data serving node PDSN 14, according to the authorization information returned by the authentication, authorization and accounting server AAA 15, provides the corresponding data service to the user terminal MS 11 or terminates the access of user terminal 11.

Fig. 3 shows the system flow of the invention for data service access authentication of users who access with a public account. With reference to Fig. 2, the flow comprises the following steps:

Step 301: user terminal 11 requests access to the packet data service network, and packet data serving node 14 determines that user terminal 11 is to be authenticated;

Step 302: packet data serving node 11 sends an access request message to the authentication, authorization and accounting server 15, and the message carries at least the user NAI and the user identifier;

Step 303: the authentication, authorization and accounting server 15 looks up the account information of the corresponding user terminal 11 according to the user identifier;

Step 304: the authentication, authorization and accounting server 15 determines from the account information of user terminal 11 whether user terminal 11 is currently allowed to access, that is, whether the user has opened an account and whether the account is in an available state; if user terminal 11 is allowed to access, the user has opened an account and the account is in an available state, and the flow proceeds to step 305; otherwise, the user has not opened an account or the account is in an unavailable state, and step 307 is executed;

Step 305: the authentication, authorization and accounting server 15 further determines the service type of the access request from the user NAI, and determines from the account information of user terminal 11 whether user terminal 11 has subscribed to that type of service; if it has, the flow proceeds to step 306; otherwise, step 307 is executed;

Step 306: the authentication, authorization and accounting server 15 sends an access acceptance message to packet data serving node 14, and the system provides the corresponding type of service to user terminal 11; the flow ends.

Step 307: the authentication, authorization and accounting server 15 sends an access rejection message to packet data serving node 14, and the flow ends.

In this flow, packet data serving node 14 sends the collected user charging information to the authentication, authorization and accounting server 15, and the authentication, authorization and accounting server 15 charges the corresponding user according to the user identifier.

Fig. 4 shows the system flow of the invention for prepaid data service access authentication of users who access with a public account. With reference to Fig. 2, the flow comprises the following steps:

Step 401: user terminal 11 requests access to the packet data service network, and packet data serving node 14 determines that user terminal 11 is to be authenticated;

Step 402: packet data serving node 14 sends an access request message to the authentication, authorization and accounting server 15, and the message carries at least the user NAI and the user identifier;

Step 403: the authentication, authorization and accounting server 15 looks up the account information of the corresponding user terminal according to the user identifier, and determines from this account information whether the user is a valid prepaid data user, that is, whether the user has opened an account in the authentication, authorization and accounting server 15 and has subscribed to the data prepaid service; if the account information of user terminal 11 indicates that the user is a valid prepaid data user, that is, the user has opened an account in the authentication, authorization and accounting server 15 and can currently use the data prepaid service, the server sends a quota request message carrying the user identifier to the prepaid server PPS 20 and the flow continues with step 404; otherwise, it sends an access rejection message to packet data serving node 14 and the flow proceeds to step 406;

Step 404: the prepaid server PPS 20 receives the prepaid quota request from the authentication, authorization and accounting server 15, looks up the account information of user terminal 11 according to the user identifier, allocates a quota to user terminal 11 according to the user identifier, determines the quota-related information, and sends this information to the authentication, authorization and accounting server 15;

Step 405: the authentication, authorization and accounting server 15 sends the authentication result carrying the prepaid quota information to packet data serving node 14;

Step 406: packet data serving node 14, according to the authentication result returned by the authentication, authorization and accounting server 15, provides data services to user terminal 11 or terminates the user's access;

In this step, once it is determined that data services are to be provided to user terminal 11, the flow further includes: packet data serving node 14 sends the collected user charging information to the prepaid server PPS 20, and the prepaid server PPS 20 deducts charges from the corresponding user according to the user identifier.
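The AAA-side decisions of Fig. 3 (steps 303 to 307) and Fig. 4 (steps 403 to 406), as an added sketch that is not part of the patent text. The account table, realm-to-service mapping, MDN values, quota size and the handling of an empty quota are all assumptions made for illustration; the point shown is that the account is keyed on the user identifier, so the shared NAI only selects the service type.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data. Realm names, MDNs, service names and quota sizes
# are assumptions; the patent defines no schema for any of them.
REALM_TO_SERVICE = {"wap.example": "WAP", "net.example": "INTERNET"}

@dataclass
class Account:
    active: bool                      # account opened and in an available state
    services: set = field(default_factory=set)
    prepaid: bool = False             # subscribed to the data prepaid service
    balance_kb: int = 0

ACCOUNTS = {                          # keyed by user identifier (here an MDN)
    "13800000001": Account(True, {"INTERNET"}),
    "13800000002": Account(False, {"INTERNET"}),
    "13800000003": Account(True, {"WAP"}),
    "13800000004": Account(True, {"INTERNET"}, prepaid=True, balance_kb=1500),
}

@dataclass
class AccessRequest:                  # steps 302 / 402: NAI plus user identifier
    nai: str
    user_id: str

@dataclass
class AuthResult:
    accepted: bool
    reason: str
    service: Optional[str] = None
    quota_kb: Optional[int] = None

def service_from_nai(nai: str) -> Optional[str]:
    """Derive the requested service type from the realm part of user@realm."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        return None                   # malformed NAI
    return REALM_TO_SERVICE.get(realm.lower())

def aaa_authenticate(req: AccessRequest) -> AuthResult:
    """Fig. 3, steps 303-307."""
    account = ACCOUNTS.get(req.user_id)                 # step 303
    if account is None or not account.active:           # step 304
        return AuthResult(False, "no account or account unavailable")
    service = service_from_nai(req.nai)                 # step 305
    if service is None or service not in account.services:
        return AuthResult(False, "service not subscribed")
    return AuthResult(True, "accept", service=service)  # step 306

def pps_allocate_quota(user_id: str, chunk_kb: int = 1024) -> int:
    """Step 404: reserve a quota for this user identifier from its balance."""
    account = ACCOUNTS[user_id]
    granted = min(chunk_kb, account.balance_kb)
    account.balance_kb -= granted
    return granted

def aaa_authenticate_prepaid(req: AccessRequest) -> AuthResult:
    """Fig. 4, steps 403-405."""
    account = ACCOUNTS.get(req.user_id)                 # step 403
    if account is None or not account.active or not account.prepaid:
        return AuthResult(False, "not a valid prepaid data user")
    quota = pps_allocate_quota(req.user_id)             # step 404
    if quota == 0:
        # Assumption: the patent does not say what happens on an empty quota.
        return AuthResult(False, "no quota available")
    return AuthResult(True, "accept", quota_kb=quota)   # step 405

def pdsn_decide(result: AuthResult) -> str:
    """Steps 306-307 / 406: the PDSN acts on the AAA result."""
    return "provide data service" if result.accepted else "terminate access"

if __name__ == "__main__":
    shared_nai = "card@net.example"   # one public account, many subscribers
    for mdn in ("13800000001", "13800000002", "13800000003", "13800000099"):
        r = aaa_authenticate(AccessRequest(shared_nai, mdn))
        print(mdn, pdsn_decide(r), "-", r.reason)
    for _ in range(3):
        r = aaa_authenticate_prepaid(AccessRequest(shared_nai, "13800000004"))
        print("prepaid", pdsn_decide(r), r.quota_kb)
```

All four sample subscribers present the same NAI, and the outcome differs only because the lookup is done on the user identifier carried alongside it.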

The invention provides an authentication method for users who access with a public account, so that user terminals can access the CDMA system more securely; it also makes it easier to implement prepaid services for user terminals that access with a public account.

The invention may of course have various other embodiments. Those skilled in the art can make corresponding changes and variations according to the invention without departing from its spirit and substance, but all such changes and variations fall within the scope of protection of the claims appended to the invention.

Claims (9)

1. A method for authenticating a user terminal that accesses a CDMA system using a public account, characterized in that it comprises:
Step 1: the user terminal requests access to the packet data service network, and the packet data serving node determines that the user terminal is to be authenticated;
Step 2: the packet data serving node sends an access request message containing the user's network access identifier and a user ID to the authentication, authorization and accounting server;
Step 3: the authentication, authorization and accounting server looks up the account information of the corresponding user terminal according to the user ID and judges, according to that account information, whether the user terminal is currently allowed to access; if so, the user terminal has opened an account and the account is in an available state; if not, the user terminal has not opened an account or the account is in an unavailable state, and the authentication, authorization and accounting server sends an access-reject message to the packet data serving node; and the authentication, authorization and accounting server authenticates the user terminal in combination with the network access identifier and returns the authentication result to the packet data serving node; and
Step 4: the packet data serving node determines, according to the authentication result, whether to provide data service to the user terminal or to terminate the user terminal's access.
2. The method for authenticating a user terminal in a CDMA system according to claim 1, characterized in that the user ID is a mobile directory number, an international mobile subscriber identity, a mobile identification number, the user's international roaming mobile identification code, or a mobile equipment identifier.
3. The method for authenticating a user terminal that accesses a CDMA system using a public account according to claim 1, characterized in that step 3, when the user terminal is allowed to access, further comprises: a step in which the authentication, authorization and accounting server judges, according to the network access identifier, the service type requested by the access.
4. The method for authenticating a user terminal that accesses a CDMA system using a public account according to claim 3, characterized in that step 3 further comprises: a step in which the authentication, authorization and accounting server judges, according to the account information of the user terminal, whether the user terminal has subscribed to the service corresponding to the requested service type; if so, the authentication, authorization and accounting server sends an accept message to the packet data serving node; if not, it sends an access-reject message to the packet data serving node.
5. The method for authenticating a user terminal that accesses a CDMA system using a public account according to claim 1, characterized in that step 3 further comprises: a step in which the authentication, authorization and accounting server judges, according to the account information of the user terminal, whether the user is a legitimate prepaid data user; if so, the user terminal has opened an account at the authentication, authorization and accounting server and subscribed to the data prepaid service, the user terminal is currently using the prepaid service, and the authentication, authorization and accounting server sends a quota request message containing the user ID to a prepaid server; if not, the authentication, authorization and accounting server sends an access-reject message to the packet data serving node.
6. The method for authenticating a user terminal that accesses a CDMA system using a public account according to claim 5, characterized in that step 3 further comprises: a step in which the prepaid server receives the prepaid quota request from the authentication, authorization and accounting server, allocates a quota to the user terminal according to the user ID, determines the quota-related information, and sends this quota information to the authentication, authorization and accounting server, and the authentication, authorization and accounting server sends an authentication result containing the quota information to the packet data serving node.
7. The method for authenticating a user terminal that accesses a CDMA system using a public account according to claim 1, characterized in that it further comprises: a step in which, after the user terminal has accessed, the authentication, authorization and accounting server charges the user terminal according to the user charging information sent by the packet data serving node and the user ID.
8. A device for authenticating a user terminal that accesses a CDMA system using a public account, characterized in that it comprises: a user terminal, a packet data serving node, and an authentication, authorization and accounting server;
the packet data serving node is used to determine whether to authenticate the user terminal; when it determines that authentication is to be performed, to send an access request message containing the user's network access identifier and a user ID to the authentication, authorization and accounting server; and to determine, according to the authentication result it receives, whether to provide data service to the user terminal or to terminate the user terminal's access;
the authentication, authorization and accounting server is used to look up the account information of the corresponding user terminal according to the user ID, to authenticate the user terminal in combination with the network access identifier, and to return the authentication result to the packet data serving node.
9. The device for authenticating a user terminal that accesses a CDMA system using a public account according to claim 8, characterized in that it further comprises a prepaid server, used to receive the prepaid quota request from the authentication, authorization and accounting server, to allocate a quota to the user terminal according to the user ID, to determine the quota-related information, and to send this quota information to the authentication, authorization and accounting server.
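
The decision flow that the authentication, authorization and accounting server runs in claims 1 and 3 to 6, modelled as an added example (not code from the patent). The account table, the mapping from the realm of the network access identifier to a service type, the `prepaid_service` flag and the quota value are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    active: bool                      # account opened and in an available state
    services: set = field(default_factory=set)
    prepaid: bool = False             # subscribed to the data prepaid service

# Constructed sample accounts, keyed by user ID (an IMSI here), because the
# NAI of a public account is shared and cannot identify the subscriber.
ACCOUNTS = {
    "460030000000001": Account(True, {"internet"}),
    "460030000000002": Account(True, {"internet"}, prepaid=True),
    "460030000000003": Account(False, {"internet"}),
}
# Assumption: the realm of the NAI names the requested service type.
REALM_TO_SERVICE = {"public.example": "internet", "wap.example": "wap"}

def prepaid_quota(user_id):
    """Stand-in for the prepaid server of claim 6 (quota value is constructed)."""
    return {"user_id": user_id, "volume_kb": 1024}

def aaa_authenticate(nai, user_id, prepaid_service=False):
    """Return (message, detail) as the AAA server would answer the PDSN."""
    account = ACCOUNTS.get(user_id)
    if account is None or not account.active:          # claim 1, step 3
        return ("access-reject", "no account or account unavailable")
    service = REALM_TO_SERVICE.get(nai.rpartition("@")[2])   # claim 3
    if service is None or service not in account.services:  # claim 4
        return ("access-reject", "service not subscribed")
    if prepaid_service:                                 # claims 5 and 6
        if not account.prepaid:
            return ("access-reject", "not a prepaid data user")
        return ("access-accept", prepaid_quota(user_id))
    return ("access-accept", None)

if __name__ == "__main__":
    for uid in ACCOUNTS:
        print(uid, aaa_authenticate("guest@public.example", uid))
```

Every request in the sample carries the same public NAI, so the accept or reject outcome depends only on the account found under the user ID.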
CN200610112654A 2006-08-28 2006-08-28 A method and device for authenticating a user terminal in a CDMA system Active CN101094067B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200610112654A CN101094067B (en) 2006-08-28 2006-08-28 A method and device for authenticating a user terminal in a CDMA system
PCT/CN2007/002125 WO2008025210A1 (en) 2006-08-28 2007-07-11 A method and apparatus for authenticating the user terminal in the cdma system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200610112654A CN101094067B (en) 2006-08-28 2006-08-28 A method and device for authenticating a user terminal in a CDMA system

Publications (2)

Publication Number Publication Date
CN101094067A CN101094067A (en) 2007-12-26
CN101094067B true CN101094067B (en) 2010-05-12

Family

ID=38992121

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610112654A Active CN101094067B (en) 2006-08-28 2006-08-28 A method and device for authenticating a user terminal in a CDMA system

Country Status (2)

Country Link
CN (1) CN101094067B (en)
WO (1) WO2008025210A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101651946B (en) 2009-09-25 2012-07-18 青岛海信移动通信技术股份有限公司 Authentication method of EVDO network of code division multiple access (CDMA) data system as well as mobile terminals
CN101945370B (en) * 2010-09-25 2015-03-25 中兴通讯股份有限公司 Method and system for implementing dynamic strategy control
CN102075328A (en) * 2010-12-23 2011-05-25 大唐移动通信设备有限公司 Method and device for processing electronic data
CN103888944B (en) * 2012-12-19 2018-03-13 中国电信股份有限公司 Cdma network replicates card test method and system
CN107548088B (en) * 2016-06-25 2021-06-22 深圳壹账通智能科技有限公司 Mobile equipment identity identification method and service server
WO2025017608A1 (en) * 2023-07-14 2025-01-23 Jio Platforms Limited Method and system to configure one or more services available on service platform

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1474535A (en) * 2002-08-08 2004-02-11 深圳市中兴通讯股份有限公司 Authority discrimination charging method based on combined radio local area web and CDMA system
CN1555159A (en) * 2003-12-22 2004-12-15 中兴通讯股份有限公司 A mobile terminal access method combining CDMA2000 1X and wireless local area network
CN1567794A (en) * 2003-07-01 2005-01-19 华为技术有限公司 Method for implementing packet pre-payment in CDMA
CN1625867A (en) * 2002-04-18 2005-06-08 诺基亚公司 Method system and equipment for service selection through radio local area network
CN1815956A (en) * 2005-02-05 2006-08-09 华为技术有限公司 Method for identifying authority in wireless group business
CN1815955A (en) * 2005-02-05 2006-08-09 华为技术有限公司 Method for identifying authority of user

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6970693B2 (en) * 2002-09-06 2005-11-29 Telefonaktiebolaget Lm Ericsson (Publ) Method, system and telecommunication node for alternative prepaid support
KR100578375B1 (en) * 2004-03-09 2006-05-11 주식회사 케이티프리텔 User terminal authentication method and system in high speed packet data communication system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1625867A (en) * 2002-04-18 2005-06-08 诺基亚公司 Method system and equipment for service selection through radio local area network
CN1474535A (en) * 2002-08-08 2004-02-11 深圳市中兴通讯股份有限公司 Authority discrimination charging method based on combined radio local area web and CDMA system
CN1567794A (en) * 2003-07-01 2005-01-19 华为技术有限公司 Method for implementing packet pre-payment in CDMA
CN1555159A (en) * 2003-12-22 2004-12-15 中兴通讯股份有限公司 A mobile terminal access method combining CDMA2000 1X and wireless local area network
CN1815956A (en) * 2005-02-05 2006-08-09 华为技术有限公司 Method for identifying authority in wireless group business
CN1815955A (en) * 2005-02-05 2006-08-09 华为技术有限公司 Method for identifying authority of user

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
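许秀莉, 沈国强. An authentication and accounting mechanism combining the cdma2000-1x network and the wireless local area network. 电信技术 (Telecommunications Technology), 2002(11), 72-74.
许秀莉, 沈国强. An authentication and accounting mechanism combining the cdma2000-1x network and the wireless local area network. 电信技术 (Telecommunications Technology), 2002(11), 72-74. *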

Also Published As

Publication number Publication date
WO2008025210A1 (en) 2008-03-06
CN101094067A (en) 2007-12-26

Similar Documents

Publication Publication Date Title
KR101296048B1 (en) Online charging architecture in lte/epc communication networks
JP5373057B2 (en) Online billing for roaming users in visited network proxy online billing system
US20070297583A1 (en) Method and System for Third Party Charging
CN103428666A (en) Charging method and device
CN102868998A (en) Method and device for visiting businesses of internet of things
KR20150120422A (en) Method, apparatus and system for aggregating charging information
CN104335641A (en) Data service processing method, device and system in roaming scenario
US20100058447A1 (en) Service authorization method, server, and system
US7752128B2 (en) Charging network, charging agent apparatus and charging method
CN106162595A (en) The service data transmission method of virtual user identification module card, terminal and charge system
WO2008025210A1 (en) A method and apparatus for authenticating the user terminal in the cdma system
WO2010063176A1 (en) Calling charging method based on online charging system and communication system
CN110324801A (en) The method and apparatus of charging
WO2005083933A1 (en) Method and systems for implementing data service prepayment in a cdma network
WO2012084062A1 (en) System, method, network entity and device for connecting a device to a communications network
CN1859114A (en) Method for internet access by using data card
CN110324153A (en) Charging method and system
CN106332040B (en) Method and device for account resource sharing
CN100558135C (en) Method and system for realizing prepaid service in communication network
KR20100050618A (en) System and method for reporting an expiry of the limited fare
CN111542005B (en) Charging method, device, equipment and storage medium
CN104732384A (en) Processing method and system for application software online payment
CN103906025B (en) A kind of processing method of third party charging business, apparatus and system
CN106936602A (en) Network charging method and device based on internet of things equipment
KR20100010415A (en) As expiration of packet limit, system and method for producing data service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant