Authentication and authorization in heterogeneous networks
Abstract
A method, system, and network elements for authentication and authorization of a mobile terminal (MT) roaming to or in a foreign network different from its home network is provided, the home network having an authentication and authorization home server (AAAH), and the foreign network having a plurality of domains each of which comprises at least one local server (AAAL1, AAAL2) for authentication, authorization and accounting, each of which local servers being connected to at least one network access server (NAS) for handling access for mobile terminals roaming to or in the foreign network, wherein an authentication and authorization of the mobile terminal is performed whenever the mobile terminal performs a roaming, wherein the authentication and authorization is performed according to a procedure pursuant to one of a plurality of hierarchy levels, whereby a combination of network elements involved in the roaming determines the hierarchy level to be used.
29 Claims
1. A method, comprising:
detecting a roaming of the mobile terminal;
identifying a combination of network elements involved in the detected roaming;
selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination, wherein a home network has an authentication and authorization home server, wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, and wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,
wherein the method, upon attaching of the mobile terminal to the foreign network, further comprises
allocating a temporary local identity to the mobile terminal by the local server, in the domain of which the mobile terminal first attaches to the foreign network;
defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
allocating the local security information to the mobile terminal by the local server,
wherein the performing reuses the allocated local security information to authenticate and authorize in each of said plurality of domains.
Dependent claims: 2, 3, 4, 5, 6.

7. A method, comprising:
detecting a roaming of the mobile terminal;
identifying a combination of network elements involved in the detected roaming;
selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination, wherein a home network has an authentication and authorization home server, wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,
wherein the method, upon attaching of the mobile terminal to the foreign network, further comprises
allocating a local identity to the mobile terminal by the local server, in the domain of which the mobile terminal attaches to the foreign network;
defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
allocating the local security information to the mobile terminal by the local server,
wherein the performing uses the allocated local security information for authentication and authorization,
wherein the local security information is generated in accordance with a used authentication technique,
wherein the authentication and authorization is performed based on a procedure of a second hierarchy level upon the mobile terminal performing an inter-domain roaming from a first network access server which is operationally connected to a first local server of a first domain of the foreign network to a second network access server which is connected to a second local server of a second domain of the foreign network, the procedure comprising
sending a request for the local security information of the mobile terminal from the second local server to the first local server;
transmitting of the local security information of the mobile terminal from the first local server to the second local server; and
using the local security information at the second local server for authentication and authorization of the mobile terminal within the local domain.
Dependent claims: 8.

9. A method, comprising:
detecting a roaming of the mobile terminal;
identifying a combination of network elements involved in the detected roaming;
selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination, wherein a home network has an authentication and authorization home server, wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,
wherein the method, upon attaching of the mobile terminal to the foreign network, further comprises
allocating a local identity to the mobile terminal by the local server, in the domain of which the mobile terminal attaches to the foreign network;
defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
allocating the local security information to the mobile terminal by the local server,
wherein the performing uses the allocated local security information for authentication and authorization,
wherein the local security information is generated in accordance with a used authentication technique,
wherein the authentication and authorization is performed based on a procedure of a third hierarchy level upon the mobile terminal performing an intra-domain roaming from a first network access server of a domain of the foreign network to a second network access server of the same domain, the procedure comprising
sending a request for the local security information of the mobile terminal from the second network access server to the local server of the domain;
transmitting of the local security information of the mobile terminal from the local server of the domain to the second network access server using a predetermined security association between the local server of the domain and the second network access server; and
using the local security information at the second network access server for authentication and authorization of the mobile terminal within the local domain.

10. A method, comprising:
detecting a roaming of the mobile terminal;
identifying a combination of network elements involved in the detected roaming;
selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination, wherein a home network has an authentication and authorization home server, wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,
wherein the method, upon attaching of the mobile terminal to the foreign network, further comprises
allocating a local identity to the mobile terminal by the local server, in the domain of which the mobile terminal attaches to the foreign network;
defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity by the local server; and
allocating the local security information to the mobile terminal by the local servers;
wherein the performing uses the allocated local security information for authentication and authorization,
wherein the local security information is generated in accordance with a used authentication technique,
wherein the authentication and authorization is performed based on a procedure of a fourth hierarchy level upon the mobile terminal performing an intra-domain roaming from a first network access server of an authentication and authorization area of the foreign network to a second network access server of the same authentication and authorization area, wherein the first network access server knows the local security information of the mobile terminal, the procedure comprising
sending a request for the local security information of the mobile terminal from the second network access server to the first network access server;
transmitting of the local security information of the mobile terminal from the first network access server to the second network access server; and
using the local security information at the second network access server for authentication and authorization of the mobile terminal within the local domain.
Dependent claims: 11.

12. A system, comprising:
an authentication and authorization home server in a home network;
at least one local server configured to authenticate, authorize, and account in each of a plurality of domains of a foreign network;
at least one network access server configured to handle access of mobile terminals roaming to or in the foreign network, each of which network access servers are operationally connectable to one of the local servers;
a detector configured to detect a roaming of a mobile terminal;
an identifier configured to identify a combination of network elements involved in the roaming being detected by the detector;
a selector configured to select one of a plurality of authentication and authorization procedures to be performed based on the combination being identified by the identifier; and
an authentication and authorization processor configured to perform authentication and authorization of the mobile terminal based on the selected one of the plurality of authentication and authorization procedure,
wherein the local server, in the domain of which the mobile terminal first attaches to the foreign network, allocates a temporary local identity to the mobile terminal and allocates a local security information to the mobile terminal, and
wherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of said plurality of domains.
Dependent claims: 13.

14. An apparatus, comprising:
an authentication and authorization processor configured to authenticate and authorize a mobile terminal, which processor is operable according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal, wherein the apparatus is a local server of the domain to which the mobile terminal is attachable, which mobile terminal is registered with a home server of its home network, wherein the apparatus is operationally connectable to at least one network access server configured to handle access of mobile terminals roaming to or in the network;
an allocating device configured to allocate a temporary local identity to the mobile terminal, when the mobile terminal first attaches to the network, and to allocate a local security information to the mobile terminal;
a generator configured to define and generate the local security information representing a binding of a user identity of the mobile terminal and the temporary local identity allocated by the allocating device;
a storing device configured to store the temporary local identity and the local security information of the terminal; and
a mapping device configured to map the local security information to a real user account,
wherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of a plurality of domains of a foreign network.
Dependent claims: 15, 16, 17.

18. An apparatus, comprising:
an accessing device configured to handle access of a mobile terminal to a network; and
a transceiver configured to transmit and receive a local security information of the mobile terminal and other information to and from an operationally connectable local server, another operationally connectable apparatus and an operationally connectable mobile terminal;
an authentication and authorization processor configured to authenticate and authorize according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal,
wherein the apparatus is operationally connectable to a local server of a domain of the network, wherein the local server allocates a temporary local identity to the mobile terminal, and allocates the local security information to the mobile terminal, and
wherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of a plurality of domains of a foreign network.
Dependent claims: 19, 20, 21, 22, 23.

24. An apparatus, comprising:
a registering device configured to register with a home server in its home network, and is attachable to a foreign network using a network access server of the foreign network, wherein the foreign network comprises a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, wherein each of the local servers are operationally connectable to at least one of the network access servers;
an authentication and authorization processor configured to perform an authentication and authorization according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the apparatus;
a transceiver configured to transmit and receive information to and from one of the network access servers of the foreign network; and
a storing device configured to keep a list of local security information of each network having been attached to,
wherein the local security information is allocable to the apparatus by one of the local servers of the foreign networks,
wherein the local server, in the domain of which the apparatus first attaches to the foreign network, allocates a temporary local identity to the apparatus; and
wherein the authentication and authorization processor is further configured to reuse the local security information for authentication and authorization in each of said plurality of domains.
Dependent claims: 25.

26. A system comprising:
an authentication and authorization home server in a home network;
at least one local server for authentication, authorization and accounting in each of a plurality of domains of a foreign network;
at least one network access server for handling access of mobile terminals roaming to or in the foreign network, each of which network access servers are operationally connectable to one of the local servers;
detecting means for detecting a roaming of a mobile terminal;
identifying means for identifying a combination of network elements involved in the roaming being detected by the detecting means;
selecting means for selecting one of a plurality of authentication and authorization procedures to be performed based on the combination being identified by the identifier; and
authentication and authorization means for authenticating and authorizing of the mobile terminal based on the selected one of the plurality of authentication and authorization procedure,
wherein the local server, in the domain of which the mobile terminal first attaches to the foreign network, allocates a temporary local identity to the mobile terminal and allocates a local security information to the mobile terminal, and
wherein the authentication and authorization means reuses the local security information for authentication and authorization in each of said plurality of domains.

27. An apparatus, comprising:
authentication and authorization means for authenticating and authorizing a mobile terminal, which is operable according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal, wherein the apparatus is a local server of the domain to which the mobile terminal is attachable, which mobile terminal is registered with a home server of its home network, and wherein the apparatus is operationally connectable to at least one network access server for handling access of mobile terminals roaming to or in a network;
allocating means for allocating a temporary local identity to the mobile terminal, when the mobile terminal first attaches to the network, and for allocating a local security information to the mobile terminal;
defining and generating means for defining and generating the local security information representing a binding of a user identity of the mobile terminal and the temporary local identity allocated by the allocating device;
storing means for storing the temporary local identity and the local security information of the terminal; and
mapping means for mapping the local security information to a real user account,
wherein the authentication and authorization means reuses the local security information for authentication and authorization in each of a plurality of domains of a foreign network.

28. An apparatus, comprising:
accessing means for handling access of a mobile terminal to a network; and
transmitting and receiving means for transmitting and receiving a local security information of the mobile terminal and other information to and from an operationally connectable local server, another operationally connectable apparatus and an operationally connectable mobile terminal,
wherein the apparatus comprises authentication and authorization means for authenticating and authorizing according to a procedure which is selectable based on an identified combination of network elements which are involved in a detectable roaming of the mobile terminal,
wherein the apparatus is connectable to a local server of a domain of the network, wherein the local server allocates a temporary local identity to the mobile terminal, and allocates the local security information to the mobile terminal, and
wherein the authentication and authorization means reuses the local security information for authentication and authorization in each of a plurality of domains of a foreign network.

29. A computer program, embodied on a computer readable medium, configured to control a processor to implement a method, the method comprising:
detecting a roaming of the mobile terminal;
identifying a combination of network elements involved in the detected roaming;
selecting one of a plurality of authentication and authorization procedures to be performed based on the identified combination, wherein a home network has an authentication and authorization home server, wherein a foreign network has a plurality of domains each of which comprises at least one local server configured to authenticate, authorize, and account, and wherein each of the local servers is operationally connected to at least one network access server configured to handle access for mobile terminals roaming to or in the foreign network; and
performing an authentication and authorization based on the selected one of a plurality of authentication and authorization procedures,
wherein the method, upon attaching of the mobile terminal to the foreign network, further comprises
allocating a temporary local identity to the mobile terminal in the domain of which the mobile terminal first attaches to the foreign network;
defining and generating a local security information representing a binding of a user identity of the mobile terminal and the allocated temporary local identity; and
allocating the local security information to the mobile terminal,
wherein the performing reuses the allocated local security information to authenticate and authorize in each of said plurality of domains.
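The procedures of claims 1, 7, 9 and 10 (first attach, then inter-domain, intra-domain and intra-area roaming, with the local security information fetched from the element that holds it) as an added Python model; this is illustration code, not code from the patent or its assignee. It assumes the local security information is an HMAC-SHA256 over the user identity and the temporary local identity under a per-domain secret, and that the first attach to the foreign network is hierarchy level 1; the claims only say the information is generated "in accordance with a used authentication technique".

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class AAAL:
    """Local AAA server (AAAL) of one foreign-network domain."""
    domain: str
    key: bytes                                   # assumed per-domain secret
    peers: dict = field(default_factory=dict)    # domain -> AAAL asked at level 2
    records: dict = field(default_factory=dict)  # tlid -> (user identity, LSI)

    def first_attach(self, user):
        """Allocate a temporary local identity (tlid) and bind it to the user."""
        tlid = f"{self.domain}:tmp{len(self.records) + 1}"
        lsi = hmac.new(self.key, f"{user}|{tlid}".encode(), hashlib.sha256).hexdigest()
        self.records[tlid] = (user, lsi)
        return tlid, lsi

    def lsi_for(self, tlid):
        """Level 2: an AAAL that does not know the MT asks the issuing AAAL."""
        if tlid not in self.records:
            issuer = self.peers[tlid.split(":")[0]]      # AAAL2 -> AAAL1 request
            self.records[tlid] = issuer.records[tlid]    # AAAL1 transmits the binding
        return self.records[tlid][1]


@dataclass
class NAS:
    aaal: AAAL
    area: str                                    # authentication and authorization area
    known: dict = field(default_factory=dict)    # tlid -> LSI this NAS has verified


def hierarchy_level(old, new):
    """Select the procedure from the combination of elements involved in the roaming."""
    if old is None:
        return 1      # first attach to the foreign network (assumed level 1)
    if old.aaal is not new.aaal:
        return 2      # inter-domain: AAAL2 asks AAAL1
    if old.area != new.area:
        return 3      # intra-domain: NAS2 asks the domain's AAAL over their SA
    return 4          # intra-area: NAS2 asks NAS1, which already knows the LSI


def roam(mt, old, new):
    """Authenticate the terminal dict `mt` at NAS `new`; returns (level, accepted)."""
    level = hierarchy_level(old, new)
    if level == 1:
        mt["tlid"], mt["lsi"] = new.aaal.first_attach(mt["user"])
    reference = {1: lambda: mt["lsi"],                      # just allocated
                 2: lambda: new.aaal.lsi_for(mt["tlid"]),
                 3: lambda: new.aaal.records[mt["tlid"]][1],
                 4: lambda: old.known[mt["tlid"]]}[level]()
    accepted = hmac.compare_digest(reference, mt["lsi"])   # LSI kept by the MT (claim 24)
    if accepted:
        new.known[mt["tlid"]] = reference
    return level, accepted


def demo():
    """Constructed topology: domain A with two areas, domain B; one MT walks through it."""
    a = AAAL("A", b"domain-A-secret")
    b = AAAL("B", b"domain-B-secret", peers={"A": a})
    a1, a2, a3, b1 = NAS(a, "east"), NAS(a, "east"), NAS(a, "west"), NAS(b, "north")
    mt = {"user": "alice@home.example"}
    levels = [roam(mt, old, new)[0] for old, new in [(None, a1), (a1, a2), (a2, a3), (a3, b1)]]
    forged = {"user": mt["user"], "tlid": mt["tlid"], "lsi": "0" * 64}  # no domain key
    return levels, roam(forged, a3, b1)[1]
```

A terminal that knows a valid temporary local identity but not the domain secret cannot produce a matching binding, so `demo()` rejects the forged entry while the legitimate walk uses levels 1, 4, 3 and 2 in turn.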