System and method for managing access in a network
The method and system address the challenge of mapping IP addresses to SUPIs in 5G networks, facilitating real-time policy enforcement and enhancing security by integrating with SASE and network functions, thus improving URL filtering and access control.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- JIO PLATFORMS LTD
- Filing Date
- 2025-12-02
- Publication Date
- 2026-06-11
AI Technical Summary
In 5G networks, the challenge of efficiently mapping user traffic to user identities for enforcing security policies like URL filtering is complicated by the use of IP addresses alone, as provisioning is based on Subscription Permanent Identifiers (SUPI), leading to inefficiencies and potential errors in policy application.
A method and system that maps IP addresses to SUPIs in real-time using the DIAMETER Sd interface, enabling seamless integration with SASE and network functions like PCF/PCRF, and automates session management for dynamic policy enforcement.
Enables real-time, identity-based policy enforcement, improving security and operational efficiency by ensuring accurate application of URL filtering and access control policies.
Figure IN2025051980_11062026_PF_FP_ABST
Abstract
Description
SYSTEM AND METHOD FOR MANAGING ACCESS IN A NETWORK
RESERVATION OF RIGHTS
[0001] A portion of the disclosure of this patent document contains material which is subject to intellectual property rights such as, but not limited to, copyright, design, trademark, Integrated Circuit (IC) layout design, and / or trade dress protection, belonging to Jio Platforms Limited (JPL) or its affiliates (hereinafter referred to as the owner). The owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights whatsoever. All rights to such intellectual property are fully reserved by the owner.
TECHNICAL FIELD
[0002] The present disclosure relates generally to the field of telecommunications. The present disclosure relates to a method and a system for managing access in a network. In particular, it relates to a system and a method for mapping the Internet Protocol (IP) address of a device to the Subscription Permanent Identifier (SUPI) of a user in the network.
DEFINITIONS
[0003] As used in the present disclosure, the following terms are generally intended to have the meaning as set forth below, except to the extent that the context in which they are used indicates otherwise.
[0004] The term “Network Function (NF)” used hereinafter in the specification refers to a component within a 5G network architecture that performs specific roles and services. The design of NFs in the 5G network allows for greater flexibility, scalability, and efficiency compared to previous generations of mobile networks. Each NF operates independently but can interconnect with other NFs to support a wide range of services. Examples of the network functions (NFs) include a User Plane Function (UPF), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Network Exposure Function (NEF), and a Policy Control Function (PCF).
[0005] The term “Application Programming Interface (API)” used hereinafter in the specification refers to a set of defined protocols, tools, and rules that allow different software components or systems to communicate with each other in 5G networks.
[0006] The term “Secure Access Service Edge (SASE)” used hereinafter in the specification refers to a network architecture model that integrates network security functions with wide area networking (WAN) capabilities to support the dynamic and secure access needs of modern enterprises. The SASE combines various network and security services into a unified cloud-native platform, providing secure access to users, devices, and applications regardless of their location.
[0007] The term “Uniform Resource Locator (URL)” used hereinafter in the specification refers to a reference or address used to access resources on the internet. The URL specifies the location of a resource, such as a webpage, file, or service, and the protocol used to retrieve it, such as Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), etc.
[0008] The term “Subscription Permanent Identifier (SUPI)” used hereinafter in the specification refers to a unique identifier assigned to each subscriber in a 5G network. The SUPI is used to identify and authenticate users within the network, ensuring secure communication and proper network access control.
[0009] The term “Internet Protocol (IP) address” used hereinafter in the specification refers to a unique numerical identifier assigned to each device connected to a network that uses the Internet Protocol for communication. The IP address serves primary functions such as identifying the host or network interface and locating the device within the network.
[0010] The term “DIAMETER Sd Interface” used hereinafter in the specification refers to a standardized reference point used in telecom networks, specifically in 4G and 5G networks, for communication between a policy function such as the PCRF and a Traffic Detection Function (TDF), as specified in 3GPP TS 29.212. The DIAMETER Sd Interface is based on the DIAMETER protocol, which is an authentication, authorization, and accounting (AAA) protocol designed to replace the older RADIUS protocol, providing enhanced reliability and scalability.
[0011] The term “Policy Control Function (PCF)” used hereinafter in the specification refers to a network function in the 5G network, responsible for policy management and control over network services. The PCF makes decisions regarding Quality of Service (QoS) and enforces network policies that govern how data is treated across the network.
[0012] The term “Policy and Charging Rules Function (PCRF)” used hereinafter in the specification refers to a network function in mobile networks, particularly in 4G (Evolved Packet Core) networks, with the PCF as its 5G counterpart, responsible for real-time policy control and charging decisions. The PCRF enforces network policies, such as Quality of Service (QoS), bandwidth management, and access control, based on the user’s subscription profile and network conditions.
[0013] These definitions are in addition to those expressed in the art.
BACKGROUND
[0014] The following description of related art is intended to provide background information pertaining to the field of the disclosure. This section may include certain aspects of the art that may be related to various features of the present disclosure. However, it should be appreciated that this section be used only to enhance the understanding of the reader with respect to the present disclosure, and not as admissions of prior art.
[0015] In network architectures, efficient handling of user identification and traffic management is critical for ensuring seamless operation, particularly in secure enterprise environments. One of the key challenges in network security is associating user traffic with the user’s identity to enforce specific policies, such as URL filtering and access control. The issue becomes more complex when handling the user’s traffic solely based on IP addresses, especially when network provisioning is done using identifiers such as the Subscription Permanent Identifier (SUPI) in 5G networks.
[0016] In context of a Secure Access Service Edge (SASE) network node, enterprise users require specific URL filtering capabilities to block access to certain websites or services. However, the traffic data that passes through the network typically contains only the user’s IP address, while the SUPI is needed to enforce URL filtering rules, as enterprise provisioning is done based on the SUPI. In such a scenario, the user’s IP address is insufficient for matching traffic to the correct subscriber, thereby preventing the efficient application of URL filtering policies.
[0017] Hence, a method and system that can address the shortcomings of existing solutions are needed.
SUMMARY OF THE DISCLOSURE
[0018] In an exemplary embodiment, a method for managing access in a network is described. The method includes receiving a user equipment (UE) attachment request corresponding to at least one UE from a second network function. The method includes extracting slicing information from the received UE attachment request. The method further includes initiating a session with an edge node based on the extracted slicing information. Upon initiating the session, the method includes transmitting a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscription Permanent Identifier (SUPI) of a user of the at least one UE. The method includes receiving a TDF-Session-Answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising the IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. The method includes receiving a UE detachment request from the second network function. Upon receiving the UE detachment request, the method includes transmitting a Re-Authorization-Request (RAR) to the edge node. The RAR includes an indication of release of the session along with session release cause information. Further, the method includes receiving a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database.
[0019] In an embodiment, the method further includes receiving a Credit Control Request-Terminate (CCR-T) from the edge node to terminate the session, wherein the CCR-T comprises a session identifier corresponding to the session. Upon receiving the CCR-T, the method includes transmitting a Credit Control Answer-Terminate (CCA-T). The CCA-T includes an indication corresponding to termination of the session.
[0020] In another embodiment, the first network function performing the method is a Policy Control Function (PCF) or a Policy and Charging Rules Function (PCRF), the second network function is a Session Management Function (SMF), and the edge node is a Secure Access Service Edge (SASE) node.
[0021] In another embodiment, the slicing information includes a slicing identifier (ID), the IP address and the SUPI of the at least one UE.
[0022] In another embodiment, the session is a DIAMETER Sd session.
[0023] In another embodiment, the TSA includes an indication of successful mapping of the IP address and the SUPI at the edge node.
[0024] In another exemplary embodiment, a system for managing access in a network is described. The system includes a first network function. The first Network Function (NF) includes a receiving unit configured to receive a User Equipment (UE) attachment request corresponding to at least one UE from a second network function. Further, the first NF includes an extraction unit configured to extract slicing information from the received UE attachment request. The first NF includes an initiating unit configured to initiate a session with an edge node based on the extracted slicing information. Further, the first NF includes a transmitting unit configured to transmit a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node upon initiating the session. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscription Permanent Identifier (SUPI) of a user of the at least one UE. The receiving unit is configured to receive a TDF-Session-Answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising the IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. Further, the receiving unit is configured to receive a UE detachment request from the second network function. The transmitting unit is configured to transmit a Re-Authorization-Request (RAR) to the edge node. The RAR includes an indication of release of the session along with session release cause information. Further, the receiving unit is configured to receive a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database.
[0025] In another embodiment, a user equipment (UE) communicatively coupled with a system in a network is described. The coupling includes receiving a connection request, sending an acknowledgment of the connection request to the user equipment, and transmitting a plurality of signals in response to the connection request. The system is configured to manage access in the network.
[0026] In yet another embodiment, a computer program product including a non-transitory computer-readable medium including instructions that, when executed by one or more processors, cause the one or more processors to execute a method for managing access in a network is disclosed. The method includes receiving a user equipment (UE) attachment request corresponding to at least one UE from a second network function. The method includes extracting slicing information from the received UE attachment request. The method further includes initiating a session with an edge node based on the extracted slicing information. Upon initiating the session, the method includes transmitting a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscription Permanent Identifier (SUPI) of a user of the at least one UE. The method includes receiving a TDF-Session-Answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising the IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. The method includes receiving a UE detachment request from the second network function. Upon receiving the UE detachment request, the method includes transmitting a Re-Authorization-Request (RAR) to the edge node. The RAR includes an indication of release of the session along with session release cause information. Further, the method includes receiving a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database.
OBJECTIVES OF THE DISCLOSURE
[0027] Some of the objectives of the present disclosure, which at least one embodiment herein satisfies, are as follows:
[0028] An objective of the present disclosure is to provide a system and a method for mapping a user's Internet Protocol (IP) address to their Subscription Permanent Identifier (SUPI) in real-time for managing traffic data that only contains the IP information, particularly in enterprise environments.
[0029] Another objective of the present disclosure is to provide a system and a method to provide Uniform Resource Locator (URL) filtering capabilities for users by mapping the user's IP address to their SUPI, ensuring that security and access control policies can be enforced based on the user’s identity.
[0030] Another objective of the present disclosure is to provide a system and a method to leverage DIAMETER Sd interface for integrating a Secure Access Service Edge (SASE) with network functions such as Policy Control Function (PCF) or Policy and Charging Rules Function (PCRF), allowing seamless retrieval of SUPI and IP information upon network attachment.
[0031] Another objective of the present disclosure is to provide a system and a method to automatically establish and terminate sessions based on user attachment and detachment events, ensuring that SUPI-to-IP mapping is dynamically managed, including the clearing of mappings when the user disconnects from the network.
[0032] Another objective of the present disclosure is to provide a system and a method to enforce security policies such as URL blocking and manage traffic effectively based on user identity, thereby improving the overall security and operational efficiency in enterprise networks.
[0033] Other objectives and advantages of the present disclosure will be more apparent from the following description, which is not intended to limit the scope of the present disclosure.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWING
[0034] The accompanying drawings, which are incorporated herein and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems, in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale; emphasis is instead placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components, or circuitry commonly used to implement such components.
[0035] FIG. 1 illustrates an exemplary network architecture of a system for managing access in a network, in accordance with an embodiment of the present disclosure.
[0036] FIG. 2 illustrates an exemplary block diagram of the system for managing access in the network, in accordance with an embodiment of the present disclosure.
[0037] FIG. 3 illustrates an exemplary system architecture for managing access in the network, in accordance with an embodiment of the present disclosure.
[0038] FIG. 4 illustrates an exemplary flow diagram of a method for managing access in the network, in accordance with an embodiment of the present disclosure.
[0039] FIG. 5 illustrates an exemplary method for managing access in the network, in accordance with an embodiment of the present disclosure.
[0040] FIG. 6 illustrates an example computer system in which or with which the embodiments of the present disclosure may be implemented.
[0041] The foregoing shall be more apparent from the following more detailed description of the disclosure.
LIST OF REFERENCE NUMERALS
100 - Network architecture
102 - User(s)
104 - User Equipments (UEs)
106 - Network
108 - System
200 - Block diagram
202 - Processor(s)
204 - Memory
206 - Interface(s)
208 - First NF
210 - Database
212 - Receiving unit
214 - Extraction unit
216 - Initiating unit
218 - Transmitting unit
300 - System architecture
302 - Network node (SASE)
304 - Policy Control Function (PCF) / Policy and Charging Rules Function (PCRF)
400 - Flow Diagram
402 - Session Management Function (SMF)
500 - Method
600 - Computer system
610 - External Storage Device
620 - Bus
630 - Main Memory
640 - Read Only Memory
650 - Mass Storage Device
660 - Communication Port
670 - Processor
DETAILED DESCRIPTION
[0042] In the following description, for the purposes of explanation, various specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. It will be apparent, however, that embodiments of the present disclosure may be practiced without these specific details. Several features described hereafter can each be used independently of one another or with any combination of other features. An individual feature may not address any of the problems discussed above or might address only some of the problems discussed above. Some of the problems discussed above might not be fully addressed by any of the features described herein. Example embodiments of the present disclosure are described below, as illustrated in various drawings in which like reference numerals refer to the same parts throughout the different drawings.
[0043] The ensuing description provides exemplary embodiments only, and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the exemplary embodiments will provide those skilled in the art with an enabling description for implementing an exemplary embodiment. It should be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the disclosure as set forth.
[0044] Specific details are given in the following description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.
[0045] Also, it is noted that individual embodiments may be described as a process that is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination can correspond to a return of the function to the calling function or the main function.
[0046] The word “exemplary” and / or “demonstrative” is used herein to mean serving as an example, instance, or illustration. For the avoidance of doubt, the subject matter disclosed herein is not limited by such examples. In addition, any aspect or design described herein as “exemplary” and / or “demonstrative” is not necessarily to be construed as preferred or advantageous over other aspects or designs, nor is it meant to preclude equivalent exemplary structures and techniques known to those of ordinary skill in the art. Furthermore, to the extent that the terms “includes,” “has,” “contains,” and other similar words are used in either the detailed description or the claims, such terms are intended to be inclusive like the term “comprising” as an open transition word without precluding any additional or other elements.
[0047] Reference throughout this specification to “one embodiment” or “an embodiment” or “an instance” or “one instance” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, the appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[0048] The terminology used herein is to describe particular embodiments only and is not intended to be limiting the disclosure. As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context indicates otherwise. It will be further understood that the terms “comprises” and / or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and / or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / or groups thereof. As used herein, the term “and / or” includes any combinations of one or more of the associated listed items. It should be noted that the terms “mobile device”, “user equipment”, “user device”, “communication device”, “device” and similar terms are used interchangeably for the purpose of describing the invention. These terms are not intended to limit the scope of the invention or imply any specific functionality or limitations on the described embodiments. The use of these terms is solely for convenience and clarity of description. The invention is not limited to any particular type of device or equipment, and it should be understood that other equivalent terms or variations thereof may be used interchangeably without departing from the scope of the invention as defined herein.
[0049] As used herein, an “electronic device”, or “portable electronic device”, or “user device” or “communication device” or “user equipment” or “device” refers to any electrical, electronic, electromechanical, and computing device. The user device is capable of receiving and / or transmitting one or more parameters, performing function / s, communicating with other user devices, and transmitting data to the other user devices. The user equipment may have a processor, a display, a memory, a battery, and an input means such as a hard keypad and / or a soft keypad. The user equipment may be capable of operating on any radio access technology including but not limited to IP-enabled communication, ZigBee, Bluetooth, Bluetooth Low Energy, Near Field Communication, Z-Wave, Wi-Fi, Wi-Fi Direct, etc. For instance, the user equipment may include, but is not limited to, a mobile phone, smartphone, virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other device as may be obvious to a person skilled in the art for implementation of the features of the present disclosure.
[0050] Further, the user device may also comprise a “processor” or “processing unit”, where processor refers to any logic circuitry for processing instructions. The processor may be a general-purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors in association with a Digital Signal Processing (DSP) core, a controller, a microcontroller, Application Specific Integrated Circuits, Field Programmable Gate Array circuits, any other type of integrated circuits, etc. The processor may perform signal coding, data processing, input / output processing, and / or any other functionality that enables the working of the system according to the present disclosure. More specifically, the processor is a hardware processor.
[0051] While considerable emphasis has been placed herein on the components and component parts of the preferred embodiments, it will be appreciated that many embodiments can be made and that many changes can be made in the preferred embodiments without departing from the principles of the disclosure. These and other changes in the preferred embodiment, as well as other embodiments of the disclosure, will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be interpreted merely as illustrative of the disclosure and not as a limitation.
[0052] Wireless communication technology has rapidly evolved over the past few decades. The first generation of wireless communication technology was analog, offering only voice services. Further, text messaging and data services became possible when the second-generation (2G) technology was introduced. The third generation (3G) technology marked the introduction of high-speed internet access, mobile video calling, and location-based services. The fourth generation (4G) technology revolutionized wireless communication with faster data speeds, improved network coverage, and security. Currently, fifth generation (5G) technology is being deployed, offering significantly faster data speeds, lower latency, and the ability to connect many devices simultaneously. Further, 6G, the successor to 5G, is expected to provide significantly higher data speeds with reduced latency, which may offer improved connectivity for a vast number of devices concurrently. The capabilities of 6G enable new types of applications and services, such as advanced augmented reality (AR) and virtual reality (VR), holographic communications, and more immersive digital experiences. These advancements represent a significant leap forward from previous generations, enabling enhanced mobile broadband, improved Internet of Things (IoT) connectivity, and more efficient use of network resources. The sixth generation (6G) technology promises to build upon these advancements, pushing the boundaries of wireless communication even further. While the 5G technology is still being rolled out globally, research and development into 6G are rapidly progressing, with the aim of revolutionizing the way of connecting and interacting with technology.
[0053] In Fifth Generation (5G) networks, accurate identification and management of user traffic is essential for implementing various security and service policies. Nowadays, enterprises are demanding more robust and flexible mechanisms to manage network access and to enforce security protocols such as Uniform Resource Locator (URL) filtering. In enterprise networks, provisioning for users is typically based on their Subscription Permanent Identifier (SUPI), but traffic data at the network level often contains only the Internet Protocol (IP) address of the user, thereby creating a challenge in associating the user traffic with their identity, which is crucial for enforcing policy rules like URL blocking.
[0054] In existing enterprise environments, a user plane traffic only contains the user’s IP address. However, many critical security policies, such as URL filtering, are provisioned based on the user’s SUPI. Since SUPI is not present in the user plane traffic, there is no direct mechanism to enforce such policies based on user identity, presenting a significant challenge for enterprise security solutions like Secure Access Service Edge (SASE), which need to ensure that traffic from specific users can be controlled and filtered based on predefined rules.
[0055] In conventional methods, there is no direct or efficient way to map a user’s IP address to their SUPI in real-time. Typically, security policies, such as URL filtering for enterprise users, may need to be applied based solely on the IP addresses. However, the conventional method may not be ideal because IP addresses may be dynamic or shared between multiple users, making it challenging to enforce policies accurately. Additionally, conventional methods rely on separate provisioning of IP addresses and SUPIs, without the ability to integrate the two in real time for traffic management and policy enforcement.
[0056] The conventional methods often require manual intervention or complex configuration to map user traffic to the correct identity, leading to inefficiencies and potential errors in policy application. Moreover, existing solutions may not fully integrate with standard network protocols, requiring customizations that complicate deployment and scalability. The limitations have created a need for a more efficient, automated, and standardized solution that may seamlessly map IP addresses to the SUPIs, enabling real-time, identity-based policy enforcement in the enterprise network.Hence, there is a need to provide a method and a system that can address the shortcomings of the existing conventional methods.
[0057] The proposed disclosure proposes a method and a system to map the IP address to the SUPI in real time, enabling the application of security policies like URL blocking based on the user’s identity. The proposed disclosure leverages the DIAMETER Sd interface to facilitate communication between the SASE and network functions such as the PCF and the PCRF. When a user attaches to the network, the network function receives the user attachment information from a Session Management Function (SMF), including the user’s slicing information. The network function initiates a DIAMETER Sd session by sending a Traffic Detection Function (TDF)-Session-Request (TSR) to the SASE, containing both the IP address and the SUPI. Upon successful processing of the mapping information, the SASE enforces the necessary policies.
[0058] When the user detaches from the network, the SMF informs the network function, which terminates the session by sending a Re-Authorization-Request (RAR) to the SASE. The SASE then removes the IP-to-SUPI mapping and terminates the session with a Credit Control Request-Terminate (CCR-T) message. The proposed solution seamlessly integrates with existing network standards, requiring no customization, and improves the ability to enforce security policies based on identity in real time. The various embodiments throughout the disclosure will be explained in more detail with reference to FIGS. 1-6.
[0059] FIG. 1 illustrates an exemplary network architecture (100) of a system (108) for managing access in a network (106), in accordance with an embodiment of the present disclosure. As illustrated in FIG. 1, the network architecture (100) may include one or more user equipments (UEs) (104-1, 104-2... 104-N) associated with one or more users (102-1, 102-2... 102-N) in an environment. A person of ordinary skill in the art will understand that the one or more users (102-1, 102-2... 102-N) may be collectively referred to as the users (102). Similarly, a person of ordinary skill in the art will understand that the one or more UEs (104-1, 104-2... 104-N) may be collectively referred to as the UE (104). Although only three UEs (104) are depicted in FIG. 1, any number of the UE (104) may be included without departing from the scope of the ongoing description.
[0060] In an embodiment, the UE (104) may include smart devices operating in a smart environment, for example, an Internet of Things (IoT) system. In such an embodiment, the UE (104) may include, but is not limited to, smartphones, smart watches, smart sensors (e.g., mechanical, thermal, electrical, magnetic, etc.), networked appliances, networked peripheral devices, networked lighting system, communication devices, networked vehicle accessories, networked vehicular devices, smart accessories, tablets, smart television (TV), computers, smart security system, smart home system, other devices for monitoring or interacting with or for the users (102) and / or entities, or any combination thereof. A person of ordinary skill in the art will appreciate that the UE (104) may include, but is not limited to, intelligent, multi-sensing, network-connected devices, that may integrate seamlessly with each other and / or with a central server or a cloud-computing system or any other device that is network-connected.
[0061] Additionally, in some embodiments, the UE (104) may include, but is not limited to, a handheld wireless communication device (e.g., a mobile phone, a smartphone, a tablet device, and so on), a wearable computer device (e.g., a head-mounted display computer device, a head-mounted camera device, a wristwatch computer device, and so on), a Global Positioning System (GPS) device, a laptop computer, a tablet computer, or another type of portable computer, a media playing device, a portable gaming system, and / or any other type of computer device with wireless communication capabilities, and the like. In an embodiment, the UE (104) may include, but is not limited to, any electrical, electronic, electromechanical, or equipment, or a combination of one or more of the above devices, such as virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device, wherein the UE (104) may include one or more in-built or externally coupled accessories including, but not limited to, a visual aid device such as a camera, an audio aid, a microphone, a keyboard, and input devices for receiving input from the user (102) or the entity such as touchpad, touch-enabled screen, electronic pen, and the like. A person of ordinary skill in the art will appreciate that the UE (104) may not be restricted to the mentioned devices and various other devices may be used.
[0062] Referring to FIG. 1, the UE (104) may communicate with the system (108) through the network (106) for sending or receiving various types of data. In an embodiment, the network (106) may include at least one of a fifth generation (5G) network, a sixth generation (6G) network, or the like. The network (106) may enable the UE (104) to communicate with other devices in the network architecture (100) and / or with the system (108). The network (106) may include a wireless card or some other transceiver connection to facilitate this communication. In another embodiment, the network (106) may be implemented as, or include any of a variety of different communication technologies such as a wide area network (WAN), a local area network (LAN), a wireless network, a mobile network, a Virtual Private Network (VPN), the Internet, the Public Switched Telephone Network (PSTN), or the like.
[0063] In an embodiment, the network (106) may include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network (106) may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof.
[0064] In an embodiment, the UE (104) is communicatively coupled with the network (106). The network (106) may receive a connection request from the UE (104). The network (106) may send an acknowledgment of the connection request to the UE (104). The UE (104) may transmit a plurality of signals in response to the connection request.
[0065] In an embodiment, the system (108) receives a user equipment (UE) attachment request corresponding to at least one UE from a second network function. The system (108) extracts slicing information from the received UE attachment request. Further, the system (108) initiates a session with an edge node based on the extracted slicing information. Upon initiating the session, the system (108) may transmit a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE. The system (108) receives a TDF session answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising the IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. The system (108) may receive a UE detachment request from the second network function. Upon receiving the UE detachment request, the system (108) transmits a Re-Authorization-Request (RAR) to the edge node. The RAR includes an indication of release of the session along with session release cause information. Further, the system (108) may receive a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database.
[0066] Although FIG. 1 shows exemplary components of the network architecture (100), in other embodiments, the network architecture (100) may include fewer components, different components, differently arranged components, or additional functional components than depicted in FIG. 1. Additionally, or alternatively, one or more components of the network architecture (100) may perform functions described as being performed by one or more other components of the network architecture (100).
[0067] FIG. 2 illustrates an exemplary block diagram (200) of the system (108) for managing access in the network (106), in accordance with an embodiment of the present disclosure. FIG. 2 is explained in conjunction with the FIG. 1. In an embodiment, the system (108) may be configured inside the network node such as the SASE.
[0068] In an embodiment, the system (108) may include one or more processors (202). The one or more processors (202) may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and / or any devices that process data based on operational instructions. Among other capabilities, the one or more processors (202) may be configured to fetch and execute computer-readable instructions stored in a memory (204) of the system (108). The memory (204) may be configured to store one or more computer-readable instructions or routines in a non-transitory computer readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory (204) may include any non-transitory storage device including, for example, volatile memory such as random-access memory (RAM), or non-volatile memory such as erasable programmable read only memory (EPROM), flash memory, and the like.
[0069] In an embodiment, the system (108) may include an interface (206). The interface (206) may include a variety of interfaces, for example, interfaces for data input and output devices (I / O), storage devices, and the like. The interface (206) may facilitate communication through the system (108). The interface (206) may also provide a communication pathway for one or more components of the system (108). Examples of such components include, but are not limited to, one or more processors (202) and a database (210).
[0070] In an embodiment, the one or more processors (202) may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the first Network Function (NF) (208). In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the one or more processors (202) may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the one or more processors (202) may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the machine-readable storage medium may store instructions that, when executed by the processing resource, implement the one or more processors (202). In such examples, the system may comprise the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to the system and the processing resource. In other examples, the one or more processors (202) may be implemented by electronic circuitry. In an embodiment, the first NF (208) may include a receiving unit (212), an extraction unit (214), an initiating unit (216), and a transmitting unit (218).
[0071] In an embodiment, the receiving unit (212) is configured to receive a user equipment (UE) attachment request corresponding to at least one UE from a second network function. The first network function is a Policy Control Function (PCF) or a Policy and Charging Rules Function (PCRF), the second network function is a Session Management Function (SMF), and the edge node is a Secure Access Service Edge (SASE) node. The UE attachment request may be a control-plane request message, such as a PDU session establishment or initial registration / attach procedure, indicating that the at least one UE intends to establish connectivity for exchanging user-plane data over a mobile network. The first NF is responsible for determining and enforcing policy and charging rules for the UE sessions. The second network function manages PDU sessions, IP address allocation, and interaction with the PCF / PCRF over a service-based or DIAMETER-based interface. The first network function further cooperates with the SASE node, which is configured to provide security and traffic control functions such as URL filtering, access control, and inspection of user-plane traffic based at least on subscriber-related information provided by the first network function.
[0072] Further, the extraction unit (214) is configured to extract slicing information from the received UE attachment request. The slicing information includes a slicing identifier (ID), the IP address, and the SUPI of the at least one UE. The slicing ID may identify a logical network slice or a service profile within a network slice, enabling differentiation of traffic and policy per slice. The IP address may be a layer-3 identifier allocated to the UE for routing user-plane packets. The SUPI may be a permanent subscription identifier of the user in the core network, on which subscription data, policies, and entitlements are configured. By extracting the slicing identifier, the IP address, and the SUPI together, the extraction unit (214) establishes a correlation between the network slice, the user-plane addressing, and the subscription identity, which is subsequently used to drive slice-specific and subscriber-specific policy enforcement at the edge node.
[0073] In an embodiment, the initiating unit (216) is configured to initiate a session with an edge node, based on the extracted slicing information. The session is a DIAMETER Sd session. The DIAMETER Sd session is a logical association over the Sd reference point, where the Sd reference point follows DIAMETER protocol procedures defined for interaction between a policy function (such as a PCRF / PCF) and a Traffic Detection Function (TDF). The edge node, such as the SASE node, assumes a TDF-like role for observing and classifying user-plane traffic. The initiating unit (216) selects an appropriate edge node instance, for example based on the slicing identifier or deployment configuration, and performs DIAMETER session establishment, including exchange of DIAMETER messages to create a stateful policy session for the at least one UE.
[0074] Upon initiating the session, the transmitting unit (218) is configured to transmit a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE. The TSR is a DIAMETER request message used to create or modify a TDF session and to convey session-related attributes. In some embodiments, the TSR may also include the slicing ID and additional service information. By transmitting the TSR with both the IP address and the SUPI, the transmitting unit (218) enables the edge node to establish an internal binding between the user-plane endpoint identified by the IP address and the subscription identity identified by the SUPI, such that subsequent user-plane packets bearing that IP address can be associated with the correct subscriber and corresponding policy rules.
[0075] Further, the receiving unit (212) is configured to receive a TDF session answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information including the IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. The TSA includes an indication of successful mapping of the IP address and the SUPI at the edge node. The internal database may be implemented as a memory-resident or persistent data store containing per-session mapping records, which are used to drive traffic detection, classification, and enforcement of subscriber-specific rules. Using the mapping information, the edge node is further configured to control user traffic corresponding to the at least one UE, for example, by correlating observed IP flows with the SUPI and applying URL filtering, security inspection, or access control policies defined for that SUPI. The TSA includes a success result code and optional diagnostic AVPs, confirming that the TDF session has been correctly established.
[0076] In an embodiment, the receiving unit (212) is configured to receive a UE detachment request from the second network function. The UE detachment request is a control-plane signaling message indicating that the session associated with the at least one UE is to be released or terminated. Such a UE detachment request may correspond to PDU session release, UE deregistration, timeout, or another detach scenario in which the IP address assigned to the UE is to be reclaimed and the associated policy state is no longer required. Receipt of the UE detachment request at the receiving unit (212) triggers a corresponding release of the session and its related mapping information at the edge node so that no stale IP address-SUPI binding persists after session termination.
[0077] Upon receiving the UE detachment request, the transmitting unit (218) is configured to transmit a Re-Authorization-Request (RAR) to the edge node. The RAR is a DIAMETER request message used to modify or revoke an existing session at the edge node. The RAR includes an indication of release of the session along with session release cause information. The session release cause information may specify, by means of an AVP, whether the termination is due to normal release, network failure, operator action, or abnormal conditions, allowing the edge node to determine an appropriate strategy for deleting or managing the mapping information, for example immediate deletion versus temporary retention for logging or auditing purposes.
[0078] In an embodiment, the receiving unit (212) is configured to receive a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database. The RAA is a DIAMETER answer message that indicates the result of processing the RAR at the edge node, for example, through a success result code and optional information elements confirming that the IP address-SUPI mapping for the at least one UE has been deleted. Further, the first network function is made aware that the edge node has cleared the subscriber-specific mapping and that no further policy enforcement will be applied on the basis of the previously established IP address-SUPI association for that session.
[0079] In some embodiments, the receiving unit (212) is configured to receive a Credit Control Request-Terminate (CCR-T) from the edge node for terminating the DIAMETER credit-control or policy session. The CCR-T is a DIAMETER request message used to signal termination of an existing session and to release any associated resources. The CCR-T includes a session identifier (ID) corresponding to the session. By sending the CCR-T, the edge node notifies the first network function that, after removal of the mapping information, the Sd session state may also be terminated to avoid unnecessary resource consumption in both entities.
[0080] Upon receiving the CCR-T, the transmitting unit (218) is configured to transmit a Credit Control Answer-Terminate (CCA-T). The CCA-T includes an indication corresponding to termination of the session. The CCA-T is a DIAMETER answer message that acknowledges termination of the session identified by the session identifier in the CCR-T and includes an indication corresponding to successful termination of the session at the first network function. All control-plane state, IP address-SUPI mapping entries, and associated policy context for the at least one UE are released in a synchronized manner at both the first network function and the edge node, preventing stale state and ensuring consistent behavior upon future attachment of the same UE or reassignment of the same IP address.
[0081] In an embodiment, the database (210) includes data (e.g., user information, provisioning details, error logs, network configuration parameters, traffic data, parameters of traffic data of the network functions, etc.) that may be either stored or generated as a result of functionalities implemented by any of the components of the processor (202) or the first NF (208).
[0082] Although FIG. 2 shows exemplary components of the system (108), in other embodiments, the system (108) may include fewer components, different components, differently arranged components, or additional functional components than depicted in FIG. 2. Additionally, or alternatively, one or more components of the system (108) may perform functions described as being performed by one or more other components of the system (108).
[0083] FIG. 3 illustrates an exemplary system architecture (300) for managing access in the network (106), in accordance with an embodiment of the present disclosure. FIG. 3 is explained in conjunction with the FIGS. 1 and 2.
[0084] In an embodiment, the system architecture (300) may include a network node (302) and a Network function (304). In an aspect, the network node (302) may be analogous to the SASE of the system (108). Further, the Network function (304) may be analogous to one of the PCF / PCRF of the system (108).
[0085] In an embodiment, the SASE (302) (interchangeably used as SASE) combines network security functions and wide-area networking (WAN) capabilities into a unified, cloud-based platform. The SASE (302) is designed to provide secure access to users, devices, and applications regardless of their location. The SASE (302) integrates with network functions such as the PCF and PCRF (304) to apply user-specific security policies such as URL filtering, traffic prioritization, or bandwidth management. The policies may be enforced based on user identity, location, or service requirements.
[0086] In an embodiment, the SASE (302) is connected to the PCF / PCRF (304) via a DIAMETER Sd Interface. The PCF (304) determines how network resources are allocated and managed based on specific rules and policies for different users, devices, or services. The PCF (304) makes real-time decisions regarding network policies, such as Quality of Service (QoS), bandwidth management, traffic prioritization, and service access control. The PCF (304) may enforce the policies by communicating with other network functions, such as the Access and Mobility Management Function (AMF), Session Management Function (SMF), and User Plane Function (UPF), to ensure that the policies are applied to user sessions and traffic flows. In an exemplary embodiment, the PCRF (304) may perform the same functions as the PCF (304) along with managing charging rules, but in the networks (for example, 4G, 5G, 6G, etc.). Further, the DIAMETER Sd Interface facilitates the exchange of user-specific information, such as the SUPI and the IP address, needed to enforce security policies like URL filtering and QoS control between the SASE (302) and the PCF / PCRF (304). In an aspect, the DIAMETER Sd interface is crucial for synchronizing the security enforcement at the SASE (302) with the PCF / PCRF (304) to ensure that user-specific security and traffic policies are applied correctly.
[0087] In an exemplary embodiment, whenever the UE (104) connects to a network such as the 5G network or the 4G network, the SMF sends a user session and attachment details to the PCF (in the 5G network) / PCRF (in the 4G network) (304). The PCF / PCRF (304) processes the information (for example, user session and attachment detail), including the user’s SUPI and IP address. Further, the SASE (302) requests user-specific policies such as traffic filtering, access control from the PCF / PCRF (304) over the DIAMETER Sd interface. The policy request may include requirements for controlling specific user traffic, for instance, based on the enterprise policy, user identity, or subscription details. Further, the PCF / PCRF (304) responds to the SASE (302) by sending the required policy control information, such as the user’s SUPI, traffic management rules, and QoS settings. The policy information allows the SASE (302) to associate user traffic (identified by IP address) with the specific user identity (SUPI) and enforce the required security policies.
[0088] Further, the SASE (302) enforces real-time security and traffic management rules based on the user’s subscription and identity. In an aspect, when the UE (104) detaches from the network (106), the SMF notifies the PCF / PCRF (304), which may further inform the SASE (302) to terminate the session and remove the IP-to-SUPI mapping, ensuring that the UE (104) session and associated policies are removed.
[0089] FIG. 4 illustrates an exemplary flow diagram of a method (400) for managing access in the network (106), in accordance with an embodiment of the present disclosure. The method (400) is performed by the system (108). FIG. 4 is explained in conjunction with FIGS. 1, 2, and 3.
[0090] At step 404, a UE (104) attachment request is transmitted by a Session Management Function (402) towards a Network function (PCF / PCRF) to create a PDU session at the Network function (304). The UE (104) attachment with the network (106) is crucial to access the resources of the network (106).
[0091] At step 406, a Traffic Detection Function (TDF)-Session-Request (TSR) is transmitted towards the network node (302). The TSR includes mapping information of the UE (104). The mapping information may include the Internet protocol (IP) address of the UE (104) along with the Subscriber Permanent Identity (SUPI) of the user (102) of the UE (104).
[0092] At step 408, a TDF session answer is received corresponding to processing of the mapping information at the network node (302). The network node (302) may be a Secure Access Service Edge (SASE) application. The SASE may save the mapping information and transmit the TDF session answer corresponding to the successful processing of the mapping information.
[0093] At step 410, a UE detachment request is transmitted towards the SMF (402) to release the session of the UE (104). The UE detachment request may be initiated either by the UE (104) or the network function (302).
[0094] At step 412, a Re-Authorization-Request (RAR) is transmitted towards the network node (302) along with session release cause information of the UE (104). The session release cause information indicates the reason for termination initiated by the network function (304). In an aspect, only the reason code UNSPECIFIED REASON is applicable for the PCRF-initiated Gxx session termination. The reason code UNSPECIFIED REASON indicates that an event (such as termination of a session, removal of mapping information, or triggering of a procedure) has been initiated without an associated specific or more granular cause being available or selected. In particular, UNSPECIFIED REASON is used as a default or catch-all value when the system cannot determine, does not receive, or does not need to signal a detailed cause code (for example, user-triggered detach without explicit cause, internal housekeeping, or generic operator action). Further, the Gxx session may be a DIAMETER-based policy and charging control session established between the PCRF and the BBERF over the Gxx reference point. The Gxx session maintains state information for one or more bearers associated with the UE, including Quality of Service (QoS) parameters, charging rules, and event reporting triggers. The RAR, indicated by a Command-Code field set to 258 and the 'R' bit set in the Command Flags field, is sent by the PCRF to a Bearer Binding and Event Reporting Function (BBERF) in order to provision QoS rules using a PUSH procedure to initiate the provision of unsolicited QoS rules. The RAR is used to provision the QoS rules, event triggers and event report indications for the session.
The unsolicited QoS rules may be one or more QoS rules that are provisioned by a policy control entity (for example, the PCRF, or the PCF) towards a bearer-handling entity (for example, a BBERF, P-GW, or UPF) without the QoS rules being explicitly requested by that bearer-handling entity or by a corresponding service request from the UE.
[0095] At step 414, a Re-Authorization-Answer (RAA) is received corresponding to removal of the mapping information at the network node (302). The RAA command, indicated by the Command-Code field set to 258 and the 'R' bit cleared in the Command Flags field, is sent by the BBERF to the PCRF in response to the RAR command.
[0096] At step 416, a Credit Control Request-Terminate (CCR-T) is received at the network function (304) to terminate the DIAMETER Sd session. The CCR command, indicated by the Command-Code field set to 272 and the 'R' bit set in the Command Flags field, is sent by the BBERF to the PCRF in order to request the QoS rules. The CCR command is also sent by the BBERF to the PCRF in order to indicate the QoS rule related events or the termination of the Gateway Control session.
[0097] At step 418, a Credit Control Answer-Terminate (CCA-T) is transmitted towards the network node (302) corresponding to a response to the CCR-T. The CCA command, indicated by the Command-Code field set to 272 and the 'R' bit cleared in the Command Flags field, is sent by the PCRF to the BBERF in response to the CCR command. The CCA is used to provision QoS rules and event triggers for the bearer / session and to provide the selected bearer control mode for the Gateway Control session.
[0098] FIG. 5 illustrates an exemplary method (500) for managing access in the network (106), in accordance with an embodiment of the present disclosure. The method (500) is performed by the system (108). FIG. 5 is explained in conjunction with FIGS. 1, 2, 3, and 4.
[0099] At step 502, a user equipment (UE) attachment request corresponding to at least one UE is received from a second network function by a first network function. The first network function is a Policy Control Function (PCF) or a Policy and Charging Rules Function (PCRF), and the second network function is a Session Management Function (SMF). In an exemplary embodiment, when the enterprise UE first powers on and attempts to access the network, the UE triggers a PDU session establishment or registration procedure. The SMF, acting as the second network function, processes the procedure and sends a UE attachment / establishment request towards the PCF or PCRF, acting as the first network function. The UE attachment request includes parameters describing the UE’s subscription, requested data network, and session characteristics.
[0100] At step 504, slicing information is extracted from the received UE attachment request. The slicing information includes a slicing identifier (ID), the IP address and the SUPI of the at least one UE. In an exemplary embodiment, the UE attachment request received from the SMF contains a slicing identifier (ID) indicating that the PDU session belongs to an “enterprise internet access” slice, an IP address that has been allocated to the UE for data traffic, and a Subscription Permanent Identity (SUPI) that uniquely identifies the subscriber in the operator’s core network. The first network function parses the message and extracts the slicing information. Thus, for the enterprise UE, the PCF / PCRF obtains slice ID = “enterprise slice 01”, IP address = “2001:db8:1234::10” (or an IPv4 address), and SUPI = “imsi-123456789012345”.
[0101] At step 506, a session is initiated with an edge node based on the extracted slicing information. The session is a DIAMETER Sd session. The edge node is a Secure Access Service Edge (SASE) node. In an exemplary embodiment, the PCF / PCRF determines, from the slice ID “enterprise slice 01”, that traffic for this slice should be steered through a particular SASE cluster that enforces enterprise security policies. The first network function initiates a DIAMETER Sd session towards a selected SASE node, creating a DIAMETER session context, including a session identifier, and performing the necessary DIAMETER handshake over the Sd interface. Once the Sd session is established, the PCF / PCRF and the SASE node have a control-plane association over which policy and mapping information can be exchanged for the enterprise UE.
[0102] At step 508, a Traffic Detection Function (TDF)-Session-Request (TSR) is transmitted to the edge node, upon initiating the session. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE. In an exemplary embodiment, the PCF / PCRF constructs a TSR message that includes the UE’s IP address “2001:db8:1234::10” and the SUPI “imsi-123456789012345” encoded in DIAMETER AVPs and optionally includes the slice ID and service type indicating enterprise web access. The TSR is sent over the newly created Sd session to the SASE node.
[0103] At step 510, a TDF session answer (TSA) is received from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. The TSA includes an indication of successful mapping of the IP address and the SUPI at the edge node. In an exemplary embodiment, the SASE node receives the TSR, parses the IP address “2001:db8:1234::10” and the SUPI “imsi-123456789012345”, and creates an internal mapping record binding the IP address to the corresponding subscriber identity. The mapping record is stored in an internal database of the SASE node, for example as a table entry keyed by IP address with a value containing the SUPI and slice ID. The SASE node configures its policy engine such that any outbound web traffic originating from “2001:db8:1234::10” is evaluated against URL filtering rules and access policies defined for that SUPI and slice. After completing these operations, the SASE node returns a TSA message to the PCF / PCRF, including a success indication that confirms the IP-SUPI mapping and TDF session are active.
[0104] At step 512, a UE detachment request is received from the second network function. In an exemplary embodiment, when the enterprise UE powers off, moves out of coverage, or the user manually disconnects from the network, the SMF initiates a session release procedure. Further, the SMF sends a UE detachment or PDU session release message to the PCF / PCRF indicating that the data session for “imsi-123456789012345” with IP address “2001:db8:1234::10” is to be terminated.
[0105] At step 514, a Re-Authorization-Request (RAR) is transmitted to the edge node, upon receiving the UE detachment request. The RAR includes an indication of release of the session along with session release cause information. In an exemplary embodiment, the PCF / PCRF creates an RAR message on the existing Sd session, indicating a session release action for the enterprise UE. The RAR includes information identifying the session that is being terminated (for example, the session identifier and / or IP address) together with session release cause information such as “normal release” or “UE detached”.
[0106] At step 516, a Re-Authorization-Answer (RAA) is received from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database. In an exemplary embodiment, upon receiving the RAR, the SASE node locates the mapping entry for IP address “2001:db8:1234::10” and SUPI “imsi-123456789012345” in its database, deletes that entry, and deactivates any associated policy or session state. The SASE node then sends an RAA message back to the PCF / PCRF, containing a success result code and optionally an indication that the mapping information has been removed.
[0107] In an embodiment, a Credit Control Request-Terminate (CCR-T) is received to terminate the session from the edge node. The CCR-T includes a session identifier corresponding to the session. Further, a Credit Control Answer-Terminate (CCA-T) is transmitted. The CCA-T includes an indication corresponding to termination of the session. In an exemplary embodiment, after removing the mapping, the SASE node determines that there is no further need to maintain the underlying Sd session for this UE. The SASE node therefore sends a CCR-T message to the PCF / PCRF, including a session identifier corresponding to the DIAMETER Sd session used for this enterprise UE. The CCR-T requests termination of the credit-control or policy session between the PCF / PCRF and the SASE node and signals that all policy-related processing for that UE has completed. Further, the PCF / PCRF transmits a Credit Control Answer-Terminate (CCA-T), which includes an indication corresponding to successful termination of the session identified in the CCR-T.
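The attach / detach lifecycle of steps 502 to 516 and paragraph [0107], modelled end to end as an added example (not code from the patent or from Jio Platforms). It assumes illustrative message objects rather than a real DIAMETER codec, constructed Session-Id and release-cause strings, and the standard command codes 272 (CCR / CCA), 258 (RAR / RAA) and Result-Code 2001; the TSR command code is an assumption taken from TS 29.212. The point it adds beyond the text: the edge node canonicalises IP literals before keying the mapping, and a source IP with no mapping is denied rather than allowed, so a reassigned address cannot inherit the previous subscriber's policy.

```python
"""Added example: PCF/PCRF <-> SASE Sd exchange (TSR/TSA, RAR/RAA, CCR-T/CCA-T) with an
IP-to-SUPI mapping database at the edge.  Message fields are illustrative, not a Diameter codec."""
from dataclasses import dataclass, field
import ipaddress

RESULT_SUCCESS = 2001   # DIAMETER_SUCCESS
CMD_CCR = 272           # Credit-Control-Request / -Answer (Command-Code 272 as on the page)
CMD_RAR = 258           # Re-Auth-Request / -Answer
CMD_TSR = 8388637       # TDF-Session-Request / -Answer (TS 29.212 Sd; assumed value)


def canon_ip(addr: str) -> str:
    """Normalise an IPv4/IPv6 literal so the mapping lookup cannot miss on spelling differences."""
    return str(ipaddress.ip_address(addr.strip()))


@dataclass
class Msg:
    cmd: int
    session_id: str
    avps: dict = field(default_factory=dict)


@dataclass
class Answer:
    cmd: int
    session_id: str
    result_code: int
    avps: dict = field(default_factory=dict)


class SaseNode:
    """Edge node: holds the IP->SUPI map and enforces URL policy that is provisioned per SUPI."""

    def __init__(self, blocked_by_supi: dict[str, set[str]]):
        self.mapping: dict[str, dict] = {}      # keyed by canonical IP address
        self.sessions: set[str] = set()         # open Sd sessions
        self.blocked_by_supi = blocked_by_supi  # policy keyed by SUPI, never by IP

    def on_tsr(self, m: Msg) -> Answer:
        ip = canon_ip(m.avps["ip"])
        self.sessions.add(m.session_id)
        self.mapping[ip] = {"supi": m.avps["supi"], "slice": m.avps.get("slice"), "session": m.session_id}
        return Answer(CMD_TSR, m.session_id, RESULT_SUCCESS, {"mapped": True})

    def on_rar(self, m: Msg) -> Answer:
        # Release: drop every mapping bound to this Sd session, then confirm removal in the RAA.
        removed = [ip for ip, e in self.mapping.items() if e["session"] == m.session_id]
        for ip in removed:
            del self.mapping[ip]
        return Answer(CMD_RAR, m.session_id, RESULT_SUCCESS,
                      {"mapping_removed": bool(removed), "cause": m.avps.get("release_cause")})

    def build_ccr_t(self, session_id: str) -> Msg:
        return Msg(CMD_CCR, session_id, {"request_type": "TERMINATION_REQUEST"})

    def on_cca_t(self, a: Answer) -> None:
        if a.result_code == RESULT_SUCCESS:
            self.sessions.discard(a.session_id)

    def evaluate(self, src_ip: str, host: str) -> str:
        """Per-flow decision.  An unmapped source IP fails closed: no identity, no access."""
        entry = self.mapping.get(canon_ip(src_ip))
        if entry is None:
            return "deny:unmapped"
        if host in self.blocked_by_supi.get(entry["supi"], set()):
            return f"deny:url-filter:{entry['supi']}"
        return f"allow:{entry['supi']}"


class PolicyFunction:
    """PCF/PCRF side: one Sd session per UE, driven by SMF attach / detach events."""

    def __init__(self, sase: SaseNode):
        self.sase = sase
        self.sd_sessions: dict[str, str] = {}   # SUPI -> Sd Session-Id
        self._seq = 0

    def on_attach(self, attach: dict) -> Answer:
        self._seq += 1
        sid = f"pcf.example;{self._seq};{attach['supi']}"  # constructed Session-Id format
        self.sd_sessions[attach["supi"]] = sid
        tsr = Msg(CMD_TSR, sid, {"ip": attach["ip"], "supi": attach["supi"], "slice": attach["slice"]})
        return self.sase.on_tsr(tsr)

    def on_detach(self, supi: str, cause: str = "UE_DETACHED") -> tuple[Answer, Answer]:
        sid = self.sd_sessions.pop(supi)
        raa = self.sase.on_rar(Msg(CMD_RAR, sid, {"release": True, "release_cause": cause}))
        ccr_t = self.sase.build_ccr_t(sid)                      # edge asks to tear the session down
        cca_t = Answer(CMD_CCR, ccr_t.session_id, RESULT_SUCCESS, {"terminated": True})
        self.sase.on_cca_t(cca_t)
        return raa, cca_t


def run_lifecycle() -> dict:
    """Constructed walk-through with the page's enterprise UE: attach, traffic, detach, IP reuse."""
    sase = SaseNode({"imsi-123456789012345": {"blocked.example"}})
    pcf = PolicyFunction(sase)
    attach = {"supi": "imsi-123456789012345", "ip": "2001:db8:1234::10", "slice": "enterprise slice 01"}
    tsa = pcf.on_attach(attach)
    # Uncompressed spelling of the same address must still hit the mapping.
    during = {h: sase.evaluate("2001:db8:1234:0:0:0:0:10", h) for h in ("blocked.example", "intranet.example")}
    raa, cca_t = pcf.on_detach(attach["supi"])
    after = sase.evaluate("2001:db8:1234::10", "intranet.example")   # address reused after detach
    return {"tsa": tsa.result_code, "during": during, "raa_removed": raa.avps["mapping_removed"],
            "cca_t": cca_t.result_code, "after": after, "open_sessions": len(sase.sessions)}


if __name__ == "__main__":
    print(run_lifecycle())
```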
[0108] FIG. 6 illustrates an exemplary computer system (600) in which or with which embodiments of the present disclosure may be implemented. FIG. 6 is explained in conjunction with FIGs. 1, 2, 3, 4, and 5.
[0109] As shown in FIG. 6, the computer system (600) may include an external storage device (610), a bus (620), a main memory (630), a read-only memory (640), a mass storage device (650), a communication port (660), and a processor (670). A person skilled in the art will appreciate that the computer system (600) may include more than one processor (670) and communication ports (660). The processor (670) may include various modules associated with embodiments of the present disclosure.
[0110] In an embodiment, the communication port (660) may be any of an RS-232 port for use with a modem-based dialup connection, a 10 / 100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fibre, a serial port, a parallel port, or other existing or future ports. The communication port (660) may be chosen depending on the network (106), such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system (600) connects.
[0111] In an embodiment, the memory (630) may be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art. Read-only memory (640) may be any static storage device(s), e.g., but not limited to, Programmable Read Only Memory (PROM) chips for storing static information, e.g., start-up or Basic Input / Output System (BIOS) instructions for the processor (670).
[0112] In an embodiment, the mass storage device (650) may be any current or future mass storage solution, which may be used to store information and / or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and / or Firewire interfaces), one or more optical discs, Redundant Array of Independent Disks (RAID) storage, e.g., an array of disks (e.g., SATA arrays).
[0113] In an embodiment, the bus (620) communicatively couples the processor(s) (670) with the other memory, storage, and communication blocks. The bus (620) may be, e.g., a Peripheral Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), Universal Serial Bus (USB) or the like, for connecting expansion cards, drives and other subsystems as well as other buses, such as a front side bus (FSB), which connects the processor (670) to the computer system (600).
[0114] Optionally, operator and administrative interfaces, e.g., a display, keyboard, joystick, and cursor control device, may also be coupled to the bus (620) to support direct operator interaction with the computer system (600). Other operator and administrative interfaces may be provided through network connections connected through the communication port (660). The components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system (600) limit the scope of the present disclosure.
[0115] In an exemplary embodiment, a method for managing access in a network is described. The method includes receiving a user equipment (UE) attachment request corresponding to at least one UE from a second network function. The method includes extracting slicing information from the received UE attachment request. The method further includes initiating a session with an edge node based on the extracted slicing information. Upon initiating the session, the method includes transmitting a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE. The method includes receiving a TDF session answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. The method includes receiving a UE detachment request from the second network function. Upon receiving the UE detachment request, the method includes transmitting a Re-Authorization-Request (RAR) to the edge node. The RAR includes an indication of release of the session along with session release cause information. Further, the method includes receiving a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database.
[0116] In another exemplary embodiment, a system for managing access in a network is described. The system includes a first network function. The first Network Function (NF) includes a receiving unit configured to receive a User Equipment (UE) attachment request corresponding to at least one UE from a second network function. Further, the first NF includes an extraction unit configured to extract slicing information from the received UE attachment request. The first NF includes an initiating unit configured to initiate a session with an edge node based on the extracted slicing information. Further, the first NF includes a transmitting unit configured to transmit a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node, upon initiating the session. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE. The receiving unit is configured to receive a TDF session answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. Further, the receiving unit is configured to receive a UE detachment request from the second network function. The transmitting unit is configured to transmit a Re-Authorization-Request (RAR) to the edge node. The RAR includes an indication of release of the session along with session release cause information. Further, the receiving unit is configured to receive a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database.
[0117] In another embodiment, a user equipment (UE) communicatively coupled with a system in a network is described. The coupling includes receiving a connection request. Further, the coupling includes sending an acknowledgment of the connection request to the user equipment. Further, the coupling includes transmitting a plurality of signals in response to the connection request. The system is configured to manage access in the network.
[0118] In yet another embodiment, a computer program product including a non-transitory computer-readable medium including instructions that, when executed by one or more processors, cause the one or more processors to execute a method for managing access in a network is disclosed. The method includes receiving a user equipment (UE) attachment request corresponding to at least one UE from a second network function. The method includes extracting slicing information from the received UE attachment request. The method further includes initiating a session with an edge node based on the extracted slicing information. Upon initiating the session, the method includes transmitting a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node. The TSR includes an Internet Protocol (IP) address of the at least one UE and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE. The method includes receiving a TDF session answer (TSA) from the edge node. The edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE. The edge node is also configured to store mapping information comprising IP address-SUPI mapping in an internal database of the edge node, and the edge node is further configured to control user traffic based on the mapping information. The method includes receiving a UE detachment request from the second network function. Upon receiving the UE detachment request, the method includes transmitting a Re-Authorization-Request (RAR) to the edge node. The RAR includes an indication of release of the session along with session release cause information. Further, the method includes receiving a Re-Authorization-Answer (RAA) from the edge node. The RAA includes an indication of removal of the stored mapping information from the internal database.
[0119] While the foregoing describes various embodiments of the invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof. The scope of the invention is determined by the claims that follow. The invention is not limited to the described embodiments, versions or examples, which are included to enable a person having ordinary skill in the art to make and use the invention when combined with information and knowledge available to the person having ordinary skill in the art.
[0120] The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
[0121] While considerable emphasis has been placed herein on the preferred embodiments, it will be appreciated that many embodiments can be made and that many changes can be made in the preferred embodiments without departing from the principles of the disclosure. These and other changes in the preferred embodiments of the disclosure will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be implemented merely as illustrative of the disclosure and not as a limitation.
[0122] The present disclosure provides significant technical advancements in enforcing subscriber-specific policies, such as URL filtering, for enterprise users by enabling deterministic mapping between an Internet Protocol (IP) address observed in the user plane and a Subscription Permanent Identity (SUPI) provisioned in the policy domain. In conventional deployments, Secure Access Service Edge (SASE) or similar edge nodes see only IP information in user traffic, while policy provisioning and entitlement data are anchored on subscriber identifiers such as the SUPI. As a result, existing solutions either duplicate policy configuration on a per-IP basis, rely on offline correlation of logs, or use complex deep-packet inspection or external lookup systems to infer subscriber identity, which increases signalling overhead, introduces latency, and is prone to stale or inconsistent mappings when UEs move, change IP addresses, or detach from the network. To overcome these limitations, the present disclosure establishes a DIAMETER Sd session between a policy function such as a Policy Control Function (PCF) or Policy and Charging Rules Function (PCRF) and an edge node such as a SASE node. When the policy function receives a UE attachment from a Session Management Function (SMF) together with slicing information including a slice identifier, IP address and SUPI, it initiates a TDF-Session-Request (TSR) towards the SASE node carrying the mapping information. The SASE node parses the TSR, extracts IPv4 / IPv6 address and SUPI, creates or updates an internal IP-to-SUPI mapping in its database, and returns a TDF-Session-Answer (TSA) indicating successful processing. Upon UE detachment, the policy function sends a Re-Authorization-Request (RAR) with session release cause information to the SASE node, which removes the stored mapping and completes session termination by exchanging Credit Control Request-Terminate (CCR-T) and Credit Control Answer-Terminate (CCA-T) messages, maintaining an up-to-date and standards-compliant mapping lifecycle tightly coupled to UE attach / detach procedures.
[0123] By combining DIAMETER Sd-based signalling, slice-aware session initiation, and an internal IP-to-SUPI mapping database at the edge node, the present disclosure achieves multiple technical benefits. First, the present disclosure enables accurate, real-time association of each user-plane packet with the correct subscriber identity at the SASE node, allowing URL filtering and other policy controls that are provisioned against SUPI to be enforced directly on traffic identified only by source IP, without duplicating or transforming the policy model. Second, the present disclosure improves robustness and consistency of policy enforcement by creating, updating, and deleting mapping entries strictly based on UE attach and detach events signalled via TSR and RAR messages, avoiding stale mappings when IP addresses are reassigned or when sessions are abnormally released. Third, the present disclosure enhances performance and scalability of the SASE node by storing the IP-SUPI association in a local internal database, so that subsequent traffic classification and policy lookups may be performed at line rate without repeated external queries or log correlation. Further, the present disclosure supports both IPv4 and IPv6 addressing and allows centralized policy provisioning at the subscriber level, simplifying operations, reducing configuration errors, and enabling fine-grained, subscriber-centric access control for enterprise users in large-scale deployments.
TECHNICAL ADVANTAGES
[0124] The present disclosure, as described above, offers several significant technical advantages that enhance the functionality and efficiency of the network.
[0125] Internet Protocol (IP) address to Subscriber Permanent Identity (SUPI) mapping: The present disclosure provides a method to map the user's IP address to their Subscription Permanent Identifier (SUPI), enabling seamless identification of users for traffic management and policy enforcement when only IP information is available in the user plane traffic.
[0126] Real-Time Policy Enforcement: By integrating with network functions such as Policy Control Function (PCF) via a DIAMETER Sd interface, the system allows real-time enforcement of policies like Uniform Resource Locator (URL) filtering for enterprise users based on the SUPI, improving the accuracy and relevance of security measures.
[0127] Automation of Session Lifecycle: The present disclosure automates the session management process by dynamically establishing and terminating sessions based on user attachment and detachment events, thereby reducing manual intervention while ensuring that mapping data (IP-to-SUPI) is always up to date.
[0128] Enhanced Security for Users: The ability to apply security policies such as URL blocking based on the SUPI ensures that security measures are identity-based, providing better security control and preventing unauthorized access or malicious activities.
[0129] Standardized Solution: The system uses the existing DIAMETER Sd interface to retrieve SUPI and IP information, making the present disclosure compatible with existing network infrastructures while avoiding the need for custom modifications or non-standard interfaces.
Claims
We Claim:
1. A method (500) for managing access in a network (106), the method (500) comprising: receiving (502), by a first network function (208), a user equipment (UE) attachment request corresponding to at least one UE (104) from a second network function; extracting (504), by the first network function (208), slicing information from the received UE attachment request; based on the extracted slicing information, initiating (506), by the first network function (208), a session with an edge node; upon initiating the session, transmitting (508), by the first network function (208), a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node, wherein the TSR comprises an Internet Protocol (IP) address of the at least one UE (104) and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE (104); receiving (510), by the first network function (208), a TDF session answer (TSA) from the edge node, wherein the edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE (104), wherein the edge node is also configured to store mapping information comprising IP address-SUPI mapping in an internal database of the edge node, and wherein the edge node is further configured to control user traffic based on the mapping information; receiving (512), by the first network function (208), a UE detachment request from the second network function; upon receiving the UE detachment request, transmitting (514), by the first network function (208), a Re-Authorization-Request (RAR) to the edge node, wherein the RAR comprises an indication of release of the session along with session release cause information; and receiving (516), by the first network function (208), a Re-Authorization-Answer (RAA) from the edge node, wherein the RAA comprises an indication of removal of the stored mapping information from the internal database.
2. The method (500) as claimed in claim 1, further comprises: receiving, by the first network function (208), a Credit Control Request-Terminate (CCR-T) to terminate the session from the edge node, wherein the CCR-T comprises a session identifier corresponding to the session; and upon receiving, transmitting (208), by the first network function (208), a Credit Control Answer-Terminate (CCA-T), wherein the CCA-T comprises an indication corresponding to termination of the session.
3. The method (500) as claimed in claim 1, wherein the first network function (208) is a Policy Control Function (PCF) or a Policy and Charging Rules Function (PCRF) (304) and the second network function is a Session Management Function (SMF) (304) and, wherein the edge node is a Secure Access Service Edge (SASE) node (402).
4. The method (500) as claimed in claim 1, wherein the slicing information comprises a slicing identifier (ID), the IP and the SUPI of the at least one UE (104).
5. The method (500) as claimed in claim 1, wherein the session is a DIAMETER Sd session.
6. The method (500) as claimed in claim 1, wherein the TSA comprises an indication of successful mapping of the IP address and the SUPI at the edge node.
7. A system (108) for managing access in a network (106), the system (108) comprising a first network function (208), the first network function (208) comprising: a receiving unit (210) configured to receive a user equipment (UE) attachment request corresponding to at least one UE (104) from a second network function; an extraction unit (212) configured to extract slicing information from the received UE attachment request; based on the extracted slicing information, an initiating unit (214) is configured to extract a session with an edge node; upon initiating the session, a transmitting unit (218) is configured to transmit a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node, wherein the TSR comprises an Internet Protocol (IP) address of the at least one UE (104) and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE (104); the receiving unit (210) configured to: receive a TDF session answer (TSA) from the edge node, wherein the edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE (104), wherein the edge node is also configured to store mapping information comprising IP address-SUPI mapping in an internal database of the edge node, and wherein the edge node is further configured to control user traffic based on the mapping information; and receive a UE detachment request from the second network function; upon receiving the UE detachment request, the transmitting unit (218) is configured to transmit a Re-Authorization-Request (RAR) to the edge node, wherein the RAR comprises an indication of release of the session along with session release cause information; and the receiving unit (210) configured to receive a Re-Authorization-Answer (RAA) from the edge node, wherein the RAA comprises an indication of removal of the stored mapping information from the internal database.
8. The system (108) as claimed in claim 7, wherein the receiving unit (210) is configured to receive a Credit Control Request-Terminate (CCR-T) to terminate the session from the edge node, wherein the CCR-T comprises a session identifier (ID) corresponding to the session; and upon receiving, the transmitting unit (218) is configured to transmit a Credit Control Answer-Terminate (CCA-T), wherein the CCA-T comprises an indication corresponding to termination of the session.
9. The system (108) as claimed in claim 7, wherein the first network function (208) is a Policy Control Function (PCF) or a Policy and Charging Rules Function (PCRF) (302) and the second network function is a Session Management Function (SMF) (304) and, wherein the edge node is a Secure Access Service Edge (SASE) node (402).
10. The system (108) as claimed in claim 7, wherein the slicing information comprises a slicing identifier (ID), the IP and the SUPI of the at least one UE (104).
11. The system (108) as claimed in claim 7, wherein the session is a DIAMETER Sd session.
12. The system (108) as claimed in claim 7, wherein the TSA comprises an indication of successful mapping of the IP address and the SUPI at the edge node.
13. A user equipment (UE) (104) communicatively coupled with a system (108) in a network (106), the coupling comprises steps of: receiving, by the system (108), a connection request; sending, by the system (108), an acknowledgment of the connection request to the UE (104); and transmitting a plurality of signals in response to the connection request, wherein the system (108) is configured to manage access in the network (106) as claimed in claim 7.
14. A computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors (202), cause the one or more processors (202) to execute a method (500) for managing access in a network (106), the method (500) comprising: receiving (502), by a first network function (208), a user equipment (UE) attachment request corresponding to at least one UE (104) from a second network function; extracting (504), by the first network function (208), slicing information from the received UE attachment request; based on the extracted slicing information, initiating (506), by the first network function (208), a session with an edge node; upon initiating the session, transmitting (508), by the first network function (208), a Traffic Detection Function (TDF)-Session-Request (TSR) to the edge node, wherein the TSR comprises an Internet Protocol (IP) address of the at least one UE (104) and a Subscriber Permanent Identity (SUPI) of a user of the at least one UE (104); receiving (510), by the first network function (208), a TDF session answer (TSA) from the edge node, wherein the edge node is configured to perform mapping of the IP address and the SUPI associated with the at least one UE (104), wherein the edge node is also configured to store mapping information comprising IP address-SUPI mapping in an internal database of the edge node, and wherein the edge node is further configured to control user traffic based on the mapping information; receiving (512), by the first network function (208), a UE detachment request from the second network function; upon receiving the UE detachment request, transmitting (514), by the first network function (208), a Re-Authorization-Request (RAR) to the edge node, wherein the RAR comprises an indication of release of the session along with session release cause information; and receiving (516), by the first network function (208), a Re-Authorization-Answer (RAA) from the edge node, wherein the RAA comprises an indication of removal of the stored mapping information from the internal database.