The present invention generally relates to mobile communication networks and systems.

Descriptions of mobile networks and systems can be found in the literature, such as in particular in Technical Specifications published by standardization bodies such as for example 3GPP (3^rd Generation Partnership Project).

An example of 3GPP mobile system is EPS (Evolved Packet System). An EPS network comprises a Core Network called EPC (Evolved Packet Core) that can be accessed not only by 3GPP access, but also by non-3GPP access, such as in particular WLAN access will be considered more particularly in the following. WLAN access to EPC is specified in particular in 3GPP TS 23.402, and includes Trusted WLAN access and Untrusted WLAN access. An example of non-roaming architecture for 3GPP and Non 3GPP (Trusted or Untrusted) access to EPC is recalled in figure 1 taken from 3GPP TS 23.402. An example of roaming architecture for 3GPP and Non 3GPP (Trusted or Untrusted) access to EPC is recalled in figure 2 taken from 3GPP TS 23.402.

In a system such as EPS for example, a UE may connect to various external networks (referred to as Packet Data Network PDN, an example being an operator's IMS network), via EPC providing connectivity (referred to as PDN connectivity) services. User authentication and authorization procedures are generally performed before granting access and providing connectivity services at establishment of a PDN connection or EPC session.

Untrusted WLAN access to EPC involves entities such as ePDG (evolved Packet Data Gateway) and 3GPP AAA Server (and 3GPP AAA Proxy in case of rooming), and interfaces such as SWa interface between WLAN AN (WLAN Access Network) and 3GPP AAA Server(or between WLAN AN and 3GPP AAA Proxy in case of roaming), and SWm interface between ePDG and 3GPP AAA Server (or between ePDG and 3GPP AAA Proxy in case of roaming), as specified in particular by 3GPP TS 23.402. Authentication and authorization procedures and protocols for these procedures are specified in particular in 3GPP TS 33.402 and 3GPP TS 29.273.

Trusted WLAN access to EPC involves entities such as TWAN (Trusted WLAN Access Network) and 3GPP AAA Server (and 3GPP AAA Proxy in case of rooming), and interfaces such as STa interface between TWAN and 3GPP AAA Server (or between TWAN and 3GPP AAA Proxy in case of roaming), as specified in particular by 3GPP TS 23.402 and 3GPP TS 29.273. Authentication and authorization procedures and protocols for these procedures are specified in particular in 3GPP TS 33.402 and 3GPP TS 29.273.

In such systems, an IMEI (International Mobile Equipment Identity) has been defined for mobile equipment identification purpose. As specified in particular by 3GPP TS 23.002, an equipment may be classified as white-listed, grey-listed or black-listed or may be unclassified. Such lists are specified in particular in 3GPP TS 22.016. The white list is composed of all number series of equipment identities that are permitted for use. The black list contains all equipment identities that belong to equipment that need to be barred. Besides the black and white list, administrations have the possibility to use a grey list. Equipments on the grey list are not barred (unless on the black list or not on the white list), but are tracked by the network (for evaluation or other purposes).

IMEI checking procedures may be performed, whereby a mobile equipment (or UE) may provide its IMEI upon request, and the network may check the status of this IMEI with the EIR (Equipment Identity register).

As recognized by the inventors, and as will be explained with more details later, there is a need to enhance IMEI checking in such systems, in particular for WLAN access (Trusted or Untrusted) to EPC.

Embodiments of the present invention in particular address such needs.

WO2010013914 describes a technique for permitting a UE to conditionally access an EPC network, when the UE is requesting the access to the EPC network using a non-3GPP access network.

• There is hereby provided a 3GPP AAA server according to claim 1, a 3GPP AAA proxy according to claim 4, and methods according to claims 5 and 8.

Some embodiments of apparatus and/or methods in accordance with embodiments of the present invention are now described, by way of example only, and with reference to the accompanying drawings, in which:

• Figure 1 is intended to recall an example of non-roaming architecture for 3GPP and Non 3GPP (Trusted or Untrusted) access to EPC,
• Figure 2 is intended to recall an example of roaming architecture for 3GPP and Non 3GPP (Trusted or Untrusted) access to EPC,
• Figure 3 is intended to illustrate an example of signaling flow for authentication and authorization procedure, for untrusted WLAN access to EPC,
• Figure 4 is intended to illustrate signaling flow for authentication and authorization procedure including IMEI checking, for untrusted WLAN access to EPC,
• Figure 5 is intended to illustrate signaling flow for authentication and authorization procedure including IMEI checking, for trusted WLAN access to EPC,
• Figure 6 is intended to illustrate signaling flow for authentication and authorization procedure including IMEI checking, for trusted WLAN access to EPC,
• Figure 7 is intended to illustrate signaling flow for authentication and authorization procedure including IMEI checking, for untrusted WLAN access to EPC,
• Figure 8 is intended to illustrate an example of signaling flow for authentication and authorization procedure including IMEI checking, for trusted WLAN access to EPC, according to embodiments of the invention,
• Figure 9 is intended to illustrate signaling flow for authentication and authorization procedure including IMEI checking, for untrusted WLAN access to EPC,
• Figure 10 is intended to illustrate an example of signaling flow for authentication and authorization procedure including IMEI checking, for trusted WLAN access to EPC, according to embodiments of the invention.

AAA

Authentication Authorization Accounting

AKA

Authentication and Key Agreement

DEA

Diameter EAP Answer

DER

Diameter EAP Request

EAP

Extensible Authentication Protocol

EPC

Evolved Packet Core

ePDG

Evolved Packet Data Gateway

EPS

Evolved Packet System

HPLMN

Home Public Land Mobile Network

HSS

Home Subscriber Server

IMSI

International Mobile Subscriber Identity

IMEI

International Mobile Equipment Identity

IMS

IP Multimedia Subsystem

LTE

Long Term Evolution

PDN

Packet Data Network

PDN GW

PDN Gateway

PLMN

Public Land Mobile Network

TWAN

Trusted WLAN Access Network

UWAN

Untrusted WLAN Access Network

UE

User Equipment

HPLMN

Visited Public Land Mobile Network

WLAN

Wireless Local Area Network

Description of various aspects and/or embodiments of the invention

IMEI(SV) checking is specified for 3GPP accesses for CS and PS domains in TS 23.002, TS 23.018, TS 23.060 and TS 23.401, as well as in appropriate stage 3 specifications. In order to check the IMEI(SV), the network needs to trigger the retrieval of the IMEI(SV) from the UE. NAS messages are specified for that. IMEI(SV) retrieval for non-3GPP accesses such as trusted and untrusted WLAN is specified but for such non-3GPP accesses IMEI(SV) checking in the EIR is not specified yet and a study is currently under progress in SA2 to define whether EIR should be interfaced to the TWAN (for trusted WLAN access) and to ePDG (for untrusted WLAN) or to the AAA server. All contributions up to now push for interfacing the EIR with the AAA server for various reasons, one reason being that the architecture would be common to both trusted and untrusted WLAN, another reason being that it reduces the number of interfaces to the EIR .

CT1 has recently agreed in CT1 two CRs that allow the network to retrieve the ME's IMEI(SV): 24.302 CR0460 for trusted WLAN and 24.302 CR0461 for untrusted WLAN. For the trusted WLAN case, the IMEI(SV) is retrieved from the UE by the AAA server (via EAP-AKA' new attribute AT_DEVICE_IDENTITY), while for the untrusted WLAN case the IMEI(SV) is retrieved from the UE by the ePDG (via a new IKEv2 attribute DEVICE_IDENTITY).

However, which entity should trigger the IMEI(SV) checking, and which entity should decide whether to continue the authorization process in case of black-listed, grey-listed or white-listed ME is not specified.

For non roaming PS sessions, the AAA server (in HPLMN) could be this entity. But for roaming sessions like emergency sessions, this might be in the VPLMN. The main reason is local regulatory policies which force the emergency sessions/calls to be handled by the VPLMN (or by the TWAN operator in the trusted WLAN access case) and thus to take decision on whether to accept emergency sessions issued by e.g. potentially stolen devices.

This would be in line with the mechanisms specified for the 3GPP accesses where the IMEI checking is fully performed in the VPLMN (by the MSC, SGSN, MME). See e.g. TS 23.401 clause 5.3.2.1, which specifies in step 5b:
"In order to minimise signalling delays, the retrieval of the ME Identity may be combined with NAS security setup in step 5a. The MME may send the ME Identity Check Request (ME Identity, IMSI) to the EIR. The EIR shall respond with ME Identity Check Ack (Result). Dependent upon the Result, the MME decides whether to continue with this Attach procedure or to reject the UE.

For an Emergency Attach, the IMEI check to the EIR may be performed. If the IMEI is blocked, operator policies determine whether the Emergency Attach procedure continues or is stopped."

In case of WLAN access to EPC, no solution is specified for triggering the IMEI(SV) checking and deciding whether to continue the Access authorization in case of in case of black-listed or grey-listed ME (Mobile Equipment) especially in case of roaming.

Only a partial solution for the HPLMN is disclosed:

• For untrusted WLAN case, the ePDG retrieves the IMEI(SV) from the UE per TS 29.273 CR0422. This can be done at step 6 of the authentication procedure described in TS 33.402 clause 8.2.2. The ePDG sends the IKE_AUTH
• Response message to the UE together with the EAP Payload for AKA-Challenge, and the UE responds with its IMEI(SV) together with the EAP payload for AKA-Challenge in step 8 as specified by TS 24.302 CR0461. The IMEI(SV) is provided in step 8 to the AAA Server, which can then complete authentication and check IMEI in step 8a. No additional exchange with the AAA server is required.

The signaling flows of Figures 4, 5 and 6 allow in roaming scenarios the ePDG orTWAN operator to request IMEI checking using an EIR (Equipment Identity Register) via the AAA server in the Home PLMN.

Unfortunately, the signaling flows of Figures 4, 5 and 6 are not applicable to all operators because, although some operators use a centralized EIR (e.g. the GSMA EIR), some other operators are willing to check the IMEI using an EIR that is local to their PLMN or to the country.

The signaling flows of Figures 7 to 10, in addition to allowing in roaming scenarios the ePDG orTWAN operator to request IMEI checking using an EIR (Equipment Identity Register) via the AAA server in the Home PLMN, allow the ePDG or the TWAN operator to request IMEI checking using an EIR located in the VPLMN country and connected to the 3GPP AAA proxy.

The signaling flows of Figures 4, 5 and 6 enhance the above mechanism for IMEI(SV) checking, which only allows the ePDG to decide whether to retrieve the IMEI(SV) from the UE, to allow the 3GPP AAA server to instruct the ePDG to retrieve the IMEI(SV) from the UE.

The signaling flows also include enhancing the above mechanism for IMEI(SV) checking, which only allows full IMEI checking procedure by the HPLMN, to allow the VPLMN or the TWAN operator to

• request to have IMEI checking performed

• - - decide on whether to continue or stop the authorization process depending on the result of IMEI checking e.g. in case of black-listed, grey-listed or white-listed ME

If it is required that the operator granting the access (VPLMN or TWAN operator) must decide whether to continue the Access authorization process in case of black-listed, grey-listed or white-listed ME (at least for emergency session with Local Break Out). The signaling flows, allowing in particular to minimize the number of AAA server exchanges and the number of interfaces to the EIR include one or more of:

• In untrusted WLAN case, after it receives the IKE_AUTH Request from the UE, the ePDG may add an "IMEI check request" indication in the subsequent Authentication & Authorization Request (Diameter DER) message to the AAA server.
• As the AAA server in HPLMN may want to carry out an IMEI check, it needs to ensure that the IMEI is requested from the UE. In TWAN case it is the AAA server that requests the IMEI from the UE. In the untrusted WLAN case, it is the ePDG that requests the IMEI from the UE. Thus the AAA server needs to be able to instruct the ePDG to retrieve the IMEI from the UE: in the untrusted WLAN case, the AAA server may add an "IMEI-request" indicator in the signaling to the ePDG.
• In trusted WLAN case, after it receives the first EAP-RSP/Identity message from the UE, the TWAN may add an "IMEI check request" indication in the subsequent Authentication & Authorization Request (Diameter DER) message to the AAA server.
• Then in both trusted and untrusted WLAN cases, the AAA server would request the EIR to check the IMEI.
• To allow the ePDG/TWAN to decide whether the call setup should continue or should be stopped, it is proposed to add another indication "action on IMEI check result" in the DER message. The Authentication & Authorization Answer (Diameter DEA) message would also contain a indication "IMEI check result" in order to inform the ePDG/TWAN whether the authorization for the emergency call was given to a user that uses a black-listed, grey-listed or white-listed ME. The ePDG/TWAN may then decide e.g. to inform the local authorities. This is depicted in the following two call flows.
• "action on IMEI check result" provides the AAA server with instructions on whether to continue or to stop the authorization process to the UE for each of the IMEI check result values provided by the EIR i.e. black-listed ME, grey-listed ME and white-listed ME. In the case of a trusted WLAN access, the instructions may also only allow to continue the authorization process for an emergency session (the UE indicates this is an emergency session in EAP signalling to the 3GPP AAA server, and the TWAN is not aware whether the authentication and authorization procedure initiated by the UE is to setup an emergency session till much later in the call flow).

An example of call flow in case of Untrusted WLAN is depicted in figure 4. The IMEI retrieval has been recently agreed at 3GPP (i.e. IMEI Request parameter in step 6, IMEI parameter and the steps 8b and 8c in the figure). Figure 4 includes the addition of IMEI Request in step 5, IMEI Check Request and Action on IMEI Check Result

(black-listed, grey-listed or white-listed ME).

• The parameter "Action on IMEI check result" contains the action (Stop, Continue) for the case of regular attach/session requests and the action for the case of emergency attach/session requests. Or it may contain a single action (Stop, Continue, Continue Only for an emergency session)
• the call flow (AA-answer in step 9 contains EAP-Success) depicts the case where the terminal was detected by the EIR check as not black/grey listed or where the "Action on IMEI Check Result" was "Continue"
• In case where the terminal would be detected by the EIR check as black/grey listed and where the corresponding "Action on IMEI Check Result" would not be "Continue", the AA-answer in step 9 would contain an EAP-rejection.
• In both cases, if the "IMEI Check Result" indicates that the terminal was detected by the EIR check as black/grey listed, the ePDG may log information and inform the local authorities.

An example of signaling flow related to a possible solution in case of Trusted WLAN is depicted in figure 5.

The IMEI retrieval has been recently agreed at 3GPP (i.e. IMEI Request parameter, IMEI parameter and the steps 22c and 22d in the figure).

Figure 5 includes the addition of IMEI Request in steps 4 and 5, IMEI Check Request and Action on IMEI Check Result (black-listed, grey-listed or white-listed ME).

• The parameter "Action on IMEI check result" may contain the action (Stop, Continue) for the case of regular attach/session requests and the action for the case of emergency attach/session requests. Or it may contain a single action (Stop, Continue, Continue Only for an emergency session).
• IMEI Request parameter in steps 4 and 5 is intended to request the AAA server to retrieve the IMEI(SV) from the UE and to return it to the TWAN. The absence of this parameter does not preclude the AAA server to decide the retrieval of the IMEI(SV) from the UE and to provide it to the TWAN.

An alternative solution includes requesting IMEI Check as soon as possible i.e. in the EAP-RSP/Identity in step 4. An example of a corresponding call flow is depicted in figure 6.

Figure 6 includes the addition of IMEI Check Request and Action on IMEI Check Result (black-listed, grey-listed or white-listed ME).

• The parameter "Action on IMEI check result" may contain the action (Stop, Continue) for the case of regular attach/session requests and the action for the case of emergency attach/session requests. Or it may contain a single action (Stop, Continue, Continue Only for an emergency session).
• the "IMEI Request" in steps 4 and 5 of the other alternative (intended to request the AAA server to retrieve the IMEI(SV) from the UE and to return it to the TWAN ) could also be used in this alternative in case the TWAN wants to trigger the acquisition of the IMEI for other purposes than EIR check .
• the call flow (AA-answer in step 23 contains EAP-Success) depicts the case where the terminal was detected by the EIR check as not e.g. black or grey listed or where the "Action on IMEI Check Result" was "Continue".
• In case the terminal would be detected by the EIR check as e.g. black or grey listed and where the corresponding "Action on IMEI Check Result" would not be "Continue", the AA-answer in step 23 would contain an EAP-rejection.
• In both cases, if the "IMEI Check Result" indicates that the terminal was detected by the EIR check as black/grey listed, the TWAN may log information and inform the local authorities.

The signaling flows of Figures 7 to 10 allow the handling of IMEI checking assuming two cases i.e. where the EIR is in the visited country and where the EIR is in the home country. It is also assumed that the AAA server/proxy is interfaced with the EIR.

It is assumed that the EIR (specified in particular in TS 23.002) is interfaced with the AAA server (or proxy) and not directly to the ePDG/TWAN to minimize the number of interfaces and to avoid the duplication of the procedures in ePDG and TWAN.

As already indicated, the non-roaming case mechanism is straight forward, but the roaming case requires more analysis.

For 3GPP access, TS 23.401 clause 5.3.2.1 specifies in step 5b: "In order to minimise signalling delays, the retrieval of the ME Identity may be combined with NAS security setup in step 5a. The MME may send the ME Identity Check Request (ME Identity, IMSI) to the EIR. The EIR shall respond with ME Identity Check Ack (Result). Dependent upon the Result, the MME decides whether to continue with this Attach procedure or to reject the UE." Therefore, for 3GPP access, the decision for triggering the IMEI check procedure, as well as the decision for continuing the procedure is performed in the VPLMN.

Moreover, depending on local regulations, the EIR may be located in the visited country (local EIR, not always synchronized with an EIR outside the country) or centralized (e.g. GSMA EIR). The solution should work with both alternatives.

In embodiments of the invention, the operator who is granting the access (i.e. the VPLMN or the TWAN operator) takes the responsibility of the action plan i.e.

• determining whether to trigger IMEI checking,
• determining (via e.g. operator configuration) whether the EIR to be used is in the local country or in the home country, and
• deciding whether to continue the authorization process in case of black-listed, grey-listed or white-listed UE (at least for emergency session with Local Break Out).

In the untrusted WLAN case, the ePDG can retrieve the IMEI from the UE on its own. It is not the case for trusted WLAN case, in which only the 3GPP AAA server can do that. Hence, the solutions for untrusted WLAN and for trusted WLAN will necessarily be different.

Examples of signaling flows allowing in particular to minimize the number of AAA exchanges are illustrated in figures 7 to 10.

Examples of signaling flows illustrated in figures 7 (untrusted WLAN) and 8 (trusted WLAN) are first described.

For untrusted WLAN, an example of signaling allowing to keep the same number of 3GPP AAA exchanges is illustrated in figure 7:

• After it receives the IKE_AUTH Request from the UE, the ePDG first decides to retrieve the IMEI from the UE (step 6 of figure 7). In order to allow the 3GPP AAA proxy or server to check the IMEI via the EIR, the ePDG just has to add the following parameters in the subsequent Authentication & Authorization Request DER Diameter message to the 3GPP AAA server (step 8 of figure 7):
  • ∘ the IMEI retrieved from the UE (part of Terminal Information IE in Authentication and Authorization Request message) ,
  • ∘ an "IMEI check request" parameter that indicates whether the IMEI shall be checked by the visited country EIR, or by the home country EIR. The absence of this parameter indicates that IMEI check should not be performed.
• The ePDG also has to decide whether the authorization process should continue or should be stopped depending on the IMEI check result. Hence it is proposed to add another parameter "Action upon IMEI check" indicating whether the 3GPP AAA server shall continue or stop the authentication and authorization procedure for each of the potential IMEI check results from the EIR (e.g. unknown, black listed, grey listed, white listed).
• The 3GPP AAA Proxy always forwards the "Action upon IMEI check" and "IMEI check request" parameters to the 3GPP AAAA server. In addition, if the "IMEI check request" parameter indicates the visited country EIR, the 3GPP AAA proxy will then request the EIR to check the IMEI and to provide the "IMEI check result" returned by the EIR to the 3GPP AAA server (step 8c in figure 7).
• If the "IMEI check request" parameter indicates the home country EIR, the 3GPP AAA server requests the EIR to check the IMEI.
• Based on "Action upon IMEI check" and "IMEI check result" returned by the visited or home EIR, the AAA server determines whether the authentication and authorization procedure shall continue or shall be stopped.

For trusted WLAN, an example of signaling flow which may require one more 3GPP AAA exchange is illustrated in figure 8. When the EIR is in the visited country, the TWAN cannot immediately provide the IMEI to the 3GPP AAA proxy. Hence, it may be necessary to have a preliminary step where the TWAN asks the 3GPP AAA server to retrieve the IMEI and to return it to the TWAN, before the 3GPP AAA proxy can check the IMEI via the local country EIR:

• After it receives the first EAP-RSP/Identity message from the UE, the TWAN adds to the subsequent Authentication & Authorization Request DER Diameter message to the 3GPP AAA server (via the 3GPP AAA Proxy in roaming cases) (steps 4 and 5 in figure 8):
  • ∘ The "IMEI check request" parameter indicates whether the IMEI shall be checked by the visited country EIR, or by the home country EIR. The absence of this parameter indicates that IMEI check should not be performed;
  • ∘ The "Action upon IMEI check" parameter indicates whether the 3GPP AAA server shall continue or stop the authentication and authorization procedure for each of the potential IMEI check results from the EIR (e.g. unknown, black listed, grey listed, white listed);
• If the 3GPP AAA server receives the "IMEI check request" parameter from a TWAN, it shall perform the IMEI retrieval (step 13 to 17 in figure 8).
• After the 3GPP AAA server has retrieved the IMEI,
  • ∘ If the "IMEI check request" parameter indicates the visited country EIR, the 3GPP AAA server shall return the IMEI to the TWAN in a new AAA-TWAN DEA Diameter message with EAP-Payload AVP absent, with the result code set to DIAMETER_MULTI_ROUND_AUTH and with a new "IMEI-in-VPLMN-Check" flag set to 1 in the DEA-Flags AVP (same mechanism as specified in TS 29.273 for TWAN SCM mode) (steps 19a and 19b in figure 8);
  • ∘ If the "IMEI check request" parameter indicates the home country EIR, the 3GPP AAA server requests the EIR to check the IMEI (steps 19c and 19d in figure 8);
  • ∘ If no IMEI check was required, the 3GPP AAA server should/may still provide the IMEI to the TWAN if available. This may be done via any message other than step 19a/19b, e.g. in step 23a/23b or any other intermediate message not shown in figure 8.
• If the TWAN receives the above AAA-TWAN DEA Diameter message with the "IMEI-in-VPLMN-Check" flag set to 1,
  • ∘ The TWAN re-issues a new DER command via the 3GPP AAA Proxy including the last EAP-Payload sent in the previous request, together with the "IMEI-in-VPLMN-Check" flag set to 1 in the DER-Flags AVP and the IMEI (step 20a in figure 8);
  • ∘ The 3GPP AAA Proxy requests the EIR to check the IMEI and forwards the "IMEI check result" returned by the EIR to the AAA server (steps 20b to 20d in figure 8).

The AAA server applies the IMEI check instructions received in the "Action upon IMEI check" i.e., based on the "Action upon IMEI check" and on the "IMEI check result" from the visited or home EIR, determines whether the authentication and authorization procedure shall continue or shall be stopped (step 21 in figure 8).

Examples of signaling flows illustrated in figures 9 (untrusted WLAN access) and 10 (trusted WLAN access) are now described.

For untrusted WLAN, an example of signaling flow allowing to keep the same number of 3GPP AAA exchanges is illustrated in figure 9:

• After it receives the IKE_AUTH Request from the UE, the ePDG first decides to retrieve the IMEI from the UE (step 6 of figure 9). In order to allow the 3GPP AAA proxy or server to check the IMEI via the EIR, the ePDG just has to add the following parameters in the subsequent Authentication & Authorization Request DER Diameter message to the 3GPP AAA server (step 8 of figure 9):
  • ∘ the IMEI retrieved from the UE (already existing and part of Terminal Information IE in Authentication and Authorization Request message),
  • ∘ an "IMEI check request" parameter that indicates whether the IMEI shall be checked by the visited country EIR, or by the home country EIR. The absence of this parameter indicates that IMEI check should not be performed.
• The ePDG also has to decide whether the authorization process should continue or should be stopped depending on the IMEI check result. Hence it is proposed to add another parameter "Action upon IMEI check" indicating whether the 3GPP AAA server or AAA proxy shall continue or stop the authentication and authorization procedure for each of the potential IMEI check results from the EIR (e.g. unknown, black listed, grey listed, white listed).
• If the "IMEI check request" parameter indicates the visited country EIR, the 3GPP AAA proxy will then have to request the EIR to check the IMEI and, based on the "Action upon IMEI check" provided by the ePDG, will determine whether the authentication and authorization procedure shall continue or shall be stopped. This indication will be provided to the 3GPP AAA server via the "Decision to Proceed" parameter.
  NOTE: An alternative could be that, instead of computing and sending the "Decision to Proceed" parameter, the 3GPP AAA Proxy signals to the 3GPP AAA server the result of the IMEI check (e.g. black, white ..) together with the "action upon IMEI check" parameter, leaving the 3GPP AAA server in the HPLMN behaving in a similar manner than if it did the IMEI check itself towards an EIR in the HPLMN.
• If the "IMEI check request" parameter indicates the home country EIR, the 3GPP AAA proxy forwards the ePDG request unchanged to the 3GPP AAA server.

For trusted WLAN, an example of signaling flow which may require one more 3GPP AAA exchange is illustrated in figure 10. When the EIR is in the visited country, the TWAN cannot immediately provide the IMEI to the 3GPP AAA proxy. Hence, it may be necessary to have a preliminary step where the TWAN asks the 3GPP AAA server to retrieve the IMEI and to return it to the TWAN, before the 3GPP AAA proxy can check the IMEI via the local country EIR:

• After it receives the first EAP-RSP/Identity message from the UE, the TWAN just have to add the "IMEI check request" parameter in the subsequent Authentication & Authorization Request DER Diameter message to the 3GPP AAA server (step 4 of figure 10). If the "IMEI check request" parameter indicates the home country EIR, the parameter "Action upon IMEI check" is also added.
  • ∘ If the 3GPP AAA server receives the "IMEI check request" parameter from a TWAN, it shall perform the IMEI retrieval.
  • ∘ After IMEI retrieval:
    • ▪ If the "IMEI check request" parameter indicates the visited country EIR, the 3GPP AAA server returns the IMEI to the TWAN and postpones the final decision on Authentication and Authorization until explicit indication from the TWAN or the 3GPP AAA proxy (see further steps).
    • ▪ If the "IMEI check request" parameter indicates the home country EIR, the 3GPP AAA server requests the EIR to check the IMEI (steps 19c and 19d in figure 10);
• After the 3GPP AAA server has retrieved the IMEI and if the "IMEI check request" parameter indicates the visited country EIR, it shall return it to the TWAN in a new AAA-TWAN DEA Diameter message with EAP-Payload AVP absent, with the result code set to DIAMETER MULTI ROUND AUTH and with a new "IMEI-in-VPLMN-Check" flag set to 1 in the DEA-Flags AVP (same mechanism as specified in TS 29.273 for TWAN SCM mode).
• The TWAN then re-issues a new DER command including the last EAP-Payload sent in the previous request, together with the "IMEI-in-VPLMN-Check" flag set to 1 in the DER-Flags AVP, the IMEI, the "IMEI check request" parameter and the "Action upon IMEI check" parameter.
  • ∘ The "IMEI check request" parameter indicates that the IMEI shall be checked by the visited country EIR
  • ∘ The "Action upon IMEI check" parameter indicates whether the 3GPP AAA server or AAA proxy shall continue or stop the authentication and authorization procedure for each of the potential IMEI check results from the EIR (e.g. unknown, black listed, grey listed, white listed).
  • ∘ The "IMEI-in-VPLMN-Check" flag set to 1 in the DER-Flags AVP indicates to the AAA server that the EAP-Payload can be discarded since already sent in previous DER (same principle as for TS 29.273 for TWAN SCM mode).
• When the TWAN receives the IMEI from the 3GPP AAA server, the process continues in the same way as in the ePDG case:
  If the "IMEI check request" parameter indicates the visited country EIR, the 3GPP AAA proxy requests the EIR to check the IMEI and, based on the "Action upon IMEI check", determines whether the authentication and authorization procedure shall continue or shall be stopped. This indication is provided to the 3GPP AAA server via the "Decision to proceed" parameter.

A person of skill in the art would readily recognize that steps of various above-described methods can be performed by programmed computers. Herein, some embodiments are also intended to cover program storage devices, e.g., digital data storage media, which are machine or computer readable and encode machine-executable or computer-executable programs of instructions, wherein said instructions perform some or all of the steps of said above-described methods. The program storage devices may be, e.g., digital memories, magnetic storage media such as a magnetic disks and magnetic tapes, hard drives, or optically readable digital data storage media. The embodiments are also intended to cover computers programmed to perform said steps of the above-described methods.