Title:
ROAMING MANAGEMENT IN COMMUNICATION SYSTEMS
Document Type and Number:
WIPO Patent Application WO/2017/141175
Kind Code:
A1
Abstract:
Methods and systems are provided to allow an authentication server to validate the location of a mobile terminal with respect to a visited network when the mobile terminal, associated with a home network, roams in the visited network but attaches to an untrusted radio access network. The method generally comprises receiving an authentication and authorization request from a gateway node in the home network, the request comprising at least an identification of the mobile terminal, and an indication of the country in which the mobile terminal is located, validating the location of the mobile terminal with respect to the visited network based at least in part on the information provided by the mobile terminal, and transmitting an authentication and authorization response to the gateway node, the response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited network is valid.

Inventors:
FOTI GEORGE (CA)
KELLER RALF (DE)
Application Number:
PCT/IB2017/050848
Publication Date:
August 24, 2017
Filing Date:
February 15, 2017
Assignee:
ERICSSON TELEFON AB L M (PUBL) (SE)
International Classes:
H04W8/02; H04W64/00; H04W12/06
Foreign References:
US20120322412A1, 2012-12-20
US20140157395A1, 2014-06-05
Other References:
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Architecture enhancements for non-3GPP accesses (Release 13)", 3GPP STANDARD; 3GPP TS 23.402, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. V13.4.0, 15 December 2015 (2015-12-15), pages 1 - 298, XP051046485
HUAWEI: "Solution: How LRF retrieve location information for s2b", vol. SA WG2, no. San Jose Del Cabo, Mexico; 20150413 - 20150417, 13 April 2015 (2015-04-13), XP050942747, Retrieved from the Internet [retrieved on 20150413]
ALCATEL-LUCENT ET AL: "Solutions for the location related Key Issue", vol. SA WG2, no. San Jose Del Cabo, Mexico; 20150413 - 20150417, 13 April 2015 (2015-04-13), XP050942801, Retrieved from the Internet [retrieved on 20150413]
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Evolved Packet System (EPS); 3GPP EPS AAA interfaces (Release 13)", 3GPP STANDARD; 3GPP TS 29.273, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. CT WG4, no. V13.2.0, 17 December 2015 (2015-12-17), pages 1 - 172, XP051046783
Attorney, Agent or Firm:
CARTIER, Francois et al. (CA)
Claims:
CLAIMS

What is claimed is:

1. A method at an authentication server of a communication network, the method comprising:

receiving an authentication and authorization request from a gateway node, the authentication and authorization request comprising at least an identification of a mobile terminal associated with a home communication network but located in a visited communication network, and an indication of the country in which the mobile terminal is located, the mobile terminal being attached to an untrusted radio access network;

validating a location of the mobile terminal with respect to the visited communication network based at least in part on the information provided by the mobile terminal;

transmitting an authentication and authorization response to the gateway node, the authentication and authorization response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

2. The method of claim 1, wherein validating the location of the mobile terminal with respect to the visited communication network comprises identifying communication networks located in the country identified by the mobile terminal, and determining if the mobile terminal is located in any one of the identified communication networks.

3. The method of claim 2, wherein determining if the mobile terminal is located in any one of the identified communication networks comprises transmitting a request to each of the identified communication networks, the request comprising at least the identification of the mobile terminal, and receiving a response from each of the identified communication networks, each of the responses comprising at least an indication whether the mobile terminal is located in the given identified communication network.

4. The method of claim 1, wherein the authentication and authorization request further comprises an IP address of the mobile terminal and an identification of the visited communication network, and wherein validating the location of the mobile terminal with respect to the visited communication network comprises determining the location of the mobile terminal using the IP address of the mobile terminal, determining a location of the visited communication network using the identification of the visited communication network, and determining whether the determined location of the mobile terminal and the determined location of the visited communication network match.

5. The method of claim 1, wherein the authentication and authorization request further comprises an IP address of the mobile terminal, an identification of the visited communication network, and an identification of an access point in the untrusted radio access network, and wherein validating the location of the mobile terminal with respect to the visited communication network comprises determining the location of the mobile terminal using the IP address of the mobile terminal, determining a location of the visited communication network using the identification of the visited communication network, determining a location of the untrusted radio access network using the identification of the access point, and determining whether the determined location of the mobile terminal, the determined location of the visited communication network, and the determined location of the untrusted radio access network match.

6. The method of claim 1, wherein the authentication and authorization request further comprises an IP address of the mobile terminal and an identification of the visited communication network, and wherein validating the location of the mobile terminal with respect to the visited communication network comprises transmitting a verification request to an authentication server of the identified visited communication network, the verification request comprising at least the identification of the mobile terminal, the IP address of the mobile terminal, and the identification of the visited communication network, and receiving a verification response from the authentication server of the visited communication network, the verification response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

7. The method of claim 1, wherein the authentication and authorization request further comprises an identification of the visited communication network and an identification of the last cell seen by the mobile terminal, and wherein validating the location of the mobile terminal with respect to the visited communication network comprises transmitting a verification request to an authentication server of the identified visited communication network, the verification request comprising at least the identification of the mobile terminal, the identification of the visited communication network, and the identification of the last cell seen by the mobile terminal, and receiving a verification response from the authentication server of the visited communication network, the verification response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

8. The method of any of claims 1 to 7, wherein the authentication server is an Authentication, Authorization and Accounting, AAA, server.

9. The method of any of claims 1 to 8, further comprising transmitting the identification of the visited communication network to a subscriber database.

10. The method of claim 9, wherein the subscriber database is a Home Subscriber Server, HSS, server.

11. The method of any of claims 1 to 10, wherein the gateway node is an evolved packet data gateway, ePDG.

12. An authentication server comprising:

a communication interface;

processing circuitry configured to:

receive an authentication and authorization request from a gateway node, the authentication and authorization request comprising at least an identification of a mobile terminal associated with a home communication network but located in a visited communication network, and an indication of the country in which the mobile terminal is located, the mobile terminal being attached to an untrusted radio access network;

validate a location of the mobile terminal with respect to the visited communication network based at least in part on the information provided by the mobile terminal;

transmit an authentication and authorization response to the gateway node, the authentication and authorization response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

13. The authentication server of claim 12, wherein when validating the location of the mobile terminal with respect to the visited network, the processing circuitry is further configured to identify communication networks located in the country identified by the mobile terminal, and determine if the mobile terminal is located in any one of the identified communication networks.

14. The authentication server of claim 13, wherein when determining if the mobile terminal is located in any one of the identified communication networks, the processing circuitry is further configured to transmit a request to each of the identified communication networks, the request comprising at least the identification of the mobile terminal, and receive a response from each of the identified communication networks, each of the responses comprising at least an indication whether the mobile terminal is located in the given identified communication network.

15. The authentication server of claim 12, wherein the authentication and authorization request further comprises an IP address of the mobile terminal and an identification of the visited communication network, wherein when validating the location of the mobile terminal with respect to the visited network, the processing circuitry is further configured to determine the location of the mobile terminal using the IP address of the mobile terminal, determine a location of the visited communication network using the identification of the visited communication network, and determine whether the determined location of the mobile terminal and the determined location of the visited communication network match.

16. The authentication server of claim 12, wherein the authentication and authorization request further comprises an IP address of the mobile terminal, an identification of the visited communication network, and an identification of an access point in the untrusted radio access network, wherein when validating the location of the mobile terminal with respect to the visited network, the processing circuitry is further configured to determine the location of the mobile terminal using the IP address of the mobile terminal, determine a location of the visited communication network using the identification of the visited communication network, determine a location of the untrusted radio access network using the identification of the access point, and determine whether the determined location of the mobile terminal, the determined location of the visited communication network, and the determined location of the untrusted radio access network match.

17. The authentication server of claim 12, wherein the authentication and authorization request further comprises an IP address of the mobile terminal and an identification of the visited communication network, wherein when validating the location of the mobile terminal with respect to the visited network, the processing circuitry is further configured to transmit a verification request to an authentication server of the identified visited communication network, the verification request comprising at least the identification of the mobile terminal, the IP address of the mobile terminal, and the identification of the visited communication network, and receive a verification response from the authentication server of the visited communication network, the verification response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

18. The authentication server of claim 12, wherein the authentication and authorization request further comprises an identification of the visited communication network and an identification of the last cell seen by the mobile terminal, wherein when validating the location of the mobile terminal with respect to the visited network, the processing circuitry is further configured to transmit a verification request to an authentication server of the identified visited communication network, the verification request comprising at least the identification of the mobile terminal, the identification of the visited communication network, and the identification of the last cell seen by the mobile terminal, and receive a verification response from the authentication server of the visited communication network, the verification response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

19. The authentication server of any of claims 12 to 18, wherein the authentication server is an Authentication, Authorization and Accounting, AAA, server.

20. The authentication server of any of claims 12 to 19, wherein the processing circuitry is further configured to transmit the identification of the visited communication network to a subscriber database.

21. The authentication server of claim 20, wherein the subscriber database is a Home Subscriber Server, HSS, server.

22. The authentication server of any of claims 12 to 21, wherein the gateway node is an evolved packet data gateway, ePDG.

23. An authentication server comprising:

a receiving module configured to receive an authentication and authorization request from a gateway node, the authentication and authorization request comprising at least an identification of a mobile terminal associated with a home communication network but located in a visited communication network, the mobile terminal being attached to an untrusted radio access network, and an indication of the country in which the mobile terminal is located; a validating module configured to validate the location of the mobile terminal with respect to the visited communication network based at least in part on the information provided by the mobile terminal; and

a transmitting module configured to transmit an authentication and authorization response to the gateway node, the authentication and authorization response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

Description:
ROAMING MANAGEMENT IN COMMUNICATION SYSTEMS

RELATED APPLICATIONS

[0001] The present application claims the benefits of priority of U.S. Provisional Patent Application No. 62/295,612, filed on February 16, 2016, and entitled "Roaming Management in Communication Systems," the disclosure of which is hereby incorporated herein by reference in its entirety.

TECHNICAL FIELD

[0002] The present description generally relates to the management of roaming mobile terminals in communication systems.

BACKGROUND

[0003] In communication systems based on Third Generation Partnership Project (3GPP) standards, wireless access to the core network, generally referred to as the evolved packet core (EPC), is typically provided by the evolved universal terrestrial radio access network (EUTRAN). EUTRAN is more commonly known as the long term evolution (LTE) radio access network. However, the EPC has been developed to also support other 3GPP radio access technologies such as GSM EDGE radio access network (GERAN) and UMTS terrestrial radio access network (UTRAN), as well as non-3GPP radio access technologies such as wireless local area networks (WLANs) operating under the IEEE 802.11 standard, i.e. WiFi™.

[0004] 3GPP TS 23.402 describes the basic network architecture required to provide access to the EPC via a non-3GPP radio access technology. As illustrated in Fig. 1, the network architecture described in 3GPP TS 23.402 provides that a non-3GPP radio access network can be either trusted or untrusted. The decision to qualify a given non-3GPP radio access network as trusted or untrusted is made by the operator of the 3GPP communication network to which access is sought. When a given non-3GPP radio access network is qualified as trusted, the non-3GPP radio access network can directly access the packet data network gateway (PGW) located in the EPC, which provides access to packet data networks, the Internet, IP multimedia subsystem (IMS) networks, and other packet-based services. When the non-3GPP radio access network is considered untrusted, however, access to the PGW is provided via an evolved packet data gateway (ePDG), also located in the EPC. The ePDG acts as an intermediate gateway node between the untrusted non-3GPP radio access network and the PGW. In that sense, the ePDG is generally responsible for establishing and maintaining a secured tunnel between the mobile terminal or user equipment, UE, attached to the untrusted non-3GPP radio access network, and the ePDG.

[0005] To support certain services available over 3GPP communication networks, access to an IMS network is necessary. One such service is Voice over LTE, VoLTE, which uses an IMS network available via the PGW to provide voice services over LTE networks. When a mobile terminal initiating a VoLTE call is located in its home network, the VoLTE call will normally be handled by the IMS network of the home network.

[0006] The situation is less clear when the mobile terminal initiating the VoLTE call is roaming in a visited network. In such cases, several solutions have been proposed. One such solution is to always use the IMS network of the home network even when the mobile terminal is located in a visited network. This solution is sometimes referred to as the S8 Home Routed (S8HR) solution since the mobile terminal, in the visited network, accesses the IMS network of the home network via the S8 interface between the serving gateway (SGW) of the visited network and the PGW of the home network.

[0007] When the roaming mobile terminal moves to an untrusted non-3GPP radio access network, however, access to the PGW of the home network is no longer provided by the SGW of the visited network. Indeed, as described in 3GPP TS 23.402, when a mobile terminal wishes to access the PGW of its home network via an untrusted non-3GPP radio access network, it must do so via the ePDG. Furthermore, in the vast majority of cases, the ePDG to which the roaming mobile terminal connects is also located in the home network. In such situations, however, the home network may no longer be able to verify and, if necessary, apply roaming restrictions to the services available for the mobile terminal, since the roaming mobile terminal directly connects to the ePDG of the home network upon attachment to the untrusted non-3GPP radio access network.

SUMMARY

[0008] Some embodiments provide techniques to allow the home communication network of a mobile terminal to validate the location of the mobile terminal when the mobile terminal is roaming into a visited communication network but requests service(s) provided by the home communication network while being attached to an untrusted radio access network. By being able to confirm the location of the roaming mobile terminal, the home communication network is able to verify whether roaming restrictions apply to the requested service(s) even if the mobile terminal is attached to an untrusted radio access network.

[0009] According to an aspect, some embodiments include a method to manage a connection request in an authentication server of a home communication network. The method comprises receiving an authentication and authorization request from a gateway node in the home communication network, the authentication and authorization request comprising at least an identification of a mobile terminal associated with the home communication network but located in a visited communication network, and an indication of the country in which the mobile terminal is located, the mobile terminal being attached to an untrusted radio access network. The method further comprises validating the location of the mobile terminal with respect to the visited communication network based at least in part on the information provided by the mobile terminal. The method then comprises transmitting an authentication and authorization response to the gateway node in the home communication network, the authentication and authorization response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

[0010] In some embodiments, validating the location of the mobile terminal with respect to the visited communication network may comprise identifying the communication networks located in the country identified by the mobile terminal, and determining if the mobile terminal is located in any one of them. In some embodiments, determining if the mobile terminal is located in any one of the identified communication networks may comprise verifying with each of the identified communication networks if the mobile terminal is located in any one of them. In some embodiments, verifying with each of the identified communication networks may comprise transmitting a request to each of the identified communication networks, the request comprising at least the identification of the mobile terminal, and receiving a response, the response comprising an indication whether the mobile terminal is located in the given identified communication network.

[0011] In some embodiments, the authentication and authorization request may further comprise the IP address of the mobile terminal and an identification of the visited communication network. In such embodiments, validating the location of the mobile terminal with respect to the visited communication network may comprise determining a location of the mobile terminal using the IP address of the mobile terminal, determining a location of the visited communication network using the identification of the visited communication network, and determining whether the determined location of the mobile terminal and the determined location of the visited communication network match.

[0012] In some embodiments, the authentication and authorization request may further comprise the IP address of the mobile terminal, an identification of the visited communication network, and an identification of the access point in the untrusted radio access network. In such embodiments, validating the location of the mobile terminal with respect to the visited communication network may comprise determining a location of the mobile terminal using the IP address of the mobile terminal, determining a location of the visited communication network using the identification of the visited communication network, and/or determining a location of the untrusted radio access network using the identification of the access point, and determining whether the determined location of the mobile terminal and the determined location of the visited communication network and/or of the untrusted radio access network match.

[0013] In some embodiments, the authentication and authorization request may further comprise the IP address of the mobile terminal and an identification of the visited communication network. In such embodiments, validating the location of the mobile terminal with respect to the visited communication network may comprise transmitting a verification request to an authentication server of the identified visited communication network, the verification request comprising at least the identification of the mobile terminal, the IP address of the mobile terminal, and the identification of the visited communication network, and subsequently, receiving a verification response from the authentication server of the visited communication network, the verification response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

[0014] In some embodiments, the authentication and authorization request may further comprise an identification of the visited communication network and an identification of the last cell seen by the mobile terminal. In such embodiments, validating the location of the mobile terminal with respect to the visited communication network may comprise transmitting a verification request to an authentication server of the identified visited communication network, the verification request comprising at least the identification of the mobile terminal, the identification of the visited communication network, and the identification of the last cell seen by the mobile terminal, and subsequently, receiving a verification response from the authentication server of the visited communication network, the verification response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.
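The validation variants of paragraphs [0009] to [0014] modelled as one home-AAA handler, as an added example that is not the applicant's code: the PLMN-to-country table, the IP and access-point geolocation, and the visited-network answers are constructed stand-ins for operator data and inter-PLMN interfaces, and the IMSI, cell and AP identifiers are made up. The point for a defender is that the country indication arrives from a terminal on an untrusted access and is only a claim; each branch corroborates it from network-side data before the response marks the location valid.

```python
"""Home AAA location check for a roaming UE on untrusted non-3GPP access (added
example modelling [0009]-[0014]; not the applicant's code; all data constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed PLMN-to-country table; the MCC-MNC values are illustrative only.
PLMNS_BY_COUNTRY: Dict[str, List[str]] = {"SE": ["240-01", "240-07"],
                                         "DE": ["262-01", "262-02"]}
PLMN_COUNTRY: Dict[str, str] = {p: cc for cc, ps in PLMNS_BY_COUNTRY.items() for p in ps}


@dataclass
class AARequest:
    """Fields the ePDG forwards to the home AAA. 'country' is UE-reported and
    is treated as a claim to corroborate, never as ground truth."""
    imsi: str
    country: str
    ue_ip: Optional[str] = None
    vplmn_id: Optional[str] = None
    ap_id: Optional[str] = None
    last_cell_id: Optional[str] = None


@dataclass
class AAResponse:
    location_valid: bool
    reason: str
    vplmn_id: Optional[str] = None  # forwarded to the HSS once established


class HomeAAA:
    """The injected callables are hypothetical stand-ins for the operator's
    geolocation data and for the interfaces towards visited networks."""

    def __init__(self, ip_country: Callable[[str], Optional[str]],
                 ap_country: Callable[[str], Optional[str]],
                 ue_present_in: Callable[[str, str], bool],
                 visited_aaa_verify: Callable[[str, AARequest], bool]):
        self.ip_country = ip_country
        self.ap_country = ap_country
        self.ue_present_in = ue_present_in            # (plmn, imsi) -> bool
        self.visited_aaa_verify = visited_aaa_verify  # (plmn, request) -> bool

    def handle(self, req: AARequest) -> AAResponse:
        """Pick the validation variant the request carries enough data for."""
        if req.vplmn_id is None:
            return self._country_wide_query(req)                    # [0010]
        if PLMN_COUNTRY.get(req.vplmn_id) != req.country:
            return AAResponse(False, "vplmn not in reported country", req.vplmn_id)
        if req.ue_ip is not None:
            local = self._geo_match(req)                            # [0011]/[0012]
            if not local.location_valid:
                return local
        if req.ue_ip is not None or req.last_cell_id is not None:
            return self._ask_visited_aaa(req)                       # [0013]/[0014]
        return AAResponse(False, "no corroborating ip or cell identity", req.vplmn_id)

    def _country_wide_query(self, req: AARequest) -> AAResponse:
        """Identify the PLMNs of the reported country and ask each for the UE."""
        for plmn in PLMNS_BY_COUNTRY.get(req.country, []):
            if self.ue_present_in(plmn, req.imsi):
                return AAResponse(True, "ue registered in visited network", plmn)
        return AAResponse(False, "ue not found in any network of reported country")

    def _geo_match(self, req: AARequest) -> AAResponse:
        """Compare the UE IP (and AP, if given) location with the VPLMN's country."""
        expected = PLMN_COUNTRY[req.vplmn_id]
        if self.ip_country(req.ue_ip) != expected:
            return AAResponse(False, "ue ip geolocates outside visited network", req.vplmn_id)
        if req.ap_id is not None and self.ap_country(req.ap_id) != expected:
            return AAResponse(False, "access point outside visited network", req.vplmn_id)
        return AAResponse(True, "ip/ap location matches visited network", req.vplmn_id)

    def _ask_visited_aaa(self, req: AARequest) -> AAResponse:
        """Let the visited network's own AAA confirm or reject the location."""
        if self.visited_aaa_verify(req.vplmn_id, req):
            return AAResponse(True, "confirmed by visited network aaa", req.vplmn_id)
        return AAResponse(False, "visited network aaa rejected location", req.vplmn_id)


# Constructed sample data: IP/AP geolocation and what the visited network knows.
_IP_GEO = {"198.51.100.7": "SE", "203.0.113.9": "DE"}
_AP_GEO = {"ap-sthlm-01": "SE", "ap-berlin-03": "DE"}
_VISITED_REGISTRY = {("240-07", "262011234567890")}   # (plmn, imsi) attached there
_VISITED_CELLS = {("240-07", "cell-4711")}            # (plmn, cell id) it serves


def _present(plmn: str, imsi: str) -> bool:
    return (plmn, imsi) in _VISITED_REGISTRY


def _verify(plmn: str, req: AARequest) -> bool:
    # The visited AAA confirms only an IMSI it serves, on a cell or IP it sees.
    if (plmn, req.imsi) not in _VISITED_REGISTRY:
        return False
    if req.last_cell_id is not None:
        return (plmn, req.last_cell_id) in _VISITED_CELLS
    return _IP_GEO.get(req.ue_ip) == PLMN_COUNTRY.get(plmn)


def demo_server() -> HomeAAA:
    """Home AAA wired to the constructed data above."""
    return HomeAAA(_IP_GEO.get, _AP_GEO.get, _present, _verify)
```

A request that names a VPLMN but carries neither an IP address nor a last-cell identity is rejected rather than trusted, since nothing in it can be checked against the visited side.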

[0015] According to another aspect, some embodiments include an authentication server configured, or operable, to perform one or more authentication server functionalities as described herein.

[0016] In some embodiments, the authentication server may comprise a communication interface configured to communicate with one or more communication networks and/or with one or more network nodes, and processing circuitry operatively connected to the communication interface, the processing circuitry being configured to perform authentication server functionalities as described herein. In some embodiments, the processing circuitry may comprise at least one processor and at least one memory storing instructions which, upon being executed by the processor, configure the processor to perform one or more authentication server functionalities as described herein.

[0017] In some embodiments, the authentication server may comprise one or more functional modules configured to perform one or more authentication server functionalities as described herein. In such embodiments, the authentication server may comprise a receiving module configured to receive an authentication and authorization request from a gateway node, the authentication and authorization request comprising at least an identification of a mobile terminal associated with a home communication network but located in a visited communication network, the mobile terminal being attached to an untrusted radio access network, and an indication of the country in which the mobile terminal is located. The authentication server also comprises a validating module configured to validate the location of the mobile terminal with respect to the visited communication network based at least in part on the information provided by the mobile terminal. The authentication server also comprises a transmitting module configured to transmit an authentication and authorization response to the gateway node, the authentication and authorization response comprising at least an indication as to whether the location of the mobile terminal with respect to the visited communication network is valid.

[0018] According to another aspect, some embodiments include a non-transitory computer- readable medium storing a computer program product comprising instructions which, upon being executed by processing circuitry (e.g., a processor) of the authentication server, configure the processing circuitry to perform one or more authentication server functionalities as described herein.

[0019] Other aspects and features will become apparent to those ordinarily skilled in the art upon review of the following description of exemplary embodiments in conjunction with the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] A more complete understanding of the embodiments described herein, and the attendant advantages and features thereof, will be more readily understood by reference to the following detailed description when considered in conjunction with the accompanying drawings wherein:

[0021] Figure 1 illustrates a block diagram of a simplified network architecture in accordance with 3GPP standards.

[0022] Figure 2 illustrates a block diagram of a simplified network architecture in accordance with the S8 Home Routed (S8HR) framework.

[0023] Figure 3 illustrates a block diagram of a simplified network architecture in accordance with some embodiments.

[0024] Figures 4A to 4C illustrate signaling diagrams in accordance with some embodiments.

[0025] Figure 5 illustrates an exemplary flow chart of some of the operations of an authentication server in accordance with some embodiments.

[0026] Figures 6A and 6B illustrate exemplary flow charts of some of the operations of an authentication server in accordance with some embodiments.

[0027] Figure 7 illustrates a block diagram of an authentication server in accordance with some embodiments.

[0028] Figure 8 illustrates another block diagram of an authentication server in accordance with some embodiments.

DETAILED DESCRIPTION

[0029] The embodiments set forth below represent information to enable those skilled in the art to practice the embodiments. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the description and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the description.

[0030] In the following description, numerous specific details are set forth. However, it is understood that embodiments of the description may be practiced without these specific details. In other instances, well-known circuits, structures, and techniques have not been shown in detail in order not to obscure the understanding of this description. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.

[0031] References in the specification to "one embodiment," "an embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.

[0032] Several embodiments will be described in the context of 3GPP, IEEE and IETF standards and as such, the terminology of these standards will be used for the sake of clarity. However, references to 3GPP, IEEE and/or IETF standards and to their terminologies should not be construed as limiting the scope of the present description to such standards.

[0033] Before describing exemplary embodiments, some contextual explanations may be beneficial. When a mobile terminal (user equipment or UE in 3GPP standards) associated with a home public land mobile network (HPLMN), hereafter home network, roams into a visited public land mobile network (VPLMN), hereafter visited network, services requiring an IMS network such as Voice over LTE may be provided according to the S8 Home Routed (S8HR) framework. According to this framework, the mobile terminal accesses the IMS network of the home network via the S8 interface between the serving gateway (SGW) of the visited network and the PGW of the home network. An exemplary reference architecture for the S8HR framework is illustrated in Fig. 2. As illustrated, the mobile terminal located in the visited network accesses the IMS network of the home network over the S8 interface.

[0034] Despite the fact that the IMS network is located in the home network while the mobile terminal is (temporarily) located in the visited network, the home network can still verify and, if necessary, apply, any roaming agreements between the home network and the visited network as the home network is aware of the location of the mobile terminal by virtue of the attachment of the mobile terminal to the visited network.

[0035] In some instances, however, the mobile terminal may decide to attach to an untrusted radio access network, for instance a WiFi™ network. The mobile terminal may switch from the LTE radio access network to the untrusted radio access network for various reasons. For instance, the mobile terminal may switch for lack of proper radio coverage, as part of an offloading process, as per operator policies, etc. Despite being attached to the untrusted radio access network, the mobile terminal may also continue to stay attached to the LTE radio access network while deciding to use the untrusted radio access network to place voice calls via the IMS network. Regardless of the reasons, in such instances, the S8HR framework no longer applies. Indeed, as per 3GPP TS 23.402, when a mobile terminal wishes to access the PGW of the home network via the untrusted radio access network, to perform a Voice over WiFi call for example, it must do so via the ePDG which is also located in the home network. Without the S8 connection however, the home network may no longer be certain of the location of the mobile terminal as communication no longer transits via an interface, e.g. the S8 interface, between the visited network and the home network. An exemplary reference architecture of such a scenario is illustrated in Fig. 3. Notably, in the reference architecture of Fig. 3, the connection between the mobile terminal and the PGW of the home network (e.g. the SWh connection) bypasses the visited network altogether.

[0036] In accordance with some embodiments, when a mobile terminal accesses its home network via an untrusted radio access network while roaming, the home network, and more particularly the authentication, authorization and accounting (AAA) server thereof, performs a verification of the location of the mobile terminal with respect to the visited network. Upon validating the location of the mobile terminal with respect to the visited network, the home network can verify, and possibly apply, roaming agreements between the home network and the visited network even though an untrusted radio access network is used in the visited network.

[0037] Referring to Fig. 4A, a signaling diagram of an embodiment is illustrated. The mobile terminal (MT) 50 first attaches to the visited network 30, in which it is roaming (step S102). During the attachment procedure, mobile terminal 50 exchanges credentials and information with the mobility management entity (MME) 32 of the visited network 30. An example of this attachment procedure is described in section 5.3.2.1 of 3GPP TS 23.401. Regardless, during this exchange, mobile terminal 50 transmits its identification, generally in the form of an IMSI, an IMEI or an MSISDN, and receives the identification of the visited network 30, generally in the form of a VPLMN ID or any other identifying information that includes the VPLMN ID or can be used to derive it. For instance, MME 32 could transmit the cell global identification, CGI, as defined in section 4.3.1 of 3GPP TS 23.003, which comprises the mobile country code, MCC, the mobile network code, MNC, the location area identification, LAI, and the cell identity, CI.

[0038] At some point later, mobile terminal 50 attaches to an untrusted non-3GPP radio access network 40 such as a wireless local area network, WLAN, which may operate according to the IEEE 802.11 standards (step S104). Such an untrusted non-3GPP radio access network 40, which may be referred to as a WiFi™ network, generally comprises one or more access points (APs) 42. It will be appreciated that the mobile terminal 50 may access the untrusted radio access network 40 for various reasons with or without detaching from the radio access network of the visited network 30. During the attachment procedure between the mobile terminal 50 and the untrusted radio access network 40, the untrusted radio access network 40 authenticates and authorizes the mobile terminal 50 by exchanging information and credentials with a subscriber database such as a home subscriber server (HSS) 26 (step S106).

[0039] Upon successful attachment to the untrusted radio access network 40, the mobile terminal 50 handshakes with the ePDG 22 (step S108) located in the home network 20 prior to the establishment of a secured communication tunnel, e.g. an IPSec tunnel. This initial handshaking exchange between the mobile terminal 50 and the ePDG 22 is used, for instance, to negotiate cryptographic algorithms which may be needed during the establishment of the secured communication tunnel. Though various handshaking exchanges could be used, in some embodiments, an IKE_SA_INIT exchange, as described in IETF RFC 5996, is used.

[0040] Mobile terminal 50 then sends a connection request to the ePDG 22 (step S110). In some embodiments, this connection request may be an IKE_AUTH Request as described in IETF RFC 5996 and in 3GPP TS 33.402. Regardless, the connection request comprises an identification of the mobile terminal, UE ID, (e.g. IMSI, MSISDN, IMEI, MAC address, etc.), the local IP address of the mobile terminal, UE IP address, and the country code, MCC, where the mobile terminal 50 is currently roaming. The connection request may also include additional information such as the identification of the visited network the mobile terminal is currently attached to, or was attached to in the visited country, VPLMN ID, the identification of the cell most recently seen by the mobile terminal in the visited network, cell ID, to which the mobile terminal was or is currently attached, the identification of the access point 42 to which the mobile terminal is attached in the untrusted radio access network (e.g. MAC address of the access point, base station set identification, BSSID, etc.) and/or the access point name (APN) to which the mobile terminal 50 wishes to connect. For example, if mobile terminal 50 attaches to the untrusted radio access network 40 to perform a Voice over WiFi call, mobile terminal 50 may include the APN of the IMS network which will service the Voice over WiFi call. Notably, even if the mobile terminal 50 is no longer attached to the radio access network of the visited network 30, the mobile terminal 50 may still include the VPLMN ID of the last mobile network to which it was registered.

[0041] Upon receiving the connection request from the mobile terminal 50, the ePDG 22 transmits an authentication and authorization request (referred to as an AA Request in the figures) to an authentication server 24 of the home network 20 (step S112). The authentication and authorization request comprises at least some of the information received in the connection request. In some embodiments, the authentication and authorization request comprises at least the identification of the mobile terminal (e.g. UE ID), the IP address of the mobile terminal, and the country code where the mobile terminal is currently roaming. The authentication and authorization request may also comprise some or all of the additional information received by the ePDG 22 from the mobile terminal 50. The authentication and authorization request seeks to authenticate the identity of the mobile terminal and to determine whether the mobile terminal 50 is authorized to connect to the ePDG 22. In the present embodiment, the authentication server 24 is an authentication, authorization and accounting (AAA) server 24. To authenticate mobile terminal 50, the AAA server 24 exchanges authentication challenges and responses with it (step S114). In some embodiments, this authentication exchange may be the authentication exchange described in section 8.2.2 of 3GPP TS 33.402.

[0042] Before, during or after the authentication exchange, AAA server 24 determines whether the location of the mobile terminal with respect to the visited network is valid. In other words, the AAA server 24 validates the visited network in which the mobile terminal 50 is currently roaming. This verification may be used, for instance, to determine which roaming agreements should be applied by the home network or if roaming is permitted at all for the mobile terminal 50.

[0043] In some embodiments, the AAA server 24 validates the location of the mobile terminal 50 with respect to the visited network based at least in part on the information provided by the mobile terminal 50 (step S116). In some embodiments, the AAA server 24 may perform this validation by identifying the communication networks located in the country identified by the mobile terminal 50, and determining if the mobile terminal is located in any one of them. For instance, the AAA server 24 may verify with each of the identified communication networks whether the mobile terminal 50 is located in any one of them. In some embodiments, the AAA server 24 may perform this verification by transmitting a request to each of the identified communication networks, the request comprising at least the identification of the mobile terminal, and receiving a response, the response comprising an indication whether the mobile terminal 50 is located in the given identified communication network. In some embodiments, if the authentication and authorization request comprises the identification of the visited network, VPLMN ID, then the AAA server 24 may validate the location of the mobile terminal 50 by comparing the country in which the mobile terminal is located (via the MCC provided by the mobile terminal) and the country in which the visited network is located (via the VPLMN ID) and determining if the two countries match.

[0044] Regardless of how the verification is performed, once the verification is complete, the AAA server 24 then transmits an authentication and authorization response to the ePDG 22 (step S118), the response comprising an indication as to whether the authentication and authorization was successful. The ePDG 22 then relays this to the mobile terminal 50 via a connection response (step S120). In some embodiments, the connection response may be an IKE_AUTH Response as described in IETF RFC 5996 and in 3GPP TS 33.402. Regardless, at this point, if the authentication and authorization was successful, the secured tunnel between mobile terminal 50 and home ePDG 22 is established.

[0045] Upon positively validating the location of the mobile terminal 50 with respect to the visited network 30, the AAA server 24 of the home network 20 may also transmit the identification of the visited network 30, VPLMN ID, in which the mobile terminal 50 is located, to the HSS 26 (step S122) which may confirm the proper reception of the identification via a confirmation message (step S124).

[0046] Referring to Fig. 4B, a signaling diagram of another embodiment is illustrated. The embodiment illustrated is similar to the one illustrated in Fig. 4A except for the validation of the location of the mobile terminal with respect to the visited network and the other information provided by the mobile terminal 50. In Fig. 4B, the validation is performed with the assistance of the AAA server 34 of the visited network 30, which is located based on the VPLMN ID provided by the mobile terminal 50. As illustrated, after having received the authentication and authorization request, the AAA server 24 of the home network 20 transmits a verification request to the AAA server 34 of the visited network 30 identified by the mobile terminal 50 (step S126). The verification request comprises at least some of the information received in the authentication and authorization request. In some embodiments, the verification request comprises the identification of the mobile terminal (UE ID), the IP address of the mobile terminal, the country code where the mobile terminal is currently roaming, and the identification of the visited network (VPLMN ID). The AAA server 34 of the visited network 30 then validates whether the location of the mobile terminal 50, derived for instance from its IP address or country code, is valid with respect to the visited network identified by the mobile terminal 50 (step S128). In that sense, the AAA server 34 of the visited network may verify whether the VPLMN ID received in the verification request actually matches the location of the mobile terminal 50, a location which may be derived from the IP address or from the country code. If additional information is provided in the verification request, the AAA server 34 of the visited network may use one or more of these additional items of information to validate the location of the mobile terminal 50 with respect to the visited network 30. For instance, if the identification (e.g. MAC address, BSSID) of the access point 42 of the untrusted radio access network 40 (e.g. a WiFi™ network) is available and provided by the mobile terminal, the AAA server 34 can additionally validate whether the IP address of the mobile terminal matches the location of the access point of the untrusted radio access network, a location which can be determined from the access point identification (e.g. via public databases). Once the verification is complete, the AAA server 34 of the visited network 30 transmits a verification response back to the AAA server 24 of the home network 20 (step S130), the response comprising an indication as to whether the verification was successful (e.g. the location of the mobile terminal matches the location of the visited network) or unsuccessful (e.g. the location of the mobile terminal does not match the location of the visited network). The AAA server 24 then returns an authentication and authorization response to the ePDG 22 (step S118), which the ePDG 22 relays to the mobile terminal 50 via a connection response (step S120). In some embodiments, the connection response may be an IKE_AUTH Response as described in IETF RFC 5996 and in 3GPP TS 33.402. Regardless, if the authentication and authorization was successful, the secured tunnel between mobile terminal 50 and home ePDG 22 is established.

[0047] In some embodiments, the validation performed by the AAA server 34 of the visited network 30 may comprise interactions with other nodes of the visited network 30. For instance, as shown in Fig. 4C, to validate whether the location of the mobile terminal 50 with respect to the visited network 30 identified by the mobile terminal 50 is valid, the AAA server 34 of the visited network 30 verifies whether the identity of the last cell to which the mobile terminal 50 was or is still attached belongs to the visited network by interacting with the MME 32 of the visited network 30 for that purpose. Hence, as illustrated in Fig. 4C, upon receiving the verification request from the AAA server 24 of the home network 20, the AAA server 34 of the visited network 30 transmits the identification of the last cell (i.e. Cell ID) to MME 32 (step S132), and receives back a response (step S134) comprising an indication as to whether the transmitted cell identification was successfully, or unsuccessfully, validated by the MME 32. Understandably, this interaction is dependent on the availability of this information.
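The checks that paragraphs [0046] and [0047] assign to the visited network's AAA server (steps S128 and S132/S134), written out as an added example. This is not the patent's code: the PLMN ID, the IP-prefix-to-country table, the BSSID location table and the set of cells served by the MME are all constructed stand-ins for the visited operator's real data sources, and the request field names are assumptions. The example also shows the failure paths, which the text only implies: an IP address that cannot be geolocated, an access point whose location disagrees with the IP address, and a cell ID the MME does not recognise each produce a negative verification response with a reason.

```python
"""Visited-network AAA verification of a roaming UE's claimed location.

Added example, not the patent's own code. All tables below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

VISITED_PLMN = "99901"  # constructed PLMN ID (MCC 999 + MNC 01) of this visited network

# Constructed IP-prefix -> country (MCC) table standing in for a geolocation database.
IP_COUNTRY = [
    (ip_network("203.0.113.0/24"), "999"),
    (ip_network("198.51.100.0/24"), "998"),
]
# Constructed access-point location table keyed by BSSID (the "public databases" of [0046]).
AP_COUNTRY: Dict[str, str] = {
    "02:00:5e:00:00:01": "999",
    "02:00:5e:00:00:02": "998",
}
# Constructed set of cell IDs served by the visited MME (the S132/S134 exchange of [0047]).
MME_CELLS = {"0x1a2b", "0x1a2c"}


@dataclass
class VerificationRequest:
    ue_id: str
    ue_ip: str
    mcc: str                       # country code reported by the UE
    vplmn_id: str                  # visited network reported by the UE
    bssid: Optional[str] = None    # untrusted-access AP identity, if reported
    cell_id: Optional[str] = None  # last 3GPP cell seen, if reported


def country_from_ip(ip: str) -> Optional[str]:
    """Map the UE's IP address to a country via the constructed prefix table."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    for prefix, mcc in IP_COUNTRY:
        if addr in prefix:
            return mcc
    return None


def mme_validates_cell(cell_id: str) -> bool:
    """Stand-in for asking the visited MME whether it serves this cell."""
    return cell_id in MME_CELLS


def verify_location(req: VerificationRequest) -> Tuple[bool, str]:
    """Return (valid, reason) for a verification request from the home AAA."""
    if req.vplmn_id != VISITED_PLMN:
        return False, "verification request addressed to the wrong visited network"
    vplmn_mcc = req.vplmn_id[:3]  # PLMN ID = MCC (3 digits) + MNC
    if req.mcc != vplmn_mcc:
        return False, "reported country code does not match the visited network's MCC"
    ip_mcc = country_from_ip(req.ue_ip)
    if ip_mcc is None:
        return False, "UE IP address cannot be geolocated"
    if ip_mcc != vplmn_mcc:
        return False, "UE IP address geolocates outside the visited network's country"
    # Optional checks, applied only when the UE supplied the extra information.
    if req.bssid is not None:
        ap_mcc = AP_COUNTRY.get(req.bssid)
        if ap_mcc is None or ap_mcc != ip_mcc:
            return False, "access point location does not match UE IP address"
    if req.cell_id is not None and not mme_validates_cell(req.cell_id):
        return False, "last cell ID not validated by visited MME"
    return True, "location matches visited network"
```

The optional BSSID and cell ID checks are deliberately conjunctive: each piece of information the mobile terminal volunteers can only make the verification fail, never rescue a request whose IP address or country code already disagrees with the VPLMN ID.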

[0048] In some embodiments, if the VPLMN ID is not included, then the home AAA server 24 can identify communication networks in the roaming country, based on the received country code, and perform the above described verifications with the AAA server of each communication network. If everything is successful, a default VPLMN ID for a preferred communication network can be assumed and stored in the mobile terminal profile in the HSS 26. Another option when no VPLMN ID is available is to perform no query and perform the regular authentication and if successful, then a default VPLMN ID for a preferred communication network is stored in the mobile terminal profile. Finally, the home AAA server 24 may reject the request without performing any authentication if no VPLMN ID is available.
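The home-network AAA server's side of the validation, as an added example covering paragraph [0043] (the MCC against VPLMN ID comparison and the per-network queries) and paragraph [0048] (the three options when no VPLMN ID was reported). This is not the patent's code: the PLMN registry is constructed, the visited-network query is abstracted as a callback standing in for the verification request of step S126, and the policy names and field names are assumptions.

```python
"""Home-network AAA location validation for a UE roaming behind an untrusted access.

Added example, not the patent's own code. The PLMN registry is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed registry: country code (MCC) -> PLMN IDs (MCC+MNC) of the networks there.
PLMN_REGISTRY: Dict[str, List[str]] = {
    "999": ["99901", "99902"],  # constructed country with two operators
    "998": ["99810"],
}

# Policies for the case where the UE reported no VPLMN ID ([0048]); names are assumptions.
POLICY_QUERY_ALL = "query_all"      # verify with every network in the reported country
POLICY_DEFAULT = "assume_default"   # no query; regular authentication, store a default
POLICY_REJECT = "reject"            # reject without authenticating


@dataclass
class AARequest:
    ue_id: str
    ue_ip: str
    mcc: str
    vplmn_id: Optional[str] = None


@dataclass
class AAResult:
    location_valid: bool
    vplmn_id: Optional[str]  # value to store in the HSS profile on success (step S122)
    reason: str


def split_plmn(plmn_id: str):
    """PLMN ID = MCC (3 digits) + MNC (2 or 3 digits)."""
    if not plmn_id.isdigit() or len(plmn_id) not in (5, 6):
        raise ValueError("malformed PLMN ID")
    return plmn_id[:3], plmn_id[3:]


def validate_location(req: AARequest,
                      verify_with_visited: Callable[[str, AARequest], bool],
                      policy: str = POLICY_QUERY_ALL,
                      default_vplmn: Optional[str] = None) -> AAResult:
    """Decide whether the UE's claimed location is valid; verify_with_visited
    stands in for the verification request/response of steps S126/S130."""
    if req.vplmn_id is not None:
        # [0043]: the country of the VPLMN ID must match the country the UE reports.
        try:
            vplmn_mcc, _ = split_plmn(req.vplmn_id)
        except ValueError:
            return AAResult(False, None, "malformed VPLMN ID")
        if vplmn_mcc != req.mcc:
            return AAResult(False, None, "VPLMN country does not match reported MCC")
        if req.vplmn_id not in PLMN_REGISTRY.get(req.mcc, []):
            return AAResult(False, None, "VPLMN ID not known to the home network")
        if verify_with_visited(req.vplmn_id, req):
            return AAResult(True, req.vplmn_id, "confirmed by visited network")
        return AAResult(False, None, "visited network did not confirm the location")

    # [0048]: no VPLMN ID was reported.
    if policy == POLICY_REJECT:
        return AAResult(False, None, "no VPLMN ID; rejected by policy")
    if policy == POLICY_DEFAULT:
        return AAResult(True, default_vplmn, "no VPLMN ID; default network assumed")
    candidates = PLMN_REGISTRY.get(req.mcc, [])
    if not candidates:
        return AAResult(False, None, "no known networks in reported country")
    for plmn in candidates:
        if verify_with_visited(plmn, req):
            # The text stores a default VPLMN ID for a preferred network on success;
            # fall back to the confirming network when no preference is configured.
            return AAResult(True, default_vplmn or plmn, "confirmed by a network in country")
    return AAResult(False, None, "no network in the reported country confirmed the UE")
```

Note that when the VPLMN ID is present the comparison of countries is a necessary condition only: a mismatch ends the validation immediately, but a match still leads to the verification exchange with the visited network before the location is accepted.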

[0049] Figure 5 illustrates a flowchart of an exemplary process for managing a connection request received by an ePDG from a mobile terminal roaming in a visited network yet attached to an untrusted radio access network. The process starts with the AAA server of the home network receiving an authentication and authorization request from the ePDG of the home network, the authentication and authorization request comprising at least an identification of the mobile terminal attached to the untrusted radio access network, an IP address of the mobile terminal, and an indication of the country in which the mobile terminal is currently roaming (step S202). The AAA server of the home network then validates a location of the mobile terminal with respect to the visited network based at least in part on the information provided by the mobile terminal (step S204). The AAA server of the home network then transmits an authentication and authorization response to the home ePDG comprising at least an indication as to whether the location of the mobile terminal with respect to the visited network is valid (step S206). In some embodiments, upon successfully validating the location of the mobile terminal with respect to the visited network, the AAA server of the home network may further transmit the identification of the visited network to the HSS of the home network (step S208).

[0050] In some embodiments, as illustrated in Fig. 6A, validating the location of the mobile terminal with respect to the visited network may comprise identifying communication networks in the country identified by the mobile terminal (step S210), and determining whether the mobile terminal is located in any one of them (step S212). In some embodiments, determining whether the mobile terminal is located in any one of the identified communication networks may comprise verifying with each of the identified communication networks.

[0051] In some embodiments, as illustrated in Fig. 6B, if the AAA server of the home network receives or otherwise determines the identification of the visited network (e.g. VPLMN ID), validating the location of the mobile terminal with respect to the visited network may comprise transmitting a verification request to the AAA server of the identified visited network (step S214), and subsequently receiving a verification response from the AAA server of the visited network, the verification response comprising an indication as to whether the location of the mobile terminal with respect to the identified visited network 30 is valid (step S216).

[0052] In some embodiments, validating the location of the mobile terminal 50 with respect to the visited network 30 when the mobile terminal 50 accesses its home ePDG 22 via an untrusted radio access network 40 while roaming may be used by the IMS network of the home network 20 to validate whether IMS services such as Voice over WiFi may be provided to the mobile terminal 50 while it roams. For instance, when the mobile terminal 50, roaming in the visited network 30 yet attached to the untrusted radio access network 40, wishes to perform a Voice over WiFi call, the mobile terminal 50 connects to the IMS network of the home network 20 via the home ePDG and the home PGW as illustrated in Fig. 3. In such a scenario, during the registration procedure between the mobile terminal and the IMS network, which is described in section 5.2.2.3 of 3GPP TS 23.228, the S-CSCF (Serving Call Session Control Function) may fetch the user profile of the mobile terminal from the HSS, a user profile which contains the identification of the visited network previously identified and/or validated by the AAA server. Using the visited network identification, the S-CSCF may then determine whether the requested IMS network service, i.e. a Voice over WiFi call, may be provided to the mobile terminal 50 while it roams in the identified visited network. In some embodiments, the determination may be performed by the S-CSCF before, as part of, or after the Service Control step.

[0053] Understandably, the notion of home network and visited network is usually determined from the perspective of a given mobile terminal. The home network of a mobile terminal is the network the mobile terminal is a subscriber of; it is the network where the mobile terminal's subscriber profile is held. For its part, the visited network of a mobile terminal is a network the mobile terminal is not a subscriber of but from which the mobile terminal can still receive services in view of, for example, roaming agreements between the home network and the visited network. In that regard, the home network of one mobile terminal can be the visited network of another mobile terminal.

[0054] Referring now to Figs. 7 and 8, block diagrams of embodiments of an authentication server such as an AAA server 24 that can be used in one or more of the non-limiting example embodiments described are illustrated. In Fig. 7, the authentication server 24 comprises processing circuitry 80, which may comprise one or more processors 82, hardware circuits (e.g. application-specific integrated circuit (ASIC), field-programmable gate array (FPGA), etc.), firmware, or a combination thereof. Processing circuitry 80, in some embodiments, operates in conjunction with memory 84 that stores instructions for execution by one or more processors 82 of the processing circuitry 80. Memory 84 may comprise one or more volatile and/or non-volatile memory devices. Program code for controlling the overall operations of the authentication server 24 is, in some embodiments, stored in a non-volatile memory, such as a read-only memory or flash memory. Temporary data generated during operations may be stored in random access memory. The program code stored in memory, when executed by the processing circuitry 80, causes, or otherwise configures, the processing circuitry 80 to perform one or more of the methods described above in relation to the authentication server 24. The authentication server 24 also comprises one or more communication interfaces 86 for communicating with one or more networks and/or one or more network nodes (e.g. mobile terminal or UE, ePDG, AAA, MME, etc.). The communication interface(s) 86 may include transceiver circuitry that, for example, comprises transmitter circuitry and receiver circuitry that operate according to known communication standards (e.g. 3GPP standards, IEEE standards, etc.).

[0055] In Fig. 8, the authentication server 24 is shown as comprising a plurality of functional modules which may, in some embodiments, be implemented as hardware or software, or combination thereof. For instance, in some embodiments, the authentication server 24 comprises a receiving module 90 configured to receive an authentication and authorization request from a gateway node (e.g. an ePDG), the authentication and authorization request comprising at least an identification of a mobile terminal associated with a home network but located in a visited communication network, the mobile terminal being attached to an untrusted radio access network, and an indication of the country in which the mobile terminal is located. The authentication server also comprises a validating module 92 configured to determine whether the location of the mobile terminal with respect to the visited network is valid. The authentication server also comprises a transmitting module 94 configured to transmit an authentication and authorization response to the gateway node, the authentication and authorization response comprising an indication as to whether the location of the mobile terminal with respect to the visited network is valid. In some embodiments, the transmitting and receiving modules may be combined or implemented as one transceiving module.

[0056] It will be appreciated that mobile terminal is a non-limiting expression comprising any device equipped with a wireless interface allowing for receiving and transmitting radio signals. Some non-limiting examples of a mobile terminal, in a general sense, are a user equipment (UE), a laptop, a wireless device, a machine-to-machine (M2M) device, a device capable of device-to-device (D2D) communication, etc.

[0057] Some embodiments may be represented as a software product stored in a machine-readable medium (also referred to as a computer-readable medium, a processor-readable medium, or a computer usable medium having a computer readable program code embodied therein). The machine-readable medium may be any suitable tangible medium including a magnetic, optical, or electrical storage medium including a diskette, compact disk read only memory (CD-ROM), digital versatile disc read only memory (DVD-ROM) memory device (volatile or non-volatile), or similar storage mechanism. The machine-readable medium may contain various sets of instructions, code sequences, configuration information, or other data, which, when executed, cause a processor to perform steps in a method according to some embodiments. Those of ordinary skill in the art will appreciate that other instructions and operations necessary to implement the described embodiments may also be stored on the machine-readable medium. Software running from the machine-readable medium may interface with circuitry to perform the described tasks.

[0058] The above-described embodiments are intended to be examples only. Alterations, modifications and variations may be effected to the particular embodiments by those of skill in the art without departing from the scope of the description.