Network access is the means for the user to connect to 5G CN. Network access control comprises the following functionality:

• Network selection,
• Identification and authentication,
• Authorisation,
• Access control and barring,
• Policy control,
• Lawful Interception.

In order to determine to which PLMN to attempt registration, the UE performs network selection. The network selection procedure comprises two main parts, PLMN selection and access network selection. The requirements for the PLMN selection are specified in TS 22.011 and the procedures are in TS 23.122. The access network selection part for the 3GPP access networks is specified in TS 36.300 for E-UTRAN and in TS 38.300 for the NR. The network selection for the Disaster Roaming is described in TS 23.122 and TS 24.501.

The network may authenticate the UE during any procedure establishing a NAS signalling connection with the UE. The security architecture is specified in TS 33.501. The network may optionally perform an PEI check with 5G-EIR.

The authorisation for connectivity of the subscriber to the 5GC and the authorization for the services that the user is allowed to access based on subscription (e.g. Operator Determined Barring, Roaming restrictions, Access Type and RAT Type currently in use) is evaluated once the user is successfully identified and authenticated. This authorization is executed during UE Registration procedure.

When the UE needs to transmit an initial NAS message, the UE shall request to establish an RRC Connection first and the NAS shall provide the RRC establishment related information to the lower layer. The RAN handles the RRC Connection with priority during and after RRC Connection Establishment procedure, when UE indicates priority in Establishment related information Under high network load conditions, the network may protect itself against overload by using the Unified Access Control functionality for 3GPP access specified in TS 22.261, TS 24.501 and TS 38.300 to limit access attempts from UEs. Depending on network configuration, the network may determine whether certain access attempt should be allowed or blocked based on categorized criteria, as specified in TS 22.261 and TS 24.501. The NG-RAN may broadcast barring control information associated with Access Categories and Access Identities as specified in TS 38.300. The NG-RAN node may initiate such Unified Access Control when:

• AMFs request to restrict the load for UEs that access the network by sending OVERLOAD START message containing conditions defined in clause 5.19.5.2, or
• requested by OAM, or
• triggered by NG-RAN itself.

If the NG-RAN node takes a decision to initiate UAC because of the reception of the N2 interface OVERLOAD START messages, the NG-RAN should only initiate such procedure if all the AMFs relevant to the request contained in the OVERLOAD START message and connected to this NG-RAN node request to restrict the load for UEs that access the network. If the UE supports both N1 and S1 modes NAS and, as defined in TS 23.401, the UE is configured for Extended Access Barring (EAB) but is not configured with a permission for overriding Extended Access Barring (EAB), when the UE wants to access the 5GS it shall perform Unified Access Control checks for Access Category 1 on receiving an indication from the upper layers as defined in TS 24.501, TS 38.331, TS 36.331. If the UE supports both N1 and S1 modes NAS and, as defined in TS 23.401, the UE is configured with a permission for overriding Extended Access Barring (EAB), when the UE wants to access the 5GS it shall ignore Unified Access Control checks for Access Category 1 on receiving an indication from the upper layers, as defined in TS 24.501. Operator may provide one or more PLMN-specific Operator-defined access category definitions to the UE using NAS signalling, and the UE handles the Operator-defined access category definitions stored for the Registered PLMN, as specified in TS 24.501. The access control for the Disaster Roaming is described in TS 23.122 and TS 24.501.

Network access control including service authorization may be influenced by Policy control, as specified in clause 5.14.

For definition and functionality of Lawful Interception, please see TS 33.126.