The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542.
A SUPI containing a network specific identifier shall take the form of a Network Access Identifier (NAI). See clause 5.9.2 of TS 23.501 for the definition and use of the network specific identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8 of TS 23.501; for the realm part format, see Home Network Domain for an SNPN in clause 28.2).
See clauses 28.15.2 and 28.16.2 for the NAI format for a SUPI containing a GCI or a GLI.
When the SUPI is defined as a Network Specific Identifier, the SUCI shall take the form of a Network Access Identifier (NAI). In this case, the NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the Network Specific Identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8 of TS 23.501; for the realm part format, see Home Network Domain for an SNPN in clause 28.2).
When the SUPI is defined as an IMSI, the SUCI in NAI format shall have the form username@realm, where the realm part shall be constructed by converting the leading digits of the IMSI, i.e. MNC and MCC, into a domain name, as described in clause 28.2. In SNPN scenarios, the realm part shall additionally include the NID of the SNPN, if available. The resulting realm part of the NAI shall be in the form:
"5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org", or
"5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org" (for SNPN scenarios where the NID is available).
The username part of the NAI shall take one of the following forms:
for the null-scheme:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.userid<MSIN or Network Specific Identifier SUPI username>
for the Scheme Output for Elliptic Curve Integrated Encryption Scheme Profile A and Profile B:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.ecckey<ECC ephemeral public key value>.cip<ciphertext value>.mac<MAC tag value>
for HPLMN proprietary protection schemes:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.out<HPLMN defined scheme output>
See clause 2.2B for the definition and format of the different fields of the SUCI.
For an anonymous SUCI with modified username in trusted non-3GPP access connected to 5GCN of an SNPN, the username shall be set to a username of an anonymous SUCI which includes "anonymous", appended with a 64-bit random number generated and encoded using 16 (decimal) ASCII coded hexadecimal digits.
EXAMPLES:
Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSIN=0999999999, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:
for an anonymous SUCI with modified username in trusted non-3GPP access connected to 5GCN of an SNPN, assuming the 64-bit random number is 0123456789ABCDEF (hexadecimal):
for the Profile <A> protection scheme:
type0.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip<encryption of 0999999999>.mac<MAC tag value>@5gc.mnc015.mcc234.3gppnetwork.org
Assuming the Network Specific Identifier user17@example.com, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:
for the null-scheme:
type1.rid678.schid0.useriduser17@example.com
for an anonymous SUCI:
type1.rid678.schid0.useridanonymous@example.com (with username corresponding to "anonymous"), or
type1.rid678.schid0.userid@example.com (with username corresponding to an empty string)
for the Profile <A> protection scheme:
type1.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip<encryption of user17>.mac<MAC tag value>@example.com
See clauses 28.15.5 and 28.16.5 for the NAI format for a SUCI containing a GCI or a GLI.
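The username forms above can be checked mechanically before a SUCI in NAI format is routed or logged. The Python parser below is an added example, not part of the specification text: it splits the NAI, enforces the fields that the protection scheme id requires, and reports when a null-scheme SUCI carries a real identifier in clear. Assumptions: scheme id 2 for Profile B (from TS 33.501), the digit widths of the leading fields, and hexadecimal encoding of the ECIES fields; SuciNai and parse_suci_nai are illustrative names.

```python
import re
from dataclasses import dataclass

NULL_SCHEME, PROFILE_A, PROFILE_B = 0, 1, 2  # 2 is from TS 33.501, not this page

# Assumed field widths (clause 2.2B is not reproduced on this page): one-digit
# SUPI type, 1-4 digit routing indicator, decimal scheme id and key id.
PREFIX = re.compile(r"type(\d)\.rid(\d{1,4})\.schid(\d{1,2})\.(.*)", re.S)
# Assumption: ECC key, ciphertext and MAC tag are carried as hexadecimal text.
ECIES = re.compile(
    r"hnkey(\d{1,3})\.ecckey([0-9A-Fa-f]+)\.cip([0-9A-Fa-f]+)\.mac([0-9A-Fa-f]+)")
PROPRIETARY = re.compile(r"hnkey(\d{1,3})\.out(.+)", re.S)
# The anonymous usernames the clause allows: "", "anonymous", and "anonymous"
# followed by a 64-bit random number written as 16 hexadecimal digits.
ANONYMOUS = re.compile(r"(anonymous([0-9A-Fa-f]{16})?)?")


@dataclass
class SuciNai:
    supi_type: int
    routing_indicator: str
    scheme_id: int
    parts: dict
    realm: str

    @property
    def identity_in_clear(self) -> bool:
        """True when the null-scheme carries a real MSIN or NSI username."""
        return (self.scheme_id == NULL_SCHEME
                and not ANONYMOUS.fullmatch(self.parts["userid"]))


def parse_suci_nai(nai: str) -> SuciNai:
    """Split a SUCI in NAI format and check the fields its scheme id requires."""
    username, at, realm = nai.rpartition("@")
    if not at or not realm:
        raise ValueError("not in username@realm form")
    head = PREFIX.fullmatch(username)
    if not head:
        raise ValueError("username lacks the type/rid/schid prefix")
    supi_type, rid, schid, rest = int(head[1]), head[2], int(head[3]), head[4]
    if schid == NULL_SCHEME:
        # userid is taken whole: an NSI username may itself contain dots.
        if not rest.startswith("userid"):
            raise ValueError("null-scheme requires a userid field")
        parts = {"userid": rest[len("userid"):]}
    elif schid in (PROFILE_A, PROFILE_B):
        m = ECIES.fullmatch(rest)
        if not m:
            raise ValueError("ECIES output needs hnkey, ecckey, cip and mac")
        parts = dict(zip(("hnkey", "ecckey", "cip", "mac"), m.groups()))
    else:  # any other id is treated here as an HPLMN proprietary scheme
        m = PROPRIETARY.fullmatch(rest)
        if not m:
            raise ValueError("proprietary scheme needs hnkey and out")
        parts = {"hnkey": m[1], "out": m[2]}
    return SuciNai(supi_type, rid, schid, parts, realm)
```

A True value of identity_in_clear on traffic that is expected to use Profile A or Profile B is worth alerting on, since the subscriber identifier is then readable by anyone who sees the NAI.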
This clause describes the format of the UE identification when UE is performing an emergency registration and IMSI is not available or not authenticated.
The Emergency NAI for Limited Service State shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.2 of RFC 7542. The exact format shall be:
imei<IMEI>@sos.invalid
or if IMEI is not available,
mac<MAC>@sos.invalid
For example, if the IMEI is 219551288888888, the Emergency NAI for Limited Service State then takes the form of imei219551288888888@sos.invalid.
For example, if the MAC address is 44-45-53-54-00-AB, the Emergency NAI for Limited Service State then takes the form of mac4445535400AB@sos.invalid, where the MAC address is represented in hexadecimal format without separators.
The Alternative NAI shall take the form of a NAI, i.e. 'any_username@realm' as specified in RFC 7542. The Alternative NAI shall not be routable from any AAA server.
The Alternative NAI shall contain a username part that is not a null string.
The realm part of the NAI shall be "unreachable.3gppnetwork.org".
The result shall be an NAI in the form of:
While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12a of TS 23.502), the UE shall derive a NAI from the identity of the selected PLMN in the following format:
the username part <any_non_null_string> is any non null string; and
the <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 of TS 23.501.
While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the UE shall derive a NAI from the identity of the selected SNPN in the following format:
the username part <any_non_null_string> is any non null string; and
the <MNC>, <MCC> and <NID> identify the SNPN to which the UE attempts to connect via the trusted non-3GPP access network.
While performing the EAP authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected TNGF, the UE shall derive a NAI from the identity of the selected TNGF in the following format:
"<any_non_null_string>@tngfid<TNGF ID>.nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org";
where:
The username part <any_non_null_string> is any non null string; and
The <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network; and
<TNGF ID> identifies the TNGF. The TNGF ID value shall comply with the syntax specified in Section 2.2 of RFC 7542 for a label in the realm part of a NAI.
While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN and TNGF, the UE shall derive a NAI from the identity of the selected SNPN and TNGF in the following format:
"<any_non_null_string>@tngfid<TNGF ID>.nai.5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org";
where:
the username part <any_non_null_string> is any non null string; and
the <MNC>, <MCC> and <NID> identify the SNPN to which the UE attempts to connect via the trusted non-3GPP access network; and
<TNGF ID> identifies the TNGF. The TNGF ID value shall comply with the syntax specified in Section 2.2 of RFC 7542 for a label in the realm part of a NAI.
When the UE is configured to behave as a UE with access identity 1 as defined in TS 24.501, and the UE is configured, as specified in TS 24.368, to apply NAI decoration for MPS, the username part of the NAI shall be appended with "#mps". This is needed to convey MPS configuration information to the network when connected via non-3GPP access.
For example, when the UE is configured for access identity 1, if the username portion (the any_non_null_string) is "ABCXYZ", and the realm part is @nai.5gc.nid000007ed9d5.mnc012.mcc345.3gppnetwork.org, then the NAI takes the form:
While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12b of TS 23.502), the N5CW device shall derive a NAI from the identity of the selected PLMN in the following format:
the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
SUCI as defined as the username part of the NAI format in clause 28.7.3, if the UE is not registered to 5GCN via NG-RAN; or
5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the N5CW device attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 of TS 23.501.
While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the N5CW device shall derive a NAI from the identity of the selected SNPN in the following format:
the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
SUCI as defined as the username part of the NAI format in clause 28.7.3; or
5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC>, <MCC> and <NID> identify the SNPN to which the N5CW device attempts to connect via the trusted non-3GPP access network.
In roaming scenarios, the NAI shall use the decorated NAI format as specified in clause 28.7.7.1 or 28.7.7.2.
If the credentials holder is constructed based on SNPN, the Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN scenarios shall take the form:
where the <5G_device_unique_identity> is to identify the N5CW device as defined in clause 28.7.7.0, the <NID_Home> or <NID_visited> shall be encoded as hexadecimal digits as specified in clause 12.7, and the <NID_Home>, <homeMNC>, and <homeMCC> are used to identify the SNPN based credentials holder.
If the credentials holder is constructed based on PLMN, the Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN shall take the form:
where the <5G_device_unique_identity> is to identify the N5CW device as defined in clause 28.7.7.0, the <NID_visited> shall be encoded as hexadecimal digits as specified in clause 12.7, and the <homeMNC> and <homeMCC> are used to identify the PLMN based credentials holder.
The NAI format of the 5G-GUTI shall have the form username@realm as specified in Section 2.2 of RFC 7542.
The username part of the NAI shall take the following form:
tmsi<5G-TMSI>.pt<AMF Pointer>.set<AMF Set Id>.region<AMF Region Id>
<5G-TMSI>, <AMF Pointer>, <AMF Set Id> and <AMF Region Id> are the hexadecimal strings of the 5G-TMSI, AMF Pointer, AMF Set ID and AMF Region ID. If there are less than 8 significant digits in <5G-TMSI>, "0" digit(s) shall be inserted at the left side to fill the 8 digits coding. If there are less than 2 significant digits in <AMF Pointer> or <AMF Region Id>, "0" digit(s) shall be inserted at the left side to fill the 2 digits coding of the AMF Pointer or AMF Region Id respectively. If there are less than 3 significant digits in <AMF Set Id>, "0" digit(s) shall be inserted at the left side to fill the 3 digits coding.
Example:
Assuming 5G-TMSI = 06666666 (hexadecimal), AMF Pointer=12 (hexadecimal), AMF Set = 001 (hexadecimal), AMF Region = 48 (hexadecimal), the username part of the NAI is encoded as:
"tmsi06666666.pt12.set001.region48"
The NAI for an N5CW device in a PLMN (either HPLMN or VPLMN) with MNC=012 and MCC=345, to which the N5CW device attempts to connect via the trusted non-3GPP access, according to clause 28.7.7 is:
The Decorated NAI format for SUCI shall take the form of a NAI and shall have the form
'Homerealm!username@otherrealm'
as specified in Section 2.7 of RFC 4282.
The username part of Decorated NAI shall contain the username of the NAI format for SUCI as specified in clause 28.7.3.
'Homerealm' shall be the realm of the NAI format for SUCI as specified in clause 28.7.3, unless specified otherwise in relevant clauses.
The realm part of Decorated NAI consists of 'otherrealm', see RFC 4282. 'Otherrealm' is the realm built using the PLMN ID (visited MCC + visited MNC) of the visited PLMN selected by the UE. In case of the SNPN scenarios, the 'Otherrealm' is the realm built using the SNPN ID (PLMN ID + NID, where PLMN ID + NID are MCC + MNC + NID of the non-subscribed SNPN).
The 'Homerealm' and the 'otherrealm' may be preceded by one or more labels for specific use cases of the Decorated NAI format for SUCI, e.g. for 5G NSWO (see clause 28.7.9.2).
The resulting decorated NAI should take the form shown below:
<one or more labels>.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@<one or more labels>.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is a subscribed SNPN, the decorated NAI should have the form as mentioned below:
<one or more labels>.nid<subscribedSNPNNID>.mnc<subscribedSNPNMNC>.mcc<subscribedSNPNMCC>.3gppnetwork.org!<username of SUCI in NAI format>@<one or more labels>.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is an HPLMN, the decorated NAI should have the form as mentioned below:
<one or more labels>.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@<one or more labels>.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
5gc-nswo.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5gc-nswo.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is a subscribed SNPN, the decorated NAI should have the form as mentioned below:
5g-nswo.nid<subscribedSNPNNID>.mnc<subscribedSNPNMNC>.mcc<subscribedSNPNMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5g-nswo.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is an HPLMN, the decorated NAI should have the form as mentioned below:
5g-nswo.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5g-nswo.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is a credential holder with AAA server, the decorated NAI based on configured SUPI should have the form as mentioned below:
5g-nswo.<realm of SUPI in NAI format>!<username of SUPI in NAI format>@5g-nswo.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is a credential holder with AAA server, the decorated NAI based on anonymous SUPI should have the form as mentioned below:
5g-nswo.<realm of SUPI in NAI format>!anonymous@5g-nswo.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
or
5g-nswo.<realm of SUPI in NAI format>!@5g-nswo.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
EXAMPLE:
Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSIN=0999999999, the Routing Indicator 678, a Home Network Public Key Identifier of 27, the null-scheme, and the Visited PLMN ID (MCC = 610, MNC = 71):
the NAI format for the SUCI for 5G NSWO takes the form:
type0.rid678.schid0.userid0999999999@5gc-nswo.mnc015.mcc234.3gppnetwork.org
the Decorated NAI format for the SUCI for 5G NSWO roaming takes the form:
5gc-nswo.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0.userid0999999999@5gc-nswo.mnc071.mcc610.3gppnetwork.org
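A node that routes on a decorated NAI can validate both realms before acting on them. The Python sketch below is an added example, not part of the specification text: it splits 'Homerealm!username@otherrealm', decodes the mcc, mnc and optional nid labels of each 3gppnetwork.org realm, and reports whether the two sides name different networks and carry the same use-case labels. It goes beyond the PLMN example above by also handling the SNPN (nid) form; parse_3gpp_realm and parse_decorated_nai are illustrative names, and the NID is accepted as any run of hexadecimal digits.

```python
import re


def parse_3gpp_realm(realm: str):
    """Decode labels/nid/mnc/mcc of a 3gppnetwork.org realm; None for other realms."""
    parts = realm.split(".")
    if [p.lower() for p in parts[-2:]] != ["3gppnetwork", "org"]:
        return None  # e.g. the realm of a network specific identifier
    parts = parts[:-2]
    out = {"nid": None}
    # Walk right to left: mcc and mnc are mandatory, nid is present only for an SNPN.
    # The MNC is always three digits in the realm (MNC 15 is written mnc015).
    for key, value in (("mcc", r"\d{3}"), ("mnc", r"\d{3}"), ("nid", r"[0-9A-Fa-f]+")):
        if parts and re.fullmatch(key + value, parts[-1], re.I):
            out[key] = parts.pop()[3:]
        elif key != "nid":
            raise ValueError(f"3GPP realm without a valid {key} label: {realm!r}")
    out["labels"] = parts  # use-case labels such as ['5gc-nswo']
    return out


def _network(info: dict) -> tuple:
    return (info["mcc"], info["mnc"], info["nid"])


def parse_decorated_nai(nai: str) -> dict:
    """Split a decorated NAI and cross-check the home realm against otherrealm."""
    left, at, other = nai.rpartition("@")
    home, bang, username = left.partition("!")
    if not (at and bang and home and other):
        raise ValueError("not in Homerealm!username@otherrealm form")
    visited = parse_3gpp_realm(other)
    if visited is None:
        raise ValueError("otherrealm is not built from a PLMN ID or SNPN ID")
    home_info = parse_3gpp_realm(home)  # None when the home realm is not a 3GPP realm
    return {
        "username": username,
        "home_realm": home,
        "home": home_info,
        "visited": visited,
        # The two checks below are only meaningful for a 3GPP home realm.
        "roaming": None if home_info is None
        else _network(home_info) != _network(visited),
        "labels_match": None if home_info is None
        else home_info["labels"] == visited["labels"],
    }


if __name__ == "__main__":
    # Decorated NAI taken from the example above.
    sample = ("5gc-nswo.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0."
              "userid0999999999@5gc-nswo.mnc071.mcc610.3gppnetwork.org")
    print(parse_decorated_nai(sample))
```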
For SNPN scenarios, decorated NAI format for SUCI for 5G-NSWO roaming shall take the following form:
Assuming the IMSI 234150999999999, where the subscribed SNPN that has MCC 234, MNC 015, and NID 345678ABCD and the non-subscribed SNPN (MCC =999, MNC =012, and NID 45678ABCDE).
5gc-nswo.nid345678ABCD.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0.userid0999999999@5gc-nswo.nid45678ABCDE.mnc012.mcc999.3gppnetwork.org
Assuming the IMSI 234150999999999, where the HPLMN that has MCC 234 and MNC 015 and the non-subscribed SNPN (MCC =999, MNC =012, and NID 45678ABCDE).
Assuming the SUPI of the network-specified identifier SUPI type is user@example.com, and the non-subscribed SNPN (MCC =999, MNC =012, and NID 45678ABCDE), then the decorated NAI based on configured SUPI is:
When the UE decides to use 5G NSWO to connect to the WLAN access network using its 5GS credentials but without registration to 5GS, the NAI format for 5G NSWO in non-roaming scenarios is used. See clause 28.7.9.2 for the NAI format for 5G NSWO in roaming scenarios.
In the 5G NSWO use case, the UE shall use a NAI in the following format:
For PLMNs:
"<username>@5gc-nswo.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
For SNPNs:
"<username>@5gc-nswo.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
In the above use cases:
When:
the UE does not operate in SNPN access operation mode for 5G NSWO;
the UE operates in SNPN access operation mode for 5G NSWO and the PLMN subscription is selected; or
the UE operates in SNPN access operation mode for 5G NSWO and an indication to use SUPI which is associated with the selected entry of the "list of subscriber data", is not configured in the ME.
then the entire NAI is constructed by the definition of the username part in clause 28.7.3, along with the realm mentioned in this section.
When:
the UE operates in SNPN access operation mode for 5G NSWO; and
an indication to use SUPI which is associated with the selected entry of the "list of subscriber data", is configured in the ME;
then the entire NAI is constructed by the definition of the username part in clause 28.7.2, along with the realm mentioned in this section.
the label '5gc-nswo' in the realm part indicates that the NAI is used for 5G NSWO. For PLMNs, <MNC> and <MCC> identify the PLMN, and for SNPNs, <NID>, <MNC> and <MCC> identify the SNPN, to which the UE attempts to connect via the 5G NSWO as described in clause 4.2.15 of TS 23.501.
For an anonymous SUCI in the 5G NSWO use case, assuming MCC=234, MNC=15 and the Routing Indicator 678, the UE shall use the NAI in the following format:
type1.rid678.schid0.useridanonymous@5gc-nswo.nid<NID>.mnc015.mcc234.3gppnetwork.org (with username corresponding to "anonymous"), or
type1.rid678.schid0.userid@5gc-nswo.nid<NID>.mnc015.mcc234.3gppnetwork.org (with username corresponding to an empty string)
For an anonymous SUPI in the 5G NSWO use case, assuming MCC=234, MNC=15 and the Routing Indicator 678, the UE shall use the NAI in the following format:
anonymous@5gc-nswo.nid<NID>.mnc015.mcc234.3gppnetwork.org (with username corresponding to "anonymous"), or
@5gc-nswo.nid<NID>.mnc015.mcc234.3gppnetwork.org (with username corresponding to an empty string)