The purpose of the PDU session authentication and authorization procedure is to enable the DN:
to authenticate the upper layers of the UE, when establishing the PDU session;
to authorize the upper layers of the UE, when establishing the PDU session;
both of the above; or
to re-authenticate the upper layers of the UE after establishment of the PDU session.
The PDU session authentication and authorization procedure can be performed only during or after the UE-requested PDU session establishment procedure establishing a non-emergency PDU session. The PDU session authentication and authorization procedure shall not be performed during or after the UE-requested PDU session establishment procedure establishing an emergency PDU session.
The upper layers store the association between a DNN and corresponding credentials, if any, for the PDU session authentication and authorization.
If the UE is registered for onboarding services in SNPN the SMF may initiate the PDU session authentication and authorization procedure based on local policy with a DCS as specified in subclause I.9.2.4.1 of TS 33.501 or a DN-AAA server as specified in subclause I.9.2.4.2 of TS 33.501.
If the UE is registered for onboarding services in SNPN and the network initiates the PDU session authentication and authorization procedure, the UE shall use the default UE credentials for secondary authentication for the PDU session authentication and authorization procedure.
The network authenticates the UE using the Extensible Authentication Protocol (EAP) as specified in RFC 3748.
EAP has defined four types of EAP messages:
an EAP-request message;
an EAP-response message;
an EAP-success message; and
an EAP-failure message.
The EAP-request message is transported from the network to the UE using the PDU SESSION AUTHENTICATION COMMAND message of the PDU EAP message reliable transport procedure.
The EAP-response message to the EAP-request message is transported from the UE to the network using the PDU SESSION AUTHENTICATION COMPLETE message of the PDU EAP message reliable transport procedure.
If the PDU session authentication and authorization procedure is performed during the UE-requested PDU session establishment procedure:
and the DN authentication of the UE completes successfully, the EAP-success message is transported from the network to the UE as part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT ACCEPT message; or
and the DN authentication of the UE completes unsuccessfully, the EAP-failure message is transported from the network to the UE as part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT REJECT message.
If the PDU session authentication and authorization procedure is performed after the UE-requested PDU session establishment procedure:
and the DN authentication of the UE completes successfully, the EAP-success message is transported from the network to the UE using the PDU SESSION AUTHENTICATION RESULT message of the PDU EAP result message transport procedure; or
and the DN authentication of the UE completes unsuccessfully, the EAP-failure message is transported from the network to the UE using the PDU SESSION RELEASE COMMAND message of the network-requested PDU session release procedure.
There can be several rounds of exchange of an EAP-request message and a related EAP-response message for the DN to complete the authentication and authorization of the request for a PDU session (see example in Figure 6.3.1.1).
The SMF shall set the authenticator retransmission timer specified in Section 4.3 of RFC 3748 to an infinite value.
In order to initiate the PDU EAP message reliable transport procedure, the SMF shall create a PDU SESSION AUTHENTICATION COMMAND message.
The SMF shall set the PTI IE of the PDU SESSION AUTHENTICATION COMMAND message to "No procedure transaction identity assigned".
The SMF shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message to the EAP-request message provided by the DN or generated locally.
The SMF shall send the PDU SESSION AUTHENTICATION COMMAND message, and the SMF shall start timer T3590 (see example in Figure 6.3.1.1).
Upon receipt of the PDU SESSION AUTHENTICATION COMMAND message, if the UE provided a DNN during the PDU session establishment, the UE shall stop timer T3396, if it is running for the DNN provided by the UE. If the UE did not provide a DNN during the PDU session establishment, the UE shall stop the timer T3396 associated with no DNN if it is running. In an SNPN, the timer T3396 to be stopped includes:
the timer T3396 applied for all the equivalent SNPNs, associated with the RSNPN or an equivalent SNPN, and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running; and
the timer T3396 applied for the registered SNPN, associated with the RSNPN, and, if the UE supports access to an SNPN using credentials from a credentials holder, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running.
Upon receipt of the PDU SESSION AUTHENTICATION COMMAND message, if the UE provided an S-NSSAI and a DNN during the PDU session establishment, the UE shall stop timer T3584, if it is running for the [S-NSSAI of the PDU session, DNN] combination. If the UE provided a DNN but did not provide an S-NSSAI during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [no S-NSSAI, DNN] combination provided by the UE. If the UE provided an S-NSSAI but did not provide a DNN during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [S-NSSAI, no DNN] combination provided by the UE. If the UE provided neither a DNN nor an S-NSSAI during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [no S-NSSAI, no DNN] combination provided by the UE. The timer T3584 to be stopped includes:
in a PLMN:
the timer T3584 applied for all the PLMNs, if running; and
the timer T3584 applied for the registered PLMN, if running; or
in an SNPN:
the timer T3584 applied for all the equivalent SNPNs, and associated with the RSNPN or an equivalent SNPN and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running; and
the timer T3584 applied for the registered SNPN, associated with the RSNPN and, if the UE supports access to an SNPN using credentials from a credentials holder, equivalent SNPNs or both, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running.
Upon receipt of the PDU SESSION AUTHENTICATION COMMAND message, if the UE provided an S-NSSAI during the PDU session establishment, the UE shall stop timer T3585, if it is running for the S-NSSAI of the PDU session. If the UE did not provide an S-NSSAI during the PDU session establishment, the UE shall stop the timer T3585 associated with no S-NSSAI if it is running. The timer T3585 to be stopped includes:
in a PLMN:
the timer T3585 applied for all the PLMNs and for the access over which the PDU SESSION AUTHENTICATION COMMAND message is received, if running;
the timer T3585 applied for all the PLMNs and for both 3GPP access type and non-3GPP access type, if running;
the timer T3585 applied for the registered PLMN and for the access over which the PDU SESSION AUTHENTICATION COMMAND message is received, if running; and
the timer T3585 applied for the registered PLMN and for both 3GPP access type and non-3GPP access type, if running; or
in an SNPN:
the timer T3585 applied for all the equivalent SNPNs and for the access over which the PDU SESSION AUTHENTICATION COMMAND message is received, associated with the RSNPN or an equivalent SNPN and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running;
the timer T3585 applied for all the equivalent SNPNs and for both 3GPP access type and non-3GPP access type, associated with the RSNPN or an equivalent SNPN and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running;
the timer T3585 applied for the registered SNPN and for the access over which the PDU SESSION AUTHENTICATION COMMAND message is received, associated with the RSNPN and, if the UE supports access to an SNPN using credentials from a credentials holder, equivalent SNPNs or both, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running; and
the timer T3585 applied for the registered SNPN and for both 3GPP access type and non-3GPP access type, associated with the RSNPN and, if the UE supports access to an SNPN using credentials from a credentials holder, equivalent SNPNs or both, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running.
Upon receipt of a PDU SESSION AUTHENTICATION COMMAND message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message. Apart from this action and the stopping of timers T3396, T3584 and T3585 (if running), the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
The UE shall create a PDU SESSION AUTHENTICATION COMPLETE message when the upper layers provide an EAP-response message responding to the received EAP-request message.
The UE shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the EAP-response message.
The UE shall transport the PDU SESSION AUTHENTICATION COMPLETE message and the PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
Upon receipt of a PDU SESSION AUTHENTICATION COMPLETE message, the SMF shall stop timer T3590 and provide the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the DN or handle it locally.
T3590 expired.
The SMF shall, on the first expiry of the timer T3590, retransmit the PDU SESSION AUTHENTICATION COMMAND message and shall reset and start timer T3590. This retransmission is repeated four times, i.e. on the fifth expiry of timer T3590, the SMF shall abort the procedure.
Collision of UE-requested PDU session release procedure and a PDU session authentication and authorization procedure.
When the SMF receives a PDU SESSION RELEASE REQUEST message during the PDU session authentication and authorization procedure, and the PDU session indicated in the PDU SESSION RELEASE REQUEST message is the PDU session that the SMF had requested to authenticate, the SMF shall abort the PDU session authentication and authorization procedure and proceed with the UE-requested PDU session release procedure.
PDU session inactive for the received PDU session ID.
If the PDU session ID in the PDU SESSION AUTHENTICATION COMMAND message belongs to any PDU session in state PDU SESSION INACTIVE in the UE, the UE shall send a 5GSM STATUS message with the 5GSM cause IE set to #43 "Invalid PDU session identity".
Collision of UE-requested PDU session release procedure and a PDU session authentication and authorization procedure.
When the UE receives a PDU SESSION AUTHENTICATION COMMAND message during the UE-requested PDU session release procedure, and the PDU session indicated in the PDU SESSION AUTHENTICATION COMMAND message is the PDU session that the UE had requested to release, the UE shall ignore the PDU SESSION AUTHENTICATION COMMAND message and proceed with the UE-requested PDU session release procedure.
The PDU EAP result message transport procedure is initiated by the SMF if the PDU session authentication and authorization procedure is performed after the PDU session is established and the DN authentication of the UE completes successfully.
In order to initiate the PDU EAP result message transport procedure, the SMF shall create a PDU SESSION AUTHENTICATION RESULT message.
The SMF shall set the PTI IE of the PDU SESSION AUTHENTICATION RESULT message to "No procedure transaction identity assigned".
The SMF shall set the EAP message IE of the PDU SESSION AUTHENTICATION RESULT message to the EAP-success message provided by the DN.
The SMF shall send the PDU SESSION AUTHENTICATION RESULT message.
Upon receipt of a PDU SESSION AUTHENTICATION RESULT message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION RESULT message. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
PDU session inactive for the received PDU session ID.
If the PDU session ID in the PDU SESSION AUTHENTICATION RESULT message belongs to any PDU session in state PDU SESSION INACTIVE in the UE, the UE shall send a 5GSM STATUS message with the 5GSM cause IE set to #43 "Invalid PDU session identity".
Collision of UE-requested PDU session release procedure and a PDU EAP result message transport procedure.
When the UE receives a PDU SESSION AUTHENTICATION RESULT message during the UE-requested PDU session release procedure, and the PDU session indicated in the PDU SESSION AUTHENTICATION RESULT message is the PDU session that the UE had requested to release, the UE shall ignore the PDU SESSION AUTHENTICATION RESULT message and proceed with the UE-requested PDU session release procedure.
The purpose of the service-level authentication and authorization (service-level-AA) procedure is to enable the DN using NEF services for authentication:
to authenticate the upper layers of the UE, when establishing the PDU session;
to authorize the upper layers of the UE, when establishing the PDU session;
both of the above; or
to re-authenticate the upper layers of the UE after establishment of the PDU session.
The service-level authentication and authorization procedure is used for UUAA as specified in TS 23.256.
The service-level authentication and authorization procedure can be performed only during or after the UE-requested PDU session establishment procedure establishing a non-emergency PDU session. The service-level authentication and authorization procedure shall not be performed during or after the UE-requested PDU session establishment procedure establishing an emergency PDU session.
If the service-level authentication and authorization procedure is performed during the UE-requested PDU session establishment procedure:
and the service-level-AA procedure of the UE completes successfully, the service-level-AA response is transported from the network to the UE as a part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT ACCEPT message; or
and the service-level-AA procedure of the UE completes unsuccessfully, the service-level-AA response is transported from the network to the UE as a part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT REJECT message.
If the service-level authentication and authorization procedure is performed for the established PDU session with re-authentication purpose:
and the service-level-AA procedure of the UE completes successfully, the service-level-AA response is transported from the network to the UE as a part of the network-requested PDU session modification procedure in the PDU SESSION MODIFICATION COMMAND message; or
and the service-level-AA procedure of the UE completes unsuccessfully, the service-level-AA response is transported from the network to the UE as a part of the network-requested PDU session release procedure in the PDU SESSION RELEASE COMMAND message.
There can be several rounds of exchange of a service-level-AA payload for the service to complete the service-level authentication and authorization of the request for a PDU session (see example in Figure 6.3.1A.1-1).
If the UE receives the service-level-AA response in the PDU SESSION ESTABLISHMENT ACCEPT message or the PDU SESSION ESTABLISHMENT REJECT message, the UE passes it to the upper layer.
In order to initiate the service-level authentication and authorization procedure, the SMF shall create a SERVICE-LEVEL AUTHENTICATION COMMAND message.
The SMF shall set the PTI IE of the SERVICE-LEVEL AUTHENTICATION COMMAND message to "No procedure transaction identity assigned".
The SMF shall set the service-level-AA payload in the Service-level-AA container IE of the SERVICE-LEVEL AUTHENTICATION COMMAND message to the payload provided by the DN via the NEF. If a payload type associated with the payload is provided by the DN via the NEF, the SMF shall set the service-level-AA payload type with the value set to the payload type.
The SMF shall send the SERVICE-LEVEL AUTHENTICATION COMMAND message, and the SMF shall start timer T3594 (see example in Figure 6.3.1A.1-1).
Upon receipt of the SERVICE-LEVEL AUTHENTICATION COMMAND message, if the UE provided a DNN during the PDU session establishment, the UE shall stop timer T3396, if it is running for the DNN provided by the UE. If the UE did not provide a DNN during the PDU session establishment, the UE shall stop the timer T3396 associated with no DNN if it is running. In an SNPN, the timer T3396 to be stopped includes:
the timer T3396 applied for all the equivalent SNPNs, associated with the RSNPN or an equivalent SNPN, and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running; and
the timer T3396 applied for the registered SNPN, associated with the RSNPN, and, if the UE supports access to an SNPN using credentials from a credentials holder, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running.
Upon receipt of the SERVICE-LEVEL AUTHENTICATION COMMAND message, if the UE provided an S-NSSAI and a DNN during the PDU session establishment, the UE shall stop timer T3584, if it is running for the [S-NSSAI of the PDU session, DNN] combination. If the UE provided a DNN but did not provide an S-NSSAI during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [no S-NSSAI, DNN] combination provided by the UE. If the UE provided an S-NSSAI but did not provide a DNN during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [S-NSSAI, no DNN] combination provided by the UE. If the UE provided neither a DNN nor an S-NSSAI during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [no S-NSSAI, no DNN] combination provided by the UE. The timer T3584 to be stopped includes:
in a PLMN:
the timer T3584 applied for all the PLMNs, if running; and
the timer T3584 applied for the registered PLMN, if running; or
in an SNPN:
the timer T3584 applied for all the equivalent SNPNs, and associated with the RSNPN or an equivalent SNPN and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running; and
the timer T3584 applied for the registered SNPN, associated with the RSNPN and, if the UE supports access to an SNPN using credentials from a credentials holder, equivalent SNPNs or both, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running.
Upon receipt of the SERVICE-LEVEL AUTHENTICATION COMMAND message, if the UE provided an S-NSSAI during the PDU session establishment, the UE shall stop timer T3585, if it is running for the S-NSSAI of the PDU session. If the UE did not provide an S-NSSAI during the PDU session establishment, the UE shall stop the timer T3585 associated with no S-NSSAI if it is running. The timer T3585 to be stopped includes:
in a PLMN:
the timer T3585 applied for all the PLMNs and for the access over which the SERVICE-LEVEL AUTHENTICATION COMMAND message is received, if running;
the timer T3585 applied for all the PLMNs and for both 3GPP access type and non-3GPP access type, if running;
the timer T3585 applied for the registered PLMN and for the access over which the SERVICE-LEVEL AUTHENTICATION COMMAND message is received, if running; and
the timer T3585 applied for the registered PLMN and for both 3GPP access type and non-3GPP access type, if running; or
in an SNPN:
the timer T3585 applied for all the equivalent SNPNs and for the access over which the SERVICE-LEVEL AUTHENTICATION COMMAND message is received, associated with the RSNPN or an equivalent SNPN and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running;
the timer T3585 applied for all the equivalent SNPNs and for both 3GPP access type and non-3GPP access type, associated with the RSNPN or an equivalent SNPN and with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running;
the timer T3585 applied for the registered SNPN and for the access over which the SERVICE-LEVEL AUTHENTICATION COMMAND message is received, associated with the RSNPN and, if the UE supports access to an SNPN using credentials from a credentials holder, equivalent SNPNs or both, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running; and
the timer T3585 applied for the registered SNPN and for both 3GPP access type and non-3GPP access type, associated with the RSNPN and, if the UE supports access to an SNPN using credentials from a credentials holder, equivalent SNPNs or both, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if running.
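The timer-stopping rules above, as an added example that is not 3GPP or any implementation's code: the same rules apply on receipt of the PDU SESSION AUTHENTICATION COMMAND message in the PDU EAP message reliable transport procedure and of the SERVICE-LEVEL AUTHENTICATION COMMAND message here, so one selector serves both. It covers the PLMN case only; the BackoffTimer record, the timers_to_stop function and the sample DNN and S-NSSAI values are constructed for the example.

```python
# Added illustration (not 3GPP code), PLMN case only: the BackoffTimer record layout,
# the timers_to_stop function and the sample DNN / S-NSSAI values are constructed here.
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class BackoffTimer:
    name: str                      # "T3396", "T3584" or "T3585"
    scope: str                     # "all_plmns" or "registered_plmn"
    dnn: Optional[str] = None      # None means the "no DNN" instance
    snssai: Optional[str] = None   # None means the "no S-NSSAI" instance
    access: Optional[str] = None   # T3585 only: "3gpp", "non-3gpp" or "both"


def timers_to_stop(running: Iterable[BackoffTimer], session_dnn: Optional[str],
                   session_snssai: Optional[str], rx_access: str) -> Set[BackoffTimer]:
    """Select the running back-off timers the UE stops on receipt of the command.

    session_dnn / session_snssai are what the UE provided at PDU session
    establishment (None if it provided none); rx_access is the access over which
    the command was received. Both the all-PLMNs and the registered-PLMN
    instances of a matching timer are stopped.
    """
    stop = set()
    for t in running:
        if t.name == "T3396":
            # T3396 is per DNN: stop the instance for the DNN provided (or for no DNN).
            if t.dnn == session_dnn:
                stop.add(t)
        elif t.name == "T3584":
            # T3584 is per [S-NSSAI, DNN] combination; both parts must match exactly.
            if (t.snssai, t.dnn) == (session_snssai, session_dnn):
                stop.add(t)
        elif t.name == "T3585":
            # T3585 is per S-NSSAI and access: the receiving access and the
            # "both access types" instances are stopped; the other access is not.
            if t.snssai == session_snssai and t.access in (rx_access, "both"):
                stop.add(t)
    return stop


# Constructed sample of running timers for one UE (values are illustrative only).
RUNNING_TIMERS = {
    BackoffTimer("T3396", "all_plmns", dnn="internet"),
    BackoffTimer("T3396", "all_plmns", dnn="ims"),
    BackoffTimer("T3584", "all_plmns", dnn="internet", snssai="1-000001"),
    BackoffTimer("T3584", "registered_plmn", dnn="internet", snssai="1-000001"),
    BackoffTimer("T3584", "registered_plmn", dnn="internet", snssai=None),
    BackoffTimer("T3585", "all_plmns", snssai="1-000001", access="3gpp"),
    BackoffTimer("T3585", "all_plmns", snssai="1-000001", access="both"),
    BackoffTimer("T3585", "registered_plmn", snssai="1-000001", access="non-3gpp"),
    BackoffTimer("T3585", "registered_plmn", snssai="2-000002", access="both"),
}

if __name__ == "__main__":
    # Session established with DNN "internet" and S-NSSAI "1-000001";
    # command received over 3GPP access.
    for t in sorted(timers_to_stop(RUNNING_TIMERS, "internet", "1-000001", "3gpp"), key=str):
        print("stop", t)
```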
Upon receipt of a SERVICE-LEVEL AUTHENTICATION COMMAND message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the Service-level-AA payload received in the service-level-AA container IE of the SERVICE-LEVEL AUTHENTICATION COMMAND message. Apart from this action, the service-level authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
When the upper layers provide a service-level-AA payload, the UE shall create a SERVICE-LEVEL AUTHENTICATION COMPLETE message and set the service-level-AA payload of the Service-level-AA container IE to the service-level-AA payload received from the upper layers, and if the service-level-AA payload type is received in the SERVICE-LEVEL AUTHENTICATION COMMAND message from the SMF, set the service-level-AA payload type of the Service-level-AA container IE to the service-level-AA payload type received from the SMF.
The UE shall transport the SERVICE-LEVEL AUTHENTICATION COMPLETE message and the PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5. Apart from this action, the service-level authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
Upon receipt of a SERVICE-LEVEL AUTHENTICATION COMPLETE message, the SMF shall stop timer T3594 and provide the service-level-AA payload received in the Service-level-AA container IE of the SERVICE-LEVEL AUTHENTICATION COMPLETE message to the DN.
Expiry of timer T3594.
On the first expiry of the timer T3594, the SMF shall resend the SERVICE-LEVEL AUTHENTICATION COMMAND message and shall reset and restart timer T3594. This retransmission is repeated four times, i.e., on the fifth expiry of timer T3594, the SMF shall abort the procedure and send a PDU SESSION ESTABLISHMENT REJECT message with the 5GSM cause #29 "user authentication or authorization failed" as specified in subclause 6.4.1.4.1.
Collision of UE-requested PDU session release procedure and a service-level authentication and authorization procedure.
When the UE receives a SERVICE-LEVEL AUTHENTICATION COMMAND message during the UE-requested PDU session release procedure, and the PDU session indicated in the SERVICE-LEVEL AUTHENTICATION COMMAND message is the PDU session that the UE has requested to release, the UE shall ignore the SERVICE-LEVEL AUTHENTICATION COMMAND message and proceed with the UE-requested PDU session release procedure.
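The SMF-side retransmission limit, the collision with a UE-requested PDU session release and the UE-side receipt checks are the same shape for the PDU EAP message reliable transport procedure (timer T3590) and for the service-level authentication and authorization procedure (timer T3594), so one added model covers both. This is an illustration, not 3GPP or implementation code: the SmfAuthProcedure class, the ue_on_network_message function, the state names and the dictionary message layout are assumptions made for the example.

```python
# Added model (not 3GPP code): message, timer and cause names are from the text;
# the class, state names and dict message layout are assumptions for this example.
from dataclasses import dataclass, field

NO_PTI = "No procedure transaction identity assigned"
CAUSE_43 = '#43 "Invalid PDU session identity"'
CAUSE_29 = '#29 "user authentication or authorization failed"'
MAX_RETRANSMISSIONS = 4   # retransmit on expiries 1..4, abort on the 5th expiry


@dataclass
class SmfAuthProcedure:
    """One SMF-initiated COMMAND/COMPLETE round guarded by T3590 or T3594."""
    pdu_session_id: int
    payload: bytes               # EAP-request or service-level-AA payload from the DN
    service_level: bool = False  # False: EAP, timer T3590; True: service-level-AA, timer T3594
    expiries: int = 0
    timer_running: bool = False
    state: str = "idle"
    sent: list = field(default_factory=list)

    def _send_command(self):
        """Build the COMMAND with PTI 'no PTI assigned' and (re)start the timer."""
        if self.service_level:
            name, ie = "SERVICE-LEVEL AUTHENTICATION COMMAND", "Service-level-AA container"
        else:
            name, ie = "PDU SESSION AUTHENTICATION COMMAND", "EAP message"
        msg = {"msg": name, "pti": NO_PTI, ie: self.payload,
               "pdu_session_id": self.pdu_session_id}
        self.sent.append(msg)
        self.timer_running = True
        return msg

    def start(self):
        self.state = "awaiting_complete"
        return self._send_command()

    def on_timer_expiry(self):
        """Expiries 1-4: retransmit and restart the timer; 5th expiry: abort."""
        if self.state != "awaiting_complete":
            return None
        self.expiries += 1
        if self.expiries <= MAX_RETRANSMISSIONS:
            return self._send_command()
        self.timer_running = False
        self.state = "aborted"
        if self.service_level:   # service-level-AA during establishment: reject with #29
            return {"msg": "PDU SESSION ESTABLISHMENT REJECT", "5gsm_cause": CAUSE_29}
        return None              # EAP case: the procedure is simply aborted

    def on_complete(self, response):
        """COMPLETE received: stop the timer; the payload is handed to the DN."""
        self.timer_running = False
        self.state = "completed"
        return response

    def on_release_request(self, pdu_session_id):
        """Collision: a PDU SESSION RELEASE REQUEST for this session aborts the round."""
        if self.state == "awaiting_complete" and pdu_session_id == self.pdu_session_id:
            self.timer_running = False
            self.state = "aborted"
            return True
        return False


def ue_on_network_message(msg, active_sessions, releasing):
    """UE checks on a COMMAND or RESULT: inactive -> STATUS #43, releasing -> ignore."""
    sid = msg["pdu_session_id"]
    if sid not in active_sessions:
        return {"msg": "5GSM STATUS", "5gsm_cause": CAUSE_43}
    if sid in releasing:
        return {"action": "ignore"}
    return {"action": "pass_to_upper_layers"}
```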