5.4.7 Network slice-specific authentication and authorization procedure

3GPP TS 24.501 Release 17: Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3

5.4.7.1 General

The purpose of the network slice-specific authentication and authorization procedure is to enable the authentication, authorization and accounting server (AAA-S) via the Network Slice Specific and SNPN Authentication and Authorization Function (NSSAAF) to (re-)authenticate or (re-)authorize the upper layers of the UE.

The network slice-specific authentication and authorization procedure can be invoked for a UE supporting the network slice-specific authentication and authorization procedure and for an HPLMN S-NSSAI (see subclause 5.15.10 in 3GPP TS 23.501 [8] and subclause 4.2.9.2 of 3GPP TS 23.502 [9]).

The network (re-)authenticates the UE using the EAP as specified in IETF RFC 3748 [34].

EAP has defined four types of EAP messages:

a) an EAP-request message;

b) an EAP-response message;

c) an EAP-success message; and

d) an EAP-failure message.

The EAP-request message is transported from the network to the UE using the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message of the network slice-specific EAP message reliable transport procedure.

The EAP-response message to the EAP-request message is transported from the UE to the network using the NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message of the network slice-specific EAP message reliable transport procedure.

If the (re-)authentication of the UE completes successfully or unsuccessfully, the EAP-success message or the EAP-failure message, respectively, is transported from the network to the UE using the NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT message of the network slice-specific result message transport procedure.

There can be several rounds of exchange of an EAP-request message and a related EAP-response message for the AAA-S via the NSSAAF to complete the (re-)authentication and (re-)authorization of the request for an S-NSSAI (see example in figure 5.4.7.1.1).

The AMF shall set the authenticator retransmission timer specified in subclause 4.3 of IETF RFC 3748 [34] to an infinite value.

NOTE: The network slice-specific authentication and authorization procedure provides a reliable transport of EAP messages and therefore retransmissions at the EAP layer of the AMF do not occur.
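The four EAP message types above and the NAS messages that carry them can be made concrete with a small parser. The following Python is an added example, not part of TS 24.501 or of any 3GPP implementation: it decodes the RFC 3748 EAP header (Code, Identifier, Length), rejects malformed packets that a NAS receiver should discard rather than pass to the upper layers, maps each EAP code to the 5GMM message named in this subclause, and checks that an EAP-response carries the Identifier of the outstanding EAP-request as RFC 3748 requires. The identity string in the test input is constructed.

```python
"""Added example: EAP (RFC 3748) header parsing and the NAS message that carries
each EAP code in the network slice-specific authentication and authorization
procedure (TS 24.501 subclause 5.4.7.1)."""
import struct

# EAP Code values from RFC 3748 section 4.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# NAS transport per subclause 5.4.7.1; the direction column is derived from that text.
NAS_TRANSPORT = {
    EAP_REQUEST: ("NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND", "network -> UE"),
    EAP_RESPONSE: ("NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE", "UE -> network"),
    EAP_SUCCESS: ("NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT", "network -> UE"),
    EAP_FAILURE: ("NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT", "network -> UE"),
}


def parse_eap(packet: bytes) -> dict:
    """Parse the 4-octet EAP header and return its fields.

    Raises ValueError on malformed input; a receiver should silently discard
    such packets instead of handing them to the upper layers.
    """
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in NAS_TRANSPORT:
        raise ValueError(f"unknown EAP code {code}")
    # Length covers Code, Identifier, Length and Data; trailing octets beyond it are ignored.
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet size")
    body = packet[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        # Request and Response carry a Type octet followed by type-specific data.
        if not body:
            raise ValueError("EAP Request/Response is missing the Type octet")
        eap_type, data = body[0], body[1:]
    else:
        # Success and Failure carry no data (RFC 3748 section 4.2).
        if body:
            raise ValueError("EAP Success/Failure must not carry data")
        eap_type, data = None, b""
    return {"code": code, "id": identifier, "type": eap_type, "data": data}


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """Encode an EAP packet with a correct Length field."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def nas_message_for(eap_packet: bytes) -> str:
    """Name of the 5GMM message that transports this EAP packet in the NSSAA procedure."""
    return NAS_TRANSPORT[parse_eap(eap_packet)["code"]][0]


def response_matches_request(request: bytes, response: bytes) -> bool:
    """RFC 3748: a Response must carry the Identifier of the outstanding Request."""
    req, rsp = parse_eap(request), parse_eap(response)
    return (req["code"] == EAP_REQUEST and rsp["code"] == EAP_RESPONSE
            and req["id"] == rsp["id"])


if __name__ == "__main__":
    # Constructed exchange: EAP Identity request (Type 1) and its response.
    req = build_eap(EAP_REQUEST, 7, eap_type=1)
    rsp = build_eap(EAP_RESPONSE, 7, eap_type=1, data=b"user@example.invalid")
    print(nas_message_for(req), "carries", parse_eap(req))
    print(nas_message_for(rsp), "carries", parse_eap(rsp))
    print("identifier matches:", response_matches_request(req, rsp))
```

The Identifier check matters for a reliable-transport implementation: because the AMF's EAP-layer retransmission timer is infinite, it is the NAS layer that pairs each COMPLETE with the COMMAND it answers, and a stale or mismatched EAP-response should not be forwarded to the AAA-S.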

Figure 5.4.7.1.1: Network slice-specific authentication and authorization procedure

5.4.7.2 Network slice-specific EAP message reliable transport procedure

5.4.7.2.1 Network slice-specific EAP message reliable transport procedure initiation

In order to initiate the network slice-specific EAP message reliable transport procedure, the AMF shall create a NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message.

The AMF shall set the EAP message IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message to the EAP-request message which is generated by the AMF or provided by the AAA-S via the NSSAAF.

The AMF shall set the S-NSSAI IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message to the HPLMN S-NSSAI to which the EAP-request message is related.

The AMF shall send the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message and start timer T3575 per S-NSSAI (see example in figure 5.4.7.1.1).

Upon receipt of a NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message, the UE shall stop timer T3346 if running. The UE shall pass:

a) the EAP-request message received in the EAP message IE; and

b) the HPLMN S-NSSAI in the S-NSSAI IE;

to the upper layers. Apart from this action, the network slice-specific authentication and authorization procedure is transparent to the 5GMM layer of the UE.

5.4.7.2.2 Network slice-specific EAP message reliable transport procedure accepted by the UE

When the upper layers provide an EAP-response message associated with the HPLMN S-NSSAI, the UE shall create a NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message.

The UE shall set the EAP message IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message to the EAP-response message.

The UE shall set the S-NSSAI IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message to the HPLMN S-NSSAI associated with the EAP-response message.

The UE shall send the NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message. Apart from this action, the network slice-specific authentication and authorization procedure is transparent to the 5GMM layer of the UE.

Upon receipt of a NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message, the AMF shall stop timer T3575 and:

a) pass the EAP-response message received in the EAP message IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message associated with the HPLMN S-NSSAI in the S-NSSAI IE to the upper layers; or

b) provide the EAP-response message received in the EAP message IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message associated with the HPLMN S-NSSAI in the S-NSSAI IE to the AAA-S via the NSSAAF.

5.4.7.2.3 Abnormal cases on the network side

The following abnormal cases can be identified:

a) T3575 expiry

The AMF shall, on the first expiry of the timer T3575, retransmit the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message and shall reset and start timer T3575. This retransmission is repeated four times, i.e. on the fifth expiry of timer T3575, the AMF shall abort the network slice-specific authentication and authorization procedure for the S-NSSAI. The AMF shall consider that the network slice-specific authentication and authorization procedure for the S-NSSAI is completed as a failure.

b) Lower layers indication of non-delivered NAS PDU due to handover

If the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message could not be delivered due to an intra AMF handover and the target TAI is included in the TAI list, then upon successful completion of the intra AMF handover the AMF shall retransmit the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message. If a failure of handover procedure is reported by the lower layer and the N1 NAS signalling connection exists, the AMF shall retransmit the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message.

c) Network slice-specific authentication and authorization procedure and de-registration procedure collision

If the network receives a DEREGISTRATION REQUEST message before the ongoing network slice-specific authentication and authorization procedure has been completed and the access type included in the DEREGISTRATION REQUEST message is the same as the one for which the network slice-specific authentication and authorization procedure is ongoing, the network shall abort the network slice-specific authentication and authorization procedure and shall progress the UE-initiated de-registration procedure. The AMF may initiate the network slice-specific authentication and authorization procedure for the S-NSSAI which is completed as a failure, if available. If the access type included in the DEREGISTRATION REQUEST message is different from the one for which the network slice-specific authentication and authorization procedure is ongoing, the network shall proceed with both procedures.

5.4.7.2.4 Abnormal cases in the UE

The following abnormal cases can be identified:

a) Transmission failure of the NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message with TAI change from lower layers

If the current TAI is not in the TAI list, the network slice-specific authentication and authorization procedure shall be aborted and:

– if the UE is in 5GMM-REGISTERED state, a registration procedure for mobility and periodic registration update indicating "mobility registration updating" in the 5GS registration type IE of the REGISTRATION REQUEST message shall be initiated; and

– otherwise a registration procedure for initial registration shall be initiated.

b) Transmission failure of NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE message indication without TAI change from lower layers

It is up to the UE implementation how to re-run the ongoing procedure that triggered the network slice-specific authentication and authorization procedure.

c) Network slice-specific authentication and authorization procedure and de-registration procedure collision

If the UE receives NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message after sending a DEREGISTRATION REQUEST message and the access type included in the DEREGISTRATION REQUEST message is the same as the access in which the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message is received, then the UE shall ignore the NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND message and proceed with the de-registration procedure. Otherwise, the UE shall proceed with both procedures.
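The abnormal cases in subclauses 5.4.7.2.3 and 5.4.7.2.4 are easiest to check as a small state model. The following Python is an added example, not part of TS 24.501 or of any AMF or UE implementation: it models the AMF side of one procedure per HPLMN S-NSSAI (T3575 with four retransmissions and abort on the fifth expiry, the handover non-delivery rule, the de-registration collision rule, and retention of the result from subclause 5.4.7.3) and the UE side (transmission failure with and without TAI change, and the collision with a DEREGISTRATION REQUEST). The S-NSSAI values and access-type labels are constructed; the class and function names are the example's own.

```python
"""Added example: AMF- and UE-side handling of the abnormal cases of the network
slice-specific EAP message reliable transport procedure (TS 24.501 5.4.7.2.3/5.4.7.2.4)."""
from dataclasses import dataclass
from typing import Optional

# 5.4.7.2.3 a): four retransmissions, then abort on the fifth expiry of T3575.
MAX_T3575_RETRANSMISSIONS = 4


@dataclass
class AmfNssaaProcedure:
    """AMF-side state of one procedure, kept per HPLMN S-NSSAI (hypothetical model)."""
    s_nssai: str
    access_type: str              # access over which the procedure runs, e.g. "3GPP"
    t3575_running: bool = False
    expiries: int = 0
    commands_sent: int = 0
    state: str = "ongoing"        # "ongoing", "completed" or "aborted"
    result: Optional[str] = None  # "success"/"failure"; retained while the UE stays registered

    def send_command(self) -> None:
        """Send NETWORK SLICE-SPECIFIC AUTHENTICATION COMMAND and (re)start T3575."""
        self.commands_sent += 1
        self.t3575_running = True

    def on_t3575_expiry(self) -> str:
        if not self.t3575_running:
            return "ignored"
        self.expiries += 1
        if self.expiries <= MAX_T3575_RETRANSMISSIONS:
            self.send_command()      # reset and start T3575 again
            return "retransmit"
        # Fifth expiry: abort and consider the procedure completed as a failure.
        self.t3575_running = False
        self.state, self.result = "completed", "failure"
        return "abort"

    def on_complete_received(self) -> str:
        """NETWORK SLICE-SPECIFIC AUTHENTICATION COMPLETE stops T3575 (5.4.7.2.2)."""
        self.t3575_running = False
        return "forward EAP-response to AAA-S via NSSAAF"

    def on_command_not_delivered(self, handover_succeeded: bool, intra_amf: bool,
                                 target_tai_in_list: bool, n1_connection_exists: bool) -> str:
        """5.4.7.2.3 b): COMMAND not delivered by the lower layers because of handover."""
        if handover_succeeded and intra_amf and target_tai_in_list:
            return "retransmit COMMAND after handover completes"
        if not handover_succeeded and n1_connection_exists:
            return "retransmit COMMAND"
        return "no action stated in 5.4.7.2.3 b)"

    def on_deregistration_request(self, dereg_access_type: str) -> str:
        """5.4.7.2.3 c): collision with a UE-initiated de-registration."""
        if self.state != "ongoing":
            return "no ongoing procedure"
        if dereg_access_type == self.access_type:
            self.t3575_running = False
            self.state = "aborted"
            return "abort NSSAA, proceed with de-registration"
        return "proceed with both procedures"

    def on_eap_result(self, eap_success: bool) -> str:
        """5.4.7.3: send NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT and retain the outcome."""
        self.t3575_running = False
        self.state = "completed"
        self.result = "success" if eap_success else "failure"
        return "send RESULT"


def ue_on_complete_tx_failure(tai_changed: bool, current_tai_in_list: bool,
                              registered: bool) -> str:
    """5.4.7.2.4 a)/b): lower layers report that COMPLETE could not be transmitted."""
    if not tai_changed:
        return "UE implementation decides how to re-run the triggering procedure"
    if not current_tai_in_list:
        if registered:
            return "abort; initiate registration for mobility registration updating"
        return "abort; initiate initial registration"
    return "no rule stated in 5.4.7.2.4 for a TAI change within the TAI list"


def ue_on_command_after_deregistration(dereg_access_type: str, command_access_type: str) -> str:
    """5.4.7.2.4 c): COMMAND arrives after the UE sent DEREGISTRATION REQUEST."""
    if dereg_access_type == command_access_type:
        return "ignore COMMAND, proceed with de-registration"
    return "proceed with both procedures"


if __name__ == "__main__":
    p = AmfNssaaProcedure("SST=1,SD=000001 (constructed)", "3GPP")
    p.send_command()
    print([p.on_t3575_expiry() for _ in range(5)], p.commands_sent, p.state, p.result)
```

Two details worth verifying in a real implementation against this model: the initial COMMAND plus four retransmissions means five COMMAND messages in total before the abort, and the timer and collision handling are per S-NSSAI and per access type, so a DEREGISTRATION REQUEST over one access must not abort a procedure running over the other.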

5.4.7.3 Network slice-specific EAP result message transport procedure

5.4.7.3.1 Network slice-specific EAP result message transport procedure initiation

In order to initiate the network slice-specific EAP result message transport procedure, the AMF shall create a NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT message.

The AMF shall set the EAP message IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT message to the EAP-success or EAP-failure message provided by the AAA-S via the NSSAAF.

The AMF shall set the S-NSSAI IE of the NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT message to the HPLMN S-NSSAI to which the EAP-success or EAP-failure message is related.

The AMF shall send the NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT message. The AMF shall retain the authentication result for the UE and the HPLMN S-NSSAI while the UE is registered to the PLMN (see subclause 5.15.10 in 3GPP TS 23.501 [8]).

Upon receipt of a NETWORK SLICE-SPECIFIC AUTHENTICATION RESULT message, the UE shall pass:

a) the EAP-success or EAP-failure message received in the EAP message IE; and

b) the HPLMN S-NSSAI in the S-NSSAI IE;

to the upper layers. Apart from this action, the network slice-specific authentication and authorization procedure is transparent to the 5GMM layer of the UE.