The PDU Session establishment authentication/authorization is optionally triggered by the SMF during a PDU Session establishment and performed transparently via a UPF or directly with the DN-AAA server without involving the UPF if the DN-AAA server is located in the 5GC and reachable directly, as described in TS 23.501, clause 5.6.6
In the case of Home Routed Roaming, unless specified otherwise, the SMF in the information flow defined in this clause is the H-SMF.
Steps 2, 3a, 3f and 4 are not defined in this specification. Steps 3 can be repeated depending on the mechanism used.
When the SMF directly communicates with the DN-AAA server without involving the UPF, Step 1 is skipped and Step 2, 3a, 3f, 4 and 6 are executed without involving the UPF.
The SMF determines that it needs to contact the DN-AAA server. The SMF identifies the DN-AAA server based on local configuration or using the DN-specific identity (TS 33.501
) provided by the UE inside the SM PDU DN Request Container provided by the UE in the PDU Session Establishment request or inside the EAP message in the PDU Session Authentication Complete message (TS 24.501
The content of the SM PDU DN Request Container is defined in TS 24.501
If there is no existing N4 session that can be used to carry DN-related messages between the SMF and the DN, the SMF selects a UPF and triggers N4 session establishment.
The SMF initiates the authentication procedure with the DN-AAA via the UPF to authenticate the DN-specific identity provided by the UE as specified in TS 29.561
When available, the SMF provides the GPSI in the signalling exchanged with the DN-AAA.
The UPF transparently relays the message received from the SMF to the DN-AAA server.
The DN-AAA server sends an Authentication/Authorization message towards the SMF. The message is carried via the UPF.
Transfer of DN Request Container information received from DN-AAA towards the UE.
In non-roaming and LBO cases, the SMF invokes the Namf_Communication_N1N2MessageTransfer
service operation on the AMF to transfer the DN Request Container information within N1 SM information sent towards the UE.
In the case of Home Routed roaming, the H-SMF initiates a Nsmf_PDUSession_Update
service operation to request the V-SMF to transfer DN Request Container to the UE and the V-SMF invokes the Namf_Communication_N1N2MessageTransfer
service operation on the AMF to transfer the DN Request Container information within N1 SM information sent towards the UE. In Nsmf_PDUSession_Update
Request, the H-SMF additionally includes the H-SMF SM Context ID.
The AMF sends the N1 NAS message to the UE
Transfer of DN Request Container information received from UE towards the DN-AAA.
When the UE responds with a N1 NAS message containing DN Request Container information, the AMF informs the SMF by invoking the Nsmf_PDUSession_UpdateSMContext
service operation. The SMF issues an Nsmf_PDUSession_UpdateSMContext
In the case of Home Routed roaming, the V-SMF relays the N1 SM information to the H-SMF using the information of PDU Session received in step 3b via a Nsmf_PDUSession_Update
The SMF (In HR case it is the H-SMF) sends the content of the DN Request Container information (authentication message) to the DN-AAA server via the UPF.
Step 3 may be repeated until the DN-AAA server confirms the successful authentication/authorization of the PDU Session.
The DN-AAA server confirms the successful authentication/authorization of the PDU Session. The DN-AAA server may provide:
an SM PDU DN Response Container to the SMF to indicate successful authentication/authorization;
DN Authorization Data as defined in TS 23.501, clause 5.6.6;
a request to get notified with the IP address(es) allocated to the PDU Session and/or with N6 traffic routing information or MAC address(es) used by the UE for the PDU Session; and
an IP address (or IPV6 Prefix) for the PDU Session.
The N6 traffic routing information is defined in TS 23.501, clause 5.6.7
After the successful DN authentication/authorization, a session is kept between the SMF and the DN-AAA. If the SMF receives a DN Authorization Data, the SMF uses the DN Authorization Profile Index to apply the policy and charging control (see TS 23.501, clause 5.6.6
The PDU Session establishment continues and completes. In the step 7b of the Figure 188.8.131.52.1-1, if the SMF receives the DN Authorization Profile Index in DN Authorization Data from the DN-AAA, it sends the DN Authorization Profile Index to retrieve the PDU Session related policy information (described in TS 23.503, clause 6.4
) and the PCC rule(s) (described in TS 23.503, clause 6.3
) from the PCF. If the SMF receives the DN authorized Session AMBR in DN Authorization Data from the DN-AAA, it sends the DN authorized Session AMBR within the Session AMBR to the PCF to retrieve the authorized Session AMBR (described in TS 23.503, clause 6.4
If requested so in step 4 or if configured so by local policies, the SMF notifies the DN-AAA with the IP/MAC address(es) and/or with N6 traffic routing information allocated to the PDU Session together with the GPSI.
Later on the SMF notifies the DN-AAA if the DN-AAA had requested to get notifications about:
allocation or release of an IPV6 Prefix for the PDU Session of IP type or addition or removal of source MAC addresses for the PDU Session of Ethernet type (e.g. using IPV6 multi-homing as defined in TS 23.501, clause 184.108.40.206),
Change of N6 traffic routing information.
When later on the PDU Session gets released as described in clause 4.3.4
, the SMF notifies the DN-AAA.
The DN-AAA server may revoke the authorization for a PDU Session or update DN authorization data for a PDU Session. According to the request from DN-AAA server, the SMF may release or update the PDU Session.
At any time after the PDU Session establishment, the DN-AAA server or SMF may initiate Secondary Re-authentication procedure for the PDU Session as specified in clause 11.1.3 of TS 33.501
. Step 3a to step 3f are performed to transfer the Secondary Re-authentication message between the UE and the DN-AAA server. The Secondary Re-authentication procedure may start from step 3a (DN-AAA initiated Secondary Re-authentication procedure) or step 3b (SMF initiated Secondary Re-authentication procedure). For the DN-AAA server initiated Secondary Re-authentication, the message in step 3a shall include GPSI, if available, and the IP/MAC address(es) of the PDU session, for SMF to identify the corresponding UE and PDU session.
DN-AAA may initiate DN-AAA Re-authorization without performing re-authentication based on local policy. DN-AAA Re-authorization procedure may start from step 4.
During Secondary Re-authentication/Re-authorization, if the SMF receives DN Authorization Profile Index and/or DN authorized Session AMBR, the SMF reports the received value(s) to the PCF (as described in TS 23.501
) by triggering the Policy Control Request Trigger as described in TS 23.503