The UE selects a PLMN and a TNAN for connecting to this PLMN by using the Trusted Non-3GPP Access Network selection procedure specified in TS 23.501, clause 6.3.12. During this procedure, the UE discovers the PLMNs with which the TNAN supports trusted connectivity (e.g. "5G connectivity").
A layer-2 connection is established between the UE and the TNAP. In the case of IEEE 802.11, this step corresponds to an 802.11 Association. In the case of PPP, this step corresponds to a PPP LCP negotiation. In other types of non-3GPP access (e.g. Ethernet), this step may not be required.
An EAP procedure is initiated. EAP messages are encapsulated into layer-2 packets, e.g. into IEEE 802.3/802.1x packets, into IEEE 802.11/802.1x packets, into PPP packets, etc. The NAI provided by the UE indicates that the UE requests "5G connectivity" to a specific PLMN, e.g. NAI = "<any_username>@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org". This NAI triggers the TNAP to send an AAA request to a TNGF, which operates as an AAA proxy. Between the TNAP and TNGF the EAP packets are encapsulated into AAA messages. The AAA request also includes the TNAP identifier, which can be treated as the User Location Information.
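The TNAP's decision to proxy the AAA request to a TNGF hinges on recognising the "5G connectivity" realm in the NAI above. The following is an added example (not part of the specification) of how a TNAP could parse that NAI and select the TNGF for the requested PLMN; it assumes the 3GPP realm convention of a 3-digit MCC and a zero-padded 3-digit MNC, and the PLMN-to-TNGF table is a constructed placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Realm of a "5G connectivity" NAI as quoted in the text above:
#   <any_username>@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
# Assumption: MCC is 3 decimal digits and MNC is zero-padded to 3 digits, as in
# the 3GPP realm convention. The pattern is anchored at both ends so that a
# realm with extra labels (e.g. a look-alike suffix) is not accepted.
_NAI_5GC_RE = re.compile(
    r"^(?P<username>[^@\s]+)@nai\.5gc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})"
    r"\.3gppnetwork\.org$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Nai5gc:
    username: str
    mcc: str
    mnc: str

    @property
    def plmn(self) -> str:
        # PLMN identity as MCC followed by MNC, e.g. "001001"
        return f"{self.mcc}{self.mnc}"


def parse_5gc_nai(nai: str) -> Optional[Nai5gc]:
    """Return the parsed NAI if it requests 5G connectivity, else None."""
    m = _NAI_5GC_RE.match(nai)
    if m is None:
        return None
    return Nai5gc(m["username"], m["mcc"], m["mnc"])


# Constructed table (hypothetical values): PLMN -> TNGF that acts as AAA proxy.
TNGF_BY_PLMN = {
    "001001": "tngf.plmn001001.example",
    "262010": "tngf.plmn262010.example",
}


def select_tngf(nai: str, table=TNGF_BY_PLMN) -> Optional[str]:
    """TNGF to forward the AAA request to, or None if the NAI does not request
    5G connectivity to a PLMN this TNAN has trusted connectivity with."""
    parsed = parse_5gc_nai(nai)
    if parsed is None:
        return None
    return table.get(parsed.plmn)
```

A NAI that does not match is simply not proxied; the TNAP falls back to whatever it does for ordinary (non-5G) EAP authentication, which is outside this procedure.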
An EAP-5G procedure is executed as the one specified in clause 4.12.2.2 for the untrusted non-3GPP access with the following modifications:
A TNGF key (instead of an N3IWF key) is created in the UE and in the AMF after the successful authentication. The TNGF key is transferred from the AMF to TNGF in step 10a (within the N2 Initial Context Setup Request). The TNGF derives a TNAP key, which is provided to the TNAP. The TNAP key depends on the non-3GPP access technology (e.g. it is a Pairwise Master Key in the case of IEEE 802.11). How these security keys are created is specified in TS 33.501.
In step 5 the UE shall include the Requested NSSAI in the AN parameters only if allowed, according to the conditions defined in TS 23.501, clause 5.15.9, for the trusted non-3GPP access.
In step 9b the UE receives the "TNGF Contact Info" which includes the IP address of TNGF.
The TNAP key is used to establish layer-2 security between the UE and TNAP. In the case of IEEE 802.11, a 4-way handshake is executed, which establishes a security context between the WLAN AP and the UE that is used to protect unicast and multicast traffic over the air.
The UE receives IP configuration from the TNAN, e.g. with DHCP.
At this point, the UE has successfully connected to the TNAN and has obtained IP configuration. The UE sets up a secure NWt connection with the TNGF as follows:
The UE initiates an IKE_INIT exchange using the IP address of TNGF received during the EAP-5G signalling, in step 9b. Subsequently, the UE initiates an IKE_AUTH exchange and provides its identity. The identity provided by the UE in the IKEv2 signalling should enable the TNGF to locate the TNGF key that was created before for this UE, during the authentication in step 8. The TNGF key is used for mutual authentication. NULL encryption is negotiated between the UE and the TNGF, as specified in RFC 2410.
In step 13c, the TNGF provides to UE (a) an "inner" IP address, (b) a NAS_IP_ADDRESS and a TCP port number and (c) a DSCP value. After this step, an IPsec SA is established between the UE and TNGF. This is referred to as the "signalling IPsec SA" and operates in Tunnel mode. Operation in Tunnel mode enables the use of MOBIKE for re-establishing the IPsec SAs when the IP address of the UE changes during mobility events. All IP packets exchanged between the UE and TNGF via the "signalling IPsec SA" shall be marked with the above DSCP value. The UE and the TNAP may map the DSCP value to a QoS level (e.g. to an EDCA Access Class) supported by the underlying non-3GPP access network. The mapping of a DSCP value to a QoS level of the non-3GPP access network is outside the scope of 3GPP.
Right after the establishment of the "signalling IPsec SA", the UE shall setup a TCP connection with the TNGF by using the NAS_IP_ADDRESS and the TCP port number received in step 13c. The UE shall send NAS messages within TCP/IP packets with source address the "inner" IP address of the UE and destination address the NAS_IP_ADDRESS. The TNGF shall send NAS messages within TCP/IP packets with source address the NAS_IP_ADDRESS and destination address the "inner" IP address of the UE.
This concludes the setup of the NWt connection between the UE and the TNGF. All subsequent NAS messages between UE and TNGF-CP are carried over this NWt connection (i.e. encapsulated in TCP/IP/ESP).
After the NWt connection is successfully established, the TNGF responds to AMF with an N2 Initial Context Setup Response message.
Finally, the NAS Registration Accept message is sent by the AMF and is forwarded to UE via the established NWt connection. Now the UE can use the TNAN (a) to transfer non-seamless offload traffic and (b) to establish one or more PDU Sessions.