TS 23.502, Word version 18.0.0


H (Normative)  Support of EAP-based secondary authentication and authorization by DN-AAA over EPC (R18)

H.1  Introduction

Secondary authentication/authorization by a DN-AAA server during the establishment of a PDN connection over 3GPP access to EPC is supported based on the following principles:
  • A SMF+PGW-C shall be used to serve DNN(s) requiring secondary authentication/authorization by a DN-AAA server.
  • For secondary authentication/authorization by a DN-AAA server, the SMF+PGW-C runs the same procedures with PCF, UDM and DN-AAA and uses the same corresponding interfaces, as defined in clause 4.3.2, regardless of whether the UE is served by EPC or 5GC.
  • If the UE has included the PDU session ID in PCO, the UE may indicate in the PDN connection establishment request its support for EAP-based secondary authentication and authorization by DN-AAA over EPC. The SMF+PGW-C may reject the PDN connection establishment if the UE does not support EAP-based secondary authentication and authorization by DN-AAA over EPC while local policies indicate that secondary authentication and authorization by DN-AAA is mandatory for access to the DN. When a PDU session is established, the UE may also indicate via PCO that it supports secondary DN authentication and authorization over EPC.
  • The interface towards the UE is different (usage of EPC NAS instead of 5GC NAS) between the EPC and 5GC cases.
  • The MME and SGW are not impacted by the procedure. Specific exchanges between the UE and the SMF+PGW-C for secondary authentication/authorization by a DN-AAA server are carried via PCO. This includes the support of EAP exchanges between the UE and the DN-AAA server.
  • As it is not possible to exchange PCO between the UE and the PGW without first establishing the PDN connection, the PDN connection is established before secondary authentication/authorization by a DN-AAA server takes place.
  • When secondary authentication/authorization by a DN-AAA server has successfully taken place, the SMF+PGW-C allows traffic exchange at the UPF and indicates to the UE that User plane traffic is now possible.

H.2  Procedures

H.2.1  Secondary authentication and authorization by DN-AAA at PDN Connection Establishment

Figure H.2.1-1 specifies the execution of the secondary authentication and authorization by DN-AAA. The procedure assumes that:
  • The APN is associated with the selection of a SMF+PGW-C to serve APN(s) that require secondary authentication and authorization by DN-AAA at PDN connection establishment.
  • The SMF+PGW-C is configured with local policies indicating that the APN requires secondary authentication and authorization by DN-AAA at PDN connection establishment.
Reproduction of 3GPP TS 23.502, Fig. H.2.1-1: EAP-based secondary authentication and authorization by DN-AAA at PDN connection establishment
Step 0.
As steps 1 - 13 in TS 23.401 Figure 5.3.2.1-1 (Attach Request) or as steps 1 to 3 in TS 23.401 Figure 5.10.2-1 (UE requested PDN connectivity), with the following modification: if the UE included the PDU Session Id in PCO, the UE may indicate in PCO its capability to support EAP-based secondary DN authentication over EPC.
Step 1.
The SMF+PGW-C gets subscription data from UDM as defined in step 4 of Figure 4.3.2.2.1-1 (not shown in Figure H.2.1-1). The procedure assumes that SMF configuration or subscription data from UDM require EAP-based secondary authentication and authorization by DN-AAA.
Secondary DN authorization may be invoked as described in TS 29.561. During this step the DN-AAA may provide an IP address for the UE and other DN authorization data as described in clause 5.6.6 of TS 23.501.
Step 2a.
If dynamic PCC is to be used for the PDU Session, the SMF+PGW-C performs an SM Policy Association Establishment procedure as defined in clause 4.16.4 and, if Secondary DN authorization has been invoked in step 1, provides to the PCF the PDN Connection parameters received from the DN AAA at step 1 as described in step 5 of Figure 4.3.2.3-1. In this step the SMF+PGW-C may retrieve the PDU Session related policy information and the PCC rule(s) from the PCF, e.g. the authorized Session AMBR.
Step 2b.
UPF selection and N4 session establishment is executed with the difference that the SMF+PGW-C configures the UPF+PGW-U to block any UE traffic over the PDN Connection (until the Secondary DN authentication and authorization has been done and is successful).
Step 3.
Steps 15-24 in Figure 5.3.2.1-1 of TS 23.401 or steps 5-16 in Figure 5.10.2-1 of TS 23.401.
During the Attach procedure, at step 15 in Figure 5.3.2.1-1 of TS 23.401, or during UE requested PDN connectivity, at step 5 in Figure 5.10.2-1 of TS 23.401, the SMF+PGW-C includes in PCO an indication to the UE that "UpLink Data is NOT ALLOWED" on the PDN connection. The UE shall not send uplink data to the network until it receives a further indication from the network that "UpLink Data is ALLOWED".
Step 4.
[Conditional] The PGW-C+SMF initiates EAP-based authentication by sending EAP-Request as described in step 2 of Figure 4.3.2.3-1.
Step 5.
Multiple round-trip messages as required by the authentication method used by DN-AAA may follow. The PCO including the authentication message from the DN-AAA is transferred to the UE by the SMF+PGW-C in Update Bearer Request and then over S1 by Downlink NAS Transport (steps 4b-4d). The response from the UE is transferred to the SMF+PGW-C in an Uplink NAS Transport over S1 and Update Bearer Response (steps 4e-4g) over EPS.
Step 6.
Secondary authentication and authorization by DN-AAA procedure continues as described in step 4 of Figure 4.3.2.3-1.
Step 7.
The SMF+PGW-C updates the N4 rules in the UPF+PGW-U to allow traffic over the PDN Connection. If dynamic PCC is to be used for the PDU Session and the SMF+PGW-C received DN Authorization information from the DN-AAA as part of step 5 or 6 that is different compared to the value received in step 2, the SMF+PGW-C contacts the PCF to update the PDN Connection as described in step 5 of Figure 4.3.2.3-1.
Step 8.
The SMF+PGW-C updates the UE by invoking the PDN GW initiated bearer modification without QoS update procedure (Figure 5.4.3-1 of TS 23.401) initiated by sending an Update Bearer Request message to the SGW. The PCO includes an indication that "UpLink Data is ALLOWED". The UE confirms the update (see clause 5.4.3 of TS 23.401).
If the UE IP address is to be delivered to the UE over user plane (via Router advertisement or DHCP) then the UE IP address is only delivered to the UE after step 8.
Step 9.
As in step 6 of Figure 4.3.2.3-1.
The DN-AAA Server may revoke the authorization for a PDN connection or update DN authorization data for a PDN connection. According to the request from DN-AAA Server, the SMF+PGW-C may release or update the PDN connection.
At any time after the PDN connection establishment, the DN-AAA Server or SMF+PGW-C may initiate Secondary Re-authentication procedure for the PDN connection as described in clause 4.3.2.3. Steps 4a-4h are performed to transfer the Secondary Re-authentication message between the DN-AAA Server and the UE. The Secondary Re-authentication procedure may start from step 4a (DN-AAA initiated Secondary Re-authentication procedure) or step 4b (SMF+PGW-C initiated Secondary Re-authentication procedure).
During Secondary Re-authentication, if the SMF+PGW-C receives an indication from the MME that the UE is unreachable, then it informs the DN-AAA Server that the UE is not reachable for re-authentication. Based on this indication from the SMF+PGW-C, the DN-AAA Server may decide to keep the PDN connection or request to release it.
DN-AAA may initiate DN-AAA Re-authorization without performing re-authentication based on local policy. DN-AAA Re-authorization procedure may involve steps 5 and 6 of Figure H.2.1-1 above.
During Secondary Re-authentication/Re-authorization, if the SMF+PGW-C receives DN Authorization Profile Index and/or DN authorized Session AMBR, the SMF+PGW-C reports the received value(s) to the PCF (as described in TS 23.501) by triggering the Policy Control Request Trigger as described in TS 23.503.
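As an added illustration that is not part of TS 23.502 or any 3GPP implementation, the following constructed Python model captures the gating logic of steps 2b to 9 above: the UPF+PGW-U blocks uplink and the UE is told "UpLink Data is NOT ALLOWED" from PDN establishment until the DN-AAA returns EAP-Success, and any other outcome (UE without EAP-over-EPC support, EAP-Failure, later revocation) closes the gate and releases the connection. The class names, the single-round challenge/response "EAP method" and the sample secret are assumptions made for the model.

```python
from dataclasses import dataclass, field

# PCO indications the SMF+PGW-C sends to the UE in Update Bearer Request (steps 3 and 8)
UL_NOT_ALLOWED = "UpLink Data is NOT ALLOWED"
UL_ALLOWED = "UpLink Data is ALLOWED"


@dataclass
class DnAaa:  # constructed DN-AAA stand-in: single-round challenge/response EAP method
    secret: bytes

    def verify(self, eap_response: bytes) -> str:
        return "EAP-Success" if eap_response == self.secret else "EAP-Failure"


@dataclass
class SmfPgwC:
    aaa: DnAaa
    upf_ul_blocked: bool = True                 # N4 gating rule at the UPF+PGW-U
    pco_sent: list = field(default_factory=list)
    state: str = "IDLE"

    def establish_pdn(self) -> None:           # steps 2b-3
        self.upf_ul_blocked = True              # UPF blocks all UE traffic on the PDN connection
        self.pco_sent.append(UL_NOT_ALLOWED)    # UE must not send uplink yet
        self.state = "AUTH_PENDING"

    def secondary_auth(self, ue_supports_eap: bool, ue_eap_response: bytes) -> str:
        # steps 4-8: EAP relayed over PCO; the gate opens only on EAP-Success
        if self.state != "AUTH_PENDING":        # H.1: PCO needs an established PDN connection
            raise RuntimeError("establish the PDN connection first")
        if not ue_supports_eap:                 # H.1: auth mandatory but UE cannot do it
            return self.release("reject: no EAP-over-EPC support")
        result = self.aaa.verify(ue_eap_response)   # steps 5-6 (Update Bearer Req/Resp rounds)
        if result != "EAP-Success":
            return self.release(result)
        self.upf_ul_blocked = False             # step 7: N4 rules updated to allow traffic
        self.pco_sent.append(UL_ALLOWED)        # step 8: bearer modification without QoS update
        self.state = "AUTHORIZED"
        return result

    def release(self, reason: str) -> str:     # also used when DN-AAA revokes (step 9)
        self.upf_ul_blocked = True
        self.state = "RELEASED"
        return reason


def run(ue_supports_eap: bool, ue_eap_response: bytes) -> tuple:
    # drive one PDN establishment end to end: (result, state, ul_blocked, pco indications)
    smf = SmfPgwC(DnAaa(secret=b"constructed-dn-secret"))   # constructed sample secret
    smf.establish_pdn()
    result = smf.secondary_auth(ue_supports_eap, ue_eap_response)
    return result, smf.state, smf.upf_ul_blocked, list(smf.pco_sent)
```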