
Content for  TS 24.501  Word version:  17.5.0


6.3  Network-requested 5GSM procedures

6.3.1  PDU session authentication and authorization procedure

6.3.1.1  General

The purpose of the PDU session authentication and authorization procedure is to enable the DN:
  1. to authenticate the upper layers of the UE, when establishing the PDU session;
  2. to authorize the upper layers of the UE, when establishing the PDU session;
  3. both of the above; or
  4. to re-authenticate the upper layers of the UE after establishment of the PDU session.
The PDU session authentication and authorization procedure can be performed only during or after the UE-requested PDU session procedure establishing a non-emergency PDU session. The PDU session authentication and authorization procedure shall not be performed during or after the UE-requested PDU session establishment procedure establishing an emergency PDU session.
The upper layers store the association between a DNN and corresponding credentials, if any, for the PDU session authentication and authorization.
The network authenticates the UE using the Extensible Authentication Protocol (EAP) as specified in RFC 3748.
EAP has defined four types of EAP messages:
  1. an EAP-request message;
  2. an EAP-response message;
  3. an EAP-success message; and
  4. an EAP-failure message.
The EAP-request message is transported from the network to the UE using the PDU SESSION AUTHENTICATION COMMAND message of the PDU EAP message reliable transport procedure.
The EAP-response message to the EAP-request message is transported from the UE to the network using the PDU SESSION AUTHENTICATION COMPLETE message of the PDU EAP message reliable transport procedure.
If the PDU session authentication and authorization procedure is performed during the UE-requested PDU session establishment procedure:
  1. and the DN authentication of the UE completes successfully, the EAP-success message is transported from the network to the UE as part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT ACCEPT message.
  2. and the DN authentication of the UE completes unsuccessfully, the EAP-failure message is transported from the network to the UE as part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT REJECT message.
If the PDU session authentication and authorization procedure is performed after the UE-requested PDU session establishment procedure:
  1. and the DN authentication of the UE completes successfully, the EAP-success message is transported from the network to the UE using the PDU SESSION AUTHENTICATION RESULT message of the PDU EAP result message transport procedure.
  2. and the DN authentication of the UE completes unsuccessfully, the EAP-failure message is transported from the network to the UE using the PDU SESSION RELEASE COMMAND message of the network-requested PDU session release procedure.
There can be several rounds of exchange of an EAP-request message and a related EAP-response message for the DN to complete the authentication and authorization of the request for a PDU session (see example in Figure 6.3.1.1).
The SMF shall set the authenticator retransmission timer specified in Section 4.3 of RFC 3748 to infinite value.
Reproduction of 3GPP TS 24.501, Fig. 6.3.1.1: PDU session authentication and authorization procedure
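As an added example, not code from TS 24.501 or from any 3GPP implementation: a parser for the four EAP message types of RFC 3748 (Code, Identifier, Length, Data) and a routing function that applies the rule above, returning which 5GSM message carries each EAP message type depending on whether the procedure runs during or after the UE-requested PDU session establishment procedure. The sample packets are constructed; EapPacket, build_eap, parse_eap, carrier_5gsm_message and classify are this example's own names.

```python
"""Added example, not code from TS 24.501: RFC 3748 EAP packet parsing plus
the 6.3.1.1 rule for which 5GSM message transports each EAP message type."""
from __future__ import annotations
import struct
from dataclasses import dataclass

# EAP Code values, RFC 3748 section 4
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "EAP-request", 2: "EAP-response", 3: "EAP-success", 4: "EAP-failure"}

@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    data: bytes   # Type + Type-Data for request/response, empty for success/failure

def build_eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Data, Length covering the whole packet."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

def parse_eap(raw: bytes) -> EapPacket:
    """Validate the header before the EAP message IE content reaches the upper
    layers: a Length field that disagrees with the received octets, or a
    Success/Failure with a body, is rejected rather than passed through."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODE_NAMES:
        raise ValueError(f"unknown EAP Code {code}")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} octets received")
    if code in (EAP_SUCCESS, EAP_FAILURE) and length != 4:
        raise ValueError("EAP-success/EAP-failure carry no data")
    return EapPacket(code, identifier, raw[4:])

def carrier_5gsm_message(code: int, during_establishment: bool) -> tuple[str, str]:
    """(sender, 5GSM message) transporting an EAP message of this Code, per
    6.3.1.1: requests and responses always use the reliable transport
    procedure; success and failure ride on establishment, result or release."""
    if code == EAP_REQUEST:
        return "SMF", "PDU SESSION AUTHENTICATION COMMAND"
    if code == EAP_RESPONSE:
        return "UE", "PDU SESSION AUTHENTICATION COMPLETE"
    if code == EAP_SUCCESS:
        return "SMF", ("PDU SESSION ESTABLISHMENT ACCEPT" if during_establishment
                       else "PDU SESSION AUTHENTICATION RESULT")
    if code == EAP_FAILURE:
        return "SMF", ("PDU SESSION ESTABLISHMENT REJECT" if during_establishment
                       else "PDU SESSION RELEASE COMMAND")
    raise ValueError(f"unknown EAP Code {code}")

# Constructed sample: EAP-Request/Identity (Type 1), Identifier 7
SAMPLE_REQUEST = build_eap(EAP_REQUEST, 7, b"\x01")
# Constructed sample whose Length field claims one octet more than was received
TRUNCATED_REQUEST = struct.pack("!BBH", EAP_REQUEST, 7, 6) + b"\x01"

def classify(raw: bytes, during_establishment: bool) -> str | None:
    """Returns 'sender/message' for a valid packet, None for a malformed one."""
    try:
        pkt = parse_eap(raw)
    except ValueError:
        return None
    sender, msg = carrier_5gsm_message(pkt.code, during_establishment)
    return f"{sender}/{msg}"

if __name__ == "__main__":
    print(classify(SAMPLE_REQUEST, True), classify(TRUNCATED_REQUEST, True))
```

EAP-success and EAP-failure carry no integrity protection of their own in RFC 3748, so when they are transported in PDU SESSION ESTABLISHMENT ACCEPT/REJECT, PDU SESSION AUTHENTICATION RESULT or PDU SESSION RELEASE COMMAND their authenticity rests entirely on the security protection of the NAS transport carrying the 5GSM message; the length checks above guard only against malformed packets, not against a forged result.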
6.3.1.2  PDU EAP message reliable transport procedure

6.3.1.2.1  PDU EAP message reliable transport procedure initiation
In order to initiate the PDU EAP message reliable transport procedure, the SMF shall create a PDU SESSION AUTHENTICATION COMMAND message.
The SMF shall set the PTI IE of the PDU SESSION AUTHENTICATION COMMAND message to "No procedure transaction identity assigned".
The SMF shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message to the EAP-request message provided by the DN or generated locally.
The SMF shall send the PDU SESSION AUTHENTICATION COMMAND message, and the SMF shall start timer T3590 (see example in Figure 6.3.1.1).
Upon receipt of the PDU SESSION AUTHENTICATION COMMAND message, if the UE provided a DNN during the PDU session establishment, the UE shall stop timer T3396, if it is running for the DNN provided by the UE. If the UE did not provide a DNN during the PDU session establishment, the UE shall stop the timer T3396 associated with no DNN if it is running.
Upon receipt of the PDU SESSION AUTHENTICATION COMMAND message, if the UE provided an S-NSSAI and a DNN during the PDU session establishment, the UE shall stop timer T3584, if it is running for the [S-NSSAI of the PDU session, DNN] combination. If the UE provided a DNN but did not provide an S-NSSAI during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [no S-NSSAI, DNN] combination provided by the UE. If the UE provided an S-NSSAI but did not provide a DNN during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [S-NSSAI, no DNN] combination provided by the UE. If the UE provided neither a DNN nor an S-NSSAI during the PDU session establishment, the UE shall stop timer T3584, if it is running for the same [no S-NSSAI, no DNN] combination provided by the UE. The timer T3584 to be stopped includes the timer T3584 applied for all the PLMNs, if running, and the timer T3584 applied for the registered PLMN, if running.
Upon receipt of the PDU SESSION AUTHENTICATION COMMAND message, if the UE provided an S-NSSAI during the PDU session establishment, the UE shall stop timer T3585, if it is running for the S-NSSAI of the PDU session. If the UE did not provide an S-NSSAI during the PDU session establishment, the UE shall stop the timer T3585 associated with no S-NSSAI if it is running. The timer T3585 to be stopped includes the timer T3585 applied for all the PLMNs, if running, and the timer T3585 applied for the registered PLMN, if running.
Upon receipt of a PDU SESSION AUTHENTICATION COMMAND message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message. Apart from this action and the stopping of timers T3396, T3584 and T3585 (if running), the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
6.3.1.2.2  PDU EAP message reliable transport procedure accepted by the UE
When the upper layers provide an EAP-response message responding to the received EAP-request message, the UE shall create a PDU SESSION AUTHENTICATION COMPLETE message.
The UE shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the EAP-response message.
The UE shall transport the PDU SESSION AUTHENTICATION COMPLETE message and the PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
Upon receipt of a PDU SESSION AUTHENTICATION COMPLETE message, the SMF shall stop timer T3590 and provide the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the DN or handle it locally.
6.3.1.2.3  Abnormal cases on the network side
The following abnormal cases can be identified:
  1. T3590 expired.
    The SMF shall, on the first expiry of the timer T3590, retransmit the PDU SESSION AUTHENTICATION COMMAND message and shall reset and start timer T3590. This retransmission is repeated four times, i.e. on the fifth expiry of timer T3590, the SMF shall abort the procedure.
  2. Collision of UE-requested PDU session release procedure and a PDU session authentication and authorization procedure.
    When the SMF receives a PDU SESSION RELEASE REQUEST message during the PDU session authentication and authorization procedure, and the PDU session indicated in the PDU SESSION RELEASE REQUEST message is the PDU session that the SMF had requested to authenticate, the SMF shall abort the PDU session authentication and authorization procedure and proceed with the UE-requested PDU session release procedure.
6.3.1.2.4  Abnormal cases in the UE
The following abnormal cases can be identified:
  1. PDU session inactive for the received PDU session ID.
    If the PDU session ID in the PDU SESSION AUTHENTICATION COMMAND message belongs to any PDU session in state PDU SESSION INACTIVE in the UE, the UE shall send a 5GSM STATUS message with the 5GSM cause IE set to #43 "Invalid PDU session identity".
  2. Collision of UE-requested PDU session release procedure and a PDU session authentication and authorization procedure.
    When the UE receives a PDU SESSION AUTHENTICATION COMMAND message during the UE-requested PDU session release procedure, and the PDU session indicated in the PDU SESSION AUTHENTICATION COMMAND message is the PDU session that the UE had requested to release, the UE shall ignore the PDU SESSION AUTHENTICATION COMMAND message and proceed with the UE-requested PDU session release procedure.

6.3.1.3  PDU EAP result message transport procedure

6.3.1.3.1  PDU EAP result message transport procedure initiation
The PDU EAP result message transport procedure is initiated by the SMF if the PDU session authentication and authorization procedure is performed after the PDU session is established and the DN authentication of the UE completes successfully.
In order to initiate the PDU EAP result message transport procedure, the SMF shall create a PDU SESSION AUTHENTICATION RESULT message.
The SMF shall set the PTI IE of the PDU SESSION AUTHENTICATION RESULT message to "No procedure transaction identity assigned".
The SMF shall set the EAP message IE of the PDU SESSION AUTHENTICATION RESULT message to the EAP-success message provided by the DN.
The SMF shall send the PDU SESSION AUTHENTICATION RESULT message.
Upon receipt of a PDU SESSION AUTHENTICATION RESULT message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION RESULT message. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
6.3.1.3.2  Abnormal cases in the UE |R17|
The following abnormal cases can be identified:
  1. PDU session inactive for the received PDU session ID.
    If the PDU session ID in the PDU SESSION AUTHENTICATION RESULT message belongs to any PDU session in state PDU SESSION INACTIVE in the UE, the UE shall send a 5GSM STATUS message with the 5GSM cause IE set to #43 "Invalid PDU session identity".
  2. Collision of UE-requested PDU session release procedure and a PDU EAP result message transport procedure.
    When the UE receives a PDU SESSION AUTHENTICATION RESULT message during the UE-requested PDU session release procedure, and the PDU session indicated in the PDU SESSION AUTHENTICATION RESULT message is the PDU session that the UE had requested to release, the UE shall ignore the PDU SESSION AUTHENTICATION RESULT message and proceed with the UE-requested PDU session release procedure.
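As an added example, not code from TS 24.501 or from any SMF or UE implementation: a clock-free model of both sides of the PDU EAP message reliable transport procedure (6.3.1.2) and of the PDU EAP result message transport procedure (6.3.1.3), covering the T3590 retransmission limit, the release-collision rules on both sides, the 5GSM STATUS #43 case for an inactive PDU session, and the stopping of T3396, T3584 and T3585 on receipt of a COMMAND. The message names are those of the specification; the Msg class, the timer bookkeeping, the use of None for "no DNN"/"no S-NSSAI", the PTI encoding 0 and the sample EAP byte strings are this example's own assumptions.

```python
"""Added example, not code from TS 24.501: a clock-free model of the SMF and
UE sides of the PDU EAP message reliable transport procedure (6.3.1.2) and the
PDU EAP result message transport procedure (6.3.1.3) with their abnormal cases.
Msg, the timer bookkeeping and PTI value 0 are this example's own modelling."""
from __future__ import annotations
from dataclasses import dataclass

NO_PTI = 0              # "No procedure transaction identity assigned" (assumed encoding)
CAUSE_INVALID_PSI = 43  # 5GSM cause #43 "Invalid PDU session identity"
COMMAND = "PDU SESSION AUTHENTICATION COMMAND"
COMPLETE = "PDU SESSION AUTHENTICATION COMPLETE"
RESULT = "PDU SESSION AUTHENTICATION RESULT"
RELEASE_REQ = "PDU SESSION RELEASE REQUEST"

@dataclass
class Msg:
    name: str
    psi: int                  # PDU session ID carried by the NAS transport
    pti: int = NO_PTI
    eap: bytes = b""          # EAP message IE (COMMAND / COMPLETE / RESULT)
    cause: int | None = None  # 5GSM cause IE (5GSM STATUS only)

class Smf:
    """Resends COMMAND on each T3590 expiry; aborts on the fifth expiry (6.3.1.2.3)."""
    MAX_EXPIRIES = 5
    def __init__(self, psi: int):
        self.psi, self.pending, self.expiries = psi, None, 0
        self.t3590_running, self.aborted, self.to_dn = False, False, []

    def start(self, eap_request: bytes) -> Msg:
        self.pending = Msg(COMMAND, self.psi, NO_PTI, eap_request)
        self.t3590_running, self.expiries = True, 0
        return self.pending

    def on_t3590_expiry(self) -> Msg | None:
        """Returns the COMMAND to resend (T3590 restarted), or None once aborted."""
        self.expiries += 1
        if self.expiries >= self.MAX_EXPIRIES:
            self._abort()
            return None
        return self.pending

    def _abort(self) -> None:
        self.t3590_running, self.pending, self.aborted = False, None, True

    def receive(self, msg: Msg) -> None:
        if not self.t3590_running or msg.psi != self.psi:
            return
        if msg.name == COMPLETE:
            self.t3590_running = False
            self.to_dn.append(msg.eap)   # EAP-response handed to the DN (or handled locally)
        elif msg.name == RELEASE_REQ:
            self._abort()                # collision: the UE-requested release wins

    def send_result(self, eap_success: bytes) -> Msg:
        return Msg(RESULT, self.psi, NO_PTI, eap_success)   # 6.3.1.3.1: no timer, no reply

class Ue:
    """UE 5GSM layer: EAP content is opaque and only routed to the upper layers."""
    def __init__(self, sessions: dict, backoff_timers: set):
        self.sessions = sessions            # psi -> (S-NSSAI, DNN) of active PDU sessions
        self.backoff = set(backoff_timers)  # (timer, scope, ids) currently running
        self.release_pending: set[int] = set()
        self.to_upper: list[bytes] = []

    def _stop_backoff_timers(self, psi: int) -> None:
        """6.3.1.2.1: stop T3396 for the DNN, T3584 for [S-NSSAI, DNN] and T3585
        for the S-NSSAI, whether scoped to all PLMNs or to the registered PLMN."""
        s_nssai, dnn = self.sessions[psi]
        targets = {("T3396", (dnn,)), ("T3584", (s_nssai, dnn)), ("T3585", (s_nssai,))}
        self.backoff = {t for t in self.backoff if (t[0], t[2]) not in targets}

    def receive(self, msg: Msg, eap_response: bytes | None = None) -> Msg | None:
        """Returns the 5GSM message to send back, if any; eap_response is the
        upper layers' answer to the EAP-request carried by a COMMAND."""
        if msg.name not in (COMMAND, RESULT):
            return None
        if msg.psi not in self.sessions:      # PDU SESSION INACTIVE: 5GSM STATUS #43
            return Msg("5GSM STATUS", msg.psi, NO_PTI, cause=CAUSE_INVALID_PSI)
        if msg.psi in self.release_pending:   # collision with UE-requested release: ignore
            return None
        if msg.name == COMMAND:
            self._stop_backoff_timers(msg.psi)
        self.to_upper.append(msg.eap)         # beyond this, transparent to 5GSM
        if msg.name == COMMAND and eap_response is not None:
            return Msg(COMPLETE, msg.psi, NO_PTI, eap_response)
        return None

def run_happy_path() -> tuple[list[bytes], list[bytes]]:
    """Constructed exchange: one EAP round, then EAP-success via RESULT."""
    eap_req, eap_resp, eap_ok = b"\x01\x01\x00\x05\x01", b"\x02\x01\x00\x05\x01", b"\x03\x01\x00\x04"
    smf = Smf(psi=5)
    ue = Ue({5: ("sst1", "internet")}, {("T3396", "plmn", ("internet",)), ("T3585", "all", ("sst1",))})
    reply = ue.receive(smf.start(eap_req), eap_response=eap_resp)
    smf.receive(reply)
    ue.receive(smf.send_result(eap_ok))
    return smf.to_dn, ue.to_upper
```

Two points the model makes visible. On the UE side the order of checks matters: an inactive PDU session identity is answered with 5GSM STATUS #43, whereas a collision with a pending UE-requested release is answered with silence, so the two cases cannot be merged into one "drop" branch. On the SMF side, because 6.3.1.1 sets the RFC 3748 authenticator retransmission timer to infinity, reliability lives entirely in T3590 at the 5GSM layer, which is why the model retransmits the same COMMAND rather than asking the DN for a new EAP-request, and gives up after the fifth expiry instead of retrying forever.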
6.3.1A  Service-level authentication and authorization procedure |R17|

6.3.1A.1  General

The purpose of the service-level authentication and authorization (service-level-AA) procedure is to enable the DN using NEF services for authentication:
  1. to authenticate the upper layers of the UE, when establishing the PDU session;
  2. to authorize the upper layers of the UE, when establishing the PDU session;
  3. both of the above; or
  4. to re-authenticate the upper layers of the UE after establishment of the PDU session.
The service-level authentication and authorization procedure is used for UUAA as specified in TS 23.256.
The service-level authentication and authorization procedure can be performed only during or after the UE-requested PDU session procedure establishing a non-emergency PDU session. The service-level authentication and authorization procedure shall not be performed during or after the UE-requested PDU session establishment procedure establishing an emergency PDU session.
If the service-level authentication and authorization procedure is performed during the UE-requested PDU session establishment procedure:
  1. and the service-level-AA procedure of the UE completes successfully, the service-level-AA response is transported from the network to the UE as a part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT ACCEPT message; or
  2. and the service-level-AA procedure of the UE completes unsuccessfully, the service-level-AA response is transported from the network to the UE as a part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT REJECT message.
If the service-level authentication and authorization procedure is performed for the established PDU session with re-authentication purpose:
  1. and the service-level-AA procedure of the UE completes successfully, the service-level-AA response is transported from the network to the UE as a part of the network-requested PDU session modification procedure in the PDU SESSION MODIFICATION COMMAND message; or
  2. and the service-level-AA procedure of the UE completes unsuccessfully, the service-level-AA response is transported from the network to the UE as a part of the network-requested PDU session release procedure in the PDU SESSION RELEASE COMMAND message.
There can be several rounds of exchange of a service-level-AA payload for the service to complete the service-level authentication and authorization of the request for a PDU session (see example in Figure 6.3.1A.1-1).
If the UE receives the service-level-AA response in the PDU SESSION ESTABLISHMENT ACCEPT message or the PDU SESSION ESTABLISHMENT REJECT message, the UE passes it to the upper layer.
Reproduction of 3GPP TS 24.501, Fig. 6.3.1A.1-1: Service-level authentication and authorization procedure
6.3.1A.2  Service-level authentication and authorization procedure initiation

In order to initiate the service-level authentication and authorization procedure, the SMF shall create a SERVICE-LEVEL AUTHENTICATION COMMAND message.
The SMF shall set the PTI IE of the SERVICE-LEVEL AUTHENTICATION COMMAND message to "No procedure transaction identity assigned".
The SMF shall set the Service-level-AA payload IE in the Service-level-AA container IE of the SERVICE-LEVEL AUTHENTICATION COMMAND message to the Service-level-AA payload provided by the DN via the NEF.
The SMF shall send the SERVICE-LEVEL AUTHENTICATION COMMAND message, and the SMF shall start timer T3xyz (see example in Figure 6.3.1A.1-1).
Upon receipt of a SERVICE-LEVEL AUTHENTICATION COMMAND message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the Service-level-AA payload received in the Service-level-AA container IE of the SERVICE-LEVEL AUTHENTICATION COMMAND message. Apart from this action, the service-level authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
6.3.1A.3  Service-level authentication and authorization procedure accepted by the UE

When the upper layers provide a Service-level-AA payload, the UE shall create a SERVICE-LEVEL AUTHENTICATION COMPLETE message and set the Service-level-AA payload IE of the Service-level-AA container to the Service-level-AA payload received from the upper layer.
The UE shall transport the SERVICE-LEVEL AUTHENTICATION COMPLETE message and the PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5. Apart from this action, the service-level authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
Upon receipt of a SERVICE-LEVEL AUTHENTICATION COMPLETE message, the SMF shall stop timer T3xyz and provide the Service-level-AA payload received in the Service-level-AA container IE of the SERVICE-LEVEL AUTHENTICATION COMPLETE message to the DN.

6.3.1A.4  Abnormal cases on the network side

6.3.1A.5  Abnormal cases in the UE

The following abnormal case can be identified:
  1. Collision of UE-requested PDU session release procedure and a service-level authentication and authorization procedure.
    When the UE receives a SERVICE-LEVEL AUTHENTICATION COMMAND message during the UE-requested PDU session release procedure, and the PDU session indicated in the SERVICE-LEVEL AUTHENTICATION COMMAND message is the PDU session that the UE has requested to release, the UE shall ignore the SERVICE-LEVEL AUTHENTICATION COMMAND message and proceed with the UE-requested PDU session release procedure.