Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 24.502  Word version:  18.6.0

Top   Top   Up   Prev   Next
1…   4…   5…   5.3B…   6…   7…   7.2.5…   7.3…   7.3A…   7.4…   7.6…   7.9…   7.10…   8…   9…   9.3…   9.3.2…   9.3.2.2.3…   9.3.3…

 

6  UE - 5GC network protocolsp. 29

6.1  Generalp. 29

This clause specifies the related procedures performed between the UE and untrusted or trusted non-3GPP access network or wireline access network.

6.2Void

6.3  Authentication and authorization for accessing 5GS via non-3GPP access networkp. 30

6.3.1  Generalp. 30

In order to register to the 5G core network (5GCN) via untrusted non-3GPP IP access, the UE first needs to be configured with a local IP address from the untrusted non-3GPP access network (N3AN).
Once the UE is configured with a local IP address, the UE shall select the Non-3GPP InterWorking Function (N3IWF) as described in clause 7.2 and shall initiate the IKEv2 SA establishment procedure as described in clause 7.3. During the IKEv2 SA establishment procedure, authentication and authorization for access to 5GCN is performed.
In a trusted non-3GPP access, a UE shall first connect to a TNAN using a link layer protocol and shall initiate EAP authentication. During EAP authentication, authentication and authorization for access to 5GCN is performed by exchange of EAP-5G message encapsulated in the link layer protocol between the UE and the TNAN, see clause 7.3A.2.1. Upon completion of EAP authentication, the UE shall be assigned an IP address by that TNAN. Once the UE is configured with an IP address, it shall initiate the IKEv2 SA establishment procedure as described in clause 7.3A.
In wireline access, the 5G-RG shall first establish connection using W-CP protocol stack with a W-AGF serving the 5G-RG using means out of scope of the present document.
In wireline access, authentication and authorization of an N5GC device behind a CRG for access to 5GCN is performed as described in clause 6.3.2.
Up

6.3.2  Authentication of N5GC device behind a CRG over wireline access |R16|p. 30

In order to register to 5GCN via wireline access, the N5GC device first establishes a layer-2 connection to W-AGF via the CRG as specified in CableLabs WR-TR-5WWC-ARCH- V02-200430 [36]. Once the layer-2 connection is established, authentication and authorization for access to 5GCN is performed.
The W-AGF initiates an exchange of EAP-Request/Identity message and EAP-Response/Identity message as specified in RFC 3748 for obtaining the identity of the N5GC device. In wireline access, the W-AGF and the N5GC device exchange EAP-Request/Identity message and EAP-Response/Identity message via the CRG, encapsulated in the link layer protocol packets.
Upon reception of EAP-Request/Identity message, the N5GC device shall:
  1. construct an EAP-Response/Identity message as described in RFC 3748 containing an NAI username@realm as specified in RFC 7542; and
  2. transmit the EAP-Response of identity type encapsulated in the link layer protocol packets towards the W-AGF.
The CRG conveys the information provided by the N5GC device to the W-AGF which initiates the registration on behalf of the N5GC device as described in TS 24.501. The SUPI of the N5GC device contains a network specific identifier. For the registration, the W-AGF uses the NULL scheme as specified in TS 33.501, to construct a SUCI from the SUPI which was received as the NAI from the N5GC device in the EAP-Response/Identity message.
An exchange of the EAP request and EAP response as described in RFC 3748 occurs until the N5GC device is authenticated by the 5GCN with the EAP authentication described in TS 33.501.
Upon completion of successful authentication and on reception of the authentication result from the AMF, the W-AGF serving the N5GC device shall complete the procedure by sending an EAP-Success message encapsulated in the link layer protocol packets.
Up

6.3a  Authentication for 5G NSWO |R17|p. 31

A UE that supports 5G NSWO can be configured to use 5G NSWO for authentication with WLAN, as specified in Annex S of TS 33.501. If the UE is configured to use 5G NSWO for authentication with WLAN, the UE shall not use EPS NSWO as specified in TS 33.501. 5G NSWO capability can be enabled and disabled via configuration on the USIM (see TS 31.102) or on the ME. Configuration on the USIM shall take precedence over the ME.
In order to use 5G NSWO, and if the WLAN access network requires 5GS-based authentication of a UE to connect to the WLAN, the UE shall perform:
  1. the EAP-AKA' authentication procedure as specified in TS 33.501 Annex S.3, if the UE does not operate in SNPN access operation mode for 5G NSWO; or
  2. any key-generating EAP authentication method as specified in subclause I.10.5 of TS 33.501, if the UE operates in SNPN access operation mode for 5G NSWO.
The UE shall use as its identity the SUCI in NAI format for 5G NSWO as defined in clause 28.7.12 of TS 23.003 when:
  • the UE does not operate in SNPN access operation mode for 5G NSWO;
  • the UE operates in SNPN access operation mode for 5G NSWO and the PLMN subscription is selected; or
  • the UE operates in SNPN access operation mode for 5G NSWO and an indication to use SUPI which is associated with the selected entry of the "list of subscriber data", is not configured in the ME.
If:
  1. the UE operates in SNPN access operation mode for 5G NSWO;
  2. the UE uses the "null-scheme" as specified in TS 33.501 to generate a SUCI; and
  3. an indication to use anonymous SUCI which is associated with the selected entry of the "list of subscriber data", is configured in the ME;
then the UE shall use as its identity the anonymous SUCI in NAI format as specified in clause 28.7.12 of TS 23.003.
If:
  1. the UE operates in SNPN access operation mode for 5G NSWO; and
  2. an indication to use SUPI which is associated with the selected entry of the "list of subscriber data", is configured in the ME;
then the UE:
  1. if the indication to use SUPI is set to "SUPI", shall use as its identity the SUPI, in NAI format as specified in clause 28.7.12 of TS 23.003; or
  2. if the indication to use SUPI is set to "anonymous SUPI", shall use as its identity the anonymous SUPI in NAI format as specified in clause 28.7.12 of TS 23.003;
Upon receipt of an EAP-Request/AKA'-Challenge message the UE shall apply the rules for comparison of the locally determined ANID "5G:NSWO" (see Table 8.1.1.2-2 of TS 24.302) and the Network Name field of the AT_KDF_INPUT attribute received in the EAP-Request/AKA'-Challenge message as specified in RFC 5448.
A:
  1. roaming UE; or
  2. UE which selected a non-subscribed SNPN in the SNPN selection procedures for 5G NSWO;
that supports 5G NSWO and is configured to use 5G NSWO for authentication with WLAN shall use as its identity the SUCI in decorated NAI format or the SUPI in decorated NAI format, as specified for 5G NSWO in clause 28.7.9 of TS 23.003.
Up

6.3b  5G NSWO provided by 5G-RG |R18|p. 32

6.3b.1  Generalp. 32

The 5G-RG may support acting as the WLAN access network entity as defined in clause 4.2.15 and clause 5.42 of TS 23.501. This clause applies in that case.
The 5G-RG shall register to 5GC before initiating the authentication for 5G NSWO.

6.3b.2  Authentication for 5G NSWO provided by 5G-RGp. 32

The 5G-RG shall handle the EAP messages:
  1. from the UE behind the 5G-RG; or
  2. to the UE behind the 5G-RG,
in the same way as the WLAN access network as specified in TS 33.501 Annex S.3.
The 5G-RG shall handle messages of the Swa' reference point from the NSWOF or to the NSWOF in the same way as the WLAN access network as specified in TS 33.501 Annex S.3. Messages of Swa' reference point are user data packets. The W-AGF serving the 5G-RG is not impacted by passing of the messages of Swa' reference point.
Up

6.4  Handling of ANDSP Informationp. 32

6.4.1  Generalp. 32

The Access Network Discovery & Selection policy (ANDSP) is used to control UE behavior related to access network discovery and selection of trusted and untrusted non-3GPP access network.
ANDSP consists of:
  • WLAN Selection Policy (WLANSP); and
  • Non-3GPP access network (N3AN) node configuration information.
The UE uses the WLANSP for selecting the WLAN.
The UE uses the Non-3GPP access network (N3AN) node configuration information for selecting a N3AN node (i.e. N3IWF or ePDG).
When roaming, the UE can receive ANDSP from H-PCF or V-PCF or both with following exception:
  • the V-PCF only provides the N3AN node configuration information containing slice-specific N3IWF prefix configuration applicable for the visited PLMN (see clause 7.2.2).The UE shall ignore the N3AN node configuration information containing the information other than slice-specific N3IWF prefix configuration in the ANDSP if the ANDSP is provided by V-PCF.
The structure and the content of ANDSP are defined in TS 24.526.
Up

6.4.2  UE proceduresp. 33

6.4.2.1  Generalp. 33

When ANDSP is modified based on information received from network as specified in TS 24.501 Annex D, the UE shall re-evaluate the ANDSP.
The received ANDSP information shall not impact the PLMN selection and reselection procedures specified in TS 23.122.
The UE shall periodically re-evaluate ANDSP. The value of the periodic re-evaluation timer is implementation dependent. The additional trigger for (re-)evaluating ANDSP is when the active WLANSP rule becomes invalid (conditions no longer fulfilled), or other manufacturer specific trigger.
Up

6.4.2.2  Use of WLAN selection informationp. 33

During automatic mode WLAN selection, the UE shall use the WLAN selection policy (WLANSP), if provided by the PCF, to determine the selected WLAN as described in clause 5.3.

6.4.2.3  Use of N3AN node configuration informationp. 33

If the UE accesses 5GCN via the non-3GPP access, the UE shall use the N3AN node configuration information to select an N3AN node as described in clause 7.2, to be used for establishing IKEv2 security association as described in clause 7.3.

6.4.3  ANDSP information from the networkp. 33

ANDSP information is provided by the network to the UE using the UE policy delivery procedure described in Annex D of TS 24.501.

Up   Top   ToC