1. The AUN3 device initiates a layer 2 connection with the 5G-RG either via Ethernet or WLAN. If the layer 2 connection is based on Ethernet, steps 20-21 are skipped.
2. The 5G-RG shall initiate the EAP authentication procedure by sending an EAP Request/Identity to the AUN3 device in a layer 2 frame (e.g., EAPOL).
3. The AUN3 device shall send back an EAP Response/Identity including its Network Access Identifier (NAI) in the form of username@realm. If the AUN3 device supports SUPI privacy, the AUN3 device shall send the SUCI in the EAP Response/Identity.
4. If an NAI-based SUPI is received from the AUN3 device in step 3, the 5G-RG shall construct a SUCI from it using the null-scheme. The 5G-RG shall send a NAS Registration Request message to the AMF, including the SUCI of the AUN3 device and an AUN3 device indicator.
5. The AMF/SEAF shall select the AUSF based on the SUCI in the received Registration Request and send to the AUSF a Nausf_UEAuthentication_Authenticate Request message, including the SUCI of the AUN3 device and the AUN3 device indicator.
6. The AUSF shall send to the UDM a Nudm_UEAuthentication_Get Request message, including the SUCI of the AUN3 device and the AUN3 device indicator.
7. Upon reception of the Nudm_UEAuthentication_Get Request, the UDM shall invoke the SIDF to map the SUCI to the SUPI and shall select EAP-AKA' as the authentication method based on the SUPI and the AUN3 device indicator. The UDM/ARPF shall generate an authentication vector using the Access Network Identity as the KDF input parameter.
8. The UDM shall send to the AUSF a Nudm_UEAuthentication_Get Response message including the EAP-AKA' authentication vector (RAND, AUTN, XRES, CK' and IK') and the SUPI. According to the AUN3 subscription data, the UDM shall also send the MSK indicator to the AUSF to indicate that the AUN3 device does not support the 5G key hierarchy.
9. The AUSF shall store XRES for future verification. The AUSF shall send the EAP-Request/AKA'-Challenge message to the AMF/SEAF in a Nausf_UEAuthentication_Authenticate Response message.
10. The AMF/SEAF shall send the EAP-Request/AKA'-Challenge message to the 5G-RG in the NAS Authentication Request message.
11. The 5G-RG shall send the EAP-Request/AKA'-Challenge message to the AUN3 device, encapsulated in a layer 2 (L2) message.
12. On receipt of the EAP-Request/AKA'-Challenge message, the AUN3 device shall verify the message, generate the authentication response and derive keys as described in RFC 5448.
13. The AUN3 device shall send the EAP-Response/AKA'-Challenge message to the 5G-RG, encapsulated in a layer 2 message.
14. The 5G-RG shall send the EAP-Response/AKA'-Challenge message to the AMF/SEAF in a NAS Authentication Response message.
15. The AMF/SEAF shall send the EAP-Response/AKA'-Challenge message to the AUSF in a Nausf_UEAuthentication_Authenticate Request message.
16. The AUSF shall verify the EAP-Response/AKA'-Challenge message as described in RFC 5448. If the verification is successful, based on the MSK indicator received in step 8, the AUSF shall generate the MSK as described in RFC 5448 and shall not generate the KAUSF.
17. The AUSF shall send to the AMF/SEAF a Nausf_UEAuthentication_Authenticate Response message including the EAP-Success, the MSK and the SUPI.
18. Based on the received MSK, the AMF shall not generate the KAMF. The AMF shall send the EAP-Success and the MSK to the 5G-RG in an N1 message.
NOTE: Step 18 could be a NAS Security Mode Command or an Authentication Result message. If step 18 is a NAS Security Mode Command, it uses NULL encryption and NULL integrity protection, since a NAS security context is not required in this scenario.
19. The 5G-RG sends the EAP-Success message to the AUN3 device in a layer 2 frame.
20. If the layer 2 connection is over WLAN (IEEE 802.11), the AUN3 device and the 5G-RG use the first 256 bits of the MSK as the PMK, from which the WLAN keys are derived.
21. The AUN3 device and the 5G-RG perform the four-way handshake to establish the WLAN secure connection.
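The key material that flows through steps 7, 12, 16, 18, 20 and 21 can be followed end to end in code. The block below is an added example, not 3GPP text or any vendor's implementation: it derives CK'/IK' from CK/IK and the Access Network Identity (RFC 5448 section 3.3), runs PRF' to obtain K_encr, K_aut, K_re, MSK and EMSK (RFC 5448 section 3.4), models the AUSF decision of step 16 (with the MSK indicator the AUSF outputs the MSK and derives no KAUSF; the contrasting branch, KAUSF as the most significant 256 bits of EMSK, follows TS 33.501 clause 6.1.3.1 and is not part of this procedure), takes the first 256 bits of the MSK as the PMK (step 20), and goes one step further than the text by deriving the WPA2 PTK (KCK, KEK, TK) of the four-way handshake in step 21 with the IEEE 802.11 HMAC-SHA-1 PRF used for AKM suites 1 and 2. Every input (CK, IK, SQN xor AK, the EAP identity, the Access Network Identity string, the MAC addresses and nonces) is a constructed sample value, not real subscriber or network material; in particular the "5G:mnc...3gppnetwork.org" string is only an assumed placeholder for whatever Access Network Identity the UDM/ARPF and the AUN3 device actually use.

```python
"""EAP-AKA' (RFC 5448) key chain for an AUN3 device that does not support the
5G key hierarchy, down to the WLAN PMK/PTK. Added example; all inputs are
constructed sample values."""
import hashlib
import hmac

FC_CK_IK_PRIME = b"\x20"  # FC value for the CK'/IK' derivation (RFC 5448 section 3.3)


def derive_ck_ik_prime(ck: bytes, ik: bytes, access_network_identity: bytes,
                       sqn_xor_ak: bytes) -> tuple:
    """Step 7 / step 12: CK' | IK' = HMAC-SHA-256(CK | IK, FC | P0 | L0 | P1 | L1),
    P0 = Access Network Identity, P1 = SQN xor AK. CK' is the first 128 bits."""
    if len(ck) != 16 or len(ik) != 16 or len(sqn_xor_ak) != 6:
        raise ValueError("CK and IK are 128 bits, SQN xor AK is 48 bits")
    s = (FC_CK_IK_PRIME
         + access_network_identity + len(access_network_identity).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]


def prf_prime(key: bytes, seed: bytes, out_len: int) -> bytes:
    """RFC 5448 section 3.4.1: T1 = HMAC(K, S|0x01), Tn = HMAC(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < out_len:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:out_len]


def eap_aka_prime_keys(ck_prime: bytes, ik_prime: bytes, identity: bytes) -> dict:
    """RFC 5448 section 3.4: MK = PRF'(IK'|CK', "EAP-AKA'"|Identity), 1664 bits,
    split into K_encr (128), K_aut (256), K_re (256), MSK (512), EMSK (512).
    'identity' is the identity exactly as sent in EAP-Response/Identity."""
    mk = prf_prime(ik_prime + ck_prime, b"EAP-AKA'" + identity, 208)
    return {"K_encr": mk[0:16], "K_aut": mk[16:48], "K_re": mk[48:80],
            "MSK": mk[80:144], "EMSK": mk[144:208]}


def ausf_key_output(keys: dict, msk_indicator: bool) -> tuple:
    """Step 16: with the MSK indicator from the UDM the AUSF forwards the MSK
    and derives no KAUSF. Otherwise (not this procedure) 5G EAP-AKA' takes
    KAUSF as the most significant 256 bits of EMSK (TS 33.501 clause 6.1.3.1)."""
    if msk_indicator:
        return "MSK", keys["MSK"]
    return "KAUSF", keys["EMSK"][:32]


def pmk_from_msk(msk: bytes) -> bytes:
    """Step 20: IEEE 802.11 uses the first 256 bits of the MSK as the PMK."""
    return msk[:32]


def ptk_wpa2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Step 21: PTK = PRF-384(PMK, "Pairwise key expansion",
    Min(AA,SPA)|Max(AA,SPA)|Min(ANonce,SNonce)|Max(ANonce,SNonce)); the 802.11
    PRF is HMAC-SHA-1(K, A | 0x00 | B | i) for i = 0, 1, ... (AKM 00-0F-AC:1/2)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, i = b"", 0
    while len(out) < 48:
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    ptk = out[:48]
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def run_example() -> dict:
    """Whole chain on constructed inputs (no real subscriber material)."""
    ck = bytes.fromhex("00112233445566778899aabbccddeeff")          # constructed
    ik = bytes.fromhex("ffeeddccbbaa99887766554433221100")          # constructed
    sqn_xor_ak = bytes.fromhex("0102030405ab")                      # constructed
    an_id = b"5G:mnc001.mcc001.3gppnetwork.org"                     # assumed placeholder
    identity = b"aun3-device@example.com"                           # constructed NAI
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, an_id, sqn_xor_ak)
    keys = eap_aka_prime_keys(ck_p, ik_p, identity)
    name, ausf_out = ausf_key_output(keys, msk_indicator=True)      # step 16
    pmk = pmk_from_msk(ausf_out)                                    # step 20
    aa = bytes.fromhex("020000000001")                              # 5G-RG WLAN MAC (constructed)
    spa = bytes.fromhex("020000000002")                             # AUN3 device MAC (constructed)
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    return {"ausf_output": name, "PMK": pmk, **ptk_wpa2(pmk, aa, spa, anonce, snonce)}


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v if isinstance(v, str) else v.hex())
```

The CK'/IK' and PRF' parts can be checked against the test vectors in RFC 5448 Appendix C; the AUSF branch is the point of the MSK indicator in step 8, since the same MK yields either an MSK handed to the 5G-RG or a KAUSF kept in the core, never both in this procedure.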