Non-seamless WLAN offload (NSWO) is an optional capability of a UE supporting WLAN radio access. A UE supporting non-seamless WLAN offload may, while connected to WLAN access, route specific IP flows via the WLAN access without traversing the 3GPP core network.
The present Annex specifies the support for authentication for NSWO in 5GS (5G NSWO).
5G NSWO shall use EAP-AKA', as specified in RFC 5448, for authentication. The EAP-AKA' implementations shall comply with the EAP-AKA' profile specified in Annex F of the present document.
A new network function, called NSWO NF, is introduced to support authentication for NSWO in 5GS. The NSWO NF interfaces to the WLAN access network using SWa interface and interfaces to the AUSF using Service Based Interface (SBI).
An HPLMN that supports 5G NSWO and wants the UE to use 5G NSWO shall configure the UE to use 5G NSWO. This configuration shall be either on the USIM or ME, with configuration on the USIM taking precedence over the ME.
A UE that supports 5G NSWO and is configured to use 5G NSWO shall always use 5G NSWO (i.e., it shall not use EPS NSWO defined in TS 23.402).
The UE sends an EAP Response/Identity message. The UE shall use the SUCI in NAI format (i.e., username@realm format) as its identity irrespective of whether SUPI Type configured on the USIM is IMSI or NAI. If the SUPI Type configured on the USIM is IMSI, the UE shall construct the SUCI in NAI format with username containing the encrypted MSIN and the realm part containing the MCC/MNC.
The NSWO NF shall send the message Nausf_UEAuthentication_Authenticate Request with SUCI, Serving Network name and NSWO indicator towards the AUSF. NSWO_indicator is used to indicate to the AUSF that the authentication request is for Non-seamless WLAN offload purposes. The NSWO NF shall set the Serving Network name to "5G:NSWO".
Upon reception of the Nudm_UEAuthentication_Get Request, the UDM shall invoke SIDF. SIDF shall de-conceal SUCI to gain SUPI before UDM can process the request. Based on the NSWO indicator, the UDM/ARPF shall select the EAP-AKA' authentication method. UDM shall generate and include the EAP-AKA' authentication vector (RAND, AUTN, XRES, CK' and IK') and may include SUPI to AUSF in a Nudm_UEAuthentication_Get Response message.
At receipt of the RAND and AUTN in the EAP-Request/AKA'-Challenge message, the ME shall construct the SN name by setting it to "5G:NSWO", and the USIM in the UE shall verify the freshness of the AV' by checking whether AUTN can be accepted as described in TS 33.102. If so, the USIM computes a response RES. The USIM shall return RES, CK, IK to the ME. The ME shall derive CK' and IK' according to Annex A.3. If the verification of the AUTN fails on the USIM, then the USIM and ME shall proceed as described in sub-clause 184.108.40.206. The UE may derive MSK from CK' and IK' as per Annex F and as described in RFC 5448. When the UE is performing NSWO authentication, the KAUSF shall not be generated by the UE.
The AUSF shall verify whether the received response RES matches the stored and expected response XRES. If the verification succeeds, the AUSF continues to step 16; otherwise it returns an error to the NSWO NF. The AUSF shall derive the required MSK key from CK' and IK' as per Annex F and as described in RFC 5448, based on the NSWO indicator received in step 5. The AUSF shall not generate the KAUSF.
The AUSF shall send Nausf_UEAuthentication_Authenticate Response message with EAP-Success and MSK key to NSWO NF. The AUSF may optionally provide the SUPI to NSWO NF. The AUSF/UDM shall not perform the linking increased home control to subsequent procedures (as stated in present document clause 6.1.4).
Upon receiving the EAP-Success message, the UE derives the MSK as specified in step 11, if it has not derived the MSK earlier. The UE uses MSK to perform 4-way handshake to establish a secure connection with the WLAN AN.
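The key derivation described above, from CK and IK through CK' and IK' to the MSK, can be followed in the sketch below. It is an added illustration based on the RFC 5448 formulas and is not part of the specification text; the function names, the sample CK, IK and SQN xor AK values and the identity string are constructed placeholders, and the identity actually fed into the derivation is governed by the Annex F profile.

```python
import hashlib
import hmac

SN_NAME = b"5G:NSWO"  # serving network name fixed by the annex for NSWO

# Constructed sample values (not real credentials).
CK, IK = bytes(range(16)), bytes(range(16, 32))
SQN_XOR_AK = bytes.fromhex("0a0b0c0d0e0f")
IDENTITY = b"user@example.invalid"  # placeholder identity string


def derive_ck_ik_prime(ck, ik, sqn_xor_ak, sn_name=SN_NAME):
    """CK'/IK' per RFC 5448: HMAC-SHA-256(CK||IK, FC||P0||L0||P1||L1), FC=0x20."""
    if len(ck) != 16 or len(ik) != 16 or len(sqn_xor_ak) != 6:
        raise ValueError("CK and IK are 16 bytes, SQN xor AK is 6 bytes")
    s = (b"\x20" + sn_name + len(sn_name).to_bytes(2, "big")
         + sqn_xor_ak + (6).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]  # (CK', IK')


def prf_prime(key, s, length):
    """RFC 5448 PRF': T1 = HMAC(K, S|0x01), Tn = HMAC(K, Tn-1|S|n)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def derive_msk(ck_p, ik_p, identity):
    """MK = PRF'(IK'|CK', "EAP-AKA'"|Identity); MSK is bytes 80..143 of MK."""
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity, 208)
    return mk[80:144]  # follows K_encr (16), K_aut (32), K_re (32)


def ausf_check_and_msk(res, xres, ck_p, ik_p, identity):
    """Network side: constant-time RES/XRES check, MSK only on success."""
    if not hmac.compare_digest(res, xres):
        return None  # the AUSF returns an error to the NSWO NF
    return derive_msk(ck_p, ik_p, identity)


if __name__ == "__main__":
    ck_p, ik_p = derive_ck_ik_prime(CK, IK, SQN_XOR_AK)
    print("MSK:", derive_msk(ck_p, ik_p, IDENTITY).hex())
```

Because the serving network name is an input to CK' and IK', an MSK derived for "5G:NSWO" differs from one derived under any other serving network name for the same CK and IK, and neither side derives KAUSF in this flow.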