. For SNPN the procedures are re-used with the following modifications:
Steps 0-4 are performed as described in
clause 7A.2.1.
In step 5, the SUCI can be an onboarding SUCI.
Further in step 5, the SUCI carried in AN parameter and NAS-PDU can be of type anonymous SUCI if the construction of SUCI as described in
clause 6.12 cannot be used and if the employed EAP method supports SUPI privacy. If anonymous SUCI is used, the UE shall send a 64-bit random number as a key identifier in the AN parameters. The random number generation should follow the recommendations given in
SP 800-90A [110] or equivalent. If the UE provides a key identifier already allocated in the TNGF, the UE will be rejected.
Step 6-7 is performed as described in
clause 7A.2.1.
In step 8 of
clause 7A.2.1, in case the AUSF receives an onboarding indication, the AUSF shall perform steps 6-10 and 14-17 as described in
Annex I.2.2.2.
In the selection of UE authentication method in step 8 of
clause 7A.2.1, 5G AKA, EAP-AKA', or any other key-generating EAP authentication method apply. When the
"username" part of the SUPI is
"anonymous" or omitted, the UDM may select an authentication method based on the
"realm" part of the SUPI or on the UDM local policy.
In case the AUSF received an anonymous SUCI in step 7 (but no onboarding indication was received) the AUSF shall perform steps 11-13 of
Annex I.2.2.2 after a successful authentication to inform the UDM of the actual SUPI. In case anonymous SUCI and onboarding indication was received in step 7, steps 11-13 of
Annex I.2.2.2 can be skipped.
Steps 9-12 are performed as described in
clause 7A.2.1.
In step 13, in case anonymous SUCI was used in step 5, the key identifier sent in the AN parameters is used in the IDi payload. If the key identifier is not the same as the one sent in step 5, the IPsec setup will fail and the UE will be rejected.
Steps 14-19 are performed as described in
clause 7A.2.1.