4.9 Authentication and Security

23.4023GPPArchitecture enhancements for non-3GPP accessesRelease 18TS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

4.9.1 Access Authentication in non-3GPP Accesses

Non-3GPP access authentication defines the process that is used for Access Control i.e. to permit or deny a subscriber to attach to and use the resources of a non-3GPP IP access which is interworked with the EPC network. Non-3GPP access authentication signalling is executed between the UE and the 3GPP AAA server/HSS. The authentication signalling may pass through AAA proxies.

3GPP based access authentication is executed across a SWa/STa reference point as depicted in the EPS architecture diagram. Following principles shall apply in this case:

– Transport of authentication signalling shall be independent of the non-3GPP IP Access technology.

– The 3GPP based access authentication signalling shall be based on IETF protocols, for e.g., Extensible Authentication Protocol (EAP) as specified in RFC 3748 [11].

The details of the access authentication procedure are defined in TS 33.402 [45].

4.9.2 Tunnel Authentication

Tunnel authentication refers to the procedure by which the UE and the ePDG perform mutual authentication during the IPsec tunnel establishment between the UE and the ePDG (SWu reference point).

Tunnel authentication is used only in case of Untrusted Non-3GPP Access and is executed across a SWm reference point as depicted in the EPS architecture diagram.

The details of the tunnel authentication procedure are defined in TS 33.402 [45].

4.9.3 Support for EAP Re-Authentication

A non-3GPP access network (typically, a WLAN) may utilize EAP re-authentication as specified in RFC 6696 [85] in order to provide enhanced performance and optimize the user experience. As an example, a WLAN access network may utilize EAP re-authentication in order to enable Fast Initial Link Setup (specified in IEEE 802.11ai) and minimize the link-setup delay between the UE and the WLAN access network.

An EPC network may optionally support EAP re-authentication for interworking with non-3GPP accesses. Also, the UE may optionally support EAP re-authentication. By using EAP re-authentication, UEs can connect to EPC via non-3GPP access and utilize EPC services with enhanced performance. For example, a UE may experience improved voice-over-IMS service due to the small link-setup delay that occurs when the UE transitions between access points in the non-3GPP access network.

When an EPC network supports EAP re-authentication, the functionality of the 3GPP AAA server/proxy and the procedures over STa, SWa and SWd interfaces shall be enhanced in order to support the applicable procedures specified in RFC 6696 [85]. Also, when a UE supports EAP re-authentication, the UE shall be enhanced in order to support the functionality of the EAP re-authentication peer RFC 6696 [85]. EAP re-authentication over the SWu interface (i.e. when the UE establishes a secure connection with the ePDG) is not applicable.

When an EPC network supports EAP re-authentication, one or both of the following scenarios shall be supported:

– The EAP re-authentication server (defined in RFC 6696 [85]) is located in the non-3GPP access network.

– The EAP re-authentication server is located in the EPC network. In this case it shall be collocated with the 3GPP AAA server or with the 3GPP AAA proxy.