5.4.1 Primary authentication and key agreement procedure

24.5013GPPNon-Access-Stratum (NAS) protocol for 5G System (5GS)Release 18Stage 3TS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

5.4.1.1 General

The purpose of the primary authentication and key agreement procedure is to enable mutual authentication between the UE and the network and to provide keying material that can be used between the UE and network in subsequent security procedures, as specified in 3GPP TS 33.501 [24].

Two methods are defined:

a) EAP based primary authentication and key agreement procedure.

b) 5G AKA based primary authentication and key agreement procedure.

The UE and the AMF shall support the EAP based primary authentication and key agreement procedure and the 5G AKA based primary authentication and key agreement procedure.

5.4.1.2 EAP based primary authentication and key agreement procedure

5.4.1.2.1 General

The purpose of the EAP based primary authentication and key agreement procedure is to provide mutual authentication between the UE and the network and to agree on the keys K_AUSF, K_SEAF and K_AMF (see 3GPP TS 33.501 [24]).

Extensible authentication protocol (EAP) as specified in IETF RFC 3748 [34] enables authentication using various EAP methods.

EAP defines four types of EAP messages:

a) an EAP-request message;

b) an EAP-response message;

c) an EAP-success message; and

d) an EAP-failure message.

Several rounds of exchanges of an EAP-request message and a related EAP-response message can be required to achieve the authentication (see example in figure 5.4.1.2.1.1).

The EAP based primary authentication and key agreement procedure is always initiated and controlled by the network.

The EAP-request message, the ngKSI and the ABBA are transported from the network to the UE using the AUTHENTICATION REQUEST message of the EAP message reliable transport procedure.

The EAP-response message is transported from the UE to the network using the AUTHENTICATION RESPONSE message of the EAP message reliable transport procedure.

If the authentication of the UE completes successfully, the serving AMF intends to initiate a security mode control procedure after the EAP based primary authentication and key agreement procedure and the security mode control procedure intends to bring into use the partial native 5G NAS security context created by the EAP based primary authentication and key agreement procedure, then the EAP-success message and the ngKSI are transported from the network to the UE using the SECURITY MODE COMMAND message of the security mode control procedure (see subclause 5.4.2).

If the authentication of the UE completes successfully and the serving AMF does not intend to initiate a security mode control procedure bringing into use the partial native 5G NAS security context created by the EAP based primary authentication and key agreement procedure, then the EAP-success message, and the ngKSI are transported from the network to the UE using the AUTHENTICATION RESULT message of the EAP result message transport procedure.

NOTE 1: The serving AMF will not initiate a security mode control procedure after the EAP based primary authentication and key agreement procedure e.g. in case of AMF relocation during registration procedure.

If the authentication of the UE completes unsuccessfully, the EAP-failure message is transported from the network to the UE using the AUTHENTICATION RESULT message or the AUTHENTICATION REJECT message of the EAP result message transport procedure or in a response of the initial 5GMM procedure as part of which the EAP based primary authentication and key agreement procedure is performed.

The AMF shall set the authenticator retransmission timer specified in IETF RFC 3748 [34] subclause 4.3 to infinite value.

NOTE 2: The EAP message reliable transport procedure provides a reliable transport of EAP messages and therefore retransmissions at the EAP layer do not occur.

The AUSF and the AMF support exchange of EAP messages using N12.

The UE shall detect and handle any duplication of EAP message as specified in IETF RFC 3748 [34].

Figure 5.4.1.2.1.1: EAP based primary authentication and key agreement procedure

5.4.1.2.2 EAP-AKA’ related procedures

5.4.1.2.2.1 General

The UE shall support acting as EAP-AKA’ peer as specified in IETF RFC 5448 [40]. The AUSF may support acting as EAP-AKA’ server as specified in IETF RFC 5448 [40]. The AAA server of the Credentials Holder (CH) or the Default Credentials Server (DCS) may support acting as EAP-AKA’ server as specified in IETF RFC 5448 [40].

The EAP-AKA’ enables mutual authentication of the UE and the network.

The UE can reject the EAP-request/AKA’-challenge message sent by the network. The UE shall proceed with an EAP-request/AKA’-challenge message only if a USIM is present.

During a successful EAP based primary authentication and key agreement procedure, the CK and IK are computed by the USIM. CK and IK are then used by the ME as key material to generate an EMSK or MSK.

5.4.1.2.2.2 Initiation

In order to initiate the EAP based primary authentication and key agreement procedure using EAP-AKA’, the AUSF or the AAA server of the CH or the DCS shall send an EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40]. The AUSF or the AAA server of the CH or the DCS shall set the AT_KDF_INPUT attribute of the EAP-request/AKA’-challenge message to the SNN. The SNN is in format described in subclause 9.12.1. The AUSF or the AAA server of the CH or the DCS may include AT_RESULT_IND attribute in the EAP-request/AKA’-challenge message.

The network shall select an ngKSI value. If an ngKSI is contained in an initial NAS message during a 5GMM procedure, the network shall select a different ngKSI value. The network shall send the selected ngKSI value to the UE along with each EAP message. The network shall send the ABBA value as described in subclause 9.11.3.10 to the UE along with the EAP request message and EAP-success message.

Upon receiving an EAP-request/AKA’-challenge message, the UE shall check whether the UE has a USIM, shall check the key derivation function indicated in AT_KDF attributes as specified in IETF RFC 5448 [40], and if the value of the Key derivation function field within the received AT_KDF attribute, is of value 1, shall check:

a) whether the network name field of the AT_KDF_INPUT attribute is the SNN constructed according to subclause 9.12.1; and

b) whether the network name field of the AT_KDF_INPUT attribute matches the PLMN identity or the SNPN identity of the selected SNPN saved in the UE.

When not operating in SNPN access operation mode, the PLMN identity the UE uses for the above network name check is as follows:

a) when the UE moves from 5GMM-IDLE mode to 5GMM-CONNECTED mode, until the first handover, the UE shall use the PLMN identity of the selected PLMN; and

b) after handover or inter-system change to N1 mode in 5GMM-CONNECTED mode:

1) if the target cell is not a shared network cell, the UE shall use the PLMN identity received as part of the broadcast system information;

2) if the target cell is a shared network cell and the UE has a valid 5G-GUTI, the UE shall use the PLMN identity that is part of the 5G-GUTI; and

3) if the target cell is a shared network cell and the UE has a valid 4G-GUTI, but not a valid 5G-GUTI, the UE shall use the PLMN identity that is part of the 4G-GUTI.

When operating in SNPN access operation mode, the SNPN identity the UE uses for the above network name check is the SNPN identity of the selected SNPN.

5.4.1.2.2.3 UE successfully authenticates network

If a USIM is present and the SNN check is successful, the UE shall handle the EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40]. The USIM shall derive CK and IK and compute the authentication response (RES) using the 5G authentication challenge data received from the ME, and pass RES to the ME. The ME shall derive CK’ and IK’ from CK and IK, and if the UE operates in SNPN access operation mode and the credentials in the USIM contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure then derive MSK from CK’ and IK’ otherwise derive EMSK from CK’ and IK’.

NOTE 1: When the UE is registering or registered for onboarding services in SNPN, credentials in the USIM do not contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure.

Furthermore, if the UE operates in SNPN access operation mode and the credentials in the USIM

contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure then the ME may generate a new K_AUSFfrom the MSK otherwise the ME may generate a new K_AUSFfrom the EMSK.

If the ME generates a new K_AUSF, the ME shall generate a new K_SEAF from the new K_AUSF, and the K_AMF from the ABBA received together with the EAP-request/AKA’-challenge message, and the new K_SEAF as described in 3GPP TS 33.501 [24], and create a partial native 5G NAS security context identified by the ngKSI value received together with the EAP-request/AKA’-challenge message in subclause 5.4.1.2.4.2 in the volatile memory of the ME. If the K_AMF and the partial native 5G NAS security context are created, the ME shall store the K_AMFin the created partial native 5G NAS security context, and shall send an EAP-response/AKA’-challenge message as specified in IETF RFC 5448 [40].

NOTE 2: Generation of the new K_AUSFand the new K_SEAF does not result into deletion of the valid K_AUSF and the valid K_SEAF, if any.

The ME shall not use the new K_AUSF in the verification of SOR transparent container and UE parameters update transparent container, if any are received, until receipt of an EAP-success message.

If the EAP-request/AKA’-challenge message contains AT_RESULT_IND attribute, the UE may include AT_RESULT_IND attribute in the EAP-response/AKA’-challenge message as specified in IETF RFC 5448 [40].

5.4.1.2.2.4 Errors when handling EAP-request/AKA’-challenge message

If a USIM is present, the SNN check fails or the UE does not accept AUTN during handling of the EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40], the UE shall send an EAP-response/AKA’-authentication-reject message as specified in IETF RFC 5448 [40].

If a USIM is present, the SNN check is successful but the UE detects that the sequence number in AUTN is not correct during handling of the EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40], the UE shall send an EAP-response/AKA’-synchronization-failure message as specified in IETF RFC 5448 [40].

If a USIM is present, the SNN check is successful, the sequence number in AUTN is correct and the UE detects another error during handling of the EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40], the UE shall send an EAP-response/AKA’-client-error message as specified in IETF RFC 5448 [40].

If a USIM is not present, the UE shall send an EAP-response/AKA’-client-error message as specified in IETF RFC 5448 [40].

For any of the above, the UE shall start timer T3520 when the AUTHENTICATION RESPONSE message containing the EAP-response message is sent. Furthermore, the UE shall stop any of the timers T3510, T3517 or T3521 (if they were running). Upon receiving an AUTHENTICATION REQUEST message with the EAP message IE containing an EAP-request/AKA’-challenge from the network, the UE shall stop timer T3520, if running, and then process the EAP-request/AKA’-challenge information as normal.

5.4.1.2.2.5 Network successfully authenticates UE

Upon reception of the EAP-response/AKA’-challenge message, if procedures for handling an EAP-response/AKA’-challenge message as specified in IETF RFC 5448 [40] are successful and:

a) the AUSF acts as the EAP-AKA’ server, the AUSF shall generate EMSK, the K_AUSF from the EMSK, and the K_SEAF from the K_AUSF as described in 3GPP TS 33.501 [24]; or

b) the AAA server of the CH or the DCS acts as the EAP-AKA’ server, the AAA server of the CH or the DCS shall generate MSK as described in 3GPP TS 33.501 [24];

and:

a) if the AUSF or the AAA server of the CH or the DCS included the AT_RESULT_IND attribute in the EAP-request/AKA’-challenge message and the AT_RESULT_IND attribute is included in the corresponding EAP-response/AKA’-challenge message, the AUSF or the AAA server of the CH or the DCS shall send an EAP-request/AKA’-notification message as specified in IETF RFC 5448 [40]; or

b) if the AUSF or the AAA server of the CH or the DCS:

1) included the AT_RESULT_IND attribute in the EAP-request/AKA’-challenge message and the AT_RESULT_IND attribute is not included in the EAP-response/AKA’-challenge message; or

2) did not include the AT_RESULT_IND attribute in the EAP-request/AKA’-challenge message;

then the AUSF or the AAA server of the CH or the DCS shall send an EAP-success message as specified in IETF RFC 5448 [40] and shall consider the procedure complete.

NOTE 1: When the AAA server of the CH or the DCS acts as the EAP-AKA’ server, the AAA server of the CH or the DCS provides (via the NSSAAF) the MSK and the SUPI to the AUSF. Upon reception of the MSK, the AUSF generates the K_AUSF from the MSK, and the K_SEAF from the K_AUSF as described in 3GPP TS 33.501 [24].

NOTE 2: The AUSF provides the K_SEAFand optionally the SUPI (unless the SEAF provided the AUSF with the SUPI before) to the SEAF as described in 3GPP TS 33.501 [24]. Upon reception of the K_SEAF and optionally the SUPI, the SEAF generates the K_AMFbased on the ABBA, the K_SEAF and the SUPI as described in 3GPP TS 33.501 [24] and provides ngKSI and the K_AMF to the AMF. Upon reception of the ngKSI and the K_AMF, the AMF creates a partial native 5G NAS security context identified by the ngKSI and stores the K_AMFin the created partial native 5G NAS security context.

5.4.1.2.2.6 UE handling EAP-AKA’ notification message

Upon receiving an EAP-request/AKA’-notification message, the UE shall send an EAP-response/AKA’-notification message as specified in IETF RFC 5448 [40].

5.4.1.2.2.6A EAP based Identification initiation by the network

If the AUSF or the AAA server of the CH or the DCS decides to initiate the EAP based identification procedure, the AUSF or the AAA server of the CH or the DCS shall send an EAP-Request/Identity or EAP-Request/AKA’-Identity message as specified in IETF RFC 5448 [40].

The AMF shall encapsulate the EAP-Request/Identity or EAP-Request/AKA’-Identity message in the AUTHENTICATION REQUEST message and send it to the UE.

5.4.1.2.2.6B EAP based Identification response by the UE

Upon receipt of the AUTHENTICATION REQUEST message with EAP-Request/Identity message the UE shall send an AUTHENTICATION RESPONSE message with EAP-Response/Identity to the network. In the EAP-Response/Identity message, the UE shall provide the requested identity according to 3GPP TS 33.501 [24] annex F.2, in the UE identity in the EAP-Response/Identity message as specified in IETF RFC 5448 [40].

Upon receipt of the AUTHENTICATION REQUEST message with EAP-Request/AKA’-Identity message the UE shall send an AUTHENTICATION RESPONSE message with EAP-Response/AKA’-Identity to the network. Based on the attribute received in the EAP-Request/AKA’-Identity, the UE shall provide the requested identity according to 3GPP TS 33.501 [24] annex F.2, in the EAP-Response/AKA’-Identity message, as specified in IETF RFC 5448 [40].

If the EAP-Request/AKA’-Identity carries the AT_PERMANENT_REQ, the UE shall respond with EAP-Response/AKA’-Client-Error with the error code "unable to process packet".

5.4.1.2.2.7 Network sending EAP-success message

Upon reception of the EAP-response/AKA’-notification message, if earlier procedures for handling an EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40] were successful, the AUSF or the AAA server of the CH or the DCS shall send an EAP-success message as specified in IETF RFC 5448 [40] and shall consider the procedure complete.

NOTE: The AUSF provides the K_SEAFto the SEAF. Upon reception of the K_SEAF, the SEAF generates the K_AMFbased on the ABBA and the K_SEAF as described in 3GPP TS 33.501 [24], and provides ngKSI and the K_AMF to the AMF. Upon reception of the ngKSI and the K_AMF, the AMF creates a partial native 5G NAS security context identified by the ngKSI, and stores the K_AMFin the created partial native 5G NAS security context.

5.4.1.2.2.8 UE handling EAP-success message

Upon receiving an EAP-success message, the ME shall:

a) delete the valid K_AUSF and the valid K_SEAF, if any;

b) if the ME has not generated a new K_AUSFand a new K_SEAF and has not created a partial native 5G NAS security context as described in subclause 5.4.1.2.2.3:

1) if the UE operates in SNPN access operation mode and the credentials in the USIM contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure then generate a new K_AUSFfrom the MSK otherwise generate a new K_AUSFfrom the EMSK;

NOTE: When the UE is registering or registered for onboarding services in SNPN, credentials in the USIM do not contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure.

2) generate a new K_SEAF from the new K_AUSF, and the K_AMF from the ABBA that was received with the EAP-success message, and the new K_SEAF as described in 3GPP TS 33.501 [24];

3) create a partial native 5G NAS security context identified by the ngKSI value in the volatile memory of the ME; and

4) store the K_AMFin the created partial native 5G NAS security context; and

c) consider the new K_AUSF to be the valid K_AUSF, and the new K_SEAF to be the valid K_SEAF, reset the SOR counter and the UE parameter update counter to zero, and store the valid K_AUSF,the valid K_SEAF, the SOR counter and the UE parameter update counter as specified in annex C, and use the valid K_AUSF in the verification of SOR transparent container and UE parameters update transparent container, if any are received.

The UE shall consider the procedure complete.

5.4.1.2.2.9 Network not successfully authenticates UE

Upon reception of the EAP-response/AKA’-challenge message, if procedures for handling an EAP-response/AKA’-challenge message as specified in IETF RFC 5448 [40] are not successful, the AUSF or the AAA server of the CH or the DCS shall send an EAP-request/AKA’-notification message that implies failure as specified in IETF RFC 5448 [40].

5.4.1.2.2.10 Network sending EAP-failure message

Upon reception of the EAP-response/AKA’-notification message, if earlier procedures for handling an EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40] were not successful, the AUSF or the AAA server of the CH or the DCS shall send an EAP-failure message as specified in IETF RFC 5448 [40] and shall consider the procedure complete.

If the authentication response (RES) returned by the UE in the AT_RES attribute of the EAP-response/AKA’-challenge message is not valid, the network handling depends upon the type of identity used by the UE in the initial NAS message, that is:

– if the 5G-GUTI was used; or

– if the SUCI was used.

If the 5G-GUTI was used, the network should transport the EAP-failure message in the AUTHENTICATION RESULT message of the EAP result message transport procedure, initiate an identification procedure to retrieve SUCI from the UE and restart the EAP based primary authentication and key agreement procedure with the received SUCI.

If the SUCI was used for identification in the initial NAS message or in a restarted EAP based primary authentication and key agreement procedure, or the network decides not to initiate the identification procedure to retrieve SUCI from the UE after an unsuccessful EAP based primary authentication and key agreement procedure, the network should transport the EAP-failure message in an AUTHENTICATION REJECT message of the EAP result message transport procedure.

Depending on local requirements or operator preference for emergency services, if the UE initiates a registration procedure with 5GS registration type IE set to "emergency registration" and the AMF is configured to allow emergency registration without user identity, the AMF needs not follow the procedures specified for transporting the EAP-failure message in the AUTHENTICATION REJECT message of the EAP result message transport procedure in the present subclause. The AMF may include the EAP-failure message in a response of the current 5GMM specific procedure or in the AUTHENTICATION RESULT of the EAP result message transport procedure.

5.4.1.2.2.11 UE handling EAP-failure message

Upon receiving an EAP-failure message, the UE shall delete the partial native 5G NAS security context and shall delete the new K_AUSFand the new K_SEAF, if any were created as described in subclause 5.4.1.2.2.3.

The UE shall consider the procedure complete.

If the EAP-failure message is received in an AUTHENTICATION REJECT message:

1) if the AUTHENTICATION REJECT message has been successfully integrity checked by the NAS:

– the UE shall set the update status to 5U3 ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI;

In case of PLMN, the USIM shall be considered invalid until switching off the UE or the UICC containing the USIM is removed.

In case of SNPN, if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN and the UE does not support access to an SNPN using credentials from a credentials holder, the entry of the "list of subscriber data" with the SNPN identity of the current SNPN shall be considered invalid until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the current SNPN until switching off or the UICC containing the USIM is removed.

In case of SNPN, if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN and the UE supports access to an SNPN using credentials from a credentials holder, the UE shall consider the selected entry of the "list of subscriber data" as invalid until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the entry until switching off or the UICC containing the USIM is removed.

If the UE is registered for onboarding services in SNPN or is performing initial registration for onboarding services in SNPN, the UE shall store the SNPN identity in the "permanently forbidden SNPNs" list for onboarding services, enter state 5GMM-DEREGISTERED.PLMN-SEARCH, and perform an SNPN selection or an SNPN selection for onboarding services according to 3GPP TS 23.122 [5];

– if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall set:

i) the counter for "SIM/USIM considered invalid for GPRS services" events, the counter for "USIM considered invalid for 5GS services over non-3GPP access" events, and the counter for "SIM/USIM considered invalid for non-GPRS services" events if maintained by the UE, in case of PLMN; or

ii) the counter for "the entry for the current SNPN considered invalid for 3GPP access" events and the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events in case of SNPN;

to UE implementation-specific maximum value.

If the UE is registered for onboarding services in SNPN or performing initial registration for onboarding services in SNPN, the UE shall set the SNPN-specific attempt counter for the current SNPN to the UE implementation-specific maximum value; and

– if the UE is operating in single-registration mode, the UE shall handle EMM parameters, 4G-GUTI, last visited registered TAI, TAI list and eKSI as specified in 3GPP TS 24.301 [15] for the case when the authentication procedure is not accepted by the network. The USIM shall be considered as invalid also for non-EPS services until switching off or the UICC containing the USIM is removed; and

2) if the AUTHENTICATION REJECT message is received without integrity protection, the UE shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running (see subclause 5.3.20).

Additionally, if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall:

a) if the AUTHENTICATION REJECT message is received over 3GPP access, and the counter for "SIM/USIM considered invalid for GPRS services" events in case of PLMN or the counter for "the entry for the current SNPN considered invalid for 3GPP access" events in case of SNPN has a value less than a UE implementation-specific maximum value, proceed as specified in subclause 5.3.20, list item 1)-a) of subclause 5.3.20.2 (if the UE is not operating in SNPN access operation mode) or list item a)-1) of subclause 5.3.20.3 (if the UE is operating in SNPN access operation mode) for the case that the 5GMM cause value received is #3;

b) if the AUTHENTICATION REJECT message is received over non-3GPP access, and the counter for "USIM considered invalid for 5GS services over non-3GPP access" events in case of PLMN or the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events in case of SNPN has a value less than a UE implementation-specific maximum value, proceed as specified in subclause 5.3.20, list item 1)-b) of subclause 5.3.20.2 (if the UE is not operating in SNPN access operation mode) or list item a)-2) of subclause 5.3.20.3 (if the UE is operating in SNPN access operation mode) for the case that the 5GMM cause value received is #3;

c) otherwise:

i) if the AUTHENTICATION REJECT message is received over 3GPP access:

– The UE shall set the update status for 3GPP access to 5U3 ROAMING NOT ALLOWED, delete for 3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI.

– In case of PLMN, the UE shall consider the USIM as invalid for 5GS services via 3GPP access and invalid for non-EPS service until switching off the UE or the UICC containing the USIM is removed.

In case of SNPN, if the UE does not support access to an SNPN using credentials from a credentials holder, the UE shall consider the entry of the "list of subscriber data" with the SNPN identity of the current SNPN as invalid for 3GPP access until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the current SNPN via 3GPP access until switching off or the UICC containing the USIM is removed.

In case of SNPN, if the UE supports access to an SNPN using credentials from a credentials holder, the UE shall consider the selected entry of the "list of subscriber data" as invalid for 3GPP access until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the entry via 3GPP access until switching off or the UICC containing the USIM is removed.

– The UE shall set:

– the counter for "SIM/USIM considered invalid for GPRS services" events and the counter for "SIM/USIM considered invalid for non-GPRS services" events if maintained by the UE, in case of PLMN; or

– the counter for "the entry for the current SNPN considered invalid for 3GPP access" events in case of SNPN;

to UE implementation-specific maximum value.

– If the UE is operating in single-registration mode, the UE shall handle 4G-GUTI, TAI list and eKSI as specified in 3GPP TS 24.301 [15] for the case when the authentication procedure is not accepted by the network. The USIM shall be considered as invalid also for non-EPS services until switching off or the UICC containing the USIM is removed; and

ii) if the AUTHENTICATION REJECT message is received over non-3GPP access:

– the UE shall set the update status for non-3GPP access to 5U3 ROAMING NOT ALLOWED, delete for non-3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI;

– in case of PLMN, the UE shall consider the USIM as invalid for 5GS services via non-3GPP access until switching off the UE or the UICC containing the USIM is removed.

In case of SNPN, the UE shall consider the entry of the "list of subscriber data" with the SNPN identity of the current SNPN as invalid for non-3GPP access until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the current SNPN and for non-3GPP access until switching off or the UICC containing the USIM is removed; and

– the UE shall set:

– the counter for "USIM considered invalid for 5GS services over non-3GPP access" events to UE implementation-specific maximum value in case of PLMN; or

– the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events to UE implementation-specific maximum value in case of SNPN.

If the UE is registered for onboarding services in SNPN or performing initial registration for onboarding services in SNPN, the UE shall:

a) if the SNPN-specific attempt counter for the SNPN sending the AUTHENTICATION REJECT message has a value less than a UE implementation-specific maximum value, increment the SNPN-specific attempt counter for the SNPN; or

b) otherwise, the UE shall set the update status to 5U3.ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI, and ngKSI, store the SNPN identity in the "permanently forbidden SNPNs" list for onboarding services, enter state 5GMM-DEREGISTERED.PLMN-SEARCH, and perform an SNPN selection or an SNPN selection for onboarding services according to 3GPP TS 23.122 [5].

If the AUTHENTICATION REJECT message is received by the UE, the UE shall abort any 5GMM signalling procedure, stop any of the timers T3510, T3517, T3519 or T3521 (if they were running), enter state 5GMM-DEREGISTERED and delete any stored SUCI.

5.4.1.2.2.12 Abnormal cases in the UE

The following abnormal cases can be identified:

a) EAP-request/AKA’-challenge message with the key derivation function indicated in AT_KDF attributes set to a value other than 1.

The UE shall act as specified in IETF RFC 5448 [40] subclause 3.2 for the case when the AUTN had been incorrect.

5.4.1.2.3 EAP-TLS related procedures

5.4.1.2.3.1 General

The UE may support acting as EAP-TLS peer as specified in 3GPP TS 33.501 [24]. The AUSF may support acting as EAP-TLS server as specified in 3GPP TS 33.501 [24]. The AAA server of the CH or the DCS may support acting as EAP server of such EAP method as specified in 3GPP TS 23.501 [8].

The EAP-TLS enables mutual authentication of the UE and the network.

When initiating an EAP based primary authentication and key agreement procedure using EAP-TLS, the network shall select an ngKSI value. If an ngKSI is contained in an initial NAS message during a 5GMM procedure, the network shall select a different ngKSI value. The network shall send the selected ngKSI value to the UE along with each EAP message. The network shall send the ABBA value as described in subclause 9.11.3.10 to the UE along with the EAP-request message and EAP-success message.

When the EAP based primary authentication and key agreement procedure uses EAP-TLS:

a) if the UE operates in SNPN access operation mode and:

1) the default UE credentials for primary authentication, if the UE is registering or registered for onboarding services in SNPN; or

2) credentials in the selected entry of the "list of subscriber data", if the UE is not registering or registered for onboarding services in SNPN;

contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure then the ME shall generate MSK as described in 3GPP TS 33.501 [24] otherwise the ME shall generate EMSKas described in 3GPP TS 33.501 [24];

b) if the AUSF acts as the EAP-TLS server, the AUSF shall generate EMSKas described in 3GPP TS 33.501 [24]; and

c) if the AAA server of the CH or the DCS acts as the EAP-TLS server, the AAA server of the CH or the DCS shall generate MSKas described in 3GPP TS 33.501 [24].

When handling of an EAP-request message results into generation of MSK or EMSK, if the UE operates in SNPN access operation mode and:

a) the default UE credentials for primary authentication, if the UE is registering or registered for onboarding services in SNPN; or

b) credentials in the selected entry of the "list of subscriber data", if the UE is not registering or registered for onboarding services in SNPN;

contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure , then the ME may generate a new K_AUSFfrom the MSK otherwise the ME may generate a new K_AUSFfrom the EMSK.

If the ME generates a new K_AUSF, the ME shall generate a new K_SEAF from the new K_AUSF, and the K_AMF from the ABBA received together with the EAP-request message, and the new K_SEAF as described in 3GPP TS 33.501 [24], and create a partial native 5G NAS security context identified by the ngKSI value received together with the EAP-request message in subclause 5.4.1.2.4.2, in the volatile memory of the ME. If the K_AMF and the partial native 5G NAS security context are created, the ME shall store the K_AMFin the created partial native 5G NAS security context.

NOTE 1: Generation of the new K_AUSFand the new K_SEAF does not result into deletion of the valid K_AUSF and the valid K_SEAF, if any.

The ME shall not use the new K_AUSF in the verification of SOR transparent container and UE parameters update transparent container, if any are received, until receipt of an EAP-success message.

When the AUSF acts as the EAP-TLS server and handling of an EAP response message results into generation of EMSK, the AUSF shall generate the K_AUSF from the EMSK, and the K_SEAF from the K_AUSFas described in 3GPP TS 33.501 [24].

NOTE 2: When the AAA server of the CH or the DCS acts as the EAP-TLS server, the AAA server of the CH or the DCS provides (via the NSSAAF) the MSK and the SUPI to the AUSF. Upon reception of the MSK, the AUSF generates the K_AUSF from the MSK, and the K_SEAF from the K_AUSF as described in 3GPP TS 33.501 [24].

NOTE 3: The AUSF provides the K_SEAFand optionally the SUPI (unless the SEAF provided the AUSF with the SUPI before) to the SEAF as described in 3GPP TS 33.501 [24]. Upon reception of the K_SEAF and optionally the SUPI, the SEAF generates the K_AMFbased on the ABBA, the K_SEAF and the SUPI as described in 3GPP TS 33.501 [24], and provides ngKSI and the K_AMF to the AMF. Upon reception of the ngKSI and the K_AMF, the AMF creates a partial native 5G NAS security context identified by the ngKSI, and stores the K_AMFin the created partial native 5G NAS security context.

If the UE does not accept the server certificate of the network, the UE shall start timer T3520 when the AUTHENTICATION RESPONSE message containing the EAP-response message is sent. Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3510, T3517 or T3521). Upon receiving an AUTHENTICATION REQUEST message with the EAP message IE containing an EAP-request message from the network, the UE shall stop timer T3520, if running, and then process the EAP-request message as normally.

If the network does not accept the client certificate of the UE, the network handling depends upon the type of identity used by the UE in the initial NAS message, that is:

– if the 5G-GUTI was used; or

– if the SUCI was used.

If the SUCI was used for identification in the initial NAS message or in a restarted EAP based primary authentication and key agreement procedure, or the network decides not to initiate the identification procedure to retrieve SUCI from the UE after an unsuccessful the EAP based primary authentication and key agreement procedure, the network should transport the EAP-failure message in an AUTHENTICATION REJECT message of the EAP result message transport procedure.

If the EAP-failure message is received in an AUTHENTICATION REJECT message:

a) if the AUTHENTICATION REJECT message has been successfully integrity checked by the NAS:

1) the UE shall set the update status to 5U3 ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI.

In case of PLMN, the USIM shall be considered invalid until switching off the UE or the UICC containing the USIM is removed.

2) if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall set:

NOTE 4: The term "non-3GPP access" used in the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events, is used to express access to SNPN services via a PLMN.

to UE implementation-specific maximum value.

3) if the UE is operating in single-registration mode, the UE shall handle EMM parameters, 4G-GUTI, last visited registered TAI, TAI list and eKSI as specified in 3GPP TS 24.301 [15] for the case when the authentication procedure is not accepted by the network. The USIM shall be considered as invalid also for non-EPS services until switching off or the UICC containing the USIM is removed; and

b) if the AUTHENTICATION REJECT message is received without integrity protection, the UE shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running (see subclause 5.3.20).

Additionally, if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall:

1) if the AUTHENTICATION REJECT message is received over 3GPP access, and the counter for "SIM/USIM considered invalid for GPRS services" events in case of PLMN or the counter for "the entry for the current SNPN considered invalid for 3GPP access" events in case of SNPN has a value less than a UE implementation-specific maximum value, proceed as specified in subclause 5.3.20, list item 1)-a) of subclause 5.3.20.2 (if the UE is not SNPN enabled or is not operating in SNPN access operation mode) or list item a) 1) of subclause 5.3.20.3 (if the UE is operating in SNPN access operation mode) for the case that the 5GMM cause value received is #3;

2) if the AUTHENTICATION REJECT message is received over non-3GPP access, and the counter for "USIM considered invalid for 5GS services over non-3GPP access" events in case of PLMN or the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events in case of SNPN has a value less than a UE implementation-specific maximum value, proceed as specified in subclause 5.3.20, list item 1)-b) of subclause 5.3.20.2 (if the UE is not operating in SNPN access operation mode) or list item a)-2) of subclause 5.3.20.3 (if the UE is operating in SNPN access operation mode) for the case that the 5GMM cause value received is #3; or

3) otherwise:

i) if the AUTHENTICATION REJECT message is received over 3GPP access:

A) the UE shall set the update status for 3GPP access to 5U3 ROAMING NOT ALLOWED, delete for 3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI.

In case of PLMN, the UE shall consider the USIM as invalid for 5GS services via 3GPP access and invalid for non-EPS service until switching off the UE or the UICC containing the USIM is removed.

B) the UE shall set:

– the counter for "SIM/USIM considered invalid for GPRS services" events and the counter for "SIM/USIM considered invalid for non-GPRS services" events if maintained by the UE, in case of PLMN; or

– the counter for "the entry for the current SNPN considered invalid for 3GPP access" events in case of SNPN;

to UE implementation-specific maximum value; and

C) If the UE is operating in single-registration mode, the UE shall handle 4G-GUTI, TAI list and eKSI as specified in 3GPP TS 24.301 [15] for the case when the authentication procedure is not accepted by the network. The USIM shall be considered as invalid also for non-EPS services until switching off or the UICC containing the USIM is removed; and

ii) if the AUTHENTICATION REJECT message is received over non-3GPP access:

A) the UE shall set the update status for non-3GPP access to 5U3 ROAMING NOT ALLOWED, delete for non-3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI. In case of PLMN, the USIM shall be considered invalid for 5GS services via non-3GPP access until switching off the UE or the UICC containing the USIM is removed. In case of SNPN, the UE shall consider the entry of the "list of subscriber data" with the SNPN identity of the current SNPN shall be considered invalid for non-3GPP access until the UE is switched off or the entry is updated; and

B) the UE shall set the counter for "USIM considered invalid for 5GS services over non-3GPP access" events in case of PLMN or the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events in case of SNPN to UE implementation-specific maximum value.

If the UE is registered for onboarding services in SNPN or performing initial registration for onboarding services in SNPN, the UE shall:

1) if the SNPN-specific attempt counter for the SNPN sending the AUTHENTICATION REJECT message has a value less than a UE implementation-specific maximum value, increment the SNPN-specific attempt counter for the SNPN; or

2) otherwise, the UE shall set the update status to 5U3.ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI, and ngKSI, store the SNPN identity in the "permanently forbidden SNPNs" list for onboarding services, enter state 5GMM-DEREGISTERED.PLMN-SEARCH, and perform an SNPN selection or an SNPN selection for onboarding services according to 3GPP TS 23.122 [5].

Upon receiving an EAP-success message, the ME shall:

a) delete the valid K_AUSF and the valid K_SEAF, if any;

b) if the ME has not generated a new K_AUSFand a new K_SEAF and has not created a partial native 5G NAS security context when handling the EAP-request message which resulted into generation of EMSK or MSK as described above:

1) if the UE operates in SNPN access operation mode and:

i) the default UE credentials for primary authentication, if the UE is registering or registered for onboarding services in SNPN; or

ii) credentials in the selected entry of the "list of subscriber data", if the UE is not registering or registered for onboarding services in SNPN;

contain an indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure then generate a new K_AUSFfrom the MSK otherwise generate a new K_AUSFfrom the EMSK;

2) generate a new K_SEAF from the new K_AUSF, and the K_AMF from the ABBA that was received with the EAP-success message, and the new K_SEAF as described in 3GPP TS 33.501 [24];

3) create a partial native 5G NAS security context identified by the ngKSI value in the volatile memory of the ME; and

4) store the K_AMFin the created partial native 5G NAS security context; and

c) consider the new K_AUSF to be the valid K_AUSF, and the new K_SEAF to be the valid K_SEAF, reset the SOR counter and the UE parameter update counter to zero, store the valid K_AUSF,the valid K_SEAF, the SOR counter and the UE parameter update counter as specified in annex C, and use the valid K_AUSF in the verification of SOR transparent container and UE parameters update transparent container, if any are received.

The UE shall consider the procedure complete.

Upon receiving an EAP-failure message, the UE shall delete the partial native 5G NAS security context and shall delete the new K_AUSFand the new K_SEAF, if any were created when handling the EAP-request message which resulted into generation of EMSK or MSK as described above.

The UE shall consider the procedure complete.

5.4.1.2.3A Procedures related to EAP methods other than EAP-AKA’ and EAP-TLS

5.4.1.2.3A.1 General

This subclause applies when an EAP method:

a) supporting mutual authentication;

b) supporting EMSK or MSK generation; and

c) other than EAP-AKA’ and EAP-TLS;

is used for primary authentication and key agreement in an SNPN.

The UE may support acting as EAP peer of such EAP method as specified in 3GPP TS 33.501 [24]. The AUSF may support acting as EAP server of such EAP method as specified in 3GPP TS 33.501 [24]. The AAA server of the CH or the DCS may support acting as EAP server of such EAP method as specified in 3GPP TS 23.501 [8].

When initiating an EAP based primary authentication and key agreement procedure using such EAP method, the network shall select an ngKSI value. If an ngKSI is contained in an initial NAS message during a 5GMM procedure, the network shall select a different ngKSI value. The network shall send the selected ngKSI value to the UE along with each EAP message. The network shall send the ABBA value as described in subclause 9.11.3.10 to the UE along with the EAP-request message and EAP-success message.

When the EAP based primary authentication and key agreement procedure uses such EAP method:

a) if:

1) the default UE credentials for primary authentication, if the UE is registering or registered for onboarding services in SNPN; or

2) credentials in the selected entry of the "list of subscriber data", if the UE is not registering or registered for onboarding services in SNPN;

b) if the AUSF acts as the EAP server, the AUSF shall generate EMSK as described in 3GPP TS 33.501 [24]; and

c) if the AAA server of the CH or the DCS acts as the EAP server, the AAA server of the CH or the DCS shall generate MSKas described in 3GPP TS 33.501 [24].

When handling of an EAP-request message results into generation of MSK or EMSK, if:

a) the default UE credentials for primary authentication, if the UE is registering or registered for onboarding services in SNPN; or

b) credentials in the selected entry of the "list of subscriber data", if the UE is not registering or registered for onboarding services in SNPN;

NOTE 1: Generation of the new K_AUSFand the new K_SEAF does not result into deletion of the valid K_AUSF and the valid K_SEAF, if any.

The ME shall not use the new K_AUSF in the verification of SOR transparent container and UE parameters update transparent container, if any are received, until receipt of an EAP-success message.

When the AUSF acts as the EAP server and handling of an EAP response message results into generation of EMSK, the AUSF shall generate the K_AUSF from the EMSK, and the K_SEAF from the K_AUSFas described in 3GPP TS 33.501 [24].

NOTE 2: When the AAA server of the CH or the DCS acts as the EAP server and handling of an EAP response message results into generation of MSK, the AAA server of the CH or the DCS provides (via the NSSAAF) the MSK and the SUPI to the AUSF. Upon reception of the MSK, the AUSF generates the K_AUSF from the MSK, and the K_SEAF from the K_AUSF as described in 3GPP TS 33.501 [24].

If the UE fails to authenticate the network, the UE shall start timer T3520 when the AUTHENTICATION RESPONSE message containing the EAP-response message is sent. Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3510, T3517 or T3521). Upon receiving an AUTHENTICATION REQUEST message with the EAP message IE containing an EAP-request message from the network, the UE shall stop timer T3520, if running, and then process the EAP-request message as normally.

If the network fails to authenticate the UE, the network handling depends upon the type of identity used by the UE in the initial NAS message, that is:

– if the 5G-GUTI was used; or

– if the SUCI was used.

If the SUCI was used for identification in the initial NAS message or in a restarted EAP based primary authentication and key agreement procedure, or the network decides not to initiate the identification procedure to retrieve SUCI from the UE after an unsuccessful the EAP based primary authentication and key agreement procedure, the network should transport the EAP-failure message in an AUTHENTICATION REJECT message of the EAP result message transport procedure.

If the EAP-failure message is received in an AUTHENTICATION REJECT message:

a) if the AUTHENTICATION REJECT message has been successfully integrity checked by the NAS:

1) the UE shall set the update status to 5U3 ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI.

In case of SNPN, if the UE is registered for onboarding services in SNPN or is performing initial registration for onboarding services in SNPN, the UE shall store the SNPN identity in the "permanently forbidden SNPNs" list for onboarding services, enter state 5GMM-DEREGISTERED.PLMN-SEARCH, and perform an SNPN selection or an SNPN selection for onboarding services according to 3GPP TS 23.122 [5]; and

2) if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall set the counter for "the entry for the current SNPN considered invalid for 3GPP access" events and the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events in case of SNPN to UE implementation-specific maximum value.

NOTE 4: The term "non-3GPP access" used in the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events, is used to express access to SNPN services via a PLMN.

Additionally, if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall:

1) if the AUTHENTICATION REJECT message is received over 3GPP access, and the counter for "the entry for the current SNPN considered invalid for 3GPP access" events has a value less than a UE implementation-specific maximum value, proceed as specified in list item a) 1) of subclause 5.3.20.3 for the case that the 5GMM cause value received is #3;

2) if the AUTHENTICATION REJECT message is received over non-3GPP access, and the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events has a value less than a UE implementation-specific maximum value, proceed as specified in list item a)-2) of subclause 5.3.20.3 for the case that the 5GMM cause value received is #3; or

3) otherwise:

i) if the AUTHENTICATION REJECT message is received over 3GPP access:

– the UE shall set the update status for 3GPP access to 5U3 ROAMING NOT ALLOWED, delete for 3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI;

In case of SNPN, if the UE does not support access to an SNPN using credentials from a credentials holder, the entry of the "list of subscriber data" with the SNPN identity of the current SNPN shall be considered invalid for 3GPP access until the UE is switched off or the entry is updated;

– the UE shall set the counter for "the entry for the current SNPN considered invalid for 3GPP access" events to UE implementation-specific maximum value; and

ii) if the AUTHENTICATION REJECT message is received over non-3GPP access:

– the UE shall set the update status for non-3GPP access to 5U3 ROAMING NOT ALLOWED, delete for non-3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI. The entry of the "list of subscriber data" with the SNPN identity of the current SNPN shall be considered invalid for non-3GPP access until the UE is switched off or the entry is updated; and

– the UE shall set the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events to UE implementation-specific maximum value.

NOTE 5: The AUTHENTICATION REJECT message "received over non-3GPP access" in this subclause refers to an AUTHENTICATION REJECT message received via a PLMN when the UE attempts to access SNPN services via a PLMN.

If the UE is registered for onboarding services in SNPN or performing initial registration for onboarding services in SNPN, the UE shall:

Upon receiving an EAP-success message, the ME shall:

a) delete the valid K_AUSF and the valid K_SEAF, if any;

1) if:

i) the default UE credentials for primary authentication, if the UE is registering or registered for onboarding services in SNPN; or

ii) credentials in the selected entry of the "list of subscriber data", if the UE is not registering or registered for onboarding services in SNPN;

2) generate a new K_SEAF from the new K_AUSF, and the K_AMF from the ABBA that was received with the EAP-success message, and the K_SEAF as described in 3GPP TS 33.501 [24];

3) create a partial native 5G NAS security context identified by the ngKSI value in the volatile memory of the ME; and

4) store the K_AMFin the created partial native 5G NAS security context; and

The UE shall consider the procedure complete.

5.4.1.2.3A.2 EAP-TTLS with two phases of authentication

The UE may support acting as EAP peer of EAP-TTLS with two phases of authentication as specified in 3GPP TS 33.501 [24] and acting as peer of a legacy authentication protocol as specified in 3GPP TS 33.501 [24]. The AUSF may support acting as EAP server of EAP-TTLS with two phases of authentication as specified in 3GPP TS 33.501 [24]. The AAA server of the CH or the DCS may support acting a server of a legacy authentication protocol as specified in 3GPP TS 33.501 [24].

When EAP-TTLS with two phases of authentication as specified in 3GPP TS 33.501 [24] is used for primary authentication and key agreement in an SNPN:

a) requirements in subclause 5.4.1.2.3A.1 shall apply in addition to requirements specified in 3GPP TS 33.501 [24] annex U;

b) indication to use MSK for derivation of K_AUSF after success of primary authentication and key agreement procedure is not included in:

1) the default UE credentials for primary authentication, if the UE is registering or registered for onboarding services in SNPN; or

2) credentials in the selected entry of the "list of subscriber data", if the UE is not registering or registered for onboarding services in SNPN; and

c) the SUPI of the UE is in the form of a SUPI with the SUPI format "network specific identifier" containing a network-specific identifier.

NOTE: Support of EAP-TTLS with two phases of authentication is based on the informative requirements as specified in 3GPP TS 33.501 [24].

5.4.1.2.3B Procedures related to EAP methods used for primary authentication of an N5GC device

5.4.1.2.3B.1 General

This subclause applies when an EAP method:

a) supporting mutual authentication; and

b) other than EAP-AKA’,

is used for primary authentication of an N5GC device, when an W-AGF supports acting on behalf of the N5GC device, the AMF supports serving the W-AGF acting on behalf of the N5GC device and the AUSF supports authentication of the N5GC device. EAP-TLS is an example of such EAP method.

NOTE 1: Neither the N5GC device nor the AUSF derive any 5G related keys during or after the primary authentication.

The AUSF supporting authentication of the N5GC device shall support acting as EAP server of at least one such EAP method as specified in annex O of 3GPP TS 33.501 [24].

The N5GC device shall support acting as EAP peer of at least one such EAP method as specified in annex O of 3GPP TS 33.501 [24], which is also supported by the AUSF.

The W-AGF acting on behalf of the N5GC device provides to the N5GC device an EAP-request message, an EAP-success message or an EAP-failure message received from the network according to subclause 5.4.1.2.1 and sends to the network according to subclause 5.4.1.2.1 an EAP-response provided by the N5GC device. The N5GC device can inform the W-AGF acting on behalf of the N5GC device that the N5GC device fails to authenticate the network. Details of communication between the N5GC device and the W-AGF acting on behalf of the N5GC device are out of scope of this specification.

When initiating an EAP based primary authentication and key agreement procedure using such EAP method, the network shall select an ngKSI value. The network shall send the selected ngKSI value to the W-AGF acting on behalf of the N5GC device along with each EAP message. The network shall send the ABBA value as described in subclause 9.11.3.10 to the W-AGF acting on behalf of the N5GC device along with the EAP-request message and EAP-success message. The W-AGF acting on behalf of the N5GC device shall not forward the ngKSI value or the ABBA value to the N5GC device.

NOTE 2: The network provides the ngKSI value and the ABBA value since the ngKSI IE and the ABBA IE are mandatory IEs in AUTHENTICATION REQUEST message. The W-AGF acting on behalf of the N5GC device does not use the ngKSI value or the ABBA value provided by the network.

If the N5GC device fails to authenticate the network, the W-AGF acting on behalf of the N5GC device shall start timer T3520 when the AUTHENTICATION RESPONSE message containing the EAP-response message is sent. Furthermore, the W-AGF acting on behalf of the N5GC device shall stop any of the retransmission timers that are running (e.g. T3510, T3517 or T3521). Upon receiving an AUTHENTICATION REQUEST message with the EAP message IE containing an EAP-request message from the network, the W-AGF acting on behalf of the N5GC device shall stop timer T3520, if running, and then provides the EAP-request message to the N5GC device as normally.

If the network fails to authenticate the N5GC device, the network handling depends upon the type of identity used by the W-AGF acting on behalf of the N5GC device in the initial NAS message, that is:

a) if the 5G-GUTI was used; or

b) if the SUCI was used.

If the 5G-GUTI was used, the network should transport the EAP-failure message in the AUTHENTICATION RESULT message of the EAP result message transport procedure, initiate an identification procedure to retrieve SUCI from the W-AGF acting on behalf of the N5GC device and restart the EAP based primary authentication and key agreement procedure with the received SUCI.

If the SUCI was used for identification in the initial NAS message or in a restarted EAP based primary authentication and key agreement procedure, or the network decides not to initiate the identification procedure to retrieve SUCI from the W-AGF acting on behalf of the N5GC device after an unsuccessful EAP based primary authentication and key agreement procedure, the network should transport the EAP-failure message in an AUTHENTICATION REJECT message of the EAP result message transport procedure.

If the EAP-failure message is received in an AUTHENTICATION REJECT message, the W-AGF acting on behalf of the N5GC device shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running (see subclause 5.3.20). Additionally, the W-AGF acting on behalf of the N5GC device shall:

a) if the counter for "USIM considered invalid for 5GS services over non-3GPP access" events has a value less than a W-AGF implementation-specific maximum value, proceed as specified in list item 1)-b) of subclause 5.3.20.2 for the case that the 5GMM cause value received is #3; or

b) otherwise, set the update status to 5U3 ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI. The USIM shall be considered invalid for 5GS services via non-3GPP access until switching off or the UICC containing the USIM is removed.

If the AUTHENTICATION REJECT message is received by the W-AGF acting on behalf of the N5GC device, the W-AGF acting on behalf of the N5GC device shall abort any 5GMM signalling procedure, stop any of the timers T3510, T3517, T3519 or T3521 (if they were running), enter state 5GMM-DEREGISTERED and delete any stored SUCI.

Upon receiving an EAP-success message, the W-AGF acting on behalf of the N5GC device shall consider the procedure complete.

Upon receiving an EAP-failure message, the W-AGF acting on behalf of the N5GC device shall consider the procedure complete.

5.4.1.2.4 EAP message reliable transport procedure

5.4.1.2.4.1 General

The purpose of the EAP message reliable transport procedure is to provide a reliable transport of an EAP-request message, the ngKSI and the ABBA from the network to the UE and of an EAP-response message from the UE to the network.

The EAP message reliable transport procedure is initiated by an AUTHENTICATION REQUEST message with the EAP message IE.

5.4.1.2.4.2 EAP message reliable transport procedure initiation by the network

In order to initiate the EAP message reliable transport procedure, the AMF shall create an AUTHENTICATION REQUEST message.

The AMF shall set the EAP message IE of the AUTHENTICATION REQUEST message to the EAP-request message to be sent to the UE. The AMF shall set the ngKSI IE of the AUTHENTICATION REQUEST message to the ngKSI value selected in subclause 5.4.1.2.2.2, subclause 5.4.1.2.3.1 or subclause 5.4.1.2.3A.1. In this release of specification, the AMF shall set the ABBA IE of the AUTHENTICATION REQUEST message with the length of ABBA IE to 2 and the ABBA contents to be 2 octets in length with value 0000H as described in subclause 9.11.3.10.

The AMF shall send the AUTHENTICATION REQUEST message to the UE, and the AMF shall start timer T3560 (see example in figure 5.4.1.2.4.2.1).

Figure 5.4.1.2.4.2.1: EAP message reliable transport procedure

Upon receipt of an AUTHENTICATION REQUEST message with the EAP message IE, the UE handles the EAP message received in the EAP message IE and the ABBA of the AUTHENTICATION REQUEST message.

5.4.1.2.4.3 EAP message reliable transport procedure accepted by the UE

The UE shall create an AUTHENTICATION RESPONSE message.

If the received EAP message is an EAP-request message, the UE shall set the EAP message IE of the AUTHENTICATION RESPONSE message to the EAP-response message responding to the received EAP-request message.

The UE shall send the AUTHENTICATION RESPONSE message to the AMF.

Upon receipt of an AUTHENTICATION RESPONSE message, the AMF shall stop timer T3560. If the EAP message IE is included in the AUTHENTICATION RESPONSE message, the AMF handles the EAP message received in the EAP message IE of the AUTHENTICATION RESPONSE message.

5.4.1.2.4.4 Abnormal cases on the network side

The following abnormal cases can be identified:

a) Expiry of timer T3560.

The AMF shall, on the first expiry of the timer T3560, retransmit the AUTHENTICATION REQUEST message and shall reset and start timer T3560. This retransmission is repeated four times, i.e. on the fifth expiry of timer T3560, the AMF shall abort the EAP based primary authentication and key agreement procedure and any ongoing 5GMM specific procedure, and release the N1 NAS signalling connection.

b) Lower layers indication of non-delivered NAS PDU due to handover.

If the AUTHENTICATION REQUEST message could not be delivered due to an intra AMF handover and the target TA is included in the TAI list, then upon successful completion of the intra AMF handover the AMF shall retransmit the AUTHENTICATION REQUEST message. If a failure of handover procedure is reported by the lower layer and the N1 NAS signalling connection exists, the AMF shall retransmit the AUTHENTICATION REQUEST message.

5.4.1.2.4.5 Abnormal cases in the UE

The following abnormal cases can be identified:

a) Authentication failure (5GMM cause #71 "ngKSI already in use").

The UE shall send an AUTHENTICATION FAILURE message, with 5GMM cause #71 "ngKSI already in use", to the network and start the timer T3520 (see example in figure 5.4.1.3.7.1). Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3510, T3517 or T3521). Upon the first receipt of an AUTHENTICATION FAILURE message from the UE with 5GMM cause #71 "ngKSI already in use", the network performs necessary actions to select a new ngKSI and send the same EAP-request message to the UE.

NOTE 1: Upon receipt of an AUTHENTICATION FAILURE message from the UE with 5GMM cause #71 "ngKSI already in use", the network can also re-initiate the EAP based primary authentication and key agreement procedure (see subclause 5.4.1.2.2.2).

Upon receiving a new AUTHENTICATION REQUEST message with the EAP message IE containing an EAP-request message from the network, the UE shall stop timer T3520, if running, process the EAP-request message as normal.

If the network is validated successfully (an AUTHENTICATION REQUEST message that contains a valid ngKSI and EAP-request message is received), the UE shall send the AUTHENTICATION RESPONSE message to the network and shall start any retransmission timers (e.g. T3510, T3517 or T3521) if they were running and stopped when the UE received the first failed AUTHENTICATION REQUEST message.

b) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION FAILURE message indication from lower layers (if the EAP based primary authentication and key agreement procedure is triggered by a registration procedure).

The UE shall stop the timer T3520, if running, and re-initiate the registration procedure.

c) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION FAILURE message indication with change in the current TAI (if the EAP based primary authentication and key agreement procedure is triggered by a service request procedure).

The UE shall stop the timer T3520, if running.

If the current TAI is not in the TAI list, the EAP based primary authentication and key agreement procedure shall be aborted and a registration procedure for mobility and periodic registration update shall be initiated.

If the current TAI is still part of the TAI list, it is up to the UE implementation how to re-run the ongoing procedure that triggered the EAP based primary authentication and key agreement procedure.

d) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION FAILURE message indication without change in the current TAI (if the authentication procedure is triggered by a service request procedure).

The UE shall stop the timer T3520, if running. It is up to the UE implementation how to re-run the ongoing procedure that triggered the EAP based primary authentication and key agreement procedure.

e) Network failing the authentication check.

If the UE deems that the network has failed the authentication check, then it shall request RRC to locally release the RRC connection and treat the active cell as barred (see 3GPP TS 38.304 [28] or 3GPP TS 36.304 [25C]). The UE shall start any retransmission timers (e.g. T3510, T3517 or T3521), if they were running and stopped when the UE received the first AUTHENTICATION REQUEST message containing an ngKSI that was already in use.

f) Change in the current TAI.

If that the current TAI is not in the TAI list before the AUTHENTICATION RESPONSE message is sent, the UE may discard sending the AUTHENTICATION RESPONSE message to the network and continue with the initiation of the registration procedure for mobility and periodic registration update as described in subclause 5.5.1.3.2.

For item e, if no emergency service is started or is ongoing:

The UE shall stop timer T3520, if the timer is running and the UE enters 5GMM-IDLE mode, e.g. upon detection of a lower layer failure, release of the N1 NAS signalling connection, or as the result of an inter-system change in 5GMM-CONNECTED mode from N1 mode to S1 mode.

The UE shall deem that the network has failed the authentication check or assume that the authentication is not genuine and proceed as described in item e above if any of the following occurs:

– the timer T3520 expires;

– the UE detects any combination of the EAP-based authentication failures: transmission of AUTHENTICATION FAILURE message with 5GMM cause #71 "ngKSI already in use", transmission of AUTHENTICATION RESPONSE message with an EAP-response message after detecting an error as described in subclause 5.4.1.2.2.4, with an EAP-response message after not accepting of the server certificate as described in subclause 5.4.1.2.3.1 or with an EAP-response message after failing to authenticate the network as described in subclause 5.4.1.2.3A.1, during three consecutive authentication challenges. The EAP-request/AKA’-challenge challenges shall be considered as consecutive only, if the EAP-request/AKA’-challenge challenges causing the second and third EAP-based authentication failure are received by the UE, while the timer T3520 started after the previous EAP-based authentication failure is running. Not accepting of the server certificate shall be considered as consecutive only, if the EAP-request messages causing the second and third not accepting of the server certificate are received by the UE, while the timer T3520 started after the previous EAP request message causing the previous not accepting of the server certificate is running.

NOTE 2: Reception of an EAP-failure message is not considered when determining the three consecutive authentication challenges or three consecutive not accepting of the server certificate.

For item e if there is an emergency service started or is ongoin:

If a UE has an emergency PDU session established or is establishing an emergency PDU session, and sends an AUTHENTICATION FAILURE message to the AMF with the 5GMM cause appropriate for this cases (i.e. #71) or an AUTHENTICATION RESPONSE message containing an EAP-response message as described in subclause 5.4.1.2.2.4, containing an EAP-response message after not accepting of the server certificate as described in subclause 5.4.1.2.3.1 or containing an EAP-response message after failing to authenticate the network as described in subclause 5.4.1.2.3A.1, and receives the SECURITY MODE COMMAND message before the timeout of timer T3520, the UE shall deem that the network has passed the authentication check successfully, stop timer T3520, respectively, and execute the security mode control procedure.

If a UE has an emergency PDU session established or is establishing an emergency PDU session when timer T3520 expires, the UE shall not deem that the network has failed the authentication check and not behave as described in item e. Instead the UE shall continue using the current security context, if any, release all non-emergency PDU sessions, if any, by initiating UE-requested PDU session release procedure. If there is an ongoing PDU session establishment procedure, the UE shall release all non-emergency PDU sessions upon completion of the PDU session establishment procedure.

The UE shall start any retransmission timers (e.g. T3510, T3517 or T3521) if:

– they were running and stopped when the UE received the AUTHENTICATION REQUEST message and detected an authentication failure; and

– the procedures associated with these timers have not yet been completed.

The UE shall consider itself to be registered for emergency services.

5.4.1.2.5 EAP result message transport procedure

5.4.1.2.5.1 General

The purpose of the EAP result message transport procedure is to provide an EAP-success message or an EAP-failure message, and ngKSI from the network to the UE, when the EAP message cannot be piggybacked by another NAS message.

The EAP result message transport procedure is initiated:

– by an AUTHENTICATION RESULT message with the EAP message IE carrying the EAP-success message or the EAP-failure message; or

– by an AUTHENTICATION REJECT message with the EAP message IE carrying the EAP-failure message.

5.4.1.2.5.2 EAP result message transport procedure initiation by the network

In order to initiate the EAP result message transport procedure, the AMF shall create an AUTHENTICATION RESULT message or an AUTHENTICATION REJECT message.

The AMF shall set the EAP message IE of the AUTHENTICATION RESULT message to an EAP-success message or an EAP-failure message to be sent to the UE. The AMF shall set the EAP message IE of the AUTHENTICATION REJECT message to an EAP-failure message to be sent to the UE. The AMF shall set the ngKSI IE of the AUTHENTICATION RESULT message or the AUTHENTICATION REJECT message to the ngKSI value selected in subclause 5.4.1.2.2.2, subclause 5.4.1.2.3.1 or subclause 5.4.1.2.3A.1.

The AMF shall send the AUTHENTICATION RESULT message or the AUTHENTICATION REJECT message to the UE (see example in figure 5.4.1.2.5.2.1).

Figure 5.4.1.2.5.2.1: EAP result message transport procedure

Upon receipt of an AUTHENTICATION RESULT message or an AUTHENTICATION REJECT message with the EAP message IE, the UE handles the EAP message received in the EAP message IE and the ABBA if received of the AUTHENTICATION RESULT message or in the AUTHENTICATION REJECT message.

5.4.1.3 5G AKA based primary authentication and key agreement procedure

5.4.1.3.1 General

The purpose of the 5G AKA based primary authentication and key agreement procedure is to provide mutual authentication between the UE and the network and to agree on the keys K_AUSF, K_SEAF and K_AMF (see 3GPP TS 33.501 [24]). The cases when the 5G AKA based primary authentication and key agreement procedure is used are defined in 3GPP TS 33.501 [24].

The network initiates the 5G AKA based primary authentication and key agreement procedure by sending an AUTHENTICATION REQUEST message to the UE without the EAP message IE. The network shall include the ngKSI and the ABBA in AUTHENTICATION REQUEST message.

The 5G AKA based primary authentication and key agreement procedure is always initiated and controlled by the network. However, the UE can reject the 5G authentication challenge sent by the network.

The UE shall proceed with a 5G authentication challenge only if a USIM is present.

A partial native 5G NAS security context is established in the UE and the network when a 5G authentication is successfully performed. During a successful 5G AKA based primary authentication and key agreement procedure, the CK and IK are computed by the USIM. CK and IK are then used by the ME as key material to compute new keys K_AUSF, K_SEAF and K_AMF. K_AMF is stored in the 5G NAS security contexts (see 3GPP TS 33.501 [24]) of both the network and in the volatile memory of the ME while registered to the network, and is the root for the 5GS integrity protection and ciphering key hierarchy.

NOTE 1: Generation of the new K_AUSFand the new K_SEAF does not result into deletion of the valid K_AUSF and the valid K_SEAF, if any.

The 5G AKA based primary authentication and key agreement procedure is initiated by an AUTHENTICATION REQUEST message without the EAP message IE.

Upon successful completion of the 5G AKA based primary authentication, the AMF shall initiate a security mode control procedure (see subclause 5.4.2) to take the new partial native 5G NAS security context into use.

NOTE 2: The AMF immediately initiates a security mode control procedure (see subclause 5.4.2) after 5G AKA primary authentication is successful to avoid K_AUSFkey mismatch between the UE and the network.

5.4.1.3.2 Authentication initiation by the network

The network may initiate a 5G AKA based primary authentication and key agreement procedure for a UE in 5GMM-CONNECTED mode at any time. For restrictions applicable after handover or inter-system change to N1 mode in 5GMM-CONNECTED mode, see subclause 5.5.1.3.3.

The network initiates the 5G AKA based primary authentication and key agreement procedure by sending an AUTHENTICATION REQUEST message to the UE and starting the timer T3560 (see example in figure 5.4.1.3.2.1). The AUTHENTICATION REQUEST message shall contain the parameters necessary to calculate the authentication response (see 3GPP TS 33.501 [24]). This message shall include the ngKSI that will be used by the UE and AMF to identify the K_AMF and the partial native security context that is created if the authentication is successful. This message shall also include the ABBA parameter. In this release of specification, the network shall set the length of ABBA IE to 2 and the ABBA contents to be 2 octets in length with value 0000H as described in subclause 9.11.3.10.

If an ngKSI is contained in an initial NAS message during a 5GMM procedure, the network shall include a different ngKSI value in the AUTHENTICATION REQUEST message when it initiates a 5G AKA based primary authentication and key agreement procedure.

Figure 5.4.1.3.2.1: 5G AKA based primary authentication and key agreement procedure

5.4.1.3.3 Authentication response by the UE

The UE shall respond to an AUTHENTICATION REQUEST message. With the exception of the cases described in subclause 5.4.1.3.6 and 5.4.1.3.7 case l, the UE shall process the 5G authentication challenge data and respond with an AUTHENTICATION RESPONSE message to the network.

Upon a successful 5G authentication challenge, the UE shall determine the PLMN identity to be used for the calculation of the new K_AMF from the 5G authentication challenge data according to the following rules:

a) When the UE moves from 5GMM-IDLE mode to 5GMM-CONNECTED mode, until the first handover, the UE shall use the PLMN identity of the selected PLMN; and

b) After handover or inter-system change to N1 mode in 5GMM-CONNECTED mode,

1) if the target cell is not a shared network cell, the UE shall use the PLMN identity received as part of the broadcast system information;

2) if the target cell is a shared network cell and the UE has a valid 5G-GUTI, the UE shall use the PLMN identity that is part of the 5G-GUTI; and

3) if the target cell is a shared network cell and the UE has a valid 4G-GUTI, but not a valid 5G-GUTI, the UE shall use the PLMN identity that is part of the 4G-GUTI.

Upon a successful 5G authentication challenge, the new K_AMF calculated from the 5G authentication challenge data shall be stored in a new 5G NAS security context in the volatile memory of the ME.

The USIM will compute the authentication response (RES) using the 5G authentication challenge data received from the ME, and pass RES to the ME. From the RES, RES* is then generated according to Annex A of 3GPP TS 33.501 [24].

In order to avoid a synchronisation failure, when the UE receives an AUTHENTICATION REQUEST message, the UE shall store the received RAND together with the RES*, in the volatile memory of the ME. When the UE receives a subsequent AUTHENTICATION REQUEST message, if the stored RAND value is equal to the new received value in the AUTHENTICATION REQUEST message, then the ME shall not pass the RAND to the USIM, but shall send the AUTHENTICATION RESPONSE message with the stored RES*. If there is no valid stored RAND in the ME or the stored RAND is different from the new received value in the AUTHENTICATION REQUEST message, the ME shall pass the RAND to the USIM, shall override any previously stored RAND and RES* with the new ones and start, or reset and restart timer T3516.

The RAND and RES* values stored in the ME shall be deleted and timer T3516, if running, shall be stopped:

a) upon receipt of a

1) SECURITY MODE COMMAND message,

2) SERVICE REJECT message,

3) REGISTRATION REJECT message,

4) REGISTRATION ACCEPT message,

5) AUTHENTICATION REJECT message, or

6) SERVICE ACCEPT message;

b) upon expiry of timer T3516;

c) if the UE enters the 5GMM state 5GMM-DEREGISTERED or 5GMM-NULL; or

d) if the UE enters 5GMM-IDLE mode.

5.4.1.3.4 Authentication completion by the network

Upon receipt of an AUTHENTICATION RESPONSE message, the network stops the timer T3560 and checks the correctness of RES* (see 3GPP TS 33.501 [24]).

If the 5G AKA based primary authentication and key agreement procedure has been completed successfully and the related ngKSI is stored in the 5G NAS security context of the network, the network shall include a different ngKSI value in the AUTHENTICATION REQUEST message when it initiates a new 5G AKA based primary authentication and key agreement procedure.

Upon receipt of an AUTHENTICATION FAILURE message, the network stops the timer T3560. In the case where the 5GMM cause #21 "synch failure" is received, the core network may renegotiate with the UDM/AUSF and provide the UE with new authentication parameters.

5.4.1.3.5 Authentication not accepted by the network

If the authentication response (RES) returned by the UE is not valid, the network response depends upon the type of identity used by the UE in the initial NAS message, that is:

– if the 5G-GUTI was used; or

– if the SUCI was used.

If the 5G-GUTI was used, the network should initiate an identification procedure to retrieve SUCI from the UE and restart the 5G AKA based primary authentication and key agreement procedure with the received SUCI.

If the SUCI was used for identification in the initial NAS message or in a restarted 5G AKA based primary authentication and key agreement procedure, or the network decides not to initiate the identification procedure to retrieve SUCI from the UE after an unsuccessful 5G AKA based primary authentication and key agreement procedure, the network should send an AUTHENTICATION REJECT message to the UE. The network shall maintain, if any, the 5GMM-context and 5G NAS security context of the UE unchanged.

Upon receipt of an AUTHENTICATION REJECT message,

1) if the AUTHENTICATION REJECT message has been successfully integrity checked by the NAS:

the UE shall set the update status to 5U3 ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI.

In case of PLMN, the USIM shall be considered invalid until switching off the UE or the UICC containing the USIM is removed.

In case of SNPN, if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN and the UE supports access to an SNPN using credentials from a credentials holder, the UE shall consider the selected entry of the "list of subscriber data" as invalid for 3GPP access until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the entry until switching off or the UICC containing the USIM is removed.

– if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall set:

to UE implementation-specific maximum value.

2) if the AUTHENTICATION REJECT message is received without integrity protection and if timer T3516 or T3520 is running, the UE shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running (see subclause 5.3.20).

Additionally, if the UE is neither registered for onboarding services in SNPN nor performing initial registration for onboarding services in SNPN, the UE shall:

c) otherwise:

i) if the AUTHENTICATION REJECT message is received over 3GPP access:

– The UE shall set the update status for 3GPP access to 5U3 ROAMING NOT ALLOWED, delete for 3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI.

– In case of PLMN, the UE shall consider the USIM as invalid for 5GS services via 3GPP access and non-EPS service until switching off the UE or the UICC containing the USIM is removed.

In case of SNPN, the UE shall consider the entry of the "list of subscriber data" with the SNPN identity of the current SNPN shall be considered invalid for 3GPP access until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the current SNPN via 3GPP access until switching off or the UICC containing the USIM is removed.

– The UE shall set:

– the counter for "SIM/USIM considered invalid for GPRS services" events and the counter for "SIM/USIM considered invalid for non-GPRS services" events if maintained by the UE, in case of PLMN; or

– the counter for "the entry for the current SNPN considered invalid for 3GPP access" events in case of SNPN;

to UE implementation-specific maximum value.

ii) if the AUTHENTICATION REJECT message is received over non-3GPP access:

– the UE shall set the update status for non-3GPP access to 5U3 ROAMING NOT ALLOWED, delete for non-3GPP access only the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI;

– in case of PLMN, the UE shall consider the USIM as invalid for 5GS services via non-3GPP access until switching off the UE or the UICC containing the USIM is removed.

– the UE shall set:

– the counter for "USIM considered invalid for 5GS services over non-3GPP access" events to UE implementation-specific maximum value in case of PLMN; or

– the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events to UE implementation-specific maximum value in case of SNPN.

If the UE is registered for onboarding services in SNPN or performing initial registration for onboarding services in SNPN, the UE shall:

If the AUTHENTICATION REJECT message is received by the UE, the UE shall abort any 5GMM signalling procedure, stop any of the timers T3510, T3516, T3517, T3519, T3520 or T3521 (if they were running), enter state 5GMM-DEREGISTERED and delete any stored SUCI.

5.4.1.3.6 Authentication not accepted by the UE

In the 5G authentication challenge, the UE shall check the 5G authentication challenge data (RAND, AUTN and ngKSI) received in the AUTHENTICATION REQUEST message to verify authenticity of the 5G core network.

The ME shall check that ngKSI received in the AUTHENTICATION REQUEST message is not already in use. The ME shall forward the RAND and AUTN to the USIM to check.

The UE may reject the core network due to an incorrect AUTN or ngKSI parameter. If the UE has to reject the 5G authentication challenge, the UE shall return AUTHENTICATION FAILURE message to the network with a cause value indicating the reason for the failure (see 3GPP TS 33.501 [24]).

Incorrect 5G authentication challenge data contains four possible causes for authentication failure:

a) MAC code failure:

If the UE finds the MAC code (supplied by the core network in the AUTN parameter) to be invalid, the UE shall send an AUTHENTICATION FAILURE message to the network, with the 5GMM cause #20 "MAC failure". The UE shall then follow the procedure described in subclause 5.4.1.3.7, item c.

b) Non-5G authentication unacceptable:

If the UE finds that the "separation bit" in the AMF field of AUTN supplied by the core network is set to 0, the UE shall send an AUTHENTICATION FAILURE message to the network, with the 5GMM cause #26 "non-5G authentication unacceptable" (see subclause 6.1.3 in 3GPP TS 33.501 [24]). The UE shall then follow the procedure described in subclause 5.4.1.3.7, item d.

c) ngKSI already in use:

If the UE detects that ngKSI received in the AUTHENTICATION REQUEST message is already in use in the UE shall send an AUTHENTICATION FAILURE message to the network, with the 5GMM cause #71 "ngKSI already in use". The UE shall then follow the procedure described in subclause 5.4.1.3.7, item e.

d) SQN failure:

If the UE finds the sequence number SQN (supplied by the core network in the AUTN parameter) to be out of range, the UE shall send an AUTHENTICATION FAILURE message to the network, with the 5GMM cause #21 "synch failure" and a re-synchronization token AUTS provided by the USIM (see 3GPP TS 33.102 [23]). The UE shall then follow the procedure described in subclause 5.4.1.3.7, item f.

If the UE returns an AUTHENTICATION FAILURE message to the network, the UE shall delete any previously stored RAND and RES* and shall stop timer T3516, if running.

If the UE has an emergency PDU session established or is establishing such a PDU session, additional UE requirements are specified in subclause 5.4.1.3.7, under "for items c, d, e and f".

5.4.1.3.7 Abnormal cases

a) Lower layer failure.

Upon detection of lower layer failure before the AUTHENTICATION RESPONSE message is received, the network shall abort the procedure.

b) Expiry of timer T3560.

The network shall, on the first expiry of the timer T3560, retransmit the AUTHENTICATION REQUEST message and shall reset and start timer T3560. This retransmission is repeated four times, i.e. on the fifth expiry of timer T3560, the network shall abort the 5G AKA based primary authentication and key agreement procedure and any ongoing 5GMM specific procedure and release the N1 NAS signalling connection.

c) Authentication failure (5GMM cause #20 "MAC failure").

The UE shall send an AUTHENTICATION FAILURE message, with 5GMM cause #20 "MAC failure" according to subclause 5.4.1.3.6, to the network and start timer T3520 (see example in figure 5.4.1.3.7.1). Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3510, T3517 or T3521). Upon the first receipt of an AUTHENTICATION FAILURE message from the UE with 5GMM cause #20 "MAC failure", the network may initiate the identification procedure described in subclause 5.4.3. This is to allow the network to obtain the SUCI from the UE. The network may then check that the 5G-GUTI originally used in the 5G authentication challenge corresponded to the correct SUPI. Upon receipt of the IDENTITY REQUEST message from the network, the UE shall proceed as specified in subclause 5.4.3.3.

NOTE 1: Upon receipt of an AUTHENTICATION FAILURE message from the UE with 5GMM cause #20 "MAC failure", the network may also terminate the 5G AKA based primary authentication and key agreement procedure (see subclause 5.4.1.3.5).

If the mapping of 5G-GUTI to SUPI in the network was incorrect, the network should respond by sending a new AUTHENTICATION REQUEST message to the UE. Upon receiving the new AUTHENTICATION REQUEST message from the network, the UE shall stop the timer T3520, if running, and then process the 5G challenge information as normal. If the mapping of 5G-GUTI to SUPI in the network was correct, the network should terminate the 5G AKA based primary authentication and key agreement procedure by sending an AUTHENTICATION REJECT message (see subclause 5.4.1.3.5).

If the network is validated successfully (an AUTHENTICATION REQUEST message that contains a valid SQN and MAC is received), the UE shall send the AUTHENTICATION RESPONSE message to the network and shall start any retransmission timers (e.g. T3510, T3517 or T3521) if they were running and stopped when the UE received the first failed AUTHENTICATION REQUEST message.

If the UE receives the second AUTHENTICATION REQUEST message, and the MAC value cannot be resolved, the UE shall follow the procedure specified in this subclause, item c, starting again from the beginning, or if the message contains a UMTS authentication challenge, the UE shall follow the procedure specified in item d. If the SQN is invalid, the UE shall proceed as specified in item f.

Figure 5.4.1.3.7.1: Authentication failure during 5G AKA based primary authentication and key agreement procedure

d) Authentication failure (5GMM cause #26 "non-5G authentication unacceptable").

The UE shall send an AUTHENTICATION FAILURE message, with 5GMM cause #26 "non-5G authentication unacceptable", to the network and start the timer T3520 (see example in figure 5.4.1.3.7.1). Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3510, T3517 or T3521). Upon the first receipt of an AUTHENTICATION FAILURE message from the UE with 5GMM cause #26 "non-5G authentication unacceptable", the network may initiate the identification procedure described in subclause 5.4.3. This is to allow the network to obtain the SUCI from the UE. The network may then check that the 5G-GUTI originally used in the 5G authentication challenge corresponded to the correct SUPI. Upon receipt of the IDENTITY REQUEST message from the network, the UE shall proceed as specified in subclause 5.4.3.3.

NOTE 2: Upon receipt of an AUTHENTICATION FAILURE message from the UE with 5GMM cause #26 "non-5G authentication unacceptable", the network may also terminate the 5G AKA based primary authentication and key agreement procedure (see subclause 5.4.1.3.5).

If the mapping of 5G-GUTI to SUPI in the network was incorrect, the network should respond by sending a new AUTHENTICATION REQUEST message to the UE. Upon receiving the new AUTHENTICATION REQUEST message from the network, the UE shall stop the timer T3520, if running, and then process the 5G challenge information as normal. If the mapping of 5G-GUTI to SUPI in the network was correct, the network should terminate the 5G AKA based primary authentication and key agreement authentication procedure by sending an AUTHENTICATION REJECT message (see subclause 5.4.1.3.5).

If the network is validated successfully (an AUTHENTICATION REQUEST message that contains a valid 5G authentication challenge is received), the UE shall send the AUTHENTICATION RESPONSE message to the network and shall start any retransmission timers (e.g. T3510, T3517 or T3521) if they were running and stopped when the UE received the first failed AUTHENTICATION REQUEST message.

e) Authentication failure (5GMM cause #71 "ngKSI already in use").

NOTE 3: Upon receipt of an AUTHENTICATION FAILURE message from the UE with 5GMM cause #71 "ngKSI already in use", the network may also re-initiate the 5G AKA based primary authentication and key agreement procedure (see subclause 5.4.1.3.2).

Upon receiving the new AUTHENTICATION REQUEST message from the network, the UE shall stop the timer T3520, if running, and then process the 5G challenge information as normal.

If the network is validated successfully (an AUTHENTICATION REQUEST message that contains a valid ngKSI, SQN and MAC is received), the UE shall send the AUTHENTICATION RESPONSE message to the network and shall start any retransmission timers (e.g. T3510, T3517 or T3521) if they were running and stopped when the UE received the first failed AUTHENTICATION REQUEST message.

f) Authentication failure (5GMM cause #21 "synch failure").

The UE shall send an AUTHENTICATION FAILURE message, with 5GMM cause #21 "synch failure", to the network and start the timer T3520 (see example in figure 5.4.1.3.7.1). Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3510, T3517 or T3521). Upon the first receipt of an AUTHENTICATION FAILURE message from the UE with the 5GMM cause #21 "synch failure", the network shall use the returned AUTS parameter from the authentication failure parameter IE in the AUTHENTICATION FAILURE message, to re-synchronise. The re-synchronisation procedure requires the AMF to delete all unused authentication vectors for that SUPI and obtain new vectors from the UDM/AUSF. When re-synchronisation is complete, the network shall initiate the 5G AKA based primary authentication and key agreement procedure. Upon receipt of the AUTHENTICATION REQUEST message, the UE shall stop the timer T3520, if running.

NOTE 4: Upon receipt of two consecutive AUTHENTICATION FAILURE messages from the UE with 5GMM cause #21 "synch failure", the network may terminate the 5G AKA based primary authentication and key agreement procedure by sending an AUTHENTICATION REJECT message.

If the network is validated successfully (a new AUTHENTICATION REQUEST message is received which contains a valid SQN and MAC) while T3520 is running, the UE shall send the AUTHENTICATION RESPONSE message to the network and shall start any retransmission timers (e.g. T3510, T3517 or T3521), if they were running and stopped when the UE received the first failed AUTHENTICATION REQUEST message.

Upon receipt of an AUTHENTICATION REJECT message, the UE shall perform the actions as specified in subclause 5.4.1.3.5.

g) Network failing the authentication check.

h) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION FAILURE message indication from lower layers (if the 5G AKA based primary authentication and key agreement procedure is triggered by a registration procedure).

The UE shall stop the timer T3520, if running, and re-initiate the registration procedure.

i) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION FAILURE message indication with change in the current TAI (if the 5G AKA based primary authentication and key agreement procedure is triggered by a service request procedure).

The UE shall stop the timer T3520, if running.

If the current TAI is not in the TAI list, the 5G AKA based primary authentication and key agreement procedure shall be aborted and a registration procedure for mobility and periodic registration update shall be initiated.

If the current TAI is still part of the TAI list, it is up to the UE implementation how to re-run the ongoing procedure that triggered the 5G AKA based primary authentication and key agreement procedure.

j) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION FAILURE message indication without change in the current TAI (if the authentication procedure is triggered by a service request procedure).

The UE shall stop the timer T3520, if running. It is up to the UE implementation how to re-run the ongoing procedure that triggered the 5G AKA based primary authentication and key agreement procedure.

k) Lower layers indication of non-delivered NAS PDU due to handover.

l) Change in the current TAI.

If the current TAI is not in the TAI list before the AUTHENTICATION RESPONSE message is sent, the UE may discard sending the AUTHENTICATION RESPONSE message to the network and continue with the initiation of the registration procedure for mobility and periodic registration update as described in subclause 5.5.1.3.2.

m) AUTHENTICATION REJECT message is received without integrity protection and neither timer T3516 nor T3520 is running.

If an AUTHENTICATION REJECT message is received without integrity protection and if neither timer T3516 nor T3520 is running, then the UE shall discard the AUTHENTICATION REJECT message. Additionally, the UE may request RRC to locally release the RRC connection and treat the active cell as barred (see 3GPP TS 38.304 [28] or 3GPP TS 36.304 [25C]).

For items c, d, e, and f if no emergency service is started or is ongoing:

The UE shall deem that the network has failed the authentication check or assume that the authentication is not genuine and proceed as described in item g above if any of the following occurs:

– the timer T3520 expires;

– the UE detects any combination of the 5G authentication failures: 5GMM causes #20 "MAC failure", #21 "synch failure", #26 "non-5G authentication unacceptable" or #71 "ngKSI already in use", during three consecutive authentication challenges. The 5G authentication challenges shall be considered as consecutive only, if the 5G authentication challenges causing the second and third 5G authentication failure are received by the UE, while the timer T3520 started after the previous 5G authentication failure is running.

For items c, d, e, and f if there is an emergency service started or is ongoing:

If there is an ongoing service request procedure for emergency services fallback the UE shall abort the service request procedure, stop timer T3517 and locally release any resources allocated for the service request procedure and enters state 5GMM-REGISTERED. The UE shall attempt to select an E-UTRA cell connected to EPC or 5GCN according to the domain priority and selection rules specified in 3GPP TS 23.167 [6]. If the UE finds a suitable E-UTRA cell, it then proceeds with the appropriate EMM or 5GMM procedures. If the UE operating in single-registration mode has changed to S1 mode, it shall disable the N1 mode capability for 3GPP access.

Depending on local requirements or operator preference for emergency services, if the UE has an emergency PDU session established or is establishing an emergency PDU session, the AMF need not follow the procedures specified for the authentication failure specified in the present subclause. The AMF may respond to the AUTHENTICATION FAILURE message by initiating the security mode control procedure selecting the "null integrity protection algorithm" 5G-IA0, "null ciphering algorithm" 5G-EA0 or may abort the 5G AKA based primary authentication and key agreement procedure and continue using the current security context, if any. The AMF shall indicate to the SMF to perform the release of all non-emergency PDU sessions, if any. If there is an ongoing PDU session establishment procedure, the AMF shall indicate to the SMF to perform the release of all non-emergency PDU sessions upon completion of the PDU session establishment procedure. The network shall behave as if the UE is registered for emergency services.

If a UE has an emergency PDU session established or is establishing an emergency PDU session and sends an AUTHENTICATION FAILURE message to the AMF with the 5GMM cause appropriate for these cases (#20, #21, #26, or #71 respectively) and receives the SECURITY MODE COMMAND message before the timeout of timer T3520, the UE shall deem that the network has passed the authentication check successfully, stop timer T3520, respectively, and execute the security mode control procedure.

If a UE has an emergency PDU session established or is establishing an emergency PDU session when timer T3520 expires, the UE shall not deem that the network has failed the authentication check and not behave as described in item g. Instead the UE shall continue using the current security context, if any, release all non-emergency PDU sessions, if any, by initiating UE-requested PDU session release procedure. If there is an ongoing PDU session establishment procedure, the UE shall release all non-emergency PDU sessions upon completion of the PDU session establishment procedure.

The UE shall start any retransmission timers (e.g. T3510, T3517 or T3521) if:

– they were running and stopped when the UE received the AUTHENTICATION REQUEST message and detected an authentication failure; and

– the procedures associated with these timers have not yet been completed.

The UE shall behave as if the UE is registered for emergency services.