3GPP TS 24.502 Release 18: Access to the 3GPP 5G Core Network (5GCN) via non-3GPP access networks
This clause specifies the related procedures performed between the UE and an untrusted or trusted non-3GPP access network or a wireline access network.
6.3 Authentication and authorization for accessing 5GS via non-3GPP access network
In order to register to the 5G core network (5GCN) via untrusted non-3GPP IP access, the UE first needs to be configured with a local IP address from the untrusted non-3GPP access network (N3AN).
Once the UE is configured with a local IP address, the UE shall select the Non-3GPP InterWorking Function (N3IWF) as described in clause 7.2 and shall initiate the IKEv2 SA establishment procedure as described in clause 7.3. During the IKEv2 SA establishment procedure, authentication and authorization for access to 5GCN is performed.
NOTE 1: The trust relationship indicator (see 3GPP TS 24.302), which can be received during EAP extension authentication during IKEv2 SA establishment, does not indicate that the WLAN is a trusted non-3GPP access network connected to the 5GCN.
In a trusted non-3GPP access, a UE shall first connect to a TNAN using a link layer protocol and shall initiate EAP authentication. During EAP authentication, authentication and authorization for access to 5GCN is performed by exchange of EAP-5G messages over the link layer protocol between the UE and the TNAN, see clause 7.3A.2.1. Upon completion of EAP authentication, the UE shall be assigned an IP address by that TNAN. Once the UE is configured with an IP address, it shall initiate the IKEv2 SA establishment procedure as described in clause 7.3A.
In a wireline access, the 5G-RG shall first establish a connection using the W-CP protocol stack with a W-AGF serving the 5G-RG, using means out of scope of the present document.
NOTE 2: For establishment of connection using the W-CP protocol stack, see BBF TR-456 issue 2 and CableLabs WR-TR-5WWC-ARCH.
In wireline access, authentication and authorization of an N5GC device behind a CRG for access to 5GCN is performed as described in clause 6.3.2.
6.3.2 Authentication of N5GC device behind a CRG over wireline access
In order to register to 5GCN via wireline access, the N5GC device first establishes a layer-2 connection to W-AGF via the CRG as specified in CableLabs WR-TR-5WWC-ARCH-V02-200430. Once the layer-2 connection is established, authentication and authorization for access to 5GCN is performed.
The W-AGF initiates an exchange of EAP-Request/Identity message and EAP-Response/Identity message as specified in IETF RFC 3748 for obtaining the identity of the N5GC device. In wireline access, the W-AGF and the N5GC device exchange EAP-Request/Identity message and EAP-Response/Identity message via the CRG, encapsulated in the link layer protocol packets.
Upon reception of EAP-Request/Identity message, the N5GC device shall:
a) construct an EAP-Response/Identity message as described in IETF RFC 3748 containing an NAI username@realm as specified in IETF RFC 7542; and
NOTE: If subscription identifier privacy protection is to be used, the "username" part is either omitted or set to "anonymous".
b) transmit the EAP-Response of identity type encapsulated in the link layer protocol packets towards the W-AGF.
The CRG conveys the information provided by the N5GC device to the W-AGF, which initiates the registration on behalf of the N5GC device as described in 3GPP TS 24.501. The SUPI of the N5GC device contains a network specific identifier. For the registration, the W-AGF uses the NULL scheme as specified in 3GPP TS 33.501 to construct a SUCI from the SUPI which was received as the NAI from the N5GC device in the EAP-Response/Identity message.
An exchange of EAP request and EAP response messages as described in IETF RFC 3748 occurs until the N5GC device is authenticated by the 5GCN with the EAP authentication described in 3GPP TS 33.501.
Upon completion of successful authentication and on reception of the authentication result from the AMF, the W-AGF serving the N5GC device shall complete the procedure by sending an EAP-Success message encapsulated in the link layer protocol packets.
6.3a Authentication for NSWO in 5GS
A UE that supports NSWO in 5GS and is configured to use NSWO in 5GS shall not perform NSWO in EPS. NSWO in 5GS capability can be enabled and disabled via configuration on the USIM (see 3GPP TS 31.102) or on the ME. Configuration on the USIM shall take precedence over the ME.
In order to use NSWO in 5GS, and if the WLAN access network requires 5GS-based authentication of a UE to connect to the WLAN, the UE shall perform the EAP-AKA’ authentication procedure as specified in 3GPP TS 33.501 annex S.3. The UE shall use as its identity the SUCI in NAI format for NSWO in 5GS as defined in clause 28.7.12 of 3GPP TS 23.003.
NOTE: The same NAI format is used over both trusted and untrusted non-3GPP access networks for NSWO in 5GS, which is different from the NAI format used for registration over trusted non-3GPP access specified in clause 28.7.6 of 3GPP TS 23.003.
Upon receipt of an EAP-Request/AKA’-Challenge message the UE shall apply the rules for comparison of the locally determined ANID "5G:NSWO" (see table 184.108.40.206-2 of 3GPP TS 24.302) and the Network Name field of the AT_KDF_INPUT attribute received in the EAP-Request/AKA’-Challenge message as specified in IETF RFC 5448.
A roaming UE that supports NSWO in 5GS and is configured to use NSWO in 5GS shall use as its identity the SUCI in decorated NAI format as specified for NSWO in 5GS in clause 28.7.9 of 3GPP TS 23.003.
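As an added example (not part of the specification), the following Python encodes and decodes the AT_KDF_INPUT attribute of RFC 5448 (Type 23, Length in 4-octet units, 2-octet actual name length, zero-padded Network Name) and performs the UE-side comparison of the received Network Name with the locally determined ANID "5G:NSWO". What the UE does on a mismatch is governed by RFC 5448 and TS 24.302 and is left to the caller; the sample attribute bytes are constructed.

```python
AT_KDF_INPUT = 23        # EAP-AKA' attribute type, RFC 5448 section 3
NSWO_ANID = "5G:NSWO"    # locally determined ANID for NSWO in 5GS (see text above)


def encode_at_kdf_input(network_name):
    """Type(1) Length(1, in 4-octet units) ActualNetworkNameLength(2) NetworkName + zero padding."""
    name = network_name.encode("utf-8")
    padded = name + b"\x00" * (-len(name) % 4)   # pad the value to a 4-octet boundary
    total = 4 + len(padded)                        # header plus padded value, always a multiple of 4
    return bytes([AT_KDF_INPUT, total // 4]) + len(name).to_bytes(2, "big") + padded


def decode_at_kdf_input(attr):
    """Return the Network Name, refusing attributes whose two length fields disagree with the bytes present."""
    if len(attr) < 4 or attr[0] != AT_KDF_INPUT:
        raise ValueError("not an AT_KDF_INPUT attribute")
    total, actual = attr[1] * 4, int.from_bytes(attr[2:4], "big")
    if total != len(attr) or 4 + actual > total:
        raise ValueError("AT_KDF_INPUT length fields inconsistent")
    return attr[4:4 + actual].decode("utf-8")


def check_network_name(attr, local_anid=NSWO_ANID):
    """UE-side check on the challenge: the received Network Name must equal the locally
    determined ANID. Returns (match, received_name); mismatch handling is up to the caller."""
    received = decode_at_kdf_input(attr)
    return received == local_anid, received
```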
Editor’s note (CR#0211, NSWO_5G): Need for decorated NAI format for NSWO in 5GS is FFS.
6.4 Handling of ANDSP Information
The Access Network Discovery & Selection policy (ANDSP) is used to control UE behavior related to access network discovery and selection of trusted and untrusted non-3GPP access network.
NOTE: ANDSP does not influence access network discovery and selection of wireline access network.
ANDSP consists of:
– WLAN Selection Policy (WLANSP); and
– Non-3GPP access network (N3AN) node configuration information.
The UE uses the WLANSP for selecting the WLAN.
The UE uses the Non-3GPP access network (N3AN) node configuration information for selecting an N3AN node (i.e. N3IWF or ePDG).
When roaming, the UE can receive ANDSP including WLANSP from H-PCF or V-PCF or both. The ANDSP including N3AN node configuration information is provided by H-PCF only. The UE shall ignore the N3AN node configuration information in the ANDSP if the ANDSP is provided by V-PCF.
The structure and the content of ANDSP are defined in 3GPP TS 24.526.
6.4.2 UE procedures
When ANDSP is modified based on information received from the network as specified in 3GPP TS 24.501 Annex D, the UE shall re-evaluate the ANDSP.
The received ANDSP information shall not impact the PLMN selection and reselection procedures specified in 3GPP TS 23.122.
The UE shall periodically re-evaluate ANDSP. The value of the periodic re-evaluation timer is implementation dependent. An additional trigger for (re‑)evaluating ANDSP is when the active WLANSP rule becomes invalid (conditions no longer fulfilled), or another manufacturer-specific trigger.
6.4.2.1 Use of WLAN selection information
During automatic mode WLAN selection, the UE shall use the WLAN selection policy (WLANSP), if provided by the PCF, to determine the selected WLAN as described in clause 5.3.
6.4.2.2 Use of N3AN node configuration information
If the UE accesses 5GCN via the non-3GPP access, the UE shall use the N3AN node configuration information to select an N3AN node as described in clause 7.2, to be used for establishing IKEv2 security association as described in clause 7.3.
6.4.3 ANDSP information from the network
ANDSP information is provided by the network to the UE using the UE policy delivery procedure described in Annex D of 3GPP TS 24.501.