16 Interworking with NSS-AAA (RADIUS)

3GPP TS 29.561: 5G System; Interworking between 5G Network and external Data Networks; Stage 3 (Release 17)

16.1 RADIUS procedures

16.1.1 General

The Network Slice Specific Authentication and Authorization procedure is triggered for a network slice requiring Network Slice Specific Authentication and Authorization with an NSS-AAA server which may be hosted by the H-PLMN operator or by a third party which has a business relationship with the H-PLMN. An AAA Proxy (AAA-P) in the HPLMN may be involved e.g. if the NSS-AAA Server belongs to a third party.

16.1.2 RADIUS Authentication and Authorization

RADIUS Authentication and Authorization shall be used according to IETF RFC 2865 [8], IETF RFC 3162 [9] and IETF RFC 4818 [10]. In 5G, multiple authentication methods using the Extensible Authentication Protocol (EAP) may be used, such as EAP-TLS (see IETF RFC 5216 [11]) and EAP-TTLS (see IETF RFC 5281 [37]). The NSSAAF or AAA-P shall implement the RADIUS extension to support EAP as specified in IETF RFC 3579 [7].

The RADIUS client function may reside in an NSSAAF. When the NSSAAF receives a Nnssaaf_NSSAA_Authenticate request from the AMF, the RADIUS client function shall send the authentication information together with the network slice information to an NSS-AAA server, either directly or via an AAA-P.

The NSS-AAA server performs authentication and authorization for the user and requested network slice information. When the NSSAAF receives an Access-Accept message from the NSS-AAA server or AAA-P, it shall complete the network slice specific authentication procedure. If Access-Reject or no response is received, the NSSAAF shall reject the network slice specific authentication procedure with a suitable cause code.

The NSS-AAA may revoke the authorization for the network slice, see details in clause 16.2.2. In the present release, the NSS-AAA initiated re-authentication is not supported.

16.2 Message flows for network slice specific authentication

16.2.1 Authentication and Authorization procedures

When the NSSAAF receives a Nnssaaf_NSSAA_Authenticate request from the AMF, it shall send a RADIUS Access-Request message with the EAP extension to an NSS-AAA server, directly or via an AAA-P if an AAA-P is involved. The Access-Request message shall include the GPSI in the Calling-Station-Id or External-Identifier attribute and the network slice information in the 3GPP-S-NSSAI attribute. Upon receipt of the Access-Request message, the NSS-AAA server shall respond with an Access-Challenge message. Multi-round authentication using the Access-Challenge (sent by the NSS-AAA) and Access-Request messages may be used. The NSS-AAA server finally authenticates and authorizes the user and the network slice by replying with an Access-Accept message.

For re-authentication and re-authorization, the NSSAAF shall send a RADIUS Access-Request message with the EAP extension to the NSS-AAA server, directly or via the AAA-P if an AAA-P is used, and the NSS-AAA shall respond with an Access-Challenge message. Multi-round authentication using the Access-Challenge (sent by the NSS-AAA) and Access-Request messages may be used. The NSS-AAA server finally authenticates and authorizes the user and the network slice by replying with an Access-Accept message.

Figure 16.2.1-1 shows an example message flow for the RADIUS Authentication and Authorization procedure between an AMF and an NSS-AAA server:

1. AMF decides to trigger the start of the Network Slice Specific Authentication and Authorization procedure.

2. The AMF may send an EAP Identity Request in a NAS Network Slice-Specific Authentication Command message.

3. The UE provides the EAP Identity Response in a NAS Network Slice-Specific Authentication Complete message towards the AMF.

4. The AMF sends Nnssaaf_NSSAA_Authenticate Request to the NSSAAF including the authentication/authorization information.

5-6. If the AAA-P is present (e.g. because the NSS-AAA belongs to a third party and the operator deploys a proxy towards third parties), the NSSAAF sends the Access-Request message to the NSS-AAA via the AAA-P to forward the authentication/authorization information, otherwise the NSSAAF sends the Access-Request message directly to the NSS-AAA.

7-14. The NSS-AAA responds with the Access-Challenge message to the NSSAAF, directly or via the AAA-P. The authentication/authorization information is further transferred to the UE via the AMF by the Nnssaaf_NSSAA_Authenticate service and the NAS Network Slice-Specific Authentication Command message. The UE responds to the received authentication/authorization data; its response is transferred in the NAS Network Slice-Specific Authentication Complete message and the Nnssaaf_NSSAA_Authenticate service, and is finally sent to the NSS-AAA by the NSSAAF, via the AAA-P if the AAA-P is used, in an Access-Request message.

NOTE: Step 7 to step 14 can be repeated depending on the authentication/authorization mechanism used (e.g. EAP-TLS).

15-16. If the AAA-P is used, the NSS-AAA sends an Access-Accept message with the final result of the authentication/authorization to the NSSAAF via the AAA-P; otherwise the NSS-AAA sends the Access-Accept message directly to the NSSAAF.

17. The NSSAAF sends a Nnssaaf_NSSAA_Authenticate Response with the final result of authentication/authorization information to the AMF.

18. The AMF transfers the final result of authentication/authorization information in a NAS Network Slice-Specific Authentication Result message to the UE.

Figure 16.2.1-1: Network slice specific authentication and Authorization procedure (RADIUS)

16.2.2 NSS-AAA initiated revocation of network slice authorization

The NSS-AAA server may send a RADIUS Disconnect-Request to the NSSAAF, directly or via the AAA-P (if an AAA-P is used), asking for revocation of the network slice authorization. On receipt of the Disconnect-Request from the NSS-AAA server, the NSSAAF shall check whether the NSS-AAA server is authorized to request the revocation by verifying the local configuration of the address of the NSS-AAA server per S-NSSAI. If the check is successful, the NSSAAF shall release the resources, interact with its succeeding Network Function (the AMF, which is obtained from the UDM by the Nudm_UECM_GET service operation with the GPSI) and reply with a Disconnect-ACK. If the NSSAAF is unable to release the corresponding resources, it shall reply to the NSS-AAA server with a Disconnect-NAK. For more information on RADIUS Disconnect, see IETF RFC 5176 [27]. The NSSAAF need not wait for the response (i.e. the Nudm_UECM_GET or Nnssaaf_NSSAA_Notify response) from the succeeding Network Function before sending the RADIUS Disconnect-ACK to the NSS-AAA server or the AAA-P (if an AAA-P is used).

Editor's Note: It is FFS whether RADIUS is applicable.

Figure 16.2.2-1 shows an example message flow for the procedure of NSS-AAA initiated revocation of network slice authorization. If the AAA-P is not used, the Disconnect-Request and Disconnect-ACK/NAK messages are exchanged directly between the NSS-AAA and the NSSAAF.

Figure 16.2.2-1: NSS-AAA initiated revocation of network slice authorization with RADIUS
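The Disconnect-Request handling described in clause 16.2.2 above, as an added worked example (not code from the 3GPP specification or any vendor implementation). The NSSAAF side verifies the Request Authenticator with the shared secret, checks the sender's address against a per-S-NSSAI local configuration, releases the session and answers with Disconnect-ACK, or Disconnect-NAK with an Error-Cause when the resources cannot be released. Packet codes 40/41/42, the Request Authenticator rule and the Error-Cause values are those of IETF RFC 5176; the configuration table, the session store, the addresses, the GPSI and the shared secret are constructed for the example, and the release callback stands in for the NSSAAF's resource release and Nudm_UECM_GET/Nnssaaf_NSSAA_Notify interaction, which is not modelled.

```python
"""NSSAAF handling of an NSS-AAA initiated RADIUS Disconnect-Request (clause 16.2.2).

Added example, not code from the 3GPP specification. Packet codes, the Request
Authenticator and Error-Cause values follow RFC 5176/RFC 2866; the per-S-NSSAI
table of NSS-AAA (or AAA-P) addresses, the session store and the release callback
are constructed stand-ins for NSSAAF local configuration and state.
"""
import hashlib
import struct
from typing import Callable, List, Optional, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_CALLING_STATION_ID = 31   # carries the GPSI, as in the Access-Request of clause 16.2.1
ATTR_ERROR_CAUSE = 101
ERR_ADMINISTRATIVELY_PROHIBITED = 501
ERR_SESSION_CONTEXT_NOT_FOUND = 503
ERR_SESSION_CONTEXT_NOT_REMOVABLE = 504

# Constructed local configuration: S-NSSAI (SST, SD) -> addresses allowed to revoke it.
AUTHORISED_REVOKERS = {(1, b"\x00\x00\x2a"): {"198.51.100.10"},
                       (2, None): {"198.51.100.20"}}
# Constructed session state: GPSI -> S-NSSAI currently authorised for that UE.
SESSIONS = {"msisdn-123456789": (1, b"\x00\x00\x2a")}


def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting length fields that overrun or would loop forever."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 1 >= len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        out.append((attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]))
        pos += attrs[pos + 1]
    return out


def request_authenticator(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 2.3 / RFC 2866: MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_disconnect_request(secret: bytes, identifier: int, gpsi: str) -> bytes:
    """What the NSS-AAA (or AAA-P) sends: the session is identified by the GPSI."""
    attrs = attribute(ATTR_CALLING_STATION_ID, gpsi.encode())
    auth = request_authenticator(DISCONNECT_REQUEST, identifier, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def build_response(code: int, identifier: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Disconnect-ACK/NAK: ResponseAuth = MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    return resp[4:20] == hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()


def error_cause(resp: bytes) -> Optional[int]:
    for attr_type, value in parse_attributes(resp[20:]):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def handle_disconnect_request(packet: bytes, source: str, secret: bytes,
                              release: Callable[[str, tuple], bool]) -> Optional[bytes]:
    """Return the reply to send, or None when the request is silently discarded.

    `release` stands in for the NSSAAF releasing its resources and notifying the AMF
    (found through Nudm_UECM_GET with the GPSI); per clause 16.2.2 the Disconnect-ACK
    does not wait for the AMF's answer, so only the local release result is used here.
    """
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    req_auth, attrs = packet[4:20], packet[20:]
    if req_auth != request_authenticator(code, identifier, attrs, secret):
        return None   # RFC 5176: invalid Request Authenticator -> silently discard
    if not any(source in peers for peers in AUTHORISED_REVOKERS.values()):
        return None   # address configured for no S-NSSAI at all -> discard (assumption)
    try:
        gpsi = next((v.decode() for t, v in parse_attributes(attrs) if t == ATTR_CALLING_STATION_ID), None)
    except (ValueError, UnicodeDecodeError):
        return None
    s_nssai = SESSIONS.get(gpsi)
    if s_nssai is None:
        cause = ERR_SESSION_CONTEXT_NOT_FOUND
    elif source not in AUTHORISED_REVOKERS.get(s_nssai, set()):
        cause = ERR_ADMINISTRATIVELY_PROHIBITED   # known peer, but not authorised for this S-NSSAI
    elif not release(gpsi, s_nssai):
        cause = ERR_SESSION_CONTEXT_NOT_REMOVABLE  # "unable to release the corresponding resources"
    else:
        return build_response(DISCONNECT_ACK, identifier, b"", req_auth, secret)
    return build_response(DISCONNECT_NAK, identifier,
                          attribute(ATTR_ERROR_CAUSE, struct.pack("!I", cause)), req_auth, secret)
```

The order of the checks is deliberate: the authenticator and the address check come before any session lookup, so a request from an address that is not a configured NSS-AAA or AAA-P gets no reply at all and learns nothing about which GPSIs have an active slice authorization. The choice to discard (rather than NAK) such requests is an assumption in this example; the specification text only states the check and the ACK/NAK outcomes.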

16.3 List of RADIUS attributes

16.3.1 General

The information defined in clause 11.3 is re-used for network slice specific authentication with the following differences:

– NSSAAF replaces SMF.

– IP, Ethernet and PDU session related descriptions and attributes are not applicable.

– RADIUS messages for accounting function (Accounting Request/Response) are not applicable.

– Additional detailed information needed for network slice specific authentication is described below.

Table 16.3-1: Additional information needed for network slice specific authentication

Sub-attr #   Sub-attribute Name   Differences
200          3GPP-S-NSSAI         Added.

NOTE: 5G specific RADIUS VSAs for network slice specific authentication are numbered from 200.

200 – 3GPP-S-NSSAI

Octet(s)   Bits 8 to 1
1          3GPP type = 200
2          3GPP Length = m
3          SST
4-6        SD (octet string)

3GPP Type: 200

Length: 3 or 6

SST: the Slice/Service Type with value range 0 to 255.

SD: 3-octet string representing the Slice Differentiator; the encoding follows the sd attribute specified in clause 5.4.4.2 of 3GPP TS 29.571 [46]. Its presence depends on the Length field.

Table 16.3-2 describes the sub-attributes of the 3GPP Vendor-Specific attribute described above in different RADIUS messages.

Table 16.3-2: List of the 3GPP Vendor-Specific sub-attributes for network slice specific authentication

Sub-attr #   Sub-attribute Name   Description                Presence Requirement   Associated attribute (Location of Sub-attr)   Applicability
200          3GPP-S-NSSAI         It includes the S-NSSAI.   Conditional (NOTE)     Vendor-Specific                               Access-Request

NOTE: This VSA shall be included in the initial Access-Request message.
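The initial Access-Request of clause 16.2.1 and the 3GPP-S-NSSAI octet layout of clause 16.3, as one added worked example (not code from the 3GPP specification or any vendor implementation). It encodes and decodes the 3GPP-S-NSSAI sub-attribute with the Length-driven presence of SD, wraps it in a RADIUS Vendor-Specific attribute, builds the NSSAAF's Access-Request carrying the GPSI in Calling-Station-Id, the EAP payload in EAP-Message and a Message-Authenticator, and verifies that authenticator on receipt as IETF RFC 3579 requires. The 3GPP Vendor-Id 10415, the shared secret, the GPSI, the EAP payload and the S-NSSAI values are assumptions or constructed inputs, not values stated on this page.

```python
"""Initial NSSAAF -> NSS-AAA Access-Request (clause 16.2.1) with the 3GPP-S-NSSAI VSA (clause 16.3).

Added example, not text from the 3GPP specification. Packet and attribute layout
follow RFC 2865, EAP-Message/Message-Authenticator follow RFC 3579, and the
3GPP-S-NSSAI sub-attribute follows the octet layout of clause 16.3. Secret, GPSI,
EAP payload and S-NSSAI values are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_3GPP = 10415    # 3GPP IANA enterprise number; an assumption, not stated on this page
SUBATTR_S_NSSAI = 200  # 3GPP-S-NSSAI sub-attribute number from Table 16.3-1


def encode_s_nssai(sst: int, sd: Optional[bytes] = None) -> bytes:
    """3GPP type = 200, 3GPP Length = m, with m = 3 (SST only) or 6 (SST plus 3-octet SD)."""
    if not 0 <= sst <= 255:
        raise ValueError("SST must be in 0..255")
    if sd is not None and len(sd) != 3:
        raise ValueError("SD must be exactly 3 octets")
    body = bytes([sst]) + (sd or b"")
    return bytes([SUBATTR_S_NSSAI, 2 + len(body)]) + body


def decode_s_nssai(sub: bytes) -> Tuple[int, Optional[bytes]]:
    """Inverse of encode_s_nssai; the presence of SD is derived from the Length field alone."""
    if len(sub) < 2 or sub[0] != SUBATTR_S_NSSAI or sub[1] != len(sub):
        raise ValueError("not a well-formed 3GPP-S-NSSAI sub-attribute")
    if sub[1] == 3:
        return sub[2], None
    if sub[1] == 6:
        return sub[2], sub[3:6]
    raise ValueError("3GPP-S-NSSAI Length must be 3 or 6, got %d" % sub[1])


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes([attr_type, 2 + len(value)]) + value


def vendor_specific(sub_attribute: bytes) -> bytes:
    """Vendor-Specific (26): 4-octet Vendor-Id followed by the 3GPP sub-attribute."""
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + sub_attribute)


def build_access_request(secret: bytes, identifier: int, request_authenticator: bytes,
                         gpsi: str, eap_message: bytes, sst: int, sd: Optional[bytes]) -> bytes:
    """GPSI in Calling-Station-Id, EAP payload in EAP-Message, S-NSSAI in the 3GPP VSA,
    sealed with Message-Authenticator = HMAC-MD5(secret, whole packet with that value zeroed)."""
    attrs = (attribute(ATTR_CALLING_STATION_ID, gpsi.encode())
             + attribute(ATTR_EAP_MESSAGE, eap_message)
             + vendor_specific(encode_s_nssai(sst, sd))
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute: its value is the final 16 octets


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting length fields that overrun or would loop forever."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 1 >= len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the received Message-Authenticator value zeroed (RFC 3579 3.2)."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False  # RFC 3579: an EAP-carrying Access-Request without Message-Authenticator is discarded


def extract_s_nssai(packet: bytes) -> Optional[Tuple[int, Optional[bytes]]]:
    """Return (SST, SD) from the 3GPP-S-NSSAI VSA, or None when the packet carries none."""
    for attr_type, value in parse_attributes(packet):
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) > 4
                and struct.unpack("!I", value[:4])[0] == VENDOR_3GPP and value[4] == SUBATTR_S_NSSAI):
            return decode_s_nssai(value[4:])
    return None
```

On the receiving side the order matters: the Message-Authenticator is checked before any attribute value is acted on, and a 3GPP-S-NSSAI whose Length is neither 3 nor 6 is rejected rather than guessed at, since the specification ties the presence of SD to the Length field alone.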