12.6 PS authentication

34.123-13GPPPart 1: Protocol conformance specificationRelease 15TSUser Equipment (UE) conformance specification

12.6.1 Test of authentication

The purpose of this procedure is to verify the user identity. A correct response is essential to guarantee the establishment of the connection. If not, the connection will drop.

12.6.1.1 Authentication accepted

12.6.1.1.1 Definition

12.6.1.1.2 Conformance requirement

A User Equipment shall correctly respond in an authentication and ciphering procedure by sending a response with the RES information field set to the same value as the one produced by the authentication and ciphering algorithm in the network.

Reference

3GPP TS 24.008 clause 4.7.7.

12.6.1.1.3 Test purpose

To test the behaviour of the UE if the network accepts the authentication and ciphering procedure.

12.6.1.1.4 Method of test

Initial condition

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1 (RAI-1), cell B in MCC1/MNC1/LAC1/RAC2 (RAI-4).
Both cells are operating in network operation mode II.

The SIB1 IE "CN domain specific NAS system information", for the CS Domain, is set to value "00 00" (T3212 value is set to 0 and ATT flag is set to FALSE to prevent repeated CS domain registration and/or IMSI Detach by UEs in operation mode A) in both cells.

User Equipment:

The UE has a valid IMSI.

If the UE is in UE operation mode A, then the UE has been registered in the CS domain

Related ICS/IXIT statements

Support of PS service Yes/No
UE operation mode A Yes/No
UE operation mode C Yes/No (only if mode A not supported)
Switch off on button Yes/No
Automatic PS attach procedure at switch on or power on Yes/No

Test procedure

A PS attach is performed, and the SS initiates an authentication and ciphering procedure.

The SS checks the value RES sent by the UE in the AUTHENTICATION AND CIPHERING RESPONSE message.

The UE initiates a routing area updating procedure and the SS checks the value of the PS Ciphering Key Sequence Number sent by the UE in the ROUTING AREA REQUEST message.

Expected Sequence

Step

Direction

Message

Comments

UE

SS

The following messages are sent and shall be received on cell A.

1

SS

Set the cell type of cell A to the "Serving cell".

Set the cell type of cell B to the "Non-Suitable cell".

(see note)

2

UE

The UE is set in UE operation mode C (see ICS). If UE operation mode C not supported, goto step 17.

3

UE

The UE is powered up or switched on and initiates an attach (see ICS).

3a

SS

SS checks that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

4

->

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI

5

<-

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Set PS-CKSN-1

6

->

AUTHENTICATION AND CIPHERING RESPONSE

RES

7

SS

The SS checks the RES value and starts integrity protection.

8

<-

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Allocated P-TMSI = P-TMSI-2

P-TMSI Signature = P-TMSI-2 signature

Routing area identity = RAI-1

9

->

ATTACH COMPLETE

9a

SS

The SS releases the RRC connection.

The following messages are sent and shall be received on cell B.

10

SS

Set the cell type of cell A to the "Non-Suitable cell".

Set the cell type of cell B to the "Serving cell".

(see note)

10a

SS

SS checks that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

11

->

ROUTING AREA UPDATE REQUEST

Update type = ‘RA updating’

Old P-TMSI signature=P-TMSI-2 signature

Old Routing area identity = RAI-1

PS-CKSN-1

12

SS

The value of PS-CKSN is checked. Integrity protection is started.

13

<-

ROUTING AREA UPDATE ACCEPT

Update result = ‘RA updated’

Allocated P-TMSI = P-TMSI-1

P-TMSI Signature = P-TMSI-1 signature

Routing area identity = RAI-4

14

->

ROUTING AREA UPDATE COMPLETE

15

UE

The UE is switched off or power is removed (see ICS).

16

->

DETACH REQUEST

Message not sent if power is removed.

Detach type = ‘power switched off, GPRSdetach’

16a

SS

The SS releases the RRC connection. If no RRC CONNECTION RELEASE COMPLETE message have been received within 1 second then the SS shall consider the UE as switched off.

17

SS

Set the cell type of cell A to the "Serving cell".

Set the cell type of cell B to the "Non-Suitable cell".

(see note)

18

UE

The UE is set in UE operation mode A (see ICS) and the test is repeated from step 3 to step 16a.

NOTE: The definitions for "Non-Suitable cell" and "Serving cell" are specified in TS34.108 clause 6.1 in the relevant to the RAT of the cells "Reference Radio Conditions" subclauses.

Specific message contents

None.

12.6.1.1.5 Test requirements

At steps 3a and 10a the UE shall transmit an RRC CONNECTION REQUEST message with the IE "Establishment cause" set to "Registration".

At step4, when the UE is powered on or switched on, UE shall:

– initiate the PS attach procedure with information elements specified in the above Expected Sequence.

At step6, when the UE receives the AUTHENTICATION AND CIPHERING REQUEST message form SS, UE shall:

– send the AUTHENTICATION AND CIPHERING RESPONSE message with the RES information field set to the same value as the one produced by the authentication and ciphering algorithm in the network.

At step11, when the RF level of the attached cell is lower than the RF level of the new cell, UE shall:

– perform routing area updating procedure.

12.6.1.2 Authentication rejected by the network

12.6.1.2.1 Definition

12.6.1.2.2 Conformance requirement

Upon receipt of an AUTHENTICATION AND CIPHERING REJECT message, the UE shall set the PS update status to GU3 ROAMING NOT ALLOWED and shall delete the P-TMSI, P-TMSI signature, RAI and PS ciphering key sequence number stored.

The USIM shall be considered as invalid until switching off or the USIM is removed.

If the AUTHENTICATION AND CIPHERING REJECT message is received, the UE shall abort any GMM procedure, shall stop the timers T3310 and T3330 (if running) and shall enter state GMM-DEREGISTERED.

Reference

3GPP TS 24.008 clauses 4.7.7.5.

12.6.1.2.3 Test purpose

To test the behaviour of the UE if the network rejects the authentication and ciphering procedure.

12.6.1.2.4 Method of test

Initial condition

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1 (RAI-1), cell B in MCC1/MNC1/LAC1/RAC2 (RAI-4).
Both cells are operating in network operation mode II.
The SIB1 IE "CN domain specific NAS system information", for the CS Domain, is set to value "00 00" (T3212 value is set to 0 and ATT flag is set to FALSE) in both cells.

User Equipment:

The UE has a valid IMSI.

If the UE is in UE operation mode A, then the UE has been registered in the CS domain

Related ICS/IXIT statements

Support of PS service Yes/No
UE operation mode A Yes/No
UE operation mode C Yes/No(only if mode A not supported)
Switch off on button Yes/No
Automatic PS attach procedure at switch on or power on Yes/No

Test procedure

The test sequence is repeated for K = 1, 2.

A complete PS attach procedure is performed. The SS rejects the following authentication and ciphering procedure. The UE is paged with its IMSI and shall not respond.
The Cell is changed into a new Routing Area.

The SS checks that the UE does not perform normal routing area updating.

The SS then checks that the UE does not perform a PS detach.

The SS checks that the UE does not perform a PS Attach procedure.

Expected Sequence

The test sequence is repeated for k = 1, 2

For k =1, the UE is set in UE operation mode C. If MS operation mode C not supported then k = 2.

For k = 2 the UE is set in UE operation mode A.

Step

Direction

Message

Comments

UE

SS

The following messages are sent and shall be received on cell A.

1

SS

Set the cell type of cell A to the "Serving cell".

Set the cell type of cell B to the "Non-Suitable cell".

(see note)

2

UE

The UE is powered up or switched on and initiates an attach (see ICS).

2a

Void

2b

SS

SS checks that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

3

->

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI

4

Void

5

Void

6

<-

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Set PS-CKSN-1

7

->

AUTHENTICATION AND CIPHERING RESPONSE

RES

8

<-

AUTHENTICATION AND CIPHERING REJECT

8a

SS

The SS releases the RRC connection and waits 5s to allow the UE to read system information.

9

<-

PAGING TYPE1

Mobile identity = IMSI
Paging order is for PS services.

10

UE

No response from the UE to the request. This is checked for 10 seconds.

The following messages are sent and shall be received on cell B.

11

SS

Set the cell type of cell A to the "Non-Suitable cell".

Set the cell type of cell B to the "Serving cell".

(see note)

12

UE

Cell B is preferred by the MS.

13

UE

No ROUTING AREA UPDATE REQUEST sent to the SS
(SS waits 30 seconds).

14

UE

The UE initiates an attach by MMI or by AT command.

15

UE

No ATTACH REQUEST sent to the SS
(SS waits 30 seconds).

16

UE

The UE is switched off (see ICS).

17

SS

No DETACH REQUEST sent to the SS
(SS waits 30 seconds).

18

The UE is powered up or switched on and initiates an attach (see ICS).

Step 19 is only performed for k =2

19

UE

Registration on CS

See TS 34.108

SS checks Mobile identity = IMSI.

SS allocates Mobile identity = TMSI-1.

19a

SS

SS checks that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

20

->

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI

20a

<-

AUTHENTICATION AND CIPHERING REQUEST

20b

->

AUTHENTICATION AND CIPHERING RESPONSE

20c

SS

The SS starts integrity protection.

21

<-

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Allocated P-TMSI = P-TMSI-1

P-TMSI Signature = P-TMSI-1 signature
Routing area identity = RAI-4

22

->

ATTACH COMPLETE

22a

SS

The SS releases the RRC connection.

23

UE

The UE is switched off or power is removed. (see ICS)

23a

SS

SS checks that the IE "Establishment cause" in any received RRC CONNECTION REQUEST message is set to "Detach".

24

->

DETACH REQUEST

Message not sent if power is removed.

24a

SS

If the power was not removed, the SS releases the RRC connection. If no RRC CONNECTION RELEASE COMPLETE message have been received within 1 second then the SS shall consider the UE as switched off .

25

UE

If k=1 then the test is repeated for k=2.

NOTE: The definitions for "Non-Suitable cell" and "Serving cell" are specified in TS34.108 clause 6.1 in the relevant to the RAT of the cells "Reference Radio Conditions" subclauses.

Specific message contents

None.

12.6.1.2.5 Test requirements

At step3, when the UE is powered on or switched on, UE shall:

– initiate the PS attach procedure with information elements specified in the above Expected Sequence.

At step9, when the UE receives the AUTHENTICATION AND CIPHERING REJECT message, UE shall:

– not respond paging message for PS domain.

At step13, when the RF level of the attached cell is lower than the RF level of the new cell, UE shall:

– not perform normal routing area updating.

At step17, when the UE is switched off, UE shall:

– not perform PS detach procedure.

12.6.1.3 Authentication rejected by the UE

12.6.1.3.1 GMM cause ‘MAC failure’

12.6.1.3.1.1 Definition

12.6.1.3.1.2 Conformance requirement

If the UE considers the MAC code (supplied by the core network in the AUTN parameter) to be invalid, the UE shall send AUTHENTICATION AND CIPHERING FAILURE message with the reject cause ‘MAC failure’ to the System Simulator.

Reference

3GPP TS 24.008 clause 4.7.7.

12.6.1.3.1.3 Test purpose

To test the behaviours of the UE, when the UE considers the MAC code (supplied by the core network in the AUTN parameter) to be invalid.

12.6.1.3.1.4 Method of test

Initial condition

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1 (RAI-1), cell B in MCC1/MNC1/LAC1/RAC2 (RAI-4).
Both cells are operating in network operation mode II.
The SIB1 IE "CN domain specific NAS system information", for the CS Domain, is set to value "00 00" (T3212 value is set to 0 and ATT flag is set to FALSE) in both cells.

The MAC (Message Authentication Code) code, which is included in AUTHENTICATION AND CIPHERING REQUEST, is invalid value.

User Equipment:

The UE has a valid IMSI.

The UE has been registered in the CS domain.

Related ICS/IXIT statements

Support of PS service Yes/No
UE operation mode A Yes/No
UE operation mode C Yes/No
Switch off on button Yes/No
Automatic PS attach procedure at switch on or power on Yes/No

Test procedure

A PS attach is performed, and the SS initiates an authentication and ciphering procedure.

The UE sends AUTHENTICATION AND CIPHERING FAILURE message with reject cause ‘MAC failure’ to the SS.

The SS initiates an identification procedure, upon receipt of a failure message with reject cause ‘MAC failure’.

After the identification procedure is complete, the SS re-initiates an authentication and ciphering procedure.

Expected Sequence

Step

Direction

Message

Comments

UE

SS

The following messages are sent and shall be received on cell A.

1

SS

Set the cell type of cell A to the "Serving cell".

Set the cell type of cell B to the "Non-Suitable cell".

(see note 1)

2

UE

The UE is set in UE operation mode C (see ICS). If UE operation mode C is not supported, goto step 25.

3

UE

4

The following messages are sent and shall be received on cell A.

5

UE

The UE is powered up or switched on and initiates an attach (see ICS).

5a

SS

The SS verifies that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

6

->

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobility identity = IMSI

7

<-

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.

Invalid Message Authentication Code (MAC).

9

->

AUTHENTICATION AND CIPHERING FAILURE

GMM cause=’MAC failure’

9a

<-

IDENTITY REQUEST

Identity type = IMSI

9b

->

IDENTITY RESPONSE

Mobile identity = IMSI

10

<-

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.

Including PS-CSKN-1

11

->

AUTHENTICATION AND CIPHERING RESPONSE

RES

12

SS

The SS checks the RES value and starts integrity protection.

13

Void

14

Void

15

Void

16

<-

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Allocated P-TMSI = P-TMSI-2

P-TMSI Signature = P-TMSI-2 signature

Routing area identity = RAI-1

17

->

ATTACH COMPLETE

17a

SS

The SS releases the RRC connection.

The following messages are sent and shall be received on cell B.

18

SS

Set the cell type of cell A to the "Non-Suitable cell".

Set the cell type of cell B to the "Serving cell".

(see note 1)

18a

SS

The SS verifies that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

19

->

ROUTING AREA UPDATE REQUEST

Update type = ‘RA updating’

Old P-TMSI signature=P-TMSI-2 signature

Old Routing area identity = RAI-1

PS-CKSN-1

20

SS

The SS checks the value of PS-CKSN and starts integrity protection.

21

<-

ROUTING AREA UPDATE ACCEPT

Update result = ‘RA updated’

Allocated P-TMSI = P-TMSI-1

P-TMSI Signature = P-TMSI-1 signature

Routing area identity = RAI-4

22

->

ROUTING AREA UPDATE COMPLETE

23

UE

The UE is switched off or power is removed (see ICS).

24

->

DETACH REQUEST

Message is not sent if power is removed.

Detach type = ‘power switched off, GPRSdetach’

24a

SS

The SS releases the RRC connection. If no RRC CONNECTION RELEASE COMPLETE message have been received within 1 second then the SS shall consider the UE as switched off.

25

UE

The UE is set in UE operation mode A (see ICS) and the test is repeated from step 1 to step 24.

NOTE: The definitions for "Non-Suitable cell" and "Serving cell" are specified in TS34.108 clause 6.1 in the relevant to the RAT of the cells "Reference Radio Conditions" subclauses.

Specific message contents

None.

12.6.1.3.1.5 Test requirements

At step6, when the UE is powered on or switched on, UE shall:

– initiate the PS attach procedure with information element specified in the above Expected Sequence.

At step9, when the UE receives the AUTHENTICATION AND CIPHERING REQUEST with Invalid Message Authentication Code, UE shall:

– send the AUTHENTICATION AND CIPHERING FAILURE message with GMM cause ‘MAC failure’ to the SS

At step11, when the UE receives the second AUTHENTICATION AND CIPHERING REQUEST message (containing a valid MAC) from SS, UE shall:

– send the AUTHENTICATION AND CIPHERING RESPONSE message to SS.

At step9b, when the UE receives the IDENTITY REQUEST message with Identity type = IMSI from SS, UE shall:

– send the IDENTITY RESPONSE message with Mobile identity = IMSI to SS.

12.6.1.3.2 GMM cause ‘Synch failure’

12.6.1.3.2.1 Definition

12.6.1.3.2.2 Conformance requirement

If the UE considers the SQN (supplied by the core network in the AUTN parameter) to be out of range, the UE shall send AUTHENTICATION AND CIPHERING FAILURE message with the reject cause ‘Synch failure’ to the System Simulator.

Reference

3GPP TS 24.008 clause 4.7.7.

12.6.1.3.2.3 Test purpose

To test the behaviours of the UE, when the UE considers the SQN (supplied by the core network in the AUTN parameter) to be out of range.

12.6.1.3.2.4 Method of test

Initial condition

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1 (RAI-1), cell B in MCC1/MNC1/LAC1/RAC2 (RAI-4).
Both cells are operating in network operation mode II.
The SIB1 IE "CN domain specific NAS system information", for the CS Domain, is set to value "00 00" (T3212 value is set to 0 and ATT flag is set to FALSE) in both cells.

User Equipment:

The UE has a valid IMSI.

The UE has been registered in the CS domain.

Related ICS/IXIT statements

Support of PS service Yes/No
UE operation mode A Yes/No
UE operation mode C Yes/No
Switch off on button Yes/No
Automatic PS attach procedure at switch on or power on Yes/No

Test procedure

A PS attach is performed, and the SS initiates an authentication and ciphering procedure.

UE sends AUTHENTICATION AND CIPHERING FAILURE message with reject cause ‘synch failure’ to the SS.

SS re-initiates an authentication and ciphering procedure.

Expected Sequence

Step

Direction

Message

Comments

UE

SS

The following messages are sent and shall be received on cell A.

1

SS

Set the cell type of cell A to the "Serving cell".

Set the cell type of cell B to the "Non-Suitable cell".

(see note 1)

2

UE

The UE is set in UE operation mode C (see ICS). If UE operation mode C is not supported, goto step 21.

The following messages are sent and shall be received on cell A.

3

UE

The UE is powered up or switched on and initiates an attach (see ICS).

3a

SS

The SS verifies that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

4

->

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobility identity = IMSI

5

<-

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.

SQN is out of range.

6

Void

7

->

AUTHENTICATION AND CIPHERING FAILURE

GMM cause = ‘Synch failure’

AUTS parameter

8

SS

set new authentication vectors. (re-synchronisation)

9

<-

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.

Including PS-CKSN-1

10

->

AUTHENTICATION AND CIPHERING RESPONSE

RES

11

SS

The SS checks the RES value and starts integrity protection.

12

<-

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Allocated P-TMSI = P-TMSI-2

P-TMSI Signature = P-TMSI-2 signature

Routing area identity = RAI-1

13

->

ATTACH COMPLETE

13a

SS

The SS releases the RRC connection.

The following messages are sent and shall be received on cell B.

14

SS

Set the cell type of cell A to the "Non-Suitable cell".

Set the cell type of cell B to the "Serving cell".

(see note 1)

14a

SS

The SS verifies that the IE "Establishment cause" in the received RRC CONNECTION REQUEST message is set to "Registration".

15

->

ROUTING AREA UPDATE REQUEST

Update type = ‘RA updating’

Old P-TMSI signature=P-TMSI-2 signature

Old Routing area identity = RAI-1

PS-CKSN-1

16

SS

The SS checks the value of PS-CKSN and starts integrity protection

17

<-

ROUTING AREA UPDATE ACCEPT

Update result = ‘RA updated’

Allocated P-TMSI = P-TMSI-1

P-TMSI Signature = P-TMSI-1 signature

Routing area identity = RAI-4

18

->

ROUTING AREA UPDATE COMPLETE

19

UE

The UE is switched off or power is removed (see ICS).

20

->

DETACH REQUEST

Message is not sent if power is removed.

Detach type = ‘power switched off, GPRSdetach’

20a

SS

The SS releases the RRC connection. If no RRC CONNECTION RELEASE COMPLETE message have been received within 1 second then the SS shall consider the UE as switched off.

21

UE

The UE is set in UE operation mode A (see ICS) and the test is repeated from step 1 to step 20.

NOTE: The definitions for "Non-Suitable cell" and "Serving cell" are specified in TS34.108 clause 6.1 in the relevant to the RAT of the cells "Reference Radio Conditions" subclauses.

Specific message contents

None.

12.6.1.3.2.5 Test requirements

At step4, when the UE is powered on or switched on, UE shall:

– initiate the PS attach procedure with information element specified in the above Expected Sequence.

At step7, when the UE receives the AUTHENTICATION AND CIPHERING REQUEST message(SQN is out of range.), UE shall:

– send the AUTHENTICATION AND CIPHERING FAILURE message with GMM cause ‘synch failure’ to the SS

At step9, when the UE receives the second AUTHENTICATION AND CIPHERING REQUEST message from SS, UE shall:

– send the AUTHENTICATION AND CIPHERING RESPONSE message to SS.

At step15, when the RF level of the attached cell is lower than the RF level of the new cell, UE shall:

– perform routing area updating procedure.

12.6.1.3.3 Authentication rejected by the UE / fraudulent network

12.6.1.3.3.1 Definition

12.6.1.3.3.2 Conformance requirement

R99 and REL-4:

1. It can be assumed that the source of the authentication challenge is not genuine (authentication not accepted by the UE) if any of the following occur:

– After sending the AUTHENTICATION & CIPHERING FAILURE message with GMM cause ‘MAC failure’ the timer T3318 expires;

– Upon receipt of the second AUTHENTICATION & CIPHERING REQUEST message from the network while the T3318 is running and the MAC value cannot be resolved.

When it has been deemed by the MS that the source of the authentication challenge is not genuine (authentication not accepted by the MS), the MS shall behave as described in 3GPP 24.008 clause 4.7.7.6.1.

2. In addition to the cases specified in subclause 4.7.7.6, the UE may deem that the network has failed the authentication check after any combination of three consecutive authentication failures, regardless whether ‘MAC failure’, ‘invalid SQN’, or ‘GSM authentication unacceptable’ was diagnosed. The authentication failures shall be considered as consecutive only, if the authentication challenges causing the second and third authentication failure are received by the UE, while the timer T3318 or T3320 started after the previous authentication failure is running.

If the UE deems that the network has failed the authentication check, then it shall request RR or RRC to release the RR connection and the PS signalling connection, if any, and bar the active cell or cells (see 3GPP TS 25.331 and 3GPP TS 04.18).

Reference

3GPP TS 24.008 clause 4.7.7.6 (f) and 4.7.7.6.1.

REL-5 and later releases:

1. It can be assumed that the source of the authentication challenge is not genuine (authentication not accepted by the UE) if any of the following occurs:

– after sending the AUTHENTICATION & CIPHERING FAILURE message with GMM cause ‘MAC failure’ the timer T3318 expires;

  • the MS detects any combination of the authentication failures: "MAC failure", "invalid SQN", and "GSM authentication unacceptable", during three consecutive authentication challenges. The authentication challenges shall be considered as consecutive only, if the authentication challenges causing the second and third authentication failure are received by the MS, while the timer T3318 or T3320 started after the previous authentication failure is running.

When it has been deemed by the MS that the source of the authentication challenge is not genuine (authentication not accepted by the MS), the MS shall behave as described in 3GPP TS 24.008 subclause 4.7.7.6.1.

2. If the UE deems that the network has failed the authentication check, then it shall request RR or RRC to release the RR connection and the PS signalling connection, if any, and bar the active cell or cells (see 3GPP TS 25.331 and 3GPP TS 44.018).

Reference

3GPP TS 24.008 clause 4.7.7.6 (f) and 4.7.7.6.1.

12.6.1.3.3.3 Test purpose

R99 and REL-4

To test UE treating a cell as barred:

1. when the network sends the second or third AUTHENTICATION & CIPHERING REQUEST message with invalid MAC code during the timer T3318 is running.

2. when the timer T3318 has expired.

REL-5 or later release:

To test UE treating a cell as barred:

1. when the network sends the third AUTHENTICATION & CIPHERING REQUEST message with invalid MAC code during the timer T3318 is running.

2. when the timer T3318 has expired.

12.6.1.3.3.4 Method of test

Initial condition

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1(RAI-1), cell B in MCC1/MNC1/LAC1/RAC2(RAI-2).
Both cells are operating in network operation mode II.
The SIB1 IE "CN domain specific NAS system information", for the CS Domain, is set to value "00 00" (T3212 value is set to 0 and ATT flag is set to FALSE) in both cells.

User Equipment:

The UE has a valid IMSI.

The UE has been registered in the CS domain.

Related ICS/IXIT statements

Support of PS service Yes/No
UE operation mode A Yes/No
UE operation mode C Yes/No
Automatic PS attach procedure at switch on or power on Yes/No

Test procedure

Two cells are configured. Cell A transmits with higher power so that the UE attempts an attach procedure to cell A.

During the attach procedure, the SS initiates an authentication and ciphering procedure but it sends an incorrect Message Authentication Code (MAC) value in its AUTHENTICATION AND CIPHERING REQUEST message.

The UE sends AUTHENTICATION AND CIPHERING FAILURE message to the SS indicating authentication failure.

The SS repeats a second time the authentication procedure, again with an incorrect Message Authentication Code (MAC) value in its AUTHENTICATION AND CIPHERING REQUEST message.

For R99 and REL-4: SS waits 30 seconds. If the UE sends an AUTHENTICATION AND CIPHERING FAILURE message during this time then the SS repeats the authentication procedure a third time and then waits 30 seconds. The UE moves into idle mode and do not make any access attempt on Cell A.

For REL-5 or later release: The SS repeats a third time the authentication procedure, again with an incorrect Message Authentication Code (MAC) value in its AUTHENTICATION AND CIPHERING REQUEST message. The UE moves into idle mode and do not make any access attempt on Cell A.

The UE shall attempt to attach to cell B. The SS initiates an authentication and ciphering procedure but it sends an incorrect Message Authentication Code (MAC) value in its AUTHENTICATION AND CIPHERING REQUEST message. The UE sends AUTHENTICATION AND CIPHERING FAILURE message to the SS indicating authentication failure.

The SS waits for T3318 to expire.

The UE shall treat now both cells as barred and shall not attempt to access the network, even if the user triggers the UE to perform an attach procedure.

Expected Sequence

Step

Direction

Message

Comments

UE

SS

1

SS

Set the cell type of cell A to the "Serving cell".

Set the cell type of cell B to the "Non-Suitable cell".

(see note)

The following messages are sent and shall be received on cell A.

2

UE

The UE is powered up or switched on and initiates an attach procedure.

3

->

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobility identity = IMSI

4

<-

AUTHENTICATION AND CIPHERING REQUEST

Request for authentication.

Invalid Message Authentication Code (MAC).

5

->

AUTHENTICATION AND CIPHERING FAILURE

GMM cause=’MAC failure’

6

<-

AUTHENTICATION AND CIPHERING REQUEST

Request for authentication.

Invalid Message Authentication Code (MAC).

7

->

AUTHENTICATION AND CIPHERING FAILURE

GMM cause=’MAC failure’

R99 and REL-4: In case message is not received within 30s then SS should continue from step 9.

7a

<-

AUTHENTICATION AND CIPHERING REQUEST

Request for authentication.

Invalid Message Authentication Code (MAC).

R99 and REL-4: Optional step

7b

Void

8

SS

SS verifies that the UE does not attempt to access the network for 30s.

R99 and REL-4: Optional step

9

SS

Set the cell type of cell A to the "Non-Suitable cell".

Set the cell type of cell B to the "Serving cell".

(see note)

UE shall attempt an attach on cell B.

The following messages are sent and shall be received on cell B.

10

UE

The UE initiates a PS attach. If UE does not attach automatically, then UE initiates the attach procedure by MMI or AT command.

11

->

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobility identity = IMSI

12

<-

AUTHENTICATION AND CIPHERING REQUEST

Request for authentication.

Invalid Message Authentication Code (MAC).

13

->

AUTHENTICATION AND CIPHERING FAILURE

GMM cause=’MAC failure’

14

SS

SS waits T3318 (20s)

15

SS

SS verifies that the UE does not attempt to access the network for 30s.

16

UE

The UE initiates an attach by MMI or AT command.

17

SS

SS verifies that the UE does not attempt to access the network for 30s.

NOTE: The definitions for "Non-Suitable cell" and "Serving cell" are specified in TS34.108 clause 6.1 in the relevant to the RAT of the cells "Reference Radio Conditions" subclauses.

Specific message contents

None.

12.6.1.3.3.5 Test requirements

At step3, when the UE is powered on or switched on, the UE shall:

– initiate the PS attach procedure with information elements specified in the above Expected Sequence.

After step4, when the UE have received the first AUTHENTICATION AND CIPHERING REQUEST message with invalid Message Authentication Code (MAC), the UE shall:

– send the AUTHENTICATION AND CIPHERING FAILURE message with GMM cause ‘MAC failure’ to the SS.

For R99 and REL-4 UE:

Alternative 1:

– After step 6, when the UE have received the second AUTHENTICATION AND CIPHERING REQUEST message with invalid Message Authentication Code (MAC), the UE shall not attempt to access the network.

Alternative 2:

– After step6, when the UE have received the second AUTHENTICATION AND CIPHERING REQUEST message with invalid Message Authentication Code (MAC) while the timer T3318 is running, the UE shall send an AUTHENTICATION AND CIPHERING FAILURE message with GMM cause ‘MAC failure’ to the SS; and

– After step 7a , when the UE have received the third AUTHENTICATION AND CIPHERING REQUEST message with invalid Message Authentication Code (MAC), the UE shall not attempt to access the network.

For REL-5 UE:

– After step 6, when the UE receives the second AUTHENTICATION AND CIPHERING REQUEST message with invalid Message Authentication Code (MAC) from the network while the timer T3318 is running, the UE shall send an AUTHENTICATION AND CIPHERING FAILURE message with GMM cause ‘MAC failure’ to the SS; and

– After step 7a, when the UE have received the third AUTHENTICATION AND CIPHERING REQUEST message with invalid Message Authentication Code (MAC), the UE shall not attempt to access the network.

At step 11, when the activated cell is changed from cell A to cell B, the UE shall:

– initiate the PS attach procedure with information elements specified in the above Expected Sequence.

After step 12, when the UE have received the AUTHENTICATION AND CIPHERING REQUEST message with invalid Message Authentication Code (MAC), the UE shall:

– send an AUTHENTICATION AND CIPHERING FAILURE message with GMM cause ‘MAC failure’ to the SS.

At step 17, when the timer T3318 have expired, the UE shall:

– not attempt to access the network.

12.6.2 Void