10.1.1 PDU session authentication and authorization

3GPP TS 38.523-1 Release 17: 5GS; User Equipment (UE) conformance specification; Part 1: Protocol

10.1.1.1 PDU session authentication and authorization / During the UE-requested PDU session procedure

10.1.1.1.1 Test Purpose (TP)

(1)

with { UE is establishing UE-requested PDU session by sending PDU Session establishment Request message }

ensure that {

when { UE receives a PDU SESSION AUTHENTICATION COMMAND message }

then { UE transmits a PDU SESSION AUTHENTICATION COMPLETE message }

}

(2)

with { PDU session authentication and authorization procedure is performed during the UE-requested PDU session establishment procedure }

ensure that {

when { UE receives EAP-failure message in the PDU SESSION ESTABLISHMENT REJECT message }

then { UE considers that the PDU session is not established }

}

(3)

with { PDU session authentication and authorization procedure is performed during the UE-requested PDU session establishment procedure }

ensure that {

when { UE receives EAP-success message in the PDU SESSION ESTABLISHMENT ACCEPT message }

then { UE considers that the PDU session is established }

}

10.1.1.1.2 Conformance requirements

References: The conformance requirements covered in the present TC are specified in: TS 24.501, clause 6.3.1.2.1, 6.3.1.2.2 and 6.4.1.4. Unless otherwise stated these are Rel-15 requirements.

[TS 24.501 clause 6.3.1.2.1]

In order to initiate the PDU EAP message reliable transport procedure, the SMF shall create a PDU SESSION AUTHENTICATION COMMAND message.

The SMF shall set the PTI IE of the PDU SESSION AUTHENTICATION COMMAND message to "No procedure transaction identity assigned".

The SMF shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message to the EAP-request message provided by the DN or generated locally.

The SMF shall send the PDU SESSION AUTHENTICATION COMMAND message, and the SMF shall start timer T3590 (see example in figure 6.3.1.1).

Upon receipt of a PDU SESSION AUTHENTICATION COMMAND message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.

[TS 24.501 clause 6.3.1.2.2]

When the upper layers provide an EAP-response message responding to the received EAP-request message, the UE shall create a PDU SESSION AUTHENTICATION COMPLETE message.

The UE shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the EAP-response message.

The UE shall transport the PDU SESSION AUTHENTICATION COMPLETE message and the PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.

Upon receipt of a PDU SESSION AUTHENTICATION COMPLETE message, the SMF shall stop timer T3590 and provide the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the DN or handle it locally.

[TS 24.501 clause 6.4.1.4]

If the connectivity with the requested DN is rejected by the network, the SMF shall create a SM PDU SESSION ESTABLISHMENT REJECT message.

The SMF shall set the 5GSM cause IE of the PDU SESSION ESTABLISHMENT REJECT message to indicate the reason for rejecting the PDU session establishment.

The 5GSM cause IE typically indicates one of the following SM cause values:

#8 operator determined barring;

#26 insufficient resources;

#27 missing or unknown DNN;

#28 unknown PDU session type;

#29 user authentication or authorization failed;

10.1.1.1.3 Test description

10.1.1.1.3.1 Pre-test conditions

System Simulator:

NGC Cell A

UE:

None.

Preamble:

The UE is in state 1N-A with PDU session Active state using the generic procedure NR RRC_IDLE according to TS 38.508-1 [4].

10.1.1.1.3.2 Test procedure sequence

Table 10.1.1.1.3.2-1: Main behaviour

St | Procedure | U – S | Message | TP | Verdict
1 | Cause the UE to request connectivity to an additional PDU session. (see Note 1) | – | – | – | –
2-2A | Steps 2-3 of the generic procedure for NR RRC_Connected specified in TS 38.508-1 [4] Table 4.5.4.2-3 are performed. | – | – | – | –
2B | The UE transmits an RRCSetupComplete message and a SERVICE REQUEST message with service type IE set to “signalling”. | –> | SERVICE REQUEST | – | –
3-3A | Steps 5 and 6 of the generic procedure for NR RRC_Connected specified in TS 38.508-1 [4] Table 4.5.4.2-3 are performed. | – | – | – | –
4 | The SS transmits an RRCReconfiguration message and a SERVICE ACCEPT message to establish SRB2 and DRB. | <– | NR RRC: RRCReconfiguration; 5GMM: SERVICE ACCEPT | – | –
4A | The UE transmits an RRCReconfigurationComplete message. | –> | NR RRC: RRCReconfigurationComplete | – | –
5 | The UE transmits a PDU SESSION ESTABLISHMENT REQUEST message to request an additional PDU session. Note: PDU SESSION ESTABLISHMENT REQUEST is included in UL NAS transport. UL NAS transport message is included in dedicatedNAS-Message of ULInformationTransfer message. DNN information is included in UL NAS transport message. | –> | 5GMM: UL NAS TRANSPORT; 5GSM: PDU SESSION ESTABLISHMENT REQUEST | – | –
6 | The SS transmits PDU SESSION AUTHENTICATION COMMAND including an EAP-Request message. | <– | PDU SESSION AUTHENTICATION COMMAND | – | –
7 | Check: Does the UE transmit a PDU SESSION AUTHENTICATION COMPLETE containing EAP-Response message? | –> | PDU SESSION AUTHENTICATION COMPLETE | 1 | P
8 | The SS transmits PDU SESSION ESTABLISHMENT REJECT message with 5GSM cause #29 including an EAP-Failure message. | <– | PDU SESSION ESTABLISHMENT REJECT | – | –
9 | The SS releases the RRC connection. | – | – | – | –
10 | Cause the UE to request connectivity to an additional PDU session. (see Note 1) | – | – | – | –
11-11A | Steps 2-3 of the generic procedure for NR RRC_Connected specified in TS 38.508-1 [4] Table 4.5.4.2-3 are performed. | – | – | – | –
11B | The UE transmits an RRCSetupComplete message and a SERVICE REQUEST message with service type IE set to “signalling”. | –> | SERVICE REQUEST | – | –
12-12A | Steps 5 and 6 of the generic procedure for NR RRC_Connected specified in TS 38.508-1 [4] Table 4.5.4.2-3 are performed. | – | – | – | –
13 | The SS transmits an RRCReconfiguration message and a SERVICE ACCEPT message to establish SRB2 and DRB. | <– | NR RRC: RRCReconfiguration; 5GMM: SERVICE ACCEPT | – | –
13A | The UE transmits an RRCReconfigurationComplete message. | –> | NR RRC: RRCReconfigurationComplete | – | –
14 | The UE transmits a PDU SESSION ESTABLISHMENT REQUEST message to request an additional PDU session. Note: PDU SESSION ESTABLISHMENT REQUEST is included in UL NAS transport. UL NAS transport message is included in dedicatedNAS-Message of ULInformationTransfer message. DNN information is included in UL NAS transport message. | –> | 5GMM: UL NAS TRANSPORT; 5GSM: PDU SESSION ESTABLISHMENT REQUEST | 2 | P
15 | The SS transmits PDU SESSION AUTHENTICATION COMMAND including an EAP-Request message. | <– | PDU SESSION AUTHENTICATION COMMAND | – | –
16 | Check: Does the UE transmit a PDU SESSION AUTHENTICATION COMPLETE containing EAP-Response message? | –> | PDU SESSION AUTHENTICATION COMPLETE | – | –
17 | The SS transmits RRCReconfiguration message containing PDU SESSION ESTABLISHMENT ACCEPT message containing an EAP-Success message. | <– | PDU SESSION ESTABLISHMENT ACCEPT | – | –
18 | The UE transmits RRCReconfigurationComplete message to confirm the establishment of DRB. | – | – | 3 | P
– | EXCEPTION: Step 19a1 describes behaviour depending on UE implementation; the "lower case letter" identifies a step sequence that takes place if the UE performs a specific action. | – | – | – | –
19a1 | If initiated by the UE, the generic procedure for IP address allocation in the user plane, specified in clause 4.5A.3 of TS 38.508-1 [4], takes place performing IP address allocation in the user plane. | – | – | – | –
20 | The SS releases the RRC connection. | – | – | – | –

Note 1: The request of connectivity to an additional PDU session may be performed by MMI or AT command +CGACT.

10.1.1.1.3.3 Specific message contents

Table 10.1.1.1.3.3-1: Void

Table 10.1.1.1.3.3-2: Void

Table 10.1.1.1.3.3-3: PDU SESSION ESTABLISHMENT REQUEST (step 5 and 14, Table 10.1.1.1.3.2-1)

Derivation path: TS 38.508-1 [4], Table 4.7.2-1

Information Element | Value/remark | Comment | Condition
PDU session ID | PSI-1 | UE assigns a particular PSI not yet used between 1 and 15 | –
PTI | PTI-1 | UE assigns a particular PTI not yet used between 1 and 254 | –

Table 10.1.1.1.3.3-4: UL NAS Transport (step 5 and 14, Table 10.1.1.1.3.2-1)

Derivation path: TS 38.508-1 [4], Table 4.7.1-10

Information Element | Value/remark | Comment | Condition
Payload container type | ‘0001’B | N1 SM information | –
PDU session ID | PSI-1 | – | –
Request type | ‘001’B | Initial request | –
S-NSSAI | Not Present | – | –
DNN | DNN-1 (New DNN name) | The requested DNN is different from default DNN. | –

Table 10.1.1.1.3.3-5: PDU SESSION ESTABLISHMENT REJECT (step 8, Table 10.1.1.1.3.2-1)

Derivation path: TS 38.508-1 [4], Table 4.7.2-3

Information Element | Value/remark | Comment | Condition
PDU session ID | PSI-1 | – | –
PTI | PTI-1 | – | –
5GSM cause | ‘0001 1101’B | User authentication or authorization failed | –

Table 10.1.1.1.3.3-6: PDU SESSION ESTABLISHMENT ACCEPT (step 17, Table 10.1.1.1.3.2-1)

Derivation path: TS 38.508-1 [4], Table 4.7.2-2

Information Element | Value/remark | Comment | Condition
PDU session ID | PSI-1 | – | –
PTI | PTI-1 | – | –
Authorized QoS rules | – | – | –
  QoS rule | – | – | –
    QoS rule identifier | ‘0000 0001’B | – | –
    Rule operation code | ‘001’B | Create new QoS rule | –
    DQR bit | ‘1’B | The QoS rule is the default QoS rule. | –
    Number of packet filters | ‘0001’B | 1 packet filter | –
    Packet filter list | See table 4.8.2.1-1 | – | –
      Packet filter list #1 | – | – | –
        Packet filter direction | ‘11’B | bidirectional | –
        Packet filter identifier | ‘0000’B | Id 0 | –
        Component type 1 ID | ‘0000 0001’B | Match-all type | –
    QoS rule precedence | ‘0000 0000’B | 0 | –
    QoS flow identifier (QFI) | ‘00 0011’B | QFI 3 | –
EAP message | Set according to TS 38.508-1 [4] Table 4.7.3.2-3 | EAP-Success | –
QoS flow description | – | – | –
  QFI | ‘00 0011’B | QFI 3 | –
  Operation code | ‘001’B | Create new QoS flow description | –
  E bit | ‘1’B | Parameters list is included | –
  Number of parameters | ‘00 0001’B | 1 parameter | –
  5QI | ‘0000 1001’B | 5QI 9 | –
DNN | DNN-1 | – | –

10.1.1.2 PDU session authentication and authorization / After the UE-requested PDU session procedure

10.1.1.2.1 Test Purpose (TP)

(1)

with { the UE is in 5GMM-REGISTERED state with an established PDU session }

ensure that {

when { UE receives a PDU SESSION AUTHENTICATION COMMAND message }

then { UE transmits a PDU SESSION AUTHENTICATION COMPLETE message }

}

(2)

with { PDU session authentication and authorization procedure is performed after the UE-requested PDU session establishment procedure }

ensure that {

when { UE receives EAP-failure message in the PDU SESSION RELEASE COMMAND message }

then { the 5GSM state of the UE is PDU SESSION INACTIVE state }

}

(3)

with { PDU session authentication and authorization procedure is performed after the UE-requested PDU session establishment procedure }

ensure that {

when { UE receives EAP-success message in the PDU SESSION AUTHENTICATION RESULT message }

then { the 5GSM state of the UE is PDU SESSION ACTIVE state }

}

10.1.1.2.2 Conformance requirements

References: The conformance requirements covered in the present TC are specified in: TS 24.501, clause 6.3.1.1, clause 6.3.1.2.1, 6.3.1.2.2 and 6.3.1.3.1. Unless otherwise stated these are Rel-15 requirements.

[TS 24.501 clause 6.3.1.1]

The purpose of the PDU session authentication and authorization procedure is to enable the DN:

a) to authenticate the upper layers of the UE, when establishing the PDU session;

b) to authorize the upper layers of the UE, when establishing the PDU session;

c) both of the above; or

d) to re-authenticate the upper layers of the UE after establishment of the PDU session.

The PDU session authentication and authorization procedure can be performed only during or after the UE-requested PDU session procedure establishing a non-emergency PDU session. The PDU session authentication and authorization procedure shall not be performed during or after the UE-requested PDU session establishment procedure establishing an emergency PDU session.

The network authenticates the UE using the Extensible Authentication Protocol (EAP) as specified in IETF RFC 3748 [32].

EAP has defined four types of EAP messages:

a) an EAP-request message;

b) an EAP-response message;

c) an EAP-success message; and

d) an EAP-failure message.

The EAP-request message is transported from the network to the UE using the PDU SESSION AUTHENTICATION COMMAND message of the PDU EAP message reliable transport procedure.

The EAP-response message to the EAP-request message is transported from the UE to the network using the PDU SESSION AUTHENTICATION COMPLETE message of the PDU EAP message reliable transport procedure.

If the PDU session authentication and authorization procedure is performed during the UE-requested PDU session establishment procedure:

a) and the DN authentication of the UE completes successfully, the EAP-success message is transported from the network to the UE as part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT ACCEPT message.

b) and the DN authentication of the UE completes unsuccessfully, the EAP-failure message is transported from the network to the UE as part of the UE-requested PDU session establishment procedure in the PDU SESSION ESTABLISHMENT REJECT message.

If the PDU session authentication and authorization procedure is performed after the UE-requested PDU session establishment procedure:

a) and the DN authentication of the UE completes successfully, the EAP-success message is transported from the network to the UE using the PDU SESSION AUTHENTICATION RESULT message of the PDU EAP result message transport procedure.

b) and the DN authentication of the UE completes unsuccessfully, the EAP-failure message is transported from the network to the UE using the PDU SESSION RELEASE COMMAND message of the network-requested PDU session release procedure.

There can be several rounds of exchange of an EAP-request message and a related EAP-response message for the DN to complete the authentication and authorization of the request for a PDU session (see example in figure 6.3.1.1).

The SMF shall set the authenticator retransmission timer specified in IETF RFC 3748 [34] subclause 4.3 to infinite value.

NOTE: The PDU session authentication and authorization procedure provides a reliable transport of EAP messages and therefore retransmissions at the EAP layer of the SMF do not occur.

Figure 6.3.1.1: PDU session authentication and authorization procedure

[TS 24.501 clause 6.3.1.2.1]

In order to initiate the PDU EAP message reliable transport procedure, the SMF shall create a PDU SESSION AUTHENTICATION COMMAND message.

The SMF shall set the PTI IE of the PDU SESSION AUTHENTICATION COMMAND message to "No procedure transaction identity assigned".

The SMF shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message to the EAP-request message provided by the DN or generated locally.

The SMF shall send the PDU SESSION AUTHENTICATION COMMAND message, and the SMF shall start timer T3590 (see example in figure 6.3.1.1).

Upon receipt of a PDU SESSION AUTHENTICATION COMMAND message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMMAND message. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.

[TS 24.501 clause 6.3.1.2.2]

When the upper layers provide an EAP-response message responding to the received EAP-request message, the UE shall create a PDU SESSION AUTHENTICATION COMPLETE message.

The UE shall set the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the EAP-response message.

The UE shall transport the PDU SESSION AUTHENTICATION COMPLETE message and the PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.

Upon receipt of a PDU SESSION AUTHENTICATION COMPLETE message, the SMF shall stop timer T3590 and provide the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION COMPLETE message to the DN or handle it locally.

[TS 24.501 clause 6.3.1.3.1]

In order to initiate the PDU EAP result message transport procedure, the SMF shall create a PDU SESSION AUTHENTICATION RESULT message.

The SMF shall set the PTI IE of the PDU SESSION AUTHENTICATION RESULT message to "No procedure transaction identity assigned".

The SMF shall set the EAP message IE of the PDU SESSION AUTHENTICATION RESULT message to the EAP-success message provided by the DN.

The SMF shall send the PDU SESSION AUTHENTICATION RESULT message.

Upon receipt of a PDU SESSION AUTHENTICATION RESULT message and a PDU session ID, using the NAS transport procedure as specified in subclause 5.4.5, the UE passes to the upper layers the EAP message received in the EAP message IE of the PDU SESSION AUTHENTICATION RESULT message. Apart from this action, the authentication and authorization procedure initiated by the DN is transparent to the 5GSM layer of the UE.
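As an added illustration of the UE-side behaviour quoted in 10.1.1.1.2 and 10.1.1.2.2 (it is not code from TS 38.523-1, TS 24.501 or any 3GPP test system), the Python model below implements the 5GSM handling of the PDU EAP message reliable transport procedure and the four ways an EAP result reaches the UE (PDU SESSION ESTABLISHMENT ACCEPT/REJECT during establishment, PDU SESSION AUTHENTICATION RESULT and PDU SESSION RELEASE COMMAND after it), and drives it through the checked steps of tables 10.1.1.1.3.2-1 and 10.1.1.2.3.2-1 to derive the TP verdicts. EAP framing follows IETF RFC 3748 section 4 (Code, Identifier, Length, Type); the 5GSM state names are those of TS 24.501. The class `UE5GSM`, the `upper_layers_stub` EAP peer, the dictionary-based message representation, the EAP Identifier values and the driver functions `run_tc_10_1_1_1` and `run_tc_10_1_1_2` are assumptions made for this example.

```python
import struct

# IETF RFC 3748 section 4.1: EAP Code values
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
CAUSE_29 = 29   # 5GSM cause #29 "user authentication or authorization failed" ('0001 1101'B)

# 5GSM states of TS 24.501; ACTIVE PENDING is held while the ESTABLISHMENT REQUEST is unanswered
INACTIVE, ACTIVE_PENDING, ACTIVE = ("PDU SESSION INACTIVE", "PDU SESSION ACTIVE PENDING",
                                    "PDU SESSION ACTIVE")

def eap_header(pkt):
    """Validate the RFC 3748 header; return (code, identifier, type), type=None for Success/Failure."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field disagrees with packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("EAP Success/Failure must be exactly 4 octets")
        return code, ident, None
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type octet")
        return code, ident, pkt[4]
    raise ValueError(f"unknown EAP Code {code}")

def eap_packet(code, ident, eap_type=None, data=b""):
    """Build an EAP packet; Success/Failure carry neither Type nor data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

class UE5GSM:
    """Hypothetical model of the UE 5GSM layer for one PDU session (PSI)."""
    def __init__(self, psi, upper_layers, state=INACTIVE):
        self.psi, self.state, self.upper_layers = psi, state, upper_layers
        self.sent = []        # (message name, IE dict) transmitted by the UE
        self.delivered = []   # EAP packets handed to the upper layers (EAP is transparent to 5GSM)
        self.last_cause = None

    def request_establishment(self):
        self.state = ACTIVE_PENDING
        self.sent.append(("PDU SESSION ESTABLISHMENT REQUEST", {"PDU session ID": self.psi}))

    def _pass_up(self, ies):
        eap = ies.get("EAP message")
        if eap is not None:
            eap_header(eap)                       # reject malformed packets before delivery
            self.delivered.append(eap)
        return eap

    def receive(self, name, ies):
        """Handle a downlink 5GSM message given as (name, dict of IEs)."""
        if name == "PDU SESSION AUTHENTICATION COMMAND":      # clauses 6.3.1.2.1 / 6.3.1.2.2
            req = self._pass_up(ies)
            if req is None or eap_header(req)[0] != EAP_REQUEST:
                raise ValueError("AUTHENTICATION COMMAND must carry an EAP-Request")
            resp = self.upper_layers(req)
            self.sent.append(("PDU SESSION AUTHENTICATION COMPLETE",
                              {"PDU session ID": self.psi, "EAP message": resp}))
        elif name == "PDU SESSION ESTABLISHMENT ACCEPT":      # EAP-success during establishment
            self._pass_up(ies)
            self.state = ACTIVE
        elif name == "PDU SESSION ESTABLISHMENT REJECT":      # EAP-failure during establishment
            self._pass_up(ies)
            self.last_cause, self.state = ies["5GSM cause"], INACTIVE
        elif name == "PDU SESSION AUTHENTICATION RESULT":     # clause 6.3.1.3.1: state unchanged
            self._pass_up(ies)
        elif name == "PDU SESSION RELEASE COMMAND":           # EAP-failure after establishment
            self._pass_up(ies)
            self.last_cause, self.state = ies["5GSM cause"], INACTIVE
            self.sent.append(("PDU SESSION RELEASE COMPLETE", {"PDU session ID": self.psi}))
        else:
            raise ValueError(f"unexpected 5GSM message {name}")

def upper_layers_stub(eap_request):
    """Constructed EAP peer: answers with a Response of the same Identifier and Type."""
    _, ident, eap_type = eap_header(eap_request)
    return eap_packet(EAP_RESPONSE, ident, eap_type, b"constructed")

def _auth_round(ue, ident):
    """SS sends an AUTHENTICATION COMMAND (EAP-Request, Type 1 = Identity); True if the UE
    answers with an AUTHENTICATION COMPLETE whose EAP-Response carries the same Identifier."""
    ue.receive("PDU SESSION AUTHENTICATION COMMAND",
               {"PDU session ID": ue.psi, "EAP message": eap_packet(EAP_REQUEST, ident, 1)})
    name, ies = ue.sent[-1]
    return (name == "PDU SESSION AUTHENTICATION COMPLETE"
            and eap_header(ies["EAP message"])[:2] == (EAP_RESPONSE, ident))

def run_tc_10_1_1_1():
    """Steps 5-8 and 14-17 of table 10.1.1.1.3.2-1; returns the verdict per TP."""
    ue = UE5GSM(psi=1, upper_layers=upper_layers_stub)
    ue.request_establishment()                                                  # step 5
    tp1 = _auth_round(ue, ident=7)                                              # steps 6-7
    ue.receive("PDU SESSION ESTABLISHMENT REJECT", {"PDU session ID": 1,        # step 8
               "5GSM cause": CAUSE_29, "EAP message": eap_packet(EAP_FAILURE, 7)})
    tp2 = ue.state == INACTIVE and ue.last_cause == CAUSE_29
    ue.request_establishment()                                                  # step 14
    tp1 = tp1 and _auth_round(ue, ident=8)                                      # steps 15-16
    ue.receive("PDU SESSION ESTABLISHMENT ACCEPT", {"PDU session ID": 1,        # step 17
               "EAP message": eap_packet(EAP_SUCCESS, 8)})
    tp3 = ue.state == ACTIVE
    return {tp: "P" if ok else "F" for tp, ok in ((1, tp1), (2, tp2), (3, tp3))}

def run_tc_10_1_1_2():
    """Steps 1-5 and 18 of table 10.1.1.2.3.2-1 on a session already active after step 0B."""
    ue = UE5GSM(psi=2, upper_layers=upper_layers_stub, state=ACTIVE)
    tp1 = _auth_round(ue, ident=20)                                             # steps 1-2
    ue.receive("PDU SESSION AUTHENTICATION RESULT", {"PDU session ID": 2,       # step 3
               "EAP message": eap_packet(EAP_SUCCESS, 20)})
    tp3 = ue.state == ACTIVE and _auth_round(ue, ident=21)                      # steps 4-5
    ue.receive("PDU SESSION RELEASE COMMAND", {"PDU session ID": 2,             # step 18
               "5GSM cause": CAUSE_29, "EAP message": eap_packet(EAP_FAILURE, 21)})
    tp2 = ue.state == INACTIVE and ue.sent[-1][0] == "PDU SESSION RELEASE COMPLETE"
    return {tp: "P" if ok else "F" for tp, ok in ((1, tp1), (2, tp2), (3, tp3))}
```

Both drivers return {1: "P", 2: "P", 3: "P"} for a conforming model. The point worth noting for a test engineer is that the 5GSM layer never interprets the EAP payload: it only validates the RFC 3748 framing, passes the packet up, and reacts to the enclosing 5GSM message (cause #29 in a REJECT or RELEASE COMMAND, or an ACCEPT/RESULT), which is exactly why the EAP-Failure case must be verified through the 5GSM state rather than through the EAP exchange itself.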

10.1.1.2.3 Test description

10.1.1.2.3.1 Pre-test conditions

System Simulator:

NGC Cell A

UE:

None.

Preamble:

The UE is in state 3N-A, on NGC Cell A with at least one PDU Session X (1<=X<=15) active according to TS 38.508-1 [4].

10.1.1.2.3.2 Test procedure sequence

Table 10.1.1.2.3.2-1: Main behaviour

St | Procedure | U – S | Message | TP | Verdict
0A | Cause the UE to request establishment of PDU session Y to the DN. (Note 1) | – | – | – | –
0B | The PDU session establishment procedure as specified in TS 38.508-1 [4] subclause 4.5A.2 takes place. | – | – | – | –
1 | The SS transmits PDU SESSION AUTHENTICATION COMMAND including an EAP-Request message. | <– | PDU SESSION AUTHENTICATION COMMAND | – | –
2 | Check: Does the UE transmit a PDU SESSION AUTHENTICATION COMPLETE containing EAP-Response message? | –> | PDU SESSION AUTHENTICATION COMPLETE | 1 | P
3 | The SS transmits PDU SESSION AUTHENTICATION RESULT message containing an EAP-Success message. | <– | PDU SESSION AUTHENTICATION RESULT | – | –
4 | The SS transmits PDU SESSION AUTHENTICATION COMMAND including an EAP-Request message. | <– | PDU SESSION AUTHENTICATION COMMAND | – | –
5 | Check: Does the UE transmit a PDU SESSION AUTHENTICATION COMPLETE containing EAP-Response message? | –> | PDU SESSION AUTHENTICATION COMPLETE | 3 | P
6 – 17 | Void | – | – | – | –
18 | Check: Does the UE perform PDU session release procedure defined in clause 4.9.21 of TS 38.508-1 [4] with PDU SESSION RELEASE COMMAND including 5GSM cause #29 “user authentication or authorization failed”? | – | – | 2 | P
19 | Void | – | – | – | –

Note 1: The request of connectivity to an additional PDU session may be performed by MMI or AT command.

10.1.1.2.3.3 Specific message contents

Table 10.1.1.2.3.3-1: PDU SESSION ESTABLISHMENT ACCEPT (step 0B, Table 10.1.1.2.3.2-1; step 3, Table 4.5A.2.2.2-1, TS 38.508-1 [4])

Derivation path: TS 38.508-1 [4], Table 4.7.2-2

Information Element | Value/remark | Comment | Condition
Authorized QoS rules | 5GC QoS rule of the Config#1 in Table 4.8.4-1 | – | –
Mapped EPS bearer contexts | – | – | –
  Mapped EPS bearer context | – | – | –
    Mapped EPS QoS parameters | EPC default bearer context of the Config#1 in Table 4.8.4-1 | – | –
DNN | The same DNN value as sent in the UL NAS TRANSPORT message at (step 0B, Table 10.1.1.2.3.2-1; step 2a1, Table 4.5A.2.2.2-2, TS 38.508-1 [4]) | – | –

Table 10.1.1.2.3.3-2: Void

Table 10.1.1.2.3.3-2A: PDU SESSION AUTHENTICATION RESULT (step 3, Table 10.1.1.2.3.2-1)

Derivation Path: TS 38.508-1 table 4.7.2-6

Information Element | Value/remark | Comment | Condition
EAP message | EAP-success | See TS 24.501 [25] subclause 9.11.2.2 | –

Table 10.1.1.2.3.3-3: Void

Table 10.1.1.2.3.3-3A: Void

Table 10.1.1.2.3.3-4: Void

Table 10.1.1.2.3.3-5: PDU SESSION RELEASE COMMAND (step 18, Table 10.1.1.2.3.2-1; step 1, TS 36.508 [4] Table 4.9.21.2.2-1)

Derivation Path: TS 38.508-1 [4] Table 4.7.2-14

Information Element | Value/remark | Comment | Condition
PDU session ID | The same ID as the ID of the PDU session which the UE requested in step 13 in Table 10.1.1.2.3.2-1 | – | –
5GSM cause | ‘0001 1101’B | user authentication or authorization failed | –
Back-off timer value | ‘1010 0000’B | 0 minutes | –
EAP Message | EAP-Failure | See TS 24.501 [25] subclause 9.11.2.2 | –