9.1.11 SNPN / Mobility management aspects
38.523-13GPP5GSPart 1: ProtocolRelease 17TSUser Equipment (UE) conformance specification
9.1.11.1 SNPN / Initial registration / Rejected / Temporarily not authorized for this SNPN
9.1.11.1.1 Test Purpose (TP)
(1)
with { UE in Automatic SNPN selection mode and a SNPN cell is available for which an entry exists in the "list of subscriber data" and the UE in 5GMM-REGISTERED-INITIATED state }
ensure that {
when { the SS sends a REGISTRATION REJECT message to the UE including an appropriate 5GMM cause value #74 (Temporarily not authorized for this SNPN) }
then { the UE deletes any 5G-GUTI, last visited registered TAI and ngKSI, and stores the SNPN identity in the "temporarily forbidden SNPNs" }
}
(2)
with { the initial registration request cannot be accepted by the network }
ensure that {
when { the SS sends a REGISTRATION REJECT message to the UE including an appropriate 5GMM cause value #74 (Temporarily not authorized for this SNPN) }
then { The UE stores the SNPN identity in the "temporarily forbidden SNPNs" and does not remove it at least until 60 minutes or the UE is switched off }
}
(3)
with { the UE is in 5GMM-DEREGISTERED.PLMN-SEARCH state and the SNPN identity of the current cell belongs to the list of "temporarily forbidden SNPNs" }
ensure that {
when { the UE enters a cell belonging to a SNPN cell for which an entry exists in the "list of subscriber data" }
then { the UE attempts registration on the SNPN cell }
}
9.1.11.1.2 Conformance requirements
References: The conformance requirements covered in the current TC are specified in: TS 24.501 clauses 5.5.1.2.5, 5.1.3.2.1, 5.1.3.2.2, TS 23.122 clause 4.9.3.0. Unless otherwise stated these are Rel-16 requirements.
[TS 24.501, clause 5.5.1.2.5]
If the initial registration request cannot be accepted by the network, the AMF shall send a REGISTRATION REJECT message to the UE including an appropriate 5GMM cause value.
If the initial registration request is rejected due to general NAS level mobility management congestion control, the network shall set the 5GMM cause value to #22 "congestion" and assign a back-off timer T3346.
The UE shall take the following actions depending on the 5GMM cause value received in the REGISTRATION REJECT message.
…
#74 (Temporarily not authorized for this SNPN).
5GMM cause #74 is only applicable when received from a cell belonging to an SNPN. 5GMM cause #74 received from a cell not belonging to an SNPN is considered as an abnormal case and the behaviour of the UE is specified in subclause 5.5.1.2.7.
The UE shall set the 5GS update status to 5U3 ROAMING NOT ALLOWED (and shall store it according to subclause 5.1.3.2.2) and shall delete any 5G-GUTI, last visited registered TAI, TAI list and ngKSI. The UE shall reset the registration attempt counter and store the SNPN identity in the "temporarily forbidden SNPNs" list for the specific access type for which the message was received. The UE shall enter state 5GMM-DEREGISTERED.PLMN-SEARCH and perform an SNPN selection according to 3GPP TS 23.122 [5]. If the message has been successfully integrity checked by the NAS, the UE shall set the SNPN-specific attempt counter for 3GPP access and the SNPN-specific attempt counter for non-3GPP access for the current SNPN to the UE implementation-specific maximum value.
If the message has been successfully integrity checked by the NAS and the UE also supports the registration procedure over the other access to the same SNPN, the UE shall in addition handle 5GMM parameters and 5GMM state for this access, as described for this 5GMM cause value.
NOTE 4: When 5GMM cause #74 is received over 3GPP access, the term "other access" in "the UE also supports the registration procedure over the other access to the same SNPN" is used to express access to SNPN services via a PLMN.
…
[TS 24.501, clause 5.1.3.2.1.3.5]
The substate 5GMM-DEREGISTERED.PLMN-SEARCH is chosen in the UE, if the UE is searching for PLMNs or SNPNs. This substate is left either when a cell has been selected (the new substate is NORMAL-SERVICE or LIMITED-SERVICE) or when it has been concluded that no cell is available at the moment (the new substate is NO-CELL-AVAILABLE).
This substate is not applicable to non-3GPP access.
[TS 24.501, clause 5.1.3.2.2]
In order to describe the detailed UE behaviour, the 5GS update (5U) status pertaining to a specific subscriber is defined.
If the UE is not operating in SNPN access operation mode (see 3GPP TS 23.501 [8]), the 5GS update status is stored in a non-volatile memory in the USIM if the corresponding file is present in the USIM, else in the non-volatile memory in the ME, as described in annex C.
If the UE is operating in SNPN access operation mode, the 5GS update status for each SNPN whose SNPN identity is included in the "list of subscriber data" configured in the ME (see 3GPP TS 23.122 [5]) is stored in the non-volatile memory in the ME as described in annex C.
The 5GS update status value is changed only after the execution of a registration, network-initiated de-registration, 5GS based primary authentication and key agreement, service request, paging procedure or due to change in TAI which does not belong to the current registration area while T3346 is running.
5U1: UPDATED
The last registration attempt was successful.
5U2: NOT UPDATED
The last registration attempt failed procedurally, e.g. no response or reject message was received from the AMF.
5U3: ROAMING NOT ALLOWED
The last registration, service request, or registration for mobility or periodic registration update attempt was correctly performed, but the answer from the AMF was negative (because of roaming or subscription restrictions).
[TS 23.122, clause 4.9.3.0]
The ME is configured with a "list of subscriber data" containing zero or more entries. Each entry of the "list of subscriber data" consists of:
…The MS shall maintain a list of "temporarily forbidden SNPNs" and a list of "permanently forbidden SNPNs" in the ME. Each entry of those lists consists of an SNPN identity.
The MS shall add an SNPN to the list of "temporarily forbidden SNPNs", if a message with cause value #74 "Temporarily not authorized for this SNPN" (see 3GPP TS 24.501 [64]) is received by the MS in response to an LR request from the SNPN. In addition, if:
– the message is integrity-protected; or
– the message is not integrity-protected, and the value of the SNPN-specific attempt counter for that SNPN is equal to the MS implementation specific maximum value as defined in 3GPP TS 24.501 [64];
then the MS shall start an MS implementation specific timer not shorter than 60 minutes. The MS shall remove an SNPN from the list of "temporarily forbidden SNPNs", if:
a) there is a successful LR after a subsequent manual selection of the SNPN;
b) the MS implementation specific timer not shorter than 60 minutes expires;
c) the timer T3247 expires and the value of the SNPN-specific attempt counter for that SNPN is less than the MS implementation specific maximum value as defined in 3GPP TS 24.501 [64];
d) the MS is switched off; or
e) an entry of the "list of subscriber data" with the SNPN identity of the SNPN is updated or the USIM is removed if:
– EAP based primary authentication and key agreement procedure using EAP-AKA’; or
– 5G AKA based primary authentication and key agreement procedure;
was performed in the selected SNPN.
If an SNPN is removed from the list of "temporarily forbidden SNPNs" list, the MS shall stop the MS implementation specific timer not shorter than 60 minutes, if running.
9.1.11.1.3 Test description
9.1.11.1.3.1 Pre-test conditions
System Simulator:
– 2 SNPN cells NGC Cell A and NGC Cell B are configured according to Table 6.3.2.2-1 broadcasting default SNPN IDs as indicated in TS 38.508-1 [4] Table 4.4.2-4.
– System information combination NR-12 as defined in TS 38.508-1 [4] clause 4.4.3.1.2 is used in NGC Cells.
UE:
– The UE is in Automatic SNPN selection mode.
– The UE is provisioned with a “list of subscriber data” to allow access to SNPN identified by NGC Cell A and NGC Cell B.
Preamble:
– Ensure that the UE has cleared the Registered SNPN. And the UE is in state Switched OFF (state 0-A).
9.1.11.1.3.2 Test procedure sequence
Table 9.1.11.1.3.2-1: Main behaviour
|
St |
Procedure |
Message Sequence |
TP |
Verdict |
|
|
U – S |
Message |
||||
|
1 |
The SS configures: – NGC Cell A as the "Serving cell ". – NGC Cell B as “Non-suitable cell”. |
– |
– |
– |
– |
|
2 |
The UE is switched on. |
– |
– |
– |
– |
|
3-14 |
Steps 2-13 of Table 4.5.2.2-2 of the generic procedure in TS 38.508-1 [4] are performed |
– |
– |
– |
– |
|
15 |
The SS transmits a REGISTRATION REJECT message, 5GMM cause value = #74 "Temporarily not authorized for this SNPN". |
<– |
REGISTRATION REJECT |
– |
– |
|
16 |
The SS starts timer 1 = 60 min. |
– |
– |
– |
– |
|
17 |
The SS releases the RRC connection. |
– |
– |
– |
– |
|
18 |
Check: Does the UE transmit the REGISTRATION REQUEST message on NGC Cell A in the next 60 seconds? |
–> |
REGISTRATION REQUEST |
1 |
F |
|
19 |
The SS reconfigures: – NGC cell B as the "Serving cell". |
– |
– |
– |
– |
|
20 |
Check: Does the UE transmit the REGISTRATION REQUEST message on NGC Cell B? |
–> |
REGISTRATION REQUEST |
3 |
P |
|
21-27 |
Steps 5 to 11 from procedure in TS 38.508-1 [4] Table 4.5.2.2-2 are performed. |
– |
– |
– |
– |
|
28 |
The SS transmits a REGISTRATION REJECT message, 5GMM cause value = #74 " Temporarily not authorized for this SNPN". |
<– |
REGISTRATION REJECT |
– |
– |
|
29 |
The SS releases the RRC connection. |
– |
– |
– |
– |
|
30 |
The SS reconfigures: – NGC cell B as the " Non-suitable cell". |
– |
– |
– |
– |
|
31 |
Check: Does the UE transmit the REGISTRATION REQUEST message on NGC Cell A in the next 60 seconds? |
–> |
REGISTRATION REQUEST |
2 |
F |
|
32 |
The SS stops timer 1. |
– |
– |
– |
– |
|
33 |
The UE is switched OFF |
– |
– |
– |
– |
|
34 |
The UE is Switched ON |
– |
– |
– |
– |
|
35 |
Check: Does the UE transmit the REGISTRATION REQUEST message on NGC Cell A? |
–> |
REGISTRATION REQUEST |
2 |
P |
|
36-51 |
Steps 5-20a1 of Table 4.5.2.2-2 of the generic procedure in TS 38.508-1 [4] are performed on NGC Cell A. |
– |
– |
– |
– |
9.1.11.1.3.3 Specific message contents
Table 9.1.11.1.3.3-1: REGISTRATION REJECT (step 15 and step 28, Table 9.1.11.1.3.2-1)
|
Derivation path: TS 38.508-1 [4] table 4.7.1-9 |
|||
|
Information Element |
Value/remark |
Comment |
Condition |
|
5GMM cause |
‘01001010’B |
#74 "Temporarily not authorized for this SNPN" |
|
Table 9.1.11.1.3.3-2: REGISTRATION REQUEST (step 20 and step 35, Table 9.1.11.1.3.2-1)
|
Derivation path: TS 38.508-1 [4] table 4.7.1-6 |
|||
|
Information Element |
Value/Remark |
Comment |
Condition |
|
ngKSI |
|||
|
NAS key set identifier |
‘111’B |
no key is available |
|
|
TSC |
Any allowed value |
TSC does not apply for NAS key set identifier value "111" |
|
|
5GS mobile identity |
The valid SUCI |
Only SUCI is available. |
|
|
Last visited registered TAI |
Not present |
||
9.1.11.2 SNPN / Initial registration / Rejected / Permanently not authorized for this SNPN
9.1.11.2.1 Test Purpose (TP)
(1)
with { UE in Automatic SNPN selection mode and a and SNPN cell is available for which an entry exists in the "list of subscriber data" and the UE in 5GMM-REGISTERED-INITIATED state }
ensure that {
when { the SS sends a REGISTRATION REJECT message to the UE including an appropriate 5GMM cause value #75 (Permanently not authorized for this SNPN) }
then { the UE deletes any 5G-GUTI, last visited registered TAI and ngKSI, and store the SNPN identity in the "permanently forbidden SNPNs" }
}
(2)
with { the UE is in 5GMM-DEREGISTERED.PLMN-SEARCH state }
ensure that {
when { User manually selects the SNPN cell which belongs to the "permanently forbidden SNPNs" list }
then { the UE attempts registration on the SNPN cell }
}
9.1.11.2.2 Conformance requirements
References: The conformance requirements covered in the current TC are specified in: TS 24.501 clauses 5.5.1.2.5, 5.1.3.2.1, 5.1.3.2.2, TS 23.122 clause 4.9.3.0. Unless otherwise stated these are Rel-16 requirements.
[TS 24.501, clause 5.5.1.2.5]
If the initial registration request cannot be accepted by the network, the AMF shall send a REGISTRATION REJECT message to the UE including an appropriate 5GMM cause value.
If the initial registration request is rejected due to general NAS level mobility management congestion control, the network shall set the 5GMM cause value to #22 "congestion" and assign a back-off timer T3346.
The UE shall take the following actions depending on the 5GMM cause value received in the REGISTRATION REJECT message.
…
#75 (Permanently not authorized for this SNPN).
5GMM cause #75 is only applicable when received from a cell belonging to an SNPN with a globally-unique SNPN identity. 5GMM cause #75 received from a cell not belonging to an SNPN or a cell belonging to an SNPN with a non-globally-unique SNPN identity is considered as an abnormal case and the behaviour of the UE is specified in subclause 5.5.1.2.7.
The UE shall set the 5GS update status to 5U3 ROAMING NOT ALLOWED (and shall store it according to subclause 5.1.3.2.2) and shall delete any 5G-GUTI, last visited registered TAI, TAI list and ngKSI. The UE shall reset the registration attempt counter and store the SNPN identity in the "permanently forbidden SNPNs" list for the specific access type for which the message was received and, if the UE supports access to an SNPN using credentials from a credentials holder, the selected entry of the "list of subscriber data" or the selected PLMN subscription. If the registration request is not for onboarding services in SNPN, the UE shall enter state 5GMM-DEREGISTERED.PLMN-SEARCH and perform an SNPN selection according to 3GPP TS 23.122 [5]. If the registration request is for onboarding services in SNPN, the UE shall enter state 5GMM-DEREGISTERED.PLMN-SEARCH and perform an SNPN selection for onboarding services according to 3GPP TS 23.122 [5]. If the message has been successfully integrity checked by the NAS, the UE shall set the SNPN-specific attempt counter for 3GPP access and the SNPN-specific attempt counter for non-3GPP access for the current SNPN to the UE implementation-specific maximum value.
If the message has been successfully integrity checked by the NAS and the UE also supports the registration procedure over the other access to the same SNPN, the UE shall in addition handle 5GMM parameters and 5GMM state for this access, as described for this 5GMM cause value.
NOTE 6: When 5GMM cause #75 is received over 3GPP access, the term "other access" in "the UE also supports the registration procedure over the other access to the same SNPN" is used to express access to SNPN services via a PLMN.
…
[TS 24.501, clause 5.1.3.2.1.3.5]
The substate 5GMM-DEREGISTERED.PLMN-SEARCH is chosen in the UE, if the UE is searching for PLMNs or SNPNs. This substate is left either when a cell has been selected (the new substate is NORMAL-SERVICE or LIMITED-SERVICE) or when it has been concluded that no cell is available at the moment (the new substate is NO-CELL-AVAILABLE).
This substate is not applicable to non-3GPP access.
[TS 24.501, clause 5.1.3.2.2]
In order to describe the detailed UE behaviour, the 5GS update (5U) status pertaining to a specific subscriber is defined.
If the UE is not operating in SNPN access operation mode (see 3GPP TS 23.501 [8]), the 5GS update status is stored in a non-volatile memory in the USIM if the corresponding file is present in the USIM, else in the non-volatile memory in the ME, as described in annex C.
If the UE is operating in SNPN access operation mode, the 5GS update status for each SNPN whose SNPN identity is included in the "list of subscriber data" configured in the ME (see 3GPP TS 23.122 [5]) is stored in the non-volatile memory in the ME as described in annex C.
The 5GS update status value is changed only after the execution of a registration, network-initiated de-registration, 5GS based primary authentication and key agreement, service request, paging procedure or due to change in TAI which does not belong to the current registration area while T3346 is running.
5U1: UPDATED
The last registration attempt was successful.
5U2: NOT UPDATED
The last registration attempt failed procedurally, e.g. no response or reject message was received from the AMF.
5U3: ROAMING NOT ALLOWED
The last registration, service request, or registration for mobility or periodic registration update attempt was correctly performed, but the answer from the AMF was negative (because of roaming or subscription restrictions).
[TS 23.122, clause 4.9.3.0]
The ME is configured with a "list of subscriber data" containing zero or more entries. Each entry of the "list of subscriber data" consists of:
… The MS shall add an SNPN to the list of "permanently forbidden SNPNs" which is, if the MS supports access to an SNPN using credentials from a credentials holder, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if a message with cause value #75 "Permanently not authorized for this SNPN" (see 3GPP TS 24.501 [64]) is received by the MS in response to an LR request from the SNPN.
The MS shall remove an SNPN from the list of "permanently forbidden SNPNs" which is, if the MS supports access to an SNPN using credentials from a credentials holder, associated with the selected entry of the "list of subscriber data" or the selected PLMN subscription, if:
a) there is a successful LR after a subsequent manual selection of the SNPN;
b) the MS is configured to use timer T3245 and timer T3245 expires;
c) the MS is not configured to use timer T3245, the timer T3247 expires and the value of the SNPN-specific attempt counter for that SNPN is less than the MS implementation specific maximum value as defined in 3GPP TS 24.501 [64] ;
d) an entry of the "list of subscriber data" with the subscribed SNPN identity identifying the SNPN is updated or the USIM is removed if:
– EAP based primary authentication and key agreement procedure using EAP-AKA’; or
– 5G AKA based primary authentication and key agreement procedure;
was performed in the selected SNPN; or
e) the selected entry of the "list of subscriber data" is updated or USIM is removed for the selected PLMN subscription.
9.1.11.2.3 Test description
9.1.11.2.3.1 Pre-test conditions
System Simulator:
– SNPN cell NGC Cell A is configured according to Table 6.3.2.2-2 broadcasting globally-unique SNPN IDs as per Table 9.1.11.2.3.1-1.
Table 9.1.11.2.3.1–1: SNPN Identifier
|
cell ID |
Network Identifier (NID) |
|
|
Assignment mode |
NID value |
|
|
NGC Cell A |
0 |
1 |
– System information combination NR-12 as defined in TS 38.508-1 [4] clause 4.4.3.1.2 is used in the NGC Cell.
UE:
– The UE is in Automatic SNPN selection mode.
– The UE is provisioned with a “list of subscriber data” to allow access to SNPN identified by NGC Cell A.
Preamble:
– NGC Cell A is set to “Serving Cell”.
– The UE is in state Switched OFF (state 0-A).
9.1.11.2.3.2 Test procedure sequence
Table 9.1.11.2.3.2-1: Main behaviour
|
St |
Procedure |
Message Sequence |
TP |
Verdict |
|
|
U – S |
Message |
||||
|
1 |
The UE is switched on. |
– |
– |
– |
– |
|
2-13 |
Steps 2-13 of Table 4.5.2.2-2 of the generic procedure in TS 38.508-1 [4] are performed |
– |
– |
– |
– |
|
14 |
The SS transmits a REGISTRATION REJECT message, 5GMM cause value = #75 "Permanently not authorized for this SNPN ". |
<– |
REGISTRATION REJECT |
– |
– |
|
15 |
The SS releases the RRC connection. |
– |
– |
– |
– |
|
16 |
Check: Does the UE transmit the REGISTRATION REQUEST message on NGC Cell A in the next 60 seconds? |
–> |
REGISTRATION REQUEST |
1 |
F |
|
17 |
The UE is made to perform manual SNPN search and select SNPN identified by NGC Cell A. |
||||
|
18 |
Check: Does the UE transmit the REGISTRATION REQUEST message on NGC Cell A? |
–> |
REGISTRATION REQUEST |
2 |
P |
|
19-34a1 |
Steps 5-20a1 of Table 4.5.2.2-2 of the generic procedure in TS 38.508-1 [4] are performed on NGC Cell A. |
– |
– |
– |
– |
|
35 |
The user sets the UE in Automatic SNPN/Network selection mode. |
– |
– |
– |
– |
9.1.11.2.3.3 Specific message contents
Table 9.1.11.2.3.3-1: REGISTRATION REJECT (step 14, Table 9.1.11.2.3.2-1)
|
Derivation path: TS 38.508-1 [4] table 4.7.1-9 |
|||
|
Information Element |
Value/remark |
Comment |
Condition |
|
5GMM cause |
‘01001011’B |
#75 "Permanently not authorized for this SNPN" |
|
Table 9.1.11.2.3.3-2: REGISTRATION REQUEST (step 18, Table 9.1.11.2.3.2-1)
|
Derivation path: TS 38.508-1 [4] table 4.7.1-6 |
|||
|
Information Element |
Value/Remark |
Comment |
Condition |
|
ngKSI |
|||
|
NAS key set identifier |
‘111’B |
no key is available |
|
|
TSC |
Any allowed value |
TSC does not apply for NAS key set identifier value "111" |
|
|
5GS mobile identity |
The valid SUCI |
Only SUCI is available. |
|
|
Last visited registered TAI |
Not present |
||
9.1.11.3 SNPN / EAP based primary authentication and key agreement / EAP-AKA’ related procedures
9.1.11.3.1 Test Purpose (TP)
(1)
with { the UE in 5GMM-REGISTERED-INITIATED state }
ensure that {
when { the SS sends an EAP-request/AKA’-challenge message within AUTHENTICATION REQUEST }
then { the UE sends an EAP-response/AKA’-challenge message within AUTHENTICATION RESPONSE }
}
(2)
with { the UE in 5GMM-REGISTERED-INITIATED state and SS initiates an EAP based primary authentication and key agreement procedure }
ensure that {
when { the SS sends an EAP-success message within AUTHENTICATION RESULT }
then { the UE considers the procedure complete and authentication procedure succeed }
}
(3)
with { the UE in 5GMM-REGISTERED-INITIATED state and SS initiates an EAP based primary authentication and key agreement procedure}
ensure that {
when { the SS sends an EAP-failure message within AUTHENTICATION REJECT }
then { the UE shall consider the entry of the "list of subscriber data" with/without the SNPN identity of the current SNPN as invalid for 3GPP access until the UE is switched off or the entry is updated, and the USIM is considered invalid until switching off the UE }
}
9.1.11.3.2 Conformance requirements
References: The conformance requirements covered in the present TC are specified in: TS 24.501 clauses 5.4.1.2.2.3, 5.4.1.2.2.8, 5.4.1.2.2.11 , 9.12.1
[TS 24.501, clause 5.4.1.2.2.3 ]
If a USIM is present and the SNN check is successful, the UE shall handle the EAP-request/AKA’-challenge message as specified in IETF RFC 5448 [40]. The USIM shall derive CK and IK and compute the authentication response (RES) using the 5G authentication challenge data received from the ME, and pass RES to the ME. The ME shall derive CK’ and IK’ from CK and IK, and EMSK from CK’ and IK’. Furthermore, the ME may generate KAUSF from the EMSK, the KSEAF from the KAUSF, and the KAMF from the ABBA received together with the EAP-request/AKA’-challenge message, and the KSEAF as described in 3GPP TS 33.501 [24], and create a partial native 5G NAS security context identified by the ngKSI value received together with the EAP-request/AKA’-challenge message in subclause 5.4.1.2.4.2 in the volatile memory of the ME. If the KAMF and the partial native 5G NAS security context are created, the ME shall store the KAMF in the created partial native 5G NAS security context, and shall send an EAP-response/AKA’-challenge message as specified in IETF RFC 5448 [40].
If the EAP-request/AKA’-challenge message contains AT_RESULT_IND attribute, the UE may include AT_RESULT_IND attribute in the EAP-response/AKA’-challenge message as specified in IETF RFC 5448 [40].
[TS 24.501, clause 5.4.1.2.2.8]
Upon receiving an EAP-success message, if the ME has not generated a partial native 5G NAS security context as described in subclause 5.4.1.2.2.3, the ME shall:
a) generate the KAUSF from the EMSK, the KSEAF from the KAUSF, and the KAMF from the ABBA that was received with the EAP-success message, and the KSEAF as described in 3GPP TS 33.501 [24];
b) create a partial native 5G NAS security context identified by the ngKSI value in the volatile memory of the ME; and
c) store the KAMF in the created partial native 5G NAS security context.
The UE shall consider the procedure complete.
[TS 24.501, clause 5.4.1.2.2.11]
Upon receiving an EAP-failure message, the UE shall delete the partial native 5G NAS security context if any was created as described in subclause 5.4.1.2.2.3.
The UE shall consider the procedure complete.
If the EAP-failure message is received in an AUTHENTICATION REJECT message:
1) if the AUTHENTICATION REJECT message has been successfully integrity checked by the NAS:
– The UE shall set the update status to 5U3 ROAMING NOT ALLOWED, delete the stored 5G-GUTI, TAI list, last visited registered TAI and ngKSI;
In case of PLMN, the USIM shall be considered invalid until switching off the UE or the UICC containing the USIM is removed;
In case of SNPN, the entry of the "list of subscriber data" with the SNPN identity of the current SNPN shall be considered invalid until the UE is switched off or the entry is updated. Additionally, the UE shall consider the USIM as invalid for the current SNPN until switching off or the UICC containing the USIM is removed;
– The UE shall set:
i) the counter for "SIM/USIM considered invalid for GPRS services" events, the counter for "USIM considered invalid for 5GS services over non-3GPP access" events, and the counter for "SIM/USIM considered invalid for non-GPRS services" events if maintained by the UE, in case of PLMN; or
ii) the counter for "the entry for the current SNPN considered invalid for 3GPP access" events and the counter for "the entry for the current SNPN considered invalid for non-3GPP access" events in case of SNPN;
to UE implementation-specific maximum value;
[TS 24.501, clause 9.12.1]
The serving network name (SNN) is used:
– in the Network name field of the AT_KDF_INPUT attribute defined in IETF RFC 5448 [40];
– in KAUSF derivation function as specified in 3GPP TS 33.501 [24] annex A; and
– in RES* and XRES* derivation function as specified in 3GPP TS 33.501 [24] annex A.
SNN shall contain a UTF-8 string without terminating null characters.
SNN is of maximum length of 1020 octets.
SNN consists of SNN-service-code and SNN-network-identifier, delimited by a colon.
SNN-network-identifier identifies the serving PLMN or the serving SNPN.
MCC and MNC in the SNN-PLMN-ID are MCC and MNC of the serving PLMN. If the MNC of the serving PLMN has two digits, then a zero is added at the beginning.
MCC and MNC in the SNN-SNPN-ID are MCC and MNC of the serving SNPN. If the MNC of the serving SNPN has two digits, then a zero is added at the beginning.
SNN-NID contains an NID in hexadecimal digits.
ABNF syntax of SNN is specified in table 9.12.1.1
Table 9.12.1.1: ABNF syntax of SNN
SNN = SNN-service-code ":" SNN-network-identifier
SNN-service-code = %x35.47 ; "5G"
SNN-network-identifier = SNN-PLMN-ID / SNN-SNPN-ID
SNN-PLMN-ID = SNN-mnc-string SNN-mnc-digits "." SNN-mcc-string SNN-mcc-digits "." SNN-3gppnetwork-string "." SNN-org-string ; applicable when not operating in SNPN access operation mode.
SNN-SNPN-ID = SNN-mnc-string SNN-mnc-digits "." SNN-mcc-string SNN-mcc-digits "." SNN-3gppnetwork-string "." SNN-org-string ":" SNN-NID ; applicable when operating in SNPN access operation mode.
SNN-mnc-digits = DIGIT DIGIT DIGIT ; MNC of the PLMN ID
SNN-mcc-digits = DIGIT DIGIT DIGIT ; MCC of the PLMN ID
SNN-mnc-string = %x6d.6e.63 ; "mnc" in lower case
SNN-mcc-string = %x6d.63.63 ; "mcc" in lower case
SNN-3gppnetwork-string = %x33.67.70.70.6e.65.74.77.6f.72.6b ; "3gppnetwork" in lower case
SNN-org-string = %x6f.72.67 ; "org" in lower case
SNN-NID = 11SNN-hexadecimal-digit ; NID in hexadecimal digits
SNN-hexadecimal-digit = DIGIT / %x41 / %x42 / %x43 / %x44 / %x45 / %x46
NOTE: SNN-service-code allows for distinguishing of ANID specified in 3GPP TS 24.302 [16] and SNN as either of SNN or ANID can be carried in the AT_KDF_INPUT attribute.
EXAMPLE 1: In case of a PLMN, if PLMN ID contains MCC = 234 and MNC = 15, SNN is 5G:mnc015.mcc234.3gppnetwork.org.
EXAMPLE 2: In case of an SNPN, if SNPN ID contains a PLMN ID of MCC = 234 and MNC = 15 and an NID of 123456ABCDEH, SNN is 5G:mnc015.mcc234.3gppnetwork.org:123456ABCDE.
9.1.11.3.3 Test description
9.1.11.3.3.1 Pre-test conditions
System Simulator:
– SNPN cell NGC Cell is configured according to Table 6.3.2.2-1 broadcasting default SNPN ID as indicated in TS 38.508-1 [4] Table 4.4.2-4.
– System information combination NR-12 as defined in TS 38.508-1 [4] clause 4.4.3.1.2 is used in NGC Cells.
UE:
– The UE is in Automatic SNPN selection mode.
– The UE is provisioned with a “list of subscriber data” to allow access to SNPN identified by NGC Cell A.
Preamble:
– NGC Cell A is set to “Serving Cell”.
– The UE is in state Switched OFF (state 0-A).
9.1.11.3.3.2 Test procedure sequence
Table 9.1.11.3.3.2-1: Main behaviour
|
St |
Procedure |
Message Sequence |
TP |
Verdict |
|
|
U – S |
Message |
||||
|
1 |
The UE is switched on. |
– |
– |
– |
– |
|
2-4 |
The UE establishes RRC connection and initiates registration procedure by executing steps 2-4 of Table 4.5.2.2-2 in TS 38.508-1 [4]. |
– |
– |
– |
– |
|
5 |
SS transmits a correct AUTHENTICATION REQUEST message with an EAP-Request/AKA’-challenge message. |
<– |
5GMM: AUTHENTICATION REQUEST |
– |
– |
|
6 |
Check: Does the UE respond with a correct AUTHENTICATION RESPONSE message, with an EAP-Response/AKA’-challenge message? |
–> |
5GMM: AUTHENTICATION RESPONSE |
1 |
P |
|
7 |
The SS transmits an “EAP-failure” message within AUTHENTICATION REJECT |
<– |
5GMM: AUTHENTICATION REJECT |
– |
– |
|
8 |
SS releases the RRC connection |
– |
– |
– |
– |
|
9 |
Check: Does the UE transmit an RRCSetupRequest message for initial registration procedure within the next 30 seconds? |
–> |
NR RRC: RRCSetupRequest |
3 |
F |
|
10 |
The UE is switched off by executing generic procedure in Table 4.9.6.4-1 in TS 38.508-1 [4]. |
– |
– |
– |
– |
|
11 |
The UE is switched on. |
– |
– |
– |
– |
|
12-14 |
The UE establishes RRC connection and initiates registration procedure by executing steps 2-4 of Table 4.5.2.2-2 in TS 38.508-1 [4]. |
– |
– |
– |
– |
|
15 |
SS transmits a correct AUTHENTICATION REQUEST message with an EAP-Request/AKA’-challenge message. |
<– |
5GMM: AUTHENTICATION REQUEST |
– |
– |
|
16 |
Check: Does the UE respond with a correct AUTHENTICATION RESPONSE message, with an EAP-Response/AKA’-challenge message? |
–> |
5GMM: AUTHENTICATION RESPONSE |
1 |
P |
|
17 |
SS transmits an AUTHENTICATION RESULT message with an EAP-success message. |
<– |
5GMM: AUTHENTICATION RESULT |
– |
– |
|
18-24 |
The registration procedure is performed by executing steps 8-14 of Table 4.5.2.2-2 in TS 38.508-1 [4]. |
– |
– |
– |
– |
|
25 |
Check: Does the UE transmits a REGISTRATION COMPLETE message? |
–> |
5GMM: REGISTRATION COMPLETE |
2 |
P |
|
26 |
Steps 19a1 of Table 4.5.2.2-2 in TS 38.508-1 [4] are performed |
– |
– |
– |
– |
9.1.11.3.3.3 Specific message contents
Table 9.1.11.3.3.3-1: Message AUTHENTICATION RESPONSE (step 6, 16, Table 9.1.11.3.3.2-1)
|
Derivation path: TS 38.508-1 [4], table 4.7.1-2 |
|||
|
Information Element |
Value/Remark |
Comment |
Condition |
|
EAP message |
EAP-Response/AKA’-Challenge |
RES* equal to the XRES* calculated in the SS with the parameters provided/indicated in the AUTHENTICATION REQUEST |
EAP-AKA |
Table 9.1.11.3.3.3-2: Message AUTHENTICATION RESULT (step 17, Table 9.1.11.3.3.2-1)
|
Derivation path: TS 38.508-1 [4], table 4.7.1-3 |
|||
|
Information Element |
Value/Remark |
Comment |
Condition |
|
EAP message |
EAP-Success |
EAP-AKA |
|
Table 9.1.11.3.3.3-3: AUTHENTICATION REJECT (step 7, Table 9.1.11.3.3.2-1)
|
Derivation path: TS 38.508-1 [4], table 4.7.1-5 |
|||
|
Information Element |
Value/Remark |
Comment |
Condition |
|
Extended protocol discriminator |
5GMM |
||
|
Security header type |
’0000’B |
Plain 5GS NAS message, not security protected |
|
|
Spare half octet |
‘0000’B |
||
|
EAP message |
EAP-failure |
EAP-failure |
|
|
NOTE: This message is sent within SECURITY PROTECTED 5GS NAS MESSAGE message with Integrity protected and ciphered. |
|||