AUN3

Authenticable Non-3GPP Devices

Introduced in Rel-18

AUN3 is the term for authenticable non-3GPP devices, such as Wi-Fi access points, which the 5G core network can authenticate to securely integrate diverse access technologies and extend services.

Category: Security
Introduced: Rel-18
Where: Core Network › 5G Core
Specifications: 6 specs

Description

Authenticable Non-3GPP (AUN3) devices represent a crucial component in 5G's converged network architecture, enabling the secure integration of non-3GPP access networks with the 5G Core (5GC). These devices include Wi-Fi access points, fixed network gateways, and other access equipment that can establish trusted connections to the 5G system through standardized authentication procedures. The AUN3 framework allows these heterogeneous access technologies to be treated as trusted entry points into the 5G network, subject to the same security controls and policies as native 3GPP radio access.

The technical implementation of AUN3 involves several key components working in coordination. The Non-3GPP Interworking Function (N3IWF) serves as the primary interface between non-3GPP access networks and the 5G Core, establishing IPsec tunnels for secure data transmission. The Authentication Server Function (AUSF) performs the actual authentication of devices using Extensible Authentication Protocol (EAP) methods, while the Unified Data Management (UDM) stores authentication credentials and subscription data. The Access and Mobility Management Function (AMF) coordinates the overall authentication and registration procedures, ensuring seamless mobility between 3GPP and non-3GPP access.

The authentication process for AUN3 devices follows a sophisticated protocol flow defined in 3GPP specifications. When a device attempts to connect through non-3GPP access, it initiates an authentication request that travels through the N3IWF to the AMF. The AMF then coordinates with the AUSF to perform EAP-based authentication, which may involve various methods including EAP-AKA' for 5G-specific authentication or EAP-TLS for certificate-based authentication. During this process, the device proves its identity using credentials stored in the Universal Subscriber Identity Module (USIM) or through certificate-based mechanisms, while the network authenticates itself to the device to prevent man-in-the-middle attacks.

Security considerations for AUN3 devices are comprehensive and multi-layered. The framework mandates mutual authentication between the device and the network, ensuring both parties verify each other's identities. IPsec security associations provide confidentiality and integrity protection for user plane traffic, while control plane signaling is protected through NAS security mechanisms. The system also supports key hierarchy management, with separate keys derived for different security contexts including integrity protection, confidentiality, and key refresh procedures. This layered security approach ensures that even though the physical access medium differs from 3GPP radio, the security level remains equivalent.
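The key separation described above can be made concrete for EAP-AKA', one of the methods this page names. The following is an added example, not code from this page or from 3GPP: it follows the derivation in RFC 5448 (PRF' and the MK split) with CK'/IK' bound to the network name and K_AUSF taken from the EMSK as in TS 33.501. All key material, network names and the identity string are constructed sample values.

```python
import hashlib
import hmac

def hmac256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_ck_ik_prime(ck, ik, sqn_xor_ak, network_name):
    """CK'||IK' = HMAC-SHA-256(CK||IK, FC || P0 || L0 || P1 || L1), FC = 0x20."""
    p0 = network_name.encode()
    s = (b"\x20" + p0 + len(p0).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    out = hmac256(ck + ik, s)
    return out[:16], out[16:]  # CK', IK'

def prf_prime(key, seed, length):
    """RFC 5448 PRF': T1 = HMAC(K, S|0x01), Tn = HMAC(K, Tn-1|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac256(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def eap_aka_prime_keys(ck, ik, sqn_xor_ak, network_name, identity):
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, sqn_xor_ak, network_name)
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity.encode(), 208)
    return {
        "K_encr": mk[0:16],     # encrypts EAP attributes
        "K_aut": mk[16:48],     # keys AT_MAC on EAP messages
        "K_re": mk[48:80],      # re-authentication key
        "MSK": mk[80:144],
        "EMSK": mk[144:208],
        "K_AUSF": mk[144:176],  # first 256 bits of EMSK (TS 33.501)
    }

# Constructed sample values, not taken from any specification test set.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN_XOR_AK = bytes.fromhex("010203040506")
HOME_SNN = "5G:mnc001.mcc001.3gppnetwork.org"
OTHER_SNN = "5G:mnc002.mcc001.3gppnetwork.org"
IDENTITY = "001010000000001@example.invalid"

def keys_differ_across_networks():
    a = eap_aka_prime_keys(CK, IK, SQN_XOR_AK, HOME_SNN, IDENTITY)
    b = eap_aka_prime_keys(CK, IK, SQN_XOR_AK, OTHER_SNN, IDENTITY)
    return all(a[name] != b[name] for name in a)

if __name__ == "__main__":
    print("network-bound keys:", keys_differ_across_networks())
```

Because the network name is an input to CK'/IK', a device and a network that disagree on it derive different K_aut values and the AT_MAC check fails, so keys obtained for one network name cannot be reused under another.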

The role of AUN3 in the 5G ecosystem extends beyond basic connectivity to enable advanced service capabilities. By authenticating non-3GPP devices, operators can offer seamless service continuity as users move between cellular and Wi-Fi networks, implement consistent quality of service policies across different access types, and enable network slicing that spans both 3GPP and non-3GPP domains. This convergence capability is particularly important for enterprise deployments, where private 5G networks often integrate with existing Wi-Fi infrastructure, and for fixed wireless access scenarios where 5G core services are delivered through non-cellular last-mile technologies.

Purpose & Motivation

The AUN3 framework was developed to address the growing need for converged network architectures that can seamlessly integrate diverse access technologies under a unified security and management umbrella. As 5G networks evolved beyond traditional cellular deployments, operators faced increasing pressure to incorporate Wi-Fi, fixed access, and other non-3GPP technologies into their service offerings while maintaining the robust security standards expected from 3GPP systems. Previous approaches to non-3GPP integration, such as those in 4G EPC, offered limited authentication capabilities and often treated non-3GPP access as secondary or less secure alternatives.

Historically, non-3GPP access integration suffered from fragmented security implementations and inconsistent authentication mechanisms across different technologies. Wi-Fi networks typically used WPA2/WPA3 with separate authentication servers, while fixed networks employed various proprietary authentication methods. This fragmentation created security gaps, complicated roaming scenarios, and prevented operators from applying consistent policy controls across their entire network footprint. The AUN3 framework addresses these limitations by providing a standardized, 3GPP-aligned authentication framework that brings non-3GPP devices under the same security governance as native 5G access.

The creation of AUN3 was motivated by several key industry trends: the proliferation of Wi-Fi 6/6E technologies offering performance comparable to 5G NR, the emergence of fixed wireless access as a primary broadband delivery method, and the growing enterprise demand for private networks that blend cellular and non-cellular technologies. By enabling secure authentication of non-3GPP devices, the framework supports these use cases while maintaining the end-to-end security principles that are fundamental to 3GPP systems. This allows operators to leverage their existing infrastructure investments while expanding service coverage and capabilities through heterogeneous access integration.

Classification

Part of: N3IWF
Related approaches: AUSF

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (84 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 3 changes

In Release 15, the AUN3 (Authenticable Non-3GPP Devices) function was introduced, enabling a 5G-RG (Residential Gateway) to act on behalf of an AUN3 device by exchanging NAS signalling messages with an AMF for registration and PDU session establishment. This release also specified the use of EAP methods like EAP-AKA' for primary authentication of such devices and introduced Non-3GPP QoS Assistance Information (N3QAI) to allow QoS differentiation for traffic from AUN3 devices behind the 5G-RG. Furthermore, procedures for interworking between E-UTRAN/EPC and N3IWF/5GCN were defined to support the transfer of active connections.

  • Interworking between E-UTRAN/EPC and N3IWF/5GCN (TS 24.501 CR0176)
  • Resolution of editor's note on the information the N3IWF maintains for a registered UE (TS 24.501 CR0703)
  • Correction of N3IWF key (TS 29.413 CR0004)

Rel-16 12 changes

In Release 16, the AUN3 function was newly defined, specifying that a 5G-RG acting on behalf of an Authenticable Non-3GPP device exchanges NAS signalling with an AMF and can request the establishment of a PDU session for that device. The release also introduced support for authentication and registration of N5GC devices via wireline access and defined procedures for using EAP methods like EAP-AKA' for primary authentication of an AUN3 device.

  • Packet filters based on N3IWF IP address and SPI for IPsec SA (TS 24.501 CR1231)
  • 5GS NAS extended timers for NB-N1 mode and WB-N1/CE mode devices (TS 24.501 CR1647)
  • Introduction of NSSAI efficient signalling for IoT devices (TS 24.501 CR1657)
  • Registration of N5GC devices via wireline access (TS 24.501 CR2020)
  • N3IWF FQDN configured in a UE to support access to PLMN/SNPN services via SNPN/PLMN (TS 24.502 CR0079)
  • Support of authentication and registration of N5GC devices via wireline access (TS 24.502 CR0116)

+ 6 more changes

Rel-17 4 changes

In Release 17, the AUN3 function was enhanced to define procedures for a 5G-RG acting on behalf of an AUN3 device that does not support N1 mode, including its registration and the establishment of a single PDU session on the device's behalf. It also introduced Non-3GPP QoS Assistance Information (N3QAI) to enable QoS differentiation for traffic from such devices. Furthermore, the release specified the use of EAP methods for primary authentication of an AUN3 device when supported by the 5G-RG, AMF, and AUSF.

  • Add requirements to support NR RedCap devices (TS 24.501 CR3688)
  • N3IWF selection for emergency services (TS 24.502 CR0194)
  • Correction to procedures for non 5G capable over WLAN (N5CW) devices (TS 24.502 CR0175)
  • Update of N3IWF selection procedure for access to SNPN services via a PLMN (TS 24.502 CR0183)

Rel-18 64 changes

In Release 18, the AUN3 function was enhanced to formally define the scenario where a 5G-RG acts on behalf of an Authenticable Non-3GPP device, establishing a separate 5GMM context and performing registration and PDU session establishment for it. The release also specified the use of EAP methods, such as EAP-AKA' and EAP-TLS, for the primary authentication of these AUN3 devices. Furthermore, it introduced mechanisms for network slice-aware N3IWF selection, allowing the UE to indicate its support for this and enabling the network to reject registrations if the selected N3IWF is incompatible with the requested slices.

  • N3IWF with slice capability (TS 24.501 CR4877)
  • UE to indicate its support for Slice-based N3IWF selection to the network (TS 24.501 CR4961)
  • Rejecting the UE Registration due to the selected N3IWF by the UE is not compatible with the used slices (TS 24.501 CR4963)
  • Aborting registration procedure when the selected N3IWF is not compatible with the allowed NSSAI (TS 24.501 CR5119)
  • Support of AUN3/NAUN3 device behind 5G-RG (TS 24.501 CR5421)
  • Requirements for supporting AUN3 devices connected to 5G-RG (TS 24.501 CR5643)

+ 58 more changes

Rel-19 1 change

In Release 19, the AUN3 function introduced new handling for an unprotected REGISTRATION REJECT message containing specific cause codes, namely #81 and #82, which indicate that the selected N3IWF or TNGF is not compatible with the allowed NSSAI. This enhancement addresses a specific failure scenario in the registration procedure for authenticable non-3GPP devices.

  • Handling of unprotected REGISTRATION REJECT message with causes #81 and #82 (Selected N3IWF/TNGF is not compatible with the allowed NSSAI) (TS 24.501 CR6795)

Defining Specifications

3GPP specifications that define or reference AUN3, with the latest known release. Sourced from the 3GPP document catalog.

Specification  | Title                                        | Release
TS 24.501 vj50 | 5G NAS Protocols Specification               | Rel-19
TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19
TS 24.526 vj30 | UE Policies for 5GS; Stage 3                 | Rel-19
TS 29.413 vj00 | NGAP for Non-3GPP Access                     | Rel-19
TS 33.501 vk00 | 5G Security Architecture and Procedures      | Rel-20
TS 38.413 vj10 | NG Application Protocol (NGAP)               | Rel-19