CAG

Closed Access Group

Services
Introduced in Rel-16
A Closed Access Group (CAG) is a 5G feature enabling restricted network access for authorized users, such as enterprise employees, within a specific location like a campus or factory. It ensures only subscribed UEs can connect to designated CAG cells, providing secure, private connectivity. This supports enterprise and industrial use cases requiring controlled, isolated network environments.

Description

A Closed Access Group (CAG) is a 3GPP-defined mechanism in 5G systems that facilitates controlled and restricted network access for a defined group of User Equipment (UEs) within a specific geographical area, such as an enterprise campus, factory, or hospital. It operates by associating one or more CAG Identifiers (CAG IDs) with specific cells, known as CAG cells, which are part of a Public Land Mobile Network (PLMN). Only UEs that are subscribed to and explicitly authorized for a particular CAG ID are permitted to access the corresponding CAG cells. This creates a logical, access-controlled network slice within the public 5G infrastructure, ensuring that the radio resources and network services are dedicated to the authorized group, thereby preventing unauthorized public access.

The architecture involves several key network functions. The Access and Mobility Management Function (AMF) plays a central role in enforcing CAG access control during registration and service request procedures. The Unified Data Management (UDM) stores the subscriber's CAG subscription data, including the list of Allowed CAG IDs for each UE. This subscription data is provided to the AMF via the Authentication Server Function (AUSF) during authentication. The Radio Access Network (RAN), specifically the gNB, broadcasts the supported CAG IDs for a cell in System Information Block 1 (SIB1) using the `cag-IdentityList` parameter. A UE configured for CAG access scans for these broadcasts and only attempts to select or camp on a cell if its subscribed Allowed CAG list includes one of the IDs broadcast by that cell.

The operational flow begins with the UE, which must have a USIM containing a CAG-specific Access Control List. When the UE is powered on or enters the area, it reads the CAG ID list from the cell's SIB1. The UE compares this list with its stored Allowed CAG list. If a match is found, the UE proceeds with the initial registration procedure, indicating its selected CAG ID to the network. The AMF then verifies the UE's authorization by checking the subscription data received from the UDM. If the UE is not authorized for the requested CAG, the AMF rejects the registration with an appropriate cause code, such as "CAG not allowed." For mobility, a UE is generally not permitted to handover into a CAG cell unless it is authorized for that CAG, ensuring the closed nature of the group is maintained during movement.
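The two checks described above (the UE comparing the SIB1 CAG ID list with its Allowed CAG list, and the AMF verifying the selected CAG against the UDM subscription, including the handover rule) as an added example; this is constructed illustration code, not code from any 3GPP specification or vendor implementation. The data model, the PLMN and CAG ID values, and the cause label for a CAG-only UE on a public cell are all assumptions; the "CAG not allowed" wording is the one used on this page.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class CellSib1:
    """Constructed model of what a gNB announces in SIB1: the cell's PLMN and
    the CAG IDs it serves. An empty set means an ordinary public cell."""
    cell_id: str
    plmn: str
    cag_ids: FrozenSet[int] = frozenset()


@dataclass
class CagSubscription:
    """Allowed CAG list per PLMN plus a CAG-only indication. The same shape is
    used for the UE's local copy and for the authoritative copy in the UDM."""
    allowed: Dict[str, Set[int]]
    cag_only: bool = False


CAUSE_CAG_NOT_ALLOWED = "CAG not allowed"                    # wording from this page
CAUSE_CAG_ONLY = "non-CAG cell not allowed for CAG-only UE"  # assumed label


def ue_cell_candidate(cell: CellSib1, cfg: CagSubscription) -> Tuple[bool, Optional[int]]:
    """UE-side cell selection: may the UE camp on this cell, and which CAG ID
    would it indicate at registration (None for a plain public cell)?"""
    if not cell.cag_ids:
        # Public cell: usable only if the UE is not restricted to CAG cells.
        return (not cfg.cag_only, None)
    common = cell.cag_ids & cfg.allowed.get(cell.plmn, set())
    if not common:
        return (False, None)
    # Deterministic choice when several broadcast IDs are allowed.
    return (True, min(common))


def amf_authorize(plmn: str, selected_cag: Optional[int],
                  sub: CagSubscription) -> Tuple[bool, Optional[str]]:
    """Network-side enforcement: the AMF checks the UE's selected CAG against
    the UDM subscription, regardless of what the UE believed locally."""
    if selected_cag is None:
        return (False, CAUSE_CAG_ONLY) if sub.cag_only else (True, None)
    if selected_cag not in sub.allowed.get(plmn, set()):
        return (False, CAUSE_CAG_NOT_ALLOWED)
    return (True, None)


def registration_attempt(cell: CellSib1, ue_cfg: CagSubscription,
                         udm_sub: CagSubscription) -> dict:
    """End-to-end: UE selection followed by AMF authorization."""
    camped, cag = ue_cell_candidate(cell, ue_cfg)
    if not camped:
        return {"camped": False, "selected_cag": None,
                "accepted": False, "cause": "cell not selected by UE"}
    accepted, cause = amf_authorize(cell.plmn, cag, udm_sub)
    return {"camped": True, "selected_cag": cag,
            "accepted": accepted, "cause": cause}


def handover_allowed(target: CellSib1, udm_sub: CagSubscription) -> bool:
    """Mobility rule: a UE may move into a CAG cell only if subscribed to one
    of its CAG IDs; a CAG-only UE may not move into a public cell."""
    if target.cag_ids:
        return bool(target.cag_ids & udm_sub.allowed.get(target.plmn, set()))
    return not udm_sub.cag_only


if __name__ == "__main__":
    # Constructed scenario: one public cell and one CAG cell in PLMN 001-01.
    cag_cell = CellSib1("cag-1", "001-01", frozenset({100, 200}))
    pub_cell = CellSib1("pub-1", "001-01")
    employee = CagSubscription({"001-01": {100}}, cag_only=True)
    stale_ue = CagSubscription({"001-01": {200}})   # local list out of date
    public_ue = CagSubscription({})
    print("employee on CAG cell:", registration_attempt(cag_cell, employee, employee))
    print("stale UE on CAG cell:", registration_attempt(cag_cell, stale_ue, employee))
    print("public UE on CAG cell:", registration_attempt(cag_cell, public_ue, public_ue))
    print("handover employee -> public:", handover_allowed(pub_cell, employee))
```

The stale-UE case is the one worth noting: the UE's own Allowed CAG list only decides which cells it tries, while the AMF check against the UDM copy is what actually grants or refuses access, so a UE whose local configuration disagrees with its subscription is rejected at registration rather than admitted.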

CAG is closely integrated with other 5G features like Network Slicing. A CAG can be associated with one or more Network Slice Instances (NSIs), allowing the closed group of users to access specific, tailored services (e.g., ultra-reliable low-latency communication for factory automation) on a dedicated logical network. This combination provides both access control and service isolation. Management and exposure of CAG capabilities are handled by the Network Exposure Function (NEF) and the Service Capability Exposure Function (SCEF) for northbound APIs, enabling enterprise applications to manage their CAG memberships and policies.

Purpose & Motivation

CAG was introduced in 3GPP Release 16 to address the growing demand from vertical industries (e.g., manufacturing, energy, healthcare) and enterprises for private, secure, and controlled 5G network access. Before CAG, a similar concept existed in 4G LTE, the Closed Subscriber Group (CSG), which was primarily designed for residential femtocells. However, CSG had limitations for large-scale enterprise deployments, including less flexible subscription management and limited integration with modern 5G core network principles such as network slicing and the service-based architecture. CAG was created to provide a more scalable, policy-driven, and network-slice-aware access control mechanism suitable for professional and industrial use cases.

The primary problem CAG solves is enabling a public network operator to offer a "virtual private network" experience on a shared public RAN and core infrastructure. Without CAG, an enterprise would require a physically separate, dedicated network (a true private network) to ensure only its devices can connect, which is costly and inefficient. CAG allows the operator to logically partition a portion of its public network, designating certain cells for exclusive use by a customer's authorized devices. This solves the problems of unauthorized access, radio resource contention with public users, and lack of service guarantees for critical enterprise applications.

Furthermore, CAG supports the 5G vision of network-as-a-service and network slicing by providing the foundational access control layer. It allows enterprises to have guaranteed connectivity for their mission-critical IoT devices, autonomous guided vehicles, and AR/VR tools without interference from public traffic. The motivation stems from industry digitization trends (Industry 4.0) where reliable, low-latency, and secure wireless connectivity is a prerequisite. CAG, combined with network slicing, enables operators to meet stringent Service Level Agreements (SLAs) for these vertical customers on a shared infrastructure, unlocking new revenue streams and use cases beyond traditional consumer mobile broadband.

Key Features

  • Restricts network access to UEs with explicit subscription to a specific CAG Identifier
  • CAG IDs are broadcast by the gNB in SIB1, enabling UEs to identify authorized cells
  • Access control is enforced by the AMF during registration using subscription data from UDM
  • Supports association with one or more Network Slices for combined access and service isolation
  • Allows a UE to be a member of multiple CAGs, providing access flexibility
  • Prevents unauthorized handovers into CAG cells, maintaining closed group integrity

Evolution Across Releases

Rel-16 Initial

Introduced the foundational CAG architecture. Defined the CAG Identifier, subscription storage in UDM, broadcast in RAN system information (SIB1), and access control procedures in the AMF. Enabled integration with 5G Network Slicing, allowing a CAG to be associated with specific S-NSSAIs. Established the framework for enterprise and vertical private network access on public infrastructure.

Defining Specifications

Specification    Title
TS 23.501        3GPP TS 23.501
TS 24.501        3GPP TS 24.501
TS 27.007        3GPP TS 27.007
TS 28.622        3GPP TS 28.622
TS 28.828        3GPP TS 28.828
TS 31.102        3GPP TR 31.102
TS 31.111        3GPP TR 31.111
TS 32.255        3GPP TR 32.255
TS 32.422        3GPP TR 32.422
TS 33.127        3GPP TR 33.127
TS 33.545        3GPP TR 33.545
TS 33.745        3GPP TR 33.745
TS 33.819        3GPP TR 33.819
TS 37.483        3GPP TR 37.483
TS 38.300        3GPP TR 38.300
TS 38.304        3GPP TR 38.304
TS 38.331        3GPP TR 38.331
TS 38.401        3GPP TR 38.401
TS 38.413        3GPP TR 38.413
TS 38.423        3GPP TR 38.423
TS 38.463        3GPP TR 38.463
TS 38.473        3GPP TR 38.473