CAG

Closed Access Group

Introduced in Rel-16. Also in: Core Network, User Equipment, Management, Security.

CAG is a 5G feature that provides restricted and secure network access exclusively to authorized users within a specific location, such as an enterprise campus.

Category: Services
Introduced: Rel-16
Where: Radio Access Network › NG-RAN (5G)
Also touches: 4 segments
Specifications: 22 specs

Description

A Closed Access Group (CAG) is a 3GPP-defined mechanism in 5G systems that facilitates controlled and restricted network access for a defined group of User Equipment (UEs) within a specific geographical area, such as an enterprise campus, factory, or hospital. It operates by associating one or more CAG Identifiers (CAG IDs) with specific cells, known as CAG cells, which are part of a Public Land Mobile Network (PLMN). Only UEs that are subscribed to and explicitly authorized for a particular CAG ID are permitted to access the corresponding CAG cells. This creates a logical, access-controlled network slice within the public 5G infrastructure, ensuring that the radio resources and network services are dedicated to the authorized group, thereby preventing unauthorized public access.

The architecture involves several key network functions. The Access and Mobility Management Function (AMF) plays a central role in enforcing CAG access control during registration and service request procedures. The Unified Data Management (UDM) stores the subscriber's CAG subscription data, including the list of Allowed CAG IDs for each UE. This subscription data is provided to the AMF via the Authentication Server Function (AUSF) during authentication. The Radio Access Network (RAN), specifically the gNB, broadcasts the supported CAG IDs for a cell in System Information Block 1 (SIB1) using the `cag-IdentityList` parameter. A UE configured for CAG access scans for these broadcasts and only attempts to select or camp on a cell if its subscribed Allowed CAG list includes one of the IDs broadcast by that cell.

The operational flow begins with the UE, which must have a USIM containing a CAG-specific Access Control List. When the UE is powered on or enters the area, it reads the CAG ID list from the cell's SIB1. The UE compares this list with its stored Allowed CAG list. If a match is found, the UE proceeds with the initial registration procedure, indicating its selected CAG ID to the network. The AMF then verifies the UE's authorization by checking the subscription data received from the UDM. If the UE is not authorized for the requested CAG, the AMF rejects the registration with an appropriate cause code, such as "CAG not allowed." For mobility, a UE is generally not permitted to hand over into a CAG cell unless it is authorized for that CAG, ensuring the closed nature of the group is maintained during movement.
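The two checks in this flow, modelled as an added example (not code from 3GPP or from this page's source). It shows why the AMF decision has to rest on subscription data rather than on the UE's stored list. All class and function names, the PLMN value and the CAG IDs are constructed for illustration; the public-cell rule for the "CAG access only" indication goes beyond this paragraph and reflects the Rel-16 indication listed under the release changes.

```python
from dataclasses import dataclass, field

REJECT_CAUSE = "CAG not allowed"   # wording used on this page, not a spec cause name

@dataclass(frozen=True)
class Cell:
    plmn: str
    cag_ids: frozenset = frozenset()   # IDs broadcast in SIB1; empty = public cell

@dataclass
class Subscription:                    # hypothetical model of UDM-held CAG data
    allowed: dict                      # PLMN -> set of Allowed CAG IDs
    cag_only: set = field(default_factory=set)  # PLMNs flagged "CAG access only"

def ue_select(cell, ue_allowed):
    """UE side: pick a broadcast CAG ID that is present in the UE's stored list."""
    common = sorted(cell.cag_ids & ue_allowed.get(cell.plmn, set()))
    return common[0] if common else None

def amf_authorize(cell, selected_cag, sub):
    """Network side: decide from subscription data only, never from UE state."""
    if not cell.cag_ids:               # public (non-CAG) cell
        if cell.plmn in sub.cag_only:
            return (False, REJECT_CAUSE)
        return (True, None)
    if selected_cag not in cell.cag_ids:
        return (False, REJECT_CAUSE)   # UE named a CAG this cell does not serve
    if selected_cag not in sub.allowed.get(cell.plmn, set()):
        return (False, REJECT_CAUSE)   # not in the subscribed Allowed CAG list
    return (True, None)

def register(cell, ue_allowed, sub):
    """Run the UE-side check, then the AMF check, in the order described above."""
    if not cell.cag_ids:
        return amf_authorize(cell, None, sub)
    chosen = ue_select(cell, ue_allowed)
    if chosen is None:
        return (False, "UE did not attempt access")
    return amf_authorize(cell, chosen, sub)

# Constructed sample data: test PLMN 001/01 and made-up CAG IDs.
FACTORY = Cell("00101", frozenset({"0000A001"}))
PUBLIC = Cell("00101")
SUB = Subscription(allowed={"00101": {"0000A001"}}, cag_only={"00101"})
REVOKED = Subscription(allowed={"00101": set()})   # CAG removed in the UDM
UE_LIST = {"00101": {"0000A001"}}                  # UE copy, stale after revocation
```

With `REVOKED`, the UE-side check still passes because the UE's copy is stale, and only the AMF check stops the registration.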

CAG is closely integrated with other 5G features like Network Slicing. A CAG can be associated with one or more Network Slice Instances (NSIs), allowing the closed group of users to access specific, tailored services (e.g., ultra-reliable low-latency communication for factory automation) on a dedicated logical network. This combination provides both access control and service isolation. Management and exposure of CAG capabilities are handled by the Network Exposure Function (NEF) and the Service Capability Exposure Function (SCEF) for northbound APIs, enabling enterprise applications to manage their CAG memberships and policies.

Purpose & Motivation

CAG was introduced in 3GPP Release 16 to address the growing demand from vertical industries (e.g., manufacturing, energy, healthcare) and enterprises for private, secure, and controlled 5G network access. Prior to CAG, similar concepts existed, such as Closed Subscriber Groups (CSG) in 4G LTE, which were primarily designed for residential femtocells. However, CSG had limitations for large-scale enterprise deployments, including less flexible subscription management and limited integration with modern 5G core network principles like network slicing and service-based architecture. CAG was created to provide a more scalable, policy-driven, and network-slice-aware access control mechanism suitable for professional and industrial use cases.

The primary problem CAG solves is enabling a public network operator to offer a "virtual private network" experience on a shared public RAN and core infrastructure. Without CAG, an enterprise would require a physically separate, dedicated network (a true private network) to ensure only its devices can connect, which is costly and inefficient. CAG allows the operator to logically partition a portion of its public network, designating certain cells for exclusive use by a customer's authorized devices. This solves the problems of unauthorized access, radio resource contention with public users, and lack of service guarantees for critical enterprise applications.

Furthermore, CAG supports the 5G vision of network-as-a-service and network slicing by providing the foundational access control layer. It allows enterprises to have guaranteed connectivity for their mission-critical IoT devices, autonomous guided vehicles, and AR/VR tools without interference from public traffic. The motivation stems from industry digitization trends (Industry 4.0) where reliable, low-latency, and secure wireless connectivity is a prerequisite. CAG, combined with network slicing, enables operators to meet stringent Service Level Agreements (SLAs) for these vertical customers on a shared infrastructure, unlocking new revenue streams and use cases beyond traditional consumer mobile broadband.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (220 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 3 changes

In Release 15, the Closed Access Group (CAG) function was introduced as part of Mobility Restrictions, allowing network access to be limited to a specific group. The specification defines that CAG information is included in a UE's subscription data and is used to enforce access control. Furthermore, an NR Femto Hosting Party is defined as being capable of playing the role of a CAG owner.

  • Clarification to the usage of Internal-Group Identifier (TS 23.501 CR0262)
  • Correction to Default MAC Cell Group configuration (TS 38.331 CR0445)
  • Modified UE capability on different numerologies within the same PUCCH group (TS 38.331 CR1115)

Rel-16 89 changes

In Release 16, the CAG function was enhanced with new procedures for provisioning and signaling, including the provisioning of an allowed CAG list and a "CAG access only" indication to the UE. Key signaling additions included the inclusion of a CAG information list in the REGISTRATION ACCEPT and REGISTRATION REJECT messages, and the transmission of the UE's CAG capability to the network. Furthermore, support was added for providing CAG information to lower layers for paging and defining a specific 5GMM cause value for CAG-related rejections.

  • Further detailing of 5G LAN group management (TS 23.501 CR1052)
  • Adding UDR NF Group ID association functionality (TS 23.501 CR1384)
  • Assistance indication for WUS grouping (TS 23.501 CR2053)
  • Providing CAG ID to the lower layer (TS 24.501 CR0997)
  • Provisioning of an allowed CAG list and a CAG access only indication (TS 24.501 CR1056)
  • 5GMM cause value for CAG (TS 24.501 CR1057)

+ 83 more changes

Rel-17 61 changes

In Release 17, key enhancements for the Closed Access Group (CAG) function included the introduction of a USIM file to store a pre-configured CAG information list and the requirement for the AMF to provide the CAG information list for the current PLMN. The release also defined procedures for network-initiated actions using this list, such as triggering AN release or NAS signalling connection release when the list contains no entry for the current PLMN. Furthermore, it specified UE behaviours, including that only CAG-supported UEs process the CAG information list, and clarified the handling of emergency sessions and rejections for CAG-only UEs.

  • Enabling slice priority and slice groups for RRM purposes (TS 23.501 CR3317)
  • Enabling configuration of Network Slice AS Groups (TS 23.501 CR3539)
  • Usage of initial CAG information list (TS 24.501 CR2774)
  • Network slice simultaneous registration group (TS 24.501 CR3349)
  • Network slice AS group - General aspects (TS 24.501 CR4199)
  • Introduce a USIM file to store pre-configured CAG information list (TS 31.102 CR0904)

+ 55 more changes

Rel-18 50 changes

In Release 18, the CAG function was enhanced to support an allowed CAG list with a validity condition, enabling time-based access control for groups. The release also introduced procedures for enhanced CAG selection, providing additional information and enforcement mechanisms for both successful and unsuccessful cases. Furthermore, it defined UE handling mechanisms for scenarios when the CAG validity state changes.

  • Service area provisioning and LADN aspects for enhanced group management (TS 23.501 CR3914)
  • KI#3, NEF exposure for handling PDU Session Type change and managing temporal invalidity/validity condition for a group of UEs (TS 23.501 CR3964)
  • Group MBR (TS 23.501 CR3982)
  • UE-to-UE QoS for a group (TS 23.501 CR3984)
  • Allowing UE to simultaneously send data to different groups with different QoS policy (TS 23.501 CR3986)
  • Add the default QoS parameters for 5G VN group data (TS 23.501 CR4010)

+ 44 more changes

Rel-19 17 changes

In Release 19, the CAG function was enhanced with new provisioning capabilities and clarifications for roaming support. Specifically, the release introduced the functionality for a 5G NR Femto Hosting Party to act as a CAG owner and provided verification checks for NR Femto cell CAG IDs. Additionally, it brought clarifications on CAG-related UE access restrictions and the optional use of CAG IDs in NR Femto deployments.

  • Exposure enhancements for static UE IP address assignment and 5G VN group's User Plane Security Policy (TS 23.501 CR5492)
  • CAG information provisioning (TS 23.501 CR5808)
  • CAG information Provisioning clarification of roaming support (TS 23.501 CR5856)
  • Rel-19 CR 32.255 Adding use of charging characteristics for CHF Group (TS 32.255 CR0566)
  • LI for 5G LAN parameter provisioning (VN Group) (TS 33.127 CR0253)
  • 5G Femto Hosting Party acting as a CAG owner (TS 23.501 CR5667)

+ 11 more changes

Defining Specifications

3GPP specifications that define or reference CAG, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

| Specification | Title | Release |
|---|---|---|
| TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 27.007 vj40 | AT Command Set for UE | Rel-19 |
| TS 28.622 vk20 | Telecommunication Management; Generic NRM Information Service | Rel-20 |
| TR 28.828 vi00 | Charging Aspects for Non-Public Networks | Rel-18 |
| TS 31.102 vj40 | USIM Application Specification | Rel-19 |
| TS 31.111 vj30 | USIM Application Toolkit (USAT) Specification | Rel-19 |
| TS 32.255 vk10 | Telecom Management; Charging for 5G Data Connectivity | Rel-20 |
| TS 32.422 vk00 | Telecom Management: Trace Control & Configuration | Rel-20 |
| TS 33.127 vj50 | Lawful Interception Architecture and Functions | Rel-19 |
| TS 33.545 vj20 | Security for NR Femto Subsystem | Rel-19 |
| TS 33.745 vj10 | Security Study for 5G NR Femto | Rel-19 |
| TS 33.819 vg10 | 5GS Security for Vertical & LAN Services | Rel-16 |
| TS 37.483 vj10 | E1 Application Protocol (E1AP) | Rel-19 |
| TS 38.300 vj00 | NG-RAN Overall Description | Rel-19 |
| TS 38.304 vj00 | UE RRC_IDLE and RRC_INACTIVE Procedures | Rel-19 |
| TS 38.331 vj00 | NR Radio Resource Control (RRC) Protocol Specification | Rel-19 |
| TS 38.401 vj10 | NG-RAN Architecture Specification | Rel-19 |
| TS 38.413 vj10 | NG Application Protocol (NGAP) | Rel-19 |
| TS 38.423 vj10 | Xn Application Protocol (XnAP) specification | Rel-19 |
| TS 38.463 vj00 | E1 Application Protocol (E1AP) | Rel-19 |
| TS 38.473 vj10 | 5G F1 Application Protocol (F1AP) | Rel-19 |