Description
DN-AAA is a logical function defined in the 5G System (5GS) architecture, residing within or interfacing with an external Data Network (DN). Its primary role is to execute authentication, authorization and accounting (AAA) procedures for User Equipment (UE) accessing services in that DN. It operates in conjunction with, but is separate from, the 3GPP AAA functions performed by the Unified Data Management (UDM) and Authentication Server Function (AUSF) for core network access. Depending on the deployment scenario, the DN-AAA interacts with the 5G Core Network via the Network Exposure Function (NEF) or directly with the Session Management Function (SMF).
The procedure works as follows. When a UE establishes a PDU Session to a DN that requires external AAA, the SMF may trigger DN-specific authentication/authorization. The SMF can communicate with the DN-AAA server, typically using the Diameter or RADIUS protocol over the N6 interface or via the NEF if the DN-AAA is a third-party service. The DN-AAA server authenticates the user (often using credentials separate from the 3GPP subscription), authorizes the specific service or QoS profile, and can begin accounting for the data session. The authorization result (e.g., permitted QoS, session duration limits) is conveyed back to the SMF, which enforces these policies within the 3GPP network for that PDU Session.
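Because the SMF enforces whatever authorization result comes back, it should accept that result only from a reply it can tie to its own request. The sketch below is an added example, not taken from any 3GPP specification or product: it assumes RADIUS is the protocol in use and that the session duration limit is carried in the standard Session-Timeout attribute, and it checks the RFC 2865 Response Authenticator before reading the limit. The shared secret, identifier and timeout values are constructed.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS codes (RFC 2865)
SESSION_TIMEOUT = 27                  # attribute type (RFC 2865)

def attr(type_, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def sign_reply(code, ident, request_auth, attrs, secret):
    """DN-AAA side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def parse_attrs(data):
    """Walk the TLV list, rejecting truncated or undersized attributes."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def validate_reply(reply, ident, request_auth, secret):
    """SMF side: return (accepted, session_timeout_or_None); raise on a bad reply."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        raise ValueError("unexpected reply")
    expected = sign_reply(code, rid, request_auth, reply[20:], secret)[4:20]
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    raw = parse_attrs(reply[20:]).get(SESSION_TIMEOUT)
    timeout = struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else None
    return code == ACCESS_ACCEPT, timeout

# Constructed sample values; a real client draws a fresh random Request Authenticator.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
GOOD = sign_reply(ACCESS_ACCEPT, 7, REQ_AUTH, attr(SESSION_TIMEOUT, struct.pack("!I", 3600)), SECRET)
# The same reply with the timeout altered in transit and the authenticator left unchanged.
TAMPERED = GOOD[:-4] + struct.pack("!I", 86400)

if __name__ == "__main__":
    print(validate_reply(GOOD, 7, REQ_AUTH, SECRET))
```

A reply whose Session-Timeout was changed after signing, or one answering a different request identifier, raises `ValueError` instead of yielding a policy for the SMF to enforce.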
Key components include the DN-AAA server itself, which holds user profiles and policies for the DN, and the standardized interfaces to the 5G Core. Its role is crucial for enabling enterprise and third-party service providers to integrate their existing AAA infrastructure with 5G networks without needing direct access to the 3GPP HSS/UDM. This allows for flexible business models, such as an enterprise managing access to its corporate network for 5G users, while the mobile operator manages the radio and core network access separately.
Purpose & Motivation
DN-AAA was introduced in 5G to address the need for seamless and secure integration of external data networks (like enterprise networks, IoT platforms, or internet services) with the 5G system. Previous generations lacked a standardized, network-exposed method for a Data Network to perform its own AAA, often leading to clunky workarounds or requiring the 3GPP operator to manage all credentials on behalf of the DN operator.
Its creation was motivated by the 5G vision of network exposure and support for vertical industries. Enterprises demand control over who accesses their resources and how, using their existing identity and access management systems. DN-AAA solves this by providing a clean, standardized hook within the PDU Session establishment flow where the external network's AAA policy can be invoked. This separation of concerns is vital: the mobile operator authenticates the subscriber for network access, while the service provider authenticates the user for application access.
This solves critical problems of business autonomy, security segregation, and operational complexity. It enables new multi-party service delivery models, such as network slicing for enterprises where the slice user (the enterprise) manages access to the slice, and facilitates the convergence of fixed and mobile access with a common AAA point in the service network.
Key Features
- Provides AAA services external to the 3GPP trust domain
- Interworks with 5GC via SMF or NEF using standardized procedures
- Supports Diameter and RADIUS protocols for interoperability
- Enables independent policy enforcement by the Data Network operator
- Allows separate credential management from 3GPP subscription
- Facilitates accounting and charging for DN-specific services
Evolution Across Releases
DN-AAA was initially introduced as part of the enhanced 5G architecture to support integration with external DN AAA servers. The basic procedures for DN-AAA server discovery, authentication, and authorization triggering during PDU Session establishment were defined at that point, primarily documented in TS 29.512 (Session Management) and TS 29.513 (Policy and Charging).
Defining Specifications
| Specification | Title |
|---|---|
| TS 29.512 | 3GPP TS 29.512 |
| TS 29.513 | 3GPP TS 29.513 |