Description
DN-AAA is a logical function defined in the 5G System (5GS) architecture, residing within or interfacing with an external Data Network (DN). Its primary role is to execute AAA procedures for User Equipment (UE) accessing services in that DN. It operates in conjunction with, but is separate from, the 3GPP AAA functions performed by the Unified Data Management (UDM) and Authentication Server Function (AUSF) for core network access. The DN-AAA interacts with the 5G Core Network via the Network Exposure Function (NEF) or directly with the Session Management Function (SMF), depending on the deployment scenario.
The procedure runs in several steps. When a UE establishes a PDU Session to a DN that requires external AAA, the SMF may trigger DN-specific authentication/authorization. The SMF can communicate with the DN-AAA server, typically using the Diameter or RADIUS protocol over the N6 interface or via the NEF if the DN-AAA is a third-party service. The DN-AAA server authenticates the user (often using credentials separate from the 3GPP subscription), authorizes the specific service or QoS profile, and can begin accounting for the data session. The authorization result (e.g., permitted QoS, session duration limits) is conveyed back to the SMF, which enforces these policies within the 3GPP network for that PDU Session.
Key components include the DN-AAA server itself, which holds user profiles and policies for the DN, and the standardized interfaces to the 5G Core. Its role is crucial for enabling enterprise and third-party service providers to integrate their existing AAA infrastructure with 5G networks without needing direct access to the 3GPP HSS/UDM. This allows for flexible business models, such as an enterprise managing access to its corporate network for 5G users, while the mobile operator manages the radio and core network access separately.
Purpose & Motivation
DN-AAA was introduced in 5G to address the need for seamless and secure integration of external data networks (like enterprise networks, IoT platforms, or internet services) with the 5G system. Previous generations lacked a standardized, network-exposed method for a Data Network to perform its own AAA, often leading to clunky workarounds or requiring the 3GPP operator to manage all credentials on behalf of the DN operator.
Its creation was motivated by the 5G vision of network exposure and support for vertical industries. Enterprises demand control over who accesses their resources and how, using their existing identity and access management systems. DN-AAA solves this by providing a clean, standardized hook within the PDU Session establishment flow where the external network's AAA policy can be invoked. This separation of concerns is vital: the mobile operator authenticates the subscriber for network access, while the service provider authenticates the user for application access.
This solves critical problems of business autonomy, security segregation, and operational complexity. It enables new multi-party service delivery models, such as network slicing for enterprises where the slice user (the enterprise) manages access to the slice, and facilitates the convergence of fixed and mobile access with a common AAA point in the service network.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (19 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the DN-AAA function was introduced to provide Data Network-specific authorization data for policy control, enabling features such as the precedence of a DN-AAA authorized Session-AMBR over the UDM subscribed one. This release also specified support for policy authorization with required QoS, including parameters like Packet Error Rate, and introduced the DN-AAA authorization profile index as a key attribute. Furthermore, the foundation was laid for authorizing specific services like emergency QoS and for handling authorization in scenarios involving preliminary service information or non-IP traffic.
In Release 16, the DN-AAA function was enhanced to provide authorization data specifically for policy control, introducing a new DN-AAA authorization profile index and establishing that the DN-AAA authorized Session-AMBR takes precedence over the UDM subscribed Session-AMBR. This release also defined support for the "AuthorizationWithRequiredQoS" feature, which enables policy authorization for application function sessions with required Quality of Service parameters.
In Release 17, enhancements to the DN-AAA function included the introduction of policy authorization for PCC rules with preliminary service information and the support for service-specific authorization within the service parameter provisioning procedure. The release also defined the "AuthorizationWithRequiredQoS" feature, enabling detailed QoS authorization for PCC rules, and allowed the DN-AAA authorized Session-AMBR to take precedence over the UDM subscribed Session-AMBR. Furthermore, new capabilities were added for the PCF to authorize QoS control in the VPLMN and to perform authorization for UE-initiated resource modifications.
- Authorization of UE initiates a resource modification (TS 29.512, CR0808)
- PCC rules authorization with preliminary service information (TS 29.512, CR0809)
- AM Policy Authorization procedure for DCAMP (TS 29.513, CR0274)
- Adding service specific authorization in the service parameter provisioning procedure (TS 29.513, CR0327)
- Correction to the declaration of authorization credentials (TS 29.512, CR0828)
- PCF authorization for QoS control in the VPLMN (TS 29.512, CR0864)
In Release 18, enhancements for the DN-AAA function introduced the **"DN-Authorization" feature** for policy control, which allows the DN-AAA authorized Session-AMBR to take precedence over the UDM subscribed Session-AMBR. The release also formally defined the **"AuthorizationWithRequiredQoS" feature**, enabling policy authorization for AF sessions with required Quality of Service, including support for alternative QoS profiles and preliminary service information. Furthermore, it specified mechanisms for the PCF to use locally stored Onboarding Configuration Data for authorization when subscription data checks are omitted.
- IPTV service authorization (TS 29.512, CR1063)
- Policy Authorization for AF requested QoS for a UE or group of UEs not identified by a UE address (TS 29.512, CR1153)
- Clarification of PCF authorization during SM policy association establishment (TS 29.512, CR1172)
- Policy Authorization for AF requested QoS for a UE or group of UEs not identified by a UE address (TS 29.513, CR0502)
- Correction to PCC rule authorization for AF requests with Alternative Service Requirements (TS 29.513, CR0408)
In Release 19, the DN-AAA function was enhanced to support service parameter authorization in the PCF. This allows the PCF to use locally stored Onboarding Configuration Data for a specific DNN and S-NSSAI to make authorization and policy decisions, omitting the subscription data check with the UDR. Furthermore, the release formalized that the DN-AAA authorized Session-AMBR takes precedence over the UDM subscribed Session-AMBR when both are available at the SMF.
- Service parameter authorization in the PCF (TS 29.513, CR0582)
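The sketch below is an added example, not code from any 3GPP specification or vendor: it models the SMF-side decision from the Description (DN-AAA accept or reject during PDU Session establishment) together with the rule that a DN-AAA authorized Session-AMBR takes precedence over the UDM subscribed one. The class and function names, the "<number> <unit>" bit-rate text form, and the fail-closed handling of a missing or malformed DN-AAA answer are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

# Assumed bit-rate text form "<number> <unit>", e.g. "100 Mbps".
_UNITS = {"bps": 1, "Kbps": 10**3, "Mbps": 10**6, "Gbps": 10**9, "Tbps": 10**12}
_RATE = re.compile(r"(\d+(?:\.\d+)?) (bps|Kbps|Mbps|Gbps|Tbps)")

def parse_bitrate(text: str) -> int:
    """Return bits per second; raise ValueError unless the whole string is well formed."""
    m = _RATE.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed bit rate: {text!r}")
    return int(Decimal(m.group(1)) * _UNITS[m.group(2)])

@dataclass(frozen=True)
class Ambr:
    uplink: str
    downlink: str

@dataclass(frozen=True)
class DnAaaAnswer:  # hypothetical model of what the DN-AAA server returned
    accepted: bool
    session_ambr: Optional[Ambr] = None

def authorize_pdu_session(dn_requires_aaa: bool, subscribed: Ambr,
                          answer: Optional[DnAaaAnswer]) -> Tuple[bool, Optional[Ambr], str]:
    """Return (allowed, Session-AMBR to enforce, where that value came from)."""
    if dn_requires_aaa and answer is None:
        return False, None, "no DN-AAA answer"      # assumption: fail closed
    if answer is not None and not answer.accepted:
        return False, None, "DN-AAA reject"
    # Precedence: the DN-AAA authorized value wins when both are available.
    if answer is not None and answer.session_ambr is not None:
        chosen, source = answer.session_ambr, "DN-AAA"
    else:
        chosen, source = subscribed, "UDM"
    try:  # the DN-AAA is external to the operator, so validate before enforcing
        parse_bitrate(chosen.uplink)
        parse_bitrate(chosen.downlink)
    except ValueError:
        return False, None, f"malformed Session-AMBR from {source}"
    return True, chosen, source

if __name__ == "__main__":
    udm = Ambr("50 Mbps", "200 Mbps")               # constructed sample values
    dn = DnAaaAnswer(True, Ambr("10 Mbps", "20 Mbps"))
    print(authorize_pdu_session(True, udm, dn))     # DN-AAA value is enforced
    print(authorize_pdu_session(True, udm, None))   # session refused
```
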
Defining Specifications
3GPP specifications that define or reference DN-AAA, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 29.512 vj40 | 5G Session Management Policy Control Service | Rel-19 |
| TS 29.513 vj40 | 5G PCC Signalling Flows & QoS Mapping | Rel-19 |