NAI

Network Access Identifier

Identifier
Introduced in Rel-2
The Network Access Identifier (NAI) is a standardized user identity format used in network access authentication, particularly in roaming scenarios. It follows the structure 'user@realm', where the 'realm' part identifies the user's home network domain. The NAI is fundamental to protocols like EAP, RADIUS, and Diameter, enabling unambiguous identification of users and proper routing of authentication requests to their home network.

Description

The Network Access Identifier (NAI) is a critical identifier defined in IETF RFC 7542 and adopted by 3GPP for use in access authentication. Its primary format is 'username@realm'. The 'username' part uniquely identifies the user within the context of the specified 'realm'. The 'realm' is a crucial component that denotes the administrative domain responsible for authenticating the user, typically the user's home service provider (e.g., operator.com). This structure is essential for roaming.

During network access, when a user (UE) attempts to connect to a visited network (e.g., while roaming internationally), the UE presents its NAI in the access request. The visited network's access point (e.g., a PDN Gateway in 5G, or an AAA proxy) examines the realm portion of the NAI. Since the realm is not local, the visited network's AAA infrastructure forwards the authentication request, containing the NAI, to the AAA server in the user's home realm. This routing is often done through a hierarchy of proxy AAA servers.

The home AAA server (e.g., HSS/UDM in 3GPP) uses the username part of the NAI to look up the user's subscription profile and authentication credentials. It then engages in an authentication protocol (like EAP-AKA') with the UE. The NAI remains constant throughout this process, ensuring the home network knows exactly which user is being authenticated. In 3GPP systems, the NAI is often derived from the user's International Mobile Subscriber Identity (IMSI) or a subscription permanent identifier (SUPI) in a privacy-preserving way (e.g., creating a pseudonym).

The NAI's role extends beyond initial access. It is used in accounting records (e.g., RADIUS Accounting messages) to correlate usage data with a specific user and their home realm for billing and settlement between roaming partners. It is a carrier-grade identifier designed for scalability and global uniqueness, forming the backbone of interoperable authentication in heterogeneous and roaming-enabled network environments.

Purpose & Motivation

The NAI was created to solve the fundamental problem of uniquely and unambiguously identifying a mobile user in a world of multiple, interconnected network service providers (roaming). Before standardization, different networks used various, often incompatible, formats for user IDs (e.g., simple usernames, MSISDNs), which caused severe problems in routing authentication requests during roaming and made inter-operator accounting complex.

The primary motivation was to enable seamless and secure network access authentication for roaming users. The 'user@realm' structure provides a simple, yet powerful, way to embed routing information (the realm) directly into the user's identity. This allows any visited network to determine, without prior knowledge of the user, where to send the authentication request. It decouples the visited network's authentication infrastructure from the home network's user database.

3GPP adopted the NAI to integrate its core network authentication (using Diameter and later HTTP/2-based protocols) with the broader Internet authentication framework established by the IETF. It addresses the limitations of using only an IMSI or MSISDN, which do not explicitly contain domain routing information and can raise privacy concerns if transmitted in clear text. The NAI format is extensible and supports privacy enhancements like pseudonymous or fast re-authentication identities, making it a versatile and future-proof cornerstone for secure, scalable mobile access.
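The realm-based routing described in the Description and Purpose sections above, as an added example that is not part of this page or of any 3GPP specification: it parses an NAI on its last '@' per RFC 7542, validates the realm, recognises the 3GPP IMSI-derived root-NAI realm shape (nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, assumed here from TS 23.003, which this page does not cite), and lets a visited AAA decide whether to authenticate locally, forward to a known home-realm proxy, or reject an unknown realm. LOCAL_REALM and HOME_AAA_PROXIES are constructed, hypothetical values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed configuration for a visited network's AAA: its own realm and the
# home-realm AAA proxies it has roaming agreements with (hypothetical values).
LOCAL_REALM = "visited.example"
HOME_AAA_PROXIES = {"operator.com": "aaa-proxy.operator.com"}

# DNS-style realm: dot-separated labels of letters, digits and inner hyphens.
REALM_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Assumed 3GPP root-NAI realm shape (TS 23.003 style, not cited on this page).
PLMN_REALM_RE = re.compile(r"^nai\.epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


@dataclass(frozen=True)
class NAI:
    username: str
    realm: Optional[str]


def parse_nai(raw: str) -> NAI:
    """Split an NAI into username and realm; the realm is everything after the LAST '@'."""
    if not raw or "\x00" in raw or any(c.isspace() for c in raw):
        raise ValueError("NAI must be non-empty with no whitespace or NUL")
    username, sep, realm = raw.rpartition("@")
    if not sep:                       # RFC 7542 allows a realm-less NAI
        return NAI(username=raw, realm=None)
    if not username:
        raise ValueError("empty username")
    if not REALM_RE.match(realm):
        raise ValueError(f"realm {realm!r} is not a valid DNS-style realm")
    return NAI(username=username, realm=realm.lower())


def home_plmn(nai: NAI) -> Optional[Tuple[str, str]]:
    """Return (MCC, MNC) when the realm names a 3GPP home PLMN, else None."""
    m = PLMN_REALM_RE.match(nai.realm or "")
    return (m.group(2), m.group(1)) if m else None


def route(nai: NAI) -> Tuple[str, Optional[str]]:
    """Decide what a visited AAA does with the access request carrying this NAI."""
    if nai.realm is None or nai.realm == LOCAL_REALM:
        return ("local", None)        # authenticate against the local user database
    peer = HOME_AAA_PROXIES.get(nai.realm)
    if peer is None:
        return ("reject", None)       # no roaming agreement for this realm: do not guess
    return ("forward", peer)          # proxy towards the home realm's AAA server
```

Rejecting unknown realms instead of guessing a next hop keeps the visited network from leaking access requests to parties it has no agreement with.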

Key Features

  • Standardized format 'username@realm' as per IETF RFC 7542
  • The realm component enables routing of authentication requests to the user's home network domain
  • Fundamental identifier used in EAP, RADIUS, and Diameter authentication and accounting protocols
  • Often constructed from or mapped to the user's IMSI or SUPI for 3GPP subscribers
  • Supports privacy mechanisms through the use of pseudonym or re-authentication identities
  • Globally unique identifier essential for roaming scenarios and inter-operator settlements

Evolution Across Releases

Rel-2 Initial

Initially introduced and adopted from IETF standards for use in 3GPP packet-switched core network authentication, particularly for GPRS and early 3G data services. It provided a standardized way to identify users during RADIUS/Diameter-based authentication procedures, especially in roaming scenarios between different operators' networks.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 22.495        3GPP TS 22.495
TS 23.228        3GPP TS 23.228
TS 23.234        3GPP TS 23.234
TS 23.501        3GPP TS 23.501
TS 23.923        3GPP TS 23.923
TS 24.229        3GPP TS 24.229
TS 24.234        3GPP TS 24.234
TS 24.302        3GPP TS 24.302
TS 24.501        3GPP TS 24.501
TS 24.502        3GPP TS 24.502
TS 24.554        3GPP TS 24.554
TS 24.890        3GPP TS 24.890
TS 29.061        3GPP TS 29.061
TS 29.275        3GPP TS 29.275
TS 29.503        3GPP TS 29.503
TS 29.562        3GPP TS 29.562
TS 31.102        3GPP TR 31.102
TS 31.103        3GPP TR 31.103
TS 32.182        3GPP TR 32.182
TS 33.107        3GPP TR 33.107
TS 33.501        3GPP TR 33.501
TS 33.503        3GPP TR 33.503
TS 33.822        3GPP TR 33.822
TS 33.835        3GPP TR 33.835