NAI

Network Access Identifier

Introduced in Rel-2. Also in: Security, Services.

NAI is a standardized user identity format, structured as 'user@realm', used for unambiguous identification and routing of authentication requests, especially in roaming scenarios within mobile networks.

Category: Identifier
Introduced: Rel-2
Where: Core Network › 5G Core
Also touches: 2 segments
Specifications: 25 specs

Description

The Network Access Identifier (NAI) is a critical identifier defined in IETF RFC 7542 and adopted by 3GPP for use in access authentication. Its primary format is 'username@realm'. The 'username' part uniquely identifies the user within the context of the specified 'realm'. The 'realm' is a crucial component that denotes the administrative domain responsible for authenticating the user, typically the user's home service provider (e.g., operator.com). This structure is essential for roaming.

During network access, when a user (UE) attempts to connect to a visited network (e.g., while roaming internationally), the UE presents its NAI in the access request. The visited network's access point (e.g., a PDN Gateway in 5G, or an AAA proxy) examines the realm portion of the NAI. Since the realm is not local, the visited network's AAA infrastructure forwards the authentication request, containing the NAI, to the AAA server in the user's home realm. This routing is often done through a hierarchy of proxy AAA servers.

The home AAA server (e.g., HSS/UDM in 3GPP) uses the username part of the NAI to look up the user's subscription profile and authentication credentials. It then engages in an authentication protocol (like EAP-AKA') with the UE. The NAI remains constant throughout this process, ensuring the home network knows exactly which user is being authenticated. In 3GPP systems, the NAI is often derived from the user's International Mobile Subscriber Identity (IMSI) or a subscription permanent identifier (SUPI) in a privacy-preserving way (e.g., creating a pseudonym).
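The realm-based routing decision described above can be shown as an added Python example; it is not taken from the original page or from any 3GPP or IETF text. It assumes ASCII-only realms and an exact-match routing table with no default route; the function names, the realm `visited.example` and the proxy host name are hypothetical.

```python
import re

# ASCII-only realm labels; internationalised realms are out of scope here (assumption).
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
MAX_NAI_OCTETS = 253  # length RFC 7542 says implementations SHOULD support


class NAIError(ValueError):
    """Raised when an identity is not a well-formed NAI."""


def parse_nai(nai):
    """Return (username, realm) with the realm lower-cased; realm is None if absent."""
    if not nai or len(nai.encode("utf-8")) > MAX_NAI_OCTETS:
        raise NAIError("empty or over-long NAI")
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in nai):
        raise NAIError("control character or whitespace in NAI")
    if nai.count("@") > 1:
        raise NAIError("more than one '@'")
    username, sep, realm = nai.partition("@")
    if not sep:
        return username, None            # no realm: treated as a local user
    labels = realm.lower().split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise NAIError("malformed realm")
    return username, ".".join(labels)


def route(nai, local_realm, roaming_peers):
    """Decide where a visited network sends the authentication request."""
    try:
        username, realm = parse_nai(nai)
    except NAIError as exc:
        return ("reject", str(exc))
    if realm is None or realm == local_realm:
        return ("local", local_realm)
    peer = roaming_peers.get(realm)      # exact match only, no default route
    if peer is None:
        return ("reject", "no roaming agreement for realm " + realm)
    return ("proxy", peer)


# Constructed sample data: the local realm and proxy name are hypothetical.
LOCAL = "visited.example"
PEERS = {"operator.com": "aaa-proxy-1.visited.example"}
```

Normalising the realm before the lookup and rejecting unknown realms keeps malformed or unexpected identities from being forwarded to a roaming partner.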

The NAI's role extends beyond initial access. It is used in accounting records (e.g., RADIUS Accounting messages) to correlate usage data with a specific user and their home realm for billing and settlement between roaming partners. It is a carrier-grade identifier designed for scalability and global uniqueness, forming the backbone of interoperable authentication in heterogeneous and roaming-enabled network environments.

Purpose & Motivation

The NAI was created to solve the fundamental problem of uniquely and unambiguously identifying a mobile user in a world of multiple, interconnected network service providers (roaming). Before standardization, different networks used various, often incompatible, formats for user IDs (e.g., simple usernames, MSISDNs), which caused severe problems in routing authentication requests during roaming and made inter-operator accounting complex.

The primary motivation was to enable seamless and secure network access authentication for roaming users. The 'user@realm' structure provides a simple, yet powerful, way to embed routing information (the realm) directly into the user's identity. This allows any visited network to determine, without prior knowledge of the user, where to send the authentication request. It decouples the visited network's authentication infrastructure from the home network's user database.

3GPP adopted the NAI to integrate its core network authentication (using Diameter and later HTTP/2-based protocols) with the broader Internet authentication framework established by the IETF. It addresses the limitations of using only an IMSI or MSISDN, which do not explicitly contain domain routing information and can raise privacy concerns if transmitted in clear text. The NAI format is extensible and supports privacy enhancements like pseudonymous or fast re-authentication identities, making it a versatile and future-proof cornerstone for secure, scalable mobile access.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (131 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-2, normative work from Rel-15.

Rel-15 33 changes

In Release 15, the NAI (Network Access Identifier) function was newly introduced as a format for the Subscription Permanent Identifier (SUPI) and for the encrypted Subscription Concealed Identifier (SUCI). It was also explicitly defined as an identifier for use with non-3GPP access networks. Furthermore, the release included work on subscription identifier privacy support and the partitioning of identifier space for EPS interworking.

  • Subscription identifier privacy support (TS 31.102, CR0778)
  • Clarification to Subscription identifier privacy (TS 33.501, CR0145)
  • Use of identifiers for mobility between GERAN/UTRAN and 5GS (TS 23.501, CR0017)
  • Partitioning of Identifier space to ensure success of Context retrieval for EPS Interworking (TS 23.501, CR0090)
  • Subscription Permanent Identifier (TS 23.501, CR0189)
  • Changed length and mapping of 5GS Temporary Identifiers (TS 23.501, CR0206)

+ 27 more changes

Rel-16 16 changes

In Release 16, the NAI function was enhanced to support identifier translation for multicast and group communications, including the translation of a Group Identifier to a list of specific UE identifiers. It also introduced support for a UE identifier specifically for Standalone Non-Public Networks (SNPN) and clarified the use of the CAG identifier. Furthermore, new test data was defined for SUCI computation based on a network-specific identifier.

  • Group Identifier Translation (TS 29.503, CR0281)
  • External Group Identifier in NIDD information (TS 29.503, CR0330)
  • Translation of Group Id to UE identifier list (TS 29.503, CR0366)
  • SUCI computation: implementers' test data for network specific identifier-based SUPI (TS 33.501, CR0847)
  • Clarification for the related CAG identifier (TS 23.501, CR1371)
  • UE identifier for SNPN (TS 23.501, CR1881)

+ 10 more changes

Rel-17 20 changes

In Release 17, key enhancements for the Network Access Identifier (NAI) function included the correction of handling for the Network Identifier (NID) within a SUCI in NAI format and clarifications on the NAI format for the PRUK ID. Additionally, specific corrections and clarifications were provided for the NAI used in Non-Seamless WLAN Offload (NSWO) and the NAI provided by an N5CW device. These updates ensured more consistent and accurate identifier handling across various procedures and access technologies, including satellite NG-RAN.

  • Identifier Translation (TS 29.503, CR0654)
  • Authorization of Group Identifier Translation (TS 29.503, CR0694)
  • Corrections on the AF related identifier (TS 23.501, CR3064)
  • Avoid including both PAP/CHAP and EAP identifiers in PDU session establishment request (TS 24.501, CR2941)
  • Clarification on the setting of packet filter identifier value (TS 24.501, CR3300)
  • Network identifier is not specified (TS 24.501, CR3389)

+ 14 more changes

Rel-18 36 changes

In Release 18, enhancements for the Network Access Identifier (NAI) function included introducing a Decorated NAI specifically for Non-Seamless WLAN Offload (NSWO) scenarios and clarifying its usage within Standalone Non-Public Networks (SNPNs). The release also resolved editorial notes on NAI construction for SNPN authentication and expanded support for decorated NAIs in WLAN access. Furthermore, it provided clarifications on the NAI format and alignment for NSWO operations.

  • PIN identifiers (TS 23.501, CR4287)
  • Protecting the N3IWF/TNGF identifier information in the REGISTRATION REJECT message (TS 24.501, CR5932)
  • Resolving the EN related to N3IWF selection based on N3IWF identifier information in the REGISTRATION REJECT message (TS 24.502, CR0230)
  • Prefixed OI/TAI Identifier FQDN for N3IWF selection (TS 24.502, CR0223)
  • Resolve EN on NAI construction for SNPN authentication (TS 24.502, CR0242)
  • N3IWF selection for non-IMS services supporting extended home N3IWF identifier configuration and slice-specific N3IWF prefix configuration (TS 24.502, CR0248)

+ 30 more changes

Rel-19 26 changes

In Release 19, the NAI function was enhanced to support QoS differentiation for multiple Non-3GPP Device Identifiers connecting behind a UE or 5G-RG, including procedures for suspending this differentiation. The release also introduced the capability for an Application Function (AF) to select a specific UE identifier during translation in the UDM and to store this AF-specific identifier in the UDR.

  • UDR enhancement supporting Device Identifier of non-3GPP Devices connecting behind a UE/5G-RG (TS 23.501, CR5547)
  • Definition of identifiers of N3GPP device behind UE/5G-RG (TS 23.501, CR5749)
  • Support of reject QoS differentiation for non-3GPP device identifier(s) (TS 24.501, CR6926)
  • Procedure update for QoS differentiation of non-3GPP device identifiers (TS 24.501, CR6994)
  • Support for AF Specific Identifier Selection in Multiple Identifiers Translation in UDM (TS 29.503, CR1341)
  • AF Identifier in ImsEeSubscription (TS 29.562, CR0179)

+ 20 more changes


Defining Specifications

3GPP specifications that define or reference NAI, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification | Title | Release
TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19
TS 22.495 v1700 | NGN Requirements for IMS Services | Rel-7
TS 23.228 vj50 | IMS Stage-2 Service Description | Rel-19
TS 23.234 vd10 | 3GPP-WLAN Interworking Index | Rel-13
TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20
TR 23.923 v1300 | Mobile IP+ Feasibility Study for UMTS/GPRS | Rel-4
TS 24.229 vj50 | IMS call control protocol based on SIP and SDP | Rel-19
TS 24.234 vc20 | 3GPP-WLAN Interworking Network Selection | Rel-12
TS 24.302 vj00 | Access to EPC via non-3GPP networks; Stage 3 | Rel-19
TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19
TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19
TS 24.554 vj40 | 5G Proximity Services (ProSe) Protocols | Rel-19
TS 24.890 vg00 | 5G NAS Protocol for 5GS Stage 3 | Rel-16
TS 29.061 vj00 | Packet Domain Interworking for PLMN | Rel-19
TS 29.275 vj00 | PMIPv6 Mobility & Tunnelling Protocols Stage 3 | Rel-19
TS 29.503 vj50 | UDM Service Based Interface Stage 3 | Rel-19
TS 29.562 vj40 | HSS Services for IMS & GBA Interworking | Rel-19
TS 31.102 vj40 | USIM Application Specification | Rel-19
TS 31.103 vj00 | ISIM Application Specification | Rel-19
TS 32.182 vj00 | UDC Common Baseline Information Model (CBIM) | Rel-19
TS 33.107 vj00 | Lawful Interception Architecture & Functions | Rel-19
TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20
TS 33.503 vj20 | Security for Proximity Services (ProSe) in 5G | Rel-19
TS 33.822 v1800 | Security Architecture for Inter-Access Mobility | Rel-8
TS 33.835 vg10 | Study on authentication and key management for apps | Rel-16