NSSAA

Network Slice-Specific Authentication and Authorization

Network Slicing
Introduced in Rel-16
NSSAA is a security framework within 5G that performs authentication and authorization checks specific to a requested network slice. It ensures that a UE is not only authenticated for the core network but also explicitly authorized to access a particular slice, enabling enhanced security and service isolation for network slicing.

Description

Network Slice-Specific Authentication and Authorization (NSSAA) is a critical security mechanism introduced in 3GPP Release 16 to complement the primary authentication and authorization performed by the Authentication Server Function (AUSF). While primary authentication verifies the UE's identity for the 5G Core Network (5GC) as a whole, NSSAA provides an additional, granular layer of security for individual network slices. This is essential because different slices may have vastly different security requirements, business models, and trust domains. For instance, a slice for massive IoT sensors may have different security postures compared to a slice for ultra-reliable low-latency communication (URLLC) in industrial automation. NSSAA ensures that access to a high-security slice is not granted based solely on credentials valid for a lower-security slice.

The NSSAA procedure is typically triggered after successful primary authentication when a UE requests a network slice that requires slice-specific authentication, as indicated in the subscriber's Subscribed S-NSSAIs (Single Network Slice Selection Assistance Information). The procedure is orchestrated by the Network Slice-Specific Authentication and Authorization Function (NSSAAF), which acts as an intermediary. The NSSAAF receives an authentication request from the Access and Mobility Management Function (AMF) and communicates with external, slice-specific Authentication, Authorization, and Accounting (AAA) servers. These external AAA servers are considered part of the slice tenant's domain and are responsible for evaluating the UE's credentials against policies specific to that slice. The communication between the NSSAAF and the external AAA server can use protocols like the Extensible Authentication Protocol (EAP), allowing for a wide range of authentication methods (EAP-AKA', EAP-TLS, etc.) as defined by the slice provider.

The architecture involves several 5GC network functions. The AMF is the main point of contact, initiating the procedure upon slice request. The NSSAAF, a dedicated logical function, can be deployed as a standalone Network Function (NF) or co-located with another NF such as the AUSF. It interfaces with the external AAA server via the N33 reference point. The Unified Data Management (UDM) may store indications of which S-NSSAIs require NSSAA for a given subscriber. The procedure's result (success, failure, or ongoing) is conveyed back to the AMF, which then allows or denies the UE's registration for the requested slice. A key aspect is that NSSAA can run in parallel for multiple slices, and its failure for one slice does not necessarily impact the UE's registration for other, already authorized slices. This provides flexibility and maintains service continuity where possible.
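The flow described above, reduced to a small executable model, is added here as an illustration; it is not 3GPP code and not any vendor's implementation. It assumes a static mapping from S-NSSAI to tenant AAA server inside the NSSAAF, models the EAP exchange as a single identity-in, verdict-out call, and uses constructed sample values (the SUPI, the S-NSSAIs written as SST-SD, the EAP identities). What it shows is the decision logic the AMF applies: primary authentication gates everything, the UDM indication decides whether NSSAA runs for a subscribed S-NSSAI, and each slice's outcome (success, failure, ongoing) is recorded independently so a failure on one slice does not reject the others.

```python
"""Toy model of NSSAA decision flow (added illustration, not 3GPP or vendor code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class NssaaResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    ONGOING = "ongoing"   # tenant AAA has not answered yet; AMF keeps the slice pending


@dataclass
class SubscribedSnssai:
    snssai: str           # constructed "SST-SD" string, e.g. "01-ABCDEF"
    nssaa_required: bool  # the per-S-NSSAI indication the UDM holds


class UDM:
    """Subscription data: which S-NSSAIs a SUPI may use and whether NSSAA applies to each."""
    def __init__(self, subscriptions: Dict[str, List[SubscribedSnssai]]):
        self._subs = subscriptions

    def subscribed(self, supi: str, snssai: str) -> Optional[SubscribedSnssai]:
        return next((s for s in self._subs.get(supi, []) if s.snssai == snssai), None)


class SliceAAAServer:
    """Tenant-controlled AAA server: accepts identities it knows, everything else fails."""
    def __init__(self, accepted: Set[str], still_processing: Set[str] = frozenset()):
        self.accepted = accepted
        self.still_processing = still_processing  # identities whose EAP run is unfinished

    def eap_authenticate(self, eap_identity: str) -> NssaaResult:
        if eap_identity in self.still_processing:
            return NssaaResult.ONGOING
        return NssaaResult.SUCCESS if eap_identity in self.accepted else NssaaResult.FAILURE


class NSSAAF:
    """Relays EAP between the AMF and the AAA server of the slice (assumed static mapping)."""
    def __init__(self, aaa_by_snssai: Dict[str, SliceAAAServer]):
        self.aaa_by_snssai = aaa_by_snssai
        self.log: List[str] = []  # human-readable trace of the N33-side exchange

    def authenticate(self, snssai: str, eap_identity: str) -> NssaaResult:
        aaa = self.aaa_by_snssai.get(snssai)
        if aaa is None:  # no tenant AAA reachable for this slice: fail closed
            self.log.append(f"{snssai}: no AAA server configured -> failure")
            return NssaaResult.FAILURE
        self.log.append(f"{snssai}: EAP-Response/Identity({eap_identity}) -> AAA")
        result = aaa.eap_authenticate(eap_identity)
        self.log.append(f"{snssai}: AAA -> {result.value}")
        return result


class AMF:
    def __init__(self, udm: UDM, nssaaf: NSSAAF):
        self.udm, self.nssaaf = udm, nssaaf

    def register(self, supi: str, primary_auth_ok: bool, requested: List[str],
                 eap_identities: Dict[str, str]) -> Dict[str, List[str]]:
        outcome: Dict[str, List[str]] = {"allowed": [], "rejected": [], "pending": []}
        if not primary_auth_ok:  # NSSAA never runs without primary authentication
            outcome["rejected"] = list(requested)
            return outcome
        for snssai in requested:
            sub = self.udm.subscribed(supi, snssai)
            if sub is None:
                outcome["rejected"].append(snssai)     # not in subscription at all
            elif not sub.nssaa_required:
                outcome["allowed"].append(snssai)      # subscription check is sufficient
            else:                                      # per-slice verdict, independent of others
                result = self.nssaaf.authenticate(snssai, eap_identities.get(snssai, ""))
                bucket = {NssaaResult.SUCCESS: "allowed", NssaaResult.FAILURE: "rejected",
                          NssaaResult.ONGOING: "pending"}[result]
                outcome[bucket].append(snssai)
        return outcome


SUPI = "imsi-001010000000001"  # constructed sample subscriber


def build_network() -> AMF:
    """Constructed sample deployment: one eMBB slice without NSSAA, two tenant slices with it."""
    udm = UDM({SUPI: [SubscribedSnssai("01-000001", False),
                      SubscribedSnssai("01-ABCDEF", True),
                      SubscribedSnssai("02-123456", True)]})
    nssaaf = NSSAAF({
        "01-ABCDEF": SliceAAAServer(accepted={"device42@tenant-a.example"}),
        "02-123456": SliceAAAServer(accepted=set(), still_processing={"device42@tenant-b.example"}),
    })
    return AMF(udm, nssaaf)


if __name__ == "__main__":
    amf = build_network()
    print(amf.register(SUPI, True, ["01-000001", "01-ABCDEF", "02-123456", "03-999999"],
                       {"01-ABCDEF": "device42@tenant-a.example",
                        "02-123456": "device42@tenant-b.example"}))
    print("\n".join(amf.nssaaf.log))
```

Running the script registers one UE for four slices: the eMBB slice is allowed on subscription alone, the tenant-A slice is allowed after its AAA accepts the identity, the tenant-B slice stays pending because its AAA has not answered, and the unsubscribed slice is rejected. Swapping in an identity tenant A does not know rejects only that slice while the eMBB slice remains allowed, which is the isolation property the text describes.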

Purpose & Motivation

NSSAA was created to address the security and business model challenges inherent in network slicing. Prior to its introduction in Release 16, network slice access control was primarily based on subscription data stored in the UDM, which could indicate whether a subscriber was allowed to use a slice. However, this was a simple binary check and did not support dynamic, real-time authentication and authorization decisions that might involve external credentials or tenant-specific policies. This limitation was a significant barrier for enterprises and vertical industries wishing to operate their own slices with their own identity management systems.

The primary problem NSSAA solves is the need for enhanced security isolation between slices. In a shared physical infrastructure, it is paramount to ensure that a compromise or weak authentication in one slice does not become a vector to access a more sensitive slice. By delegating the final authorization decision to an external AAA server controlled by the slice tenant, NSSAA enables strong, domain-specific authentication. This is crucial for business models where a Mobile Network Operator (MNO) provides network-as-a-service to third-party enterprises. The enterprise can retain control over which of its devices or users are allowed onto its dedicated slice, using its existing corporate credentials and security policies, without the MNO needing to manage those identities directly. This separation of concerns facilitates the commercialization of network slicing.

Key Features

  • Provides secondary, slice-specific authentication after primary 5G core authentication
  • Utilizes external AAA servers for tenant-controlled authorization decisions
  • Supports the Extensible Authentication Protocol (EAP) for flexible authentication methods
  • Allows parallel authentication procedures for multiple network slices
  • Enables strict security isolation between network slices with different trust levels
  • Facilitates enterprise and vertical industry slice ownership with independent identity management

Evolution Across Releases

Rel-16 Initial

Introduced the NSSAA framework as a new work item. Defined the NSSAAF network function, the N33 interface to external AAA servers, and the complete procedure integrated with the 5G Registration and PDU Session Establishment processes. Established the use of EAP as the carrier protocol for authentication messages between the UE and the external AAA server via the NSSAAF.

Defining Specifications

Specification    Title
TS 23.501        3GPP TS 23.501
TS 24.501        3GPP TS 24.501
TS 28.204        3GPP TS 28.204
TS 29.518        3GPP TS 29.518
TS 29.526        3GPP TS 29.526
TS 29.571        3GPP TS 29.571
TS 31.105        3GPP TR 31.105
TS 31.826        3GPP TR 31.826
TS 32.291        3GPP TR 32.291
TS 32.847        3GPP TR 32.847
TS 33.501        3GPP TR 33.501
TS 33.700        3GPP TR 33.700