NSSAA

Network Slice-Specific Authentication and Authorization

Introduced in Rel-16. Also in: Security

NSSAA is a 5G security framework that performs slice-specific authentication and authorization, ensuring a user device is explicitly permitted to access a particular network slice beyond general network access.

Category: Network Slicing
Introduced: Rel-16
Where: Core Network › 5G Core
Also touches: 1 segment
Specifications: 12 specs

Description

Network Slice-Specific Authentication and Authorization (NSSAA) is a critical security mechanism introduced in 3GPP Release 16 to complement the primary authentication and authorization performed by the Authentication Server Function (AUSF). While primary authentication verifies the UE's identity for the 5G Core Network (5GC) as a whole, NSSAA provides an additional, granular layer of security for individual network slices. This is essential because different slices may have vastly different security requirements, business models, and trust domains. For instance, a slice for massive IoT sensors may have different security postures compared to a slice for ultra-reliable low-latency communication (URLLC) in industrial automation. NSSAA ensures that access to a high-security slice is not granted based solely on credentials valid for a lower-security slice.

The NSSAA procedure is typically triggered after successful primary authentication when a UE requests a network slice that requires slice-specific authentication, as indicated by the Subscribed Network Slice Selection Assistance Information (S-NSSAI). The procedure is orchestrated by the Network Slice-Specific Authentication and Authorization Function (NSSAAF), which acts as an intermediary. The NSSAAF receives an authentication request from the Access and Mobility Management Function (AMF) and communicates with external, slice-specific Authentication, Authorization, and Accounting (AAA) servers. These external AAA servers are considered part of the slice tenant's domain and are responsible for evaluating the UE's credentials against policies specific to that slice. The communication between the NSSAAF and the external AAA server can use protocols like the Extensible Authentication Protocol (EAP), allowing for a wide range of authentication methods (EAP-AKA', EAP-TLS, etc.) as defined by the slice provider.

The architecture involves several 5GC network functions. The AMF is the main point of contact, initiating the procedure upon slice request. The NSSAAF, a dedicated logical function, can be deployed as a standalone Network Function (NF) or co-located with another NF like the AUSF. It interfaces with the external AAA server via the N33 reference point. The Unified Data Management (UDM) may store indications of which S-NSSAIs require NSSAA for a given subscriber. The procedure's result (success, failure, or on-going) is conveyed back to the AMF, which then allows or denies the UE's registration for the requested slice. A key aspect is that NSSAA can run in parallel for multiple slices, and its failure for one slice does not necessarily impact the UE's registration for other, already authorized slices. This provides flexibility and maintains service continuity where possible.
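
The per-slice bookkeeping described above, as an added example (not code from any 3GPP specification or vendor product): a model of how an AMF could sort requested slices into allowed, pending and rejected sets and then apply each NSSAA result independently. The class, method and slice names are assumptions made for illustration, and ignoring results for slices that are not pending is a fail-closed choice of this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    ONGOING = "on-going"


@dataclass
class SliceContext:
    """Per-UE slice state kept by a modelled AMF after primary authentication."""
    subscribed: dict            # S-NSSAI -> True if the slice is subject to NSSAA
    allowed: set = field(default_factory=set)
    pending: set = field(default_factory=set)
    rejected: set = field(default_factory=set)

    def register(self, requested):
        """Sort the requested slices into allowed / pending / rejected."""
        for s in requested:
            if s not in self.subscribed:
                self.rejected.add(s)          # not subscribed: fail closed
            elif self.subscribed[s]:
                self.pending.add(s)           # needs the tenant AAA server's verdict
            else:
                self.allowed.add(s)           # subscription check is sufficient

    def apply_result(self, s_nssai, result):
        """Apply one NSSAA outcome; return True only if the state changed."""
        if s_nssai not in self.pending:
            return False                      # unsolicited or replayed result: ignore
        if result is Result.ONGOING:
            return False                      # EAP exchange still running: stay pending
        self.pending.discard(s_nssai)
        (self.allowed if result is Result.SUCCESS else self.rejected).add(s_nssai)
        return True


def demo():
    # Constructed sample data: slice names and NSSAA flags are illustrative only.
    ctx = SliceContext(subscribed={"iot": False, "urllc": True, "enterprise": True})
    ctx.register(["iot", "urllc", "enterprise", "unknown"])
    ctx.apply_result("urllc", Result.FAILURE)       # one slice fails NSSAA
    ctx.apply_result("enterprise", Result.ONGOING)  # another is still in progress
    ctx.apply_result("iot", Result.FAILURE)         # iot was never pending: no effect
    return ctx


if __name__ == "__main__":
    c = demo()
    print(sorted(c.allowed), sorted(c.pending), sorted(c.rejected))
```

The failure for one slice leaves the already allowed slice untouched, and a slice is only ever promoted to allowed from the pending set.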

Purpose & Motivation

NSSAA was created to address the security and business model challenges inherent in network slicing. Prior to its introduction in Release 16, network slice access control was primarily based on subscription data stored in the UDM, which could indicate whether a subscriber was allowed to use a slice. However, this was a simple binary check and did not support dynamic, real-time authentication and authorization decisions that might involve external credentials or tenant-specific policies. This limitation was a significant barrier for enterprises and vertical industries wishing to operate their own slices with their own identity management systems.

The primary problem NSSAA solves is the need for enhanced security isolation between slices. In a shared physical infrastructure, it is paramount to ensure that a compromise or weak authentication in one slice does not become a vector to access a more sensitive slice. By delegating the final authorization decision to an external AAA server controlled by the slice tenant, NSSAA enables strong, domain-specific authentication. This is crucial for business models where a Mobile Network Operator (MNO) provides network-as-a-service to third-party enterprises. The enterprise can retain control over which of its devices or users are allowed onto its dedicated slice, using its existing corporate credentials and security policies, without the MNO needing to manage those identities directly. This separation of concerns facilitates the commercialization of network slicing.

Classification

Part of: NSSAAF
Specific types: NSSAAF
Related approaches: NSSAI, S-NSSAI

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (1110 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 147 changes

In Release 15, the NSSAA function was newly introduced as part of the 5G security framework, with specifications detailing its authentication and authorization procedures between network functions. The release included clarifications for protection at the network or transport layer and for authorization and authentication between network functions and the NRF. Furthermore, it added the "ABBA" parameter to the 5G primary authentication procedure to support slice-specific security contexts.

  • Including S-NSSAI received in EPS in Requested NSSAI and in PDU session establishment request upon inter-system change from S1 mode to N1 mode (TS 24.501 CR0082)
  • Storing Configured NSSAI when the PLMN is changed (TS 24.501 CR0203)
  • Rules on concurrent running of authentication and NAS SMC procedure (TS 33.501 CR0004)
  • Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF (TS 33.501 CR0147)
  • CR-slice-management-security (TS 33.501 CR0290)
  • Addition of ABBA in 5G based primary authentication procedure (TS 24.501 CR0036)

+ 141 more changes

Rel-16 223 changes

In Release 16, the NSSAA (Network Slice-Specific Authentication and Authorization) function was introduced as a new procedure, enabling separate authentication and authorization for specific network slices. This enhancement allows the network to handle S-NSSAIs subject to NSSAA distinctly, including their storage impact and handling within the pending NSSAI. The release also extended primary authentication to support EAP methods other than EAP-AKA' and EAP-TLS for this slice-specific procedure.

  • Enhancement on slice interworking--501 (TS 23.501 CR0850)
  • NEF service for service specific parameter provisioning (TS 23.501 CR0878)
  • Sol#6 specific updates to 5.6.4.2 (TS 23.501 CR0897)
  • Introduction of Slice-Specific Authentication and Authorisation (TS 23.501 CR1174)
  • Alignment of IMS Voice Service via EPS Fallback with RAN specifications (TS 23.501 CR1333)
  • 23.501 part of PCF selection for PDU sessions with same DNN and S-NSSAI (TS 23.501 CR1375)

+ 217 more changes

Rel-17 279 changes

In Release 17, NSSAA enhancements included support for remote provisioning of credentials for secondary authentication/authorization and enabling Authentication and Key Management for Applications (AKMA) for network slices. The release also introduced support for using an AAA Server for primary authentication and authorization within SNPNs. Furthermore, it defined a reference point between the AUSF and the NSSAAF to support these expanded authentication mechanisms.

  • Support of different slices over different Non 3GPP access (TS 23.501 CR2525)
  • Network Slice restriction based on NWDAF analytics (TS 23.501 CR2567)
  • SNPN support AAA Server for primary authentication and authorization (TS 23.501 CR2611)
  • TS23.501 KI#1 Network Slice Admission Control Function (NSACF) definition (TS 23.501 CR2679)
  • TS23.501 KI#2 Network Slice Admission Control Function (NSACF) definition (TS 23.501 CR2680)
  • Support for UE-Slice-MBR (TS 23.501 CR2706)

+ 273 more changes

Rel-18 374 changes

In Release 18, the NSSAA function was enhanced by introducing the concept of a Partially Allowed NSSAI and Partially Rejected S-NSSAI, providing more granular control over slice authorization outcomes. It also introduced support for an Alternative S-NSSAI, determined by the NSSF, to replace a requested slice when it is unavailable or congested. Furthermore, the release added mechanisms for graceful termination of PDU sessions during network slice decommissioning and improved network control over slice usage and validity time information.

  • Secondary DN authentication and authorization in EPS IWK case (TS 23.501 CR3701)
  • N3IWF selection enhancement for support of S-NSSAI needed by UE (TS 23.501 CR3707)
  • Change of Network Slice instance for PDU sessions (TS 23.501 CR3867)
  • Improved network control of the UE behaviour for a network slice (TS 23.501 CR3939)
  • TNGF selection enhancement for support of S-NSSAI needed by UE (TS 23.501 CR3953)
  • Optimizations for the support of time validity policies for a network slice and graceful network slice PDU sessions release (TS 23.501 CR4004)

+ 368 more changes

Rel-19 85 changes

In Release 19, key enhancements to NSSAA included the support for slice change based on an Application Function (AF) request and the authorization handling for UEs served by a Mobile Wireless Access Backhaul (MWAB) node. The release also introduced clarifications for network slice handling in indirect network sharing scenarios and for the termination of slice replacement procedures. Furthermore, it provided updates on the handling of Configured NSSAI during AF-requested modifications and when a network performs slice replacement for on-demand slices.

  • Support of Slice change based on AF request (TS 23.501 CR5764)
  • Support of UE served by a MWAB: authorization aspects (TS 23.501 CR5688)
  • Support of Network Slice Area Scope of MDT (TS 29.571 CR0611)
  • Rel-19 CR 32.291 Add network slice energy information (TS 32.291 CR0601)
  • Token-based authorization for indirect communication scenarios when NF is selected at target PLMN (TS 33.501 CR2135)
  • S-NSSAI selection while in EPS (TS 23.501 CR5866)

+ 79 more changes

Rel-20 2 changes

In Release 20, the NSSAA function was extended to support operation over the Evolved Packet Core (EPC), enabling this slice-specific authentication for 4G networks. Furthermore, corrections were made for roaming scenarios to properly structure PLMN ID information within access token claims, specifically replacing appended claims with PLMN ID-specific claims to ensure alignment across specifications.

  • Introducing NSSAA over EPC (TS 23.501 CR6451)
  • Correction of misalignment with TS 29.510: Replace appended PLMN ID access token claims with PLMN ID specific claims in roaming (TS 33.501 CR2214)


Defining Specifications

3GPP specifications that define or reference NSSAA, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification | Title | Release
TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20
TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19
TS 28.204 vi11 | Charging management | Rel-18
TS 29.518 vj50 | AMF Service Based Interface Protocol | Rel-19
TS 29.526 vj30 | Nnssaaf Service Based Interface Stage 3 | Rel-19
TS 29.571 vj50 | Common Data Types for 5G Service Based Interfaces | Rel-19
TS 31.105 vj10 | Slice Subscriber Identity Module (SSIM) Application | Rel-19
TR 31.826 vi00 | Technical Report | Rel-18
TS 32.291 vj40 | Charging Management: Service-Based Interface Protocol | Rel-19
TR 32.847 vi00 | Technical Report | Rel-18
TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20
TS 33.700 | 3GPP TR 33.700 | Rel-16