NSSAAF

Network Slice-specific Authentication and Authorization Function

Introduced in Rel-16. Also in: Management.

NSSAAF is the 5G Core Network function that acts as a proxy between the AMF and external AAA servers to manage authentication and authorization for a specific network slice.

Category: Network Slicing
Introduced: Rel-16
Where: Core Network › 5G Core
Also touches: 1 segment
Specifications: 9 specs

Description

The Network Slice-specific Authentication and Authorization Function (NSSAAF) is a dedicated logical function within the 5G Core Network (5GC) specified from 3GPP Release 16. Its primary role is to facilitate the Network Slice-Specific Authentication and Authorization (NSSAA) procedure. The NSSAAF does not perform the authentication itself but acts as a relay and orchestrator between the Access and Mobility Management Function (AMF) within the operator's trust domain and external Authentication, Authorization, and Accounting (AAA) servers that belong to the tenant or provider of a specific network slice. This architecture is fundamental to enabling multi-party and multi-domain network slicing scenarios.

Operationally, the NSSAAF receives NSSAA requests from the AMF via the service-based interface Nnssaaf_NSSAA. This request includes the UE's identity and the identifier of the requested network slice (S-NSSAI). The NSSAAF then initiates a dialogue with the appropriate external AAA server, which is identified based on the S-NSSAI. The communication with the external AAA server occurs over the N33 reference point. The NSSAAF transparently relays Extensible Authentication Protocol (EAP) packets between the UE (which is the EAP peer) and the external AAA server (which is the EAP server). The UE and the external AAA server conduct a full EAP authentication method (e.g., EAP-AKA', EAP-TLS), with the NSSAAF and AMF simply passing the packets. The NSSAAF is responsible for mapping the EAP session to the correct UE and AMF context.

The NSSAAF's key responsibilities include managing the state of the NSSAA procedure, enforcing timeouts, and translating the final result from the external AAA server (EAP Success/Failure) into a 3GPP-defined NSSAA result sent to the AMF. It also handles potential error conditions from the external AAA server. The function can be implemented as a standalone Network Function (NF) or can be combined with another NF, such as the Authentication Server Function (AUSF), depending on vendor implementation and network deployment choices. Its design emphasizes neutrality to the specific EAP method used, allowing slice tenants to employ the authentication mechanism that best suits their security requirements.
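
The relay behaviour described in the two paragraphs above can be modelled in a few lines. This is an added example, not code from any 3GPP specification or vendor product: the class name, the S-NSSAI-to-server table, the placeholder hostname, the 30-second timeout and the result labels are all assumptions made for illustration. It shows the checks a relay of this kind needs: AAA server selection by S-NSSAI, binding each EAP session to one UE/AMF context, timeout enforcement, and translation of the final EAP code into a result without inspecting the EAP method payload.

```python
import struct
import time

EAP_REQUEST, EAP_SUCCESS, EAP_FAILURE = 1, 3, 4   # EAP Code values (RFC 3748)
TIMEOUT_S = 30.0                                   # assumed procedure timeout

# Assumed mapping of S-NSSAI (SST, SD) to external AAA server; placeholder hostname.
AAA_BY_SNSSAI = {(1, "0000a1"): "aaa.tenant-a.example"}

def eap_code(pkt: bytes) -> int:
    """Validate the 4-byte EAP header (Code, Identifier, Length); return Code."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    # Only codes an EAP server may send are accepted from the AAA side.
    if length != len(pkt) or code not in (EAP_REQUEST, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("malformed or unexpected EAP packet")
    return code

class NssaaRelay:
    """Hypothetical model of the per-procedure state kept by the relay."""
    def __init__(self, now=time.monotonic):
        self.now, self.sessions = now, {}

    def start(self, amf_id, ue_id, snssai):
        """AMF request: select the AAA server from the S-NSSAI, open a session."""
        server = AAA_BY_SNSSAI.get(snssai)
        if server is None:
            return None                        # no AAA server known for this slice
        key = (amf_id, ue_id, snssai)          # binds EAP session to UE/AMF context
        self.sessions[key] = {"aaa": server, "deadline": self.now() + TIMEOUT_S}
        return key

    def from_aaa(self, key, pkt):
        """Relay an AAA-server EAP packet toward the AMF, or end the procedure."""
        sess = self.sessions.get(key)
        if sess is None:
            return ("NO_CONTEXT", None)        # unknown or already finished session
        if self.now() > sess["deadline"]:
            del self.sessions[key]
            return ("TIMEOUT", None)
        try:
            code = eap_code(pkt)
        except ValueError:
            del self.sessions[key]
            return ("FAILURE", None)           # AAA-side error ends the procedure
        if code == EAP_REQUEST:
            return ("PENDING", pkt)            # opaque relay: payload not inspected
        del self.sessions[key]                 # final result: drop session state
        return ("SUCCESS" if code == EAP_SUCCESS else "FAILURE", pkt)
```
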

Purpose & Motivation

The NSSAAF was created to operationalize the concept of slice-specific authentication introduced with NSSAA. Without a dedicated function to manage the interaction with external AAA systems, the AMF would need to directly interface with a potentially unlimited number of tenant-specific AAA servers, each with different protocols and security requirements. This would create immense complexity, scalability issues, and security risks for the core network operator.

The NSSAAF solves this by providing a standardized, secure, and controlled intermediary point. It abstracts the complexity of external AAA interactions from the AMF, allowing the AMF to handle mobility and session management while delegating slice-specific security decisions. This separation of concerns is a classic architectural principle that enhances modularity and security. Furthermore, the NSSAAF provides a single point in the operator's network where policies regarding external connectivity (e.g., firewall rules, traffic policing for AAA messages) can be enforced. Its creation was motivated by the need to make network slicing practically deployable for enterprise and vertical use cases, where the slice tenant demands control over access authentication without requiring deep integration of their AAA systems into the MNO's core.

Classification

Part of: NSSAA
Specific types: NSSAA
Related approaches: AMF

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (723 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 76 changes

In Release 15, the NSSAAF was newly introduced to perform network slice-specific authentication and authorization, enabling the 5G system to authenticate a UE for a specific S-NSSAI. This function works in conjunction with the primary authentication procedure, which was enhanced with the addition of the ABBA parameter. The NSSAAF allows for the authorization of network slice usage based on the UE's subscription and the network's slice availability policies.

  • Including S-NSSAI received in EPS in Requested NSSAI and in PDU session establishment request upon inter-system change from S1 mode to N1 mode (TS 24.501 CR0082)
  • Addition of ABBA in 5G based primary authentication procedure (TS 24.501 CR0036)
  • Correction to rejected S-NSSAI (TS 23.501 CR0007)
  • Clarification on UE specific DRX parameter from old AMF to new AMF (TS 23.501 CR0014)
  • Correction to handling of S-NSSAI mapping information (TS 23.501 CR0020)
  • UE-specific DRX parameter negotiation between UE and AMF (TS 23.501 CR0031)


Rel-16 142 changes

In Release 16, the NSSAAF introduced a new, slice-specific authentication and authorization procedure, enabling per-S-NSSAI credential checks. This included the concept of a "pending NSSAI" to manage UE registration while these slice-specific procedures are ongoing. The release also defined handling for scenarios where a UE requests an S-NSSAI subject to NSSAA but the slice is not available in the current PLMN.

  • Enhancement on slice interworking--501 (TS 23.501 CR0850)
  • NEF service for service specific parameter provisioning (TS 23.501 CR0878)
  • Sol#6 specific updates to 5.6.4.2 (TS 23.501 CR0897)
  • Introduction of Slice-Specific Authentication and Authorisation (TS 23.501 CR1174)
  • Alignment of IMS Voice Service via EPS Fallback with RAN specifications (TS 23.501 CR1333)
  • 23.501 part of PCF selection for PDU sessions with same DNN and S-NSSAI (TS 23.501 CR1375)


Rel-17 176 changes

In Release 17, the NSSAAF saw enhancements for Standalone Non-Public Networks (SNPN), including support for using an AAA Server for primary authentication and authorization with SNPN name (SNN) verification. Furthermore, new functionality was introduced for the remote provisioning of credentials to be used specifically for NSSAA or for secondary authentication and authorization. These additions expanded the authentication frameworks and credential management options available for network slice access.

  • Support of different slices over different Non 3GPP access (TS 23.501 CR2525)
  • Network Slice restriction based on NWDAF analytics (TS 23.501 CR2567)
  • SNPN support AAA Server for primary authentication and authorization (TS 23.501 CR2611)
  • TS23.501 KI#1 Network Slice Admission Control Function (NSACF) definition (TS 23.501 CR2679)
  • TS23.501 KI#2 Network Slice Admission Control Function (NSACF) definition (TS 23.501 CR2680)
  • Support for UE-Slice-MBR (TS 23.501 CR2706)


Rel-18 260 changes

In Release 18, the NSSAAF saw enhancements to improve network slice lifecycle management and user experience, including the introduction of an Alternative S-NSSAI replacement determined by the NSSF and support for graceful termination of PDU sessions during network slice decommissioning. These updates also introduced the capability for network-controlled slice usage and the storage of S-NSSAI validity time information. Furthermore, support was added for network slice replacement, including during handover, and for handling reduced network slice availability.

  • Secondary DN authentication and authorization in EPS IWK case (TS 23.501 CR3701)
  • N3IWF selection enhancement for support of S-NSSAI needed by UE (TS 23.501 CR3707)
  • Change of Network Slice instance for PDU sessions (TS 23.501 CR3867)
  • Improved network control of the UE behaviour for a network slice (TS 23.501 CR3939)
  • TNGF selection enhancement for support of S-NSSAI needed by UE (TS 23.501 CR3953)
  • Optimizations for the support of time validity policies for a network slice and graceful network slice PDU sessions release (TS 23.501 CR4004)


Rel-19 68 changes

In Release 19, the NSSAAF saw enhancements for supporting UE served by a Mobile Wireless Access Gateway (MWAB) with new authorization aspects and for handling AF-specific UE IDs. Furthermore, clarifications were added for network slice handling in the case of Indirect Network Sharing. The release also introduced support for exposing energy consumption information per network slice at the S-NSSAI granularity.

  • Support of Slice change based on AF request (TS 23.501 CR5764)
  • Support of UE served by a MWAB: authorization aspects (TS 23.501 CR5688)
  • Rel-19 CR 32.240 Support the energy related information per network slice (TS 32.240 CR0498)
  • S-NSSAI selection while in EPS (TS 23.501 CR5866)
  • Support for S-NSSAI granularity energy consumption exposure (TS 23.501 CR5956)
  • Handling of AF Specific UE IDs (TS 23.501 CR6168)


Rel-20 1 change

In Release 20, the key new feature for the NSSAAF was the introduction of Network Slice-specific Authentication and Authorization procedures over the Evolved Packet Core (EPC). This enhancement extended the slice-specific security framework, previously defined for the 5G System, to also operate within 4G EPS architectures. Consequently, it enabled the use of NSSAAF functionality to authenticate and authorize a UE for a specific Network Slice when connected via EPC networks.


Defining Specifications

3GPP specifications that define or reference NSSAAF, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20
TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19
TS 28.204 vi11 | Charging management | Rel-18
TR 28.843 vi10 | Technical Report on Charging Aspects for Vertical Scenarios | Rel-18
TS 29.526 vj30 | Nnssaaf Service Based Interface Stage 3 | Rel-19
TS 29.561 vj30 | 5G Interworking with External Data Networks | Rel-19
TS 32.240 vj40 | Charging Management Architecture & Principles | Rel-19
TS 32.290 vj50 | 5G Charging for Service Based Interface | Rel-19
TR 32.847 vi00 | Technical Report | Rel-18