Description
ON-SNPN is a standardized procedure defined by 3GPP for onboarding devices onto a Standalone Non-Public Network. An SNPN is a 5G network operated by a private entity, not relying on a Public Land Mobile Network (PLMN) for core network functions. The primary challenge ON-SNPN addresses is the initial provisioning of devices that lack a valid subscription or credentials for the target SNPN. The architecture involves several key functional entities: the device seeking access (User Equipment, UE), the SNPN's Access and Mobility Management Function (AMF) and Authentication Server Function (AUSF), and an Onboarding Network (ONN). The ONN is a separate, trusted network that facilitates the initial connection and credential provisioning.
The ON-SNPN procedure typically begins when a UE, configured for onboarding, attempts to connect to a network. The UE broadcasts a registration request indicating its onboarding intent. The SNPN, recognizing the request, may redirect the UE to a designated ONN. The ONN provides limited, initial access, often using a generic or provisional credential. Through this secured channel, the UE then interacts with an onboarding server, which is part of or trusted by the SNPN's ecosystem. This server authenticates the device's identity (e.g., using a factory-installed certificate) and provisions it with the necessary credentials (such as a Subscription Permanent Identifier, SUPI, and associated keys) specific to the target SNPN.
Once the device receives its SNPN-specific credentials, it can disconnect from the ONN and perform a standard registration procedure directly with the target SNPN using the newly provisioned subscription data. The SNPN's AUSF validates these credentials, completing the authentication. This process is heavily secured to prevent man-in-the-middle attacks and credential theft, employing mechanisms like certificate-based device authentication and secure tunneling during credential transfer. ON-SNPN is a cornerstone for zero-touch provisioning in Industry 4.0, enabling the seamless integration of sensors, actuators, and other IoT devices into private 5G networks without manual intervention.
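The sequence described above, as an added example that is not taken from the 3GPP specifications or the original page: a toy Python model of the checks a defender would expect at each step (limited onboarding access, fresh device authentication, provisioning only after authentication, then standard registration). An HMAC over a server nonce stands in for certificate-based device authentication; the class, host name, device ID and SUPI format are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a factory secret stands in for the factory-installed certificate.
FACTORY_KEYS = {"sensor-001": b"constructed-factory-secret-001"}
ONBOARDING_SERVER = "onboarding.example"   # hypothetical host name

class OnboardingModel:
    """Toy model of the ONN, onboarding server and SNPN subscriber store."""

    def __init__(self):
        self.nonces = {}            # device_id -> outstanding challenge
        self.authenticated = set()  # devices that passed device authentication
        self.subscribers = {}       # SUPI -> key held by the target SNPN

    def may_reach(self, destination):
        # Onboarding access is limited to the onboarding server only.
        return destination == ONBOARDING_SERVER

    def challenge(self, device_id):
        self.nonces[device_id] = secrets.token_bytes(16)
        return self.nonces[device_id]

    def authenticate(self, device_id, proof):
        nonce = self.nonces.pop(device_id, None)   # single use: blocks replay
        key = FACTORY_KEYS.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, proof)  # constant-time comparison
        if ok:
            self.authenticated.add(device_id)
        return ok

    def provision(self, device_id):
        # Credentials are issued only after device authentication succeeded.
        if device_id not in self.authenticated:
            raise PermissionError("device not authenticated")
        supi = f"supi-{device_id}"                 # constructed identifier format
        self.subscribers[supi] = secrets.token_bytes(32)
        return supi, self.subscribers[supi]

    def snpn_register(self, supi, key):
        stored = self.subscribers.get(supi)        # standard registration check
        return stored is not None and hmac.compare_digest(stored, key)

def device_proof(device_id, nonce):
    """Device side: prove possession of the factory credential."""
    return hmac.new(FACTORY_KEYS[device_id], nonce, hashlib.sha256).digest()
```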
Purpose & Motivation
ON-SNPN was created to solve the logistical and security challenges of deploying large-scale IoT devices in private 5G networks (SNPNs). Prior to its standardization, provisioning credentials for thousands of industrial devices was a manual, error-prone, and insecure process, often involving physical access or pre-loading network-specific keys at the factory, which limited supply chain flexibility. The need for automated, secure, and scalable onboarding became critical with the rise of Industry 4.0 and massive IoT deployments in manufacturing, logistics, and utilities.
The technology addresses the limitation of traditional PLMN-based subscription models, which are ill-suited for privately owned and operated networks. It enables device manufacturers to produce generic devices without binding them to a specific customer's network during production. Instead, the secure onboarding process allows the end-user (the SNPN operator) to take ownership and provision credentials after deployment. This decoupling streamlines the supply chain and provides operational flexibility. Furthermore, ON-SNPN enhances security by ensuring that even the initial, limited-access connection for onboarding occurs over a controlled and authenticated channel, preventing unauthorized devices from accessing the primary SNPN resources during the provisioning phase.
Key Features
- Enables automatic discovery and connection to an Onboarding Network (ONN) for initial access
- Supports secure device authentication using pre-installed credentials (e.g., device certificates)
- Facilitates the over-the-air provisioning of SNPN-specific subscription credentials (SUPI, keys)
- Allows redirection from an SNPN to a dedicated ONN for the onboarding procedure
- Provides a standardized interface between the device, ONN, and the SNPN's credential server
- Ensures the onboarding process is isolated from the operational SNPN for security
Evolution Across Releases
Introduced the initial ON-SNPN architecture and procedures. Defined the framework for device-initiated onboarding, the role of the Onboarding Network (ONN), and the secure credential provisioning mechanism for Standalone Non-Public Networks. Specified the necessary enhancements to the 5G core network (5GC) and UE behavior.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.501 | 3GPP TS 23.501 |
| TS 24.501 | 3GPP TS 24.501 |
| TS 29.512 | 3GPP TS 29.512 |
| TS 29.513 | 3GPP TS 29.513 |
| TS 29.561 | 3GPP TS 29.561 |