Description
SDNAEPC is a feature defined in 3GPP Release 18 that extends the authentication and authorization framework for User Equipment (UE) accessing services via the Evolved Packet Core. It specifically addresses scenarios where a UE, having already undergone primary 3GPP network access authentication (e.g., via EPS AKA), needs to be authenticated and authorized separately by a secondary Data Network (DN), such as a corporate network or a specific service provider's platform. The architecture involves the UE, the serving network (EPC with MME, S-GW, P-GW), and the secondary DN's Authentication, Authorization, and Accounting (AAA) server.

The process is typically integrated with the Packet Data Network (PDN) connection establishment or modification procedures. When a UE requests access to a secondary DN that requires SDNAEPC, the P-GW (acting as the gateway to that DN) interacts with the DN's AAA server. The P-GW relays Extensible Authentication Protocol (EAP) messages between the UE and the secondary DN's AAA server, facilitating an EAP-based authentication dialogue. This allows the secondary DN to validate the UE's credentials (which are separate from the USIM credentials) and apply its own authorization policies, such as granting access to specific services or applying traffic filters. The successful completion of this secondary authentication results in the establishment of the PDN connection with the authorized context.

This mechanism is vital for multi-tenancy scenarios, ensuring that the secondary DN maintains control over which UEs can access its resources, providing an additional security layer independent of the mobile operator's core network trust domain.
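The relay described above, as an added Python model that is not code from 3GPP or this page: the P-GW acts only as EAP authenticator and holds no DN credential, the DN AAA server (with a constructed credential store and policy, both hypothetical) verifies a challenge/response that stands in for a real EAP method, and on Success the P-GW installs the DN's traffic filters on the PDN connection. Message names and the `sensor-0042@corp.example` identity are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed DN-side data (hypothetical). It lives only in the DN AAA server,
# never in the P-GW and never on the USIM: the two trust domains stay separate.
DN_CREDENTIALS = {"sensor-0042@corp.example": b"dn-secret-0042"}
DN_POLICY = {"sensor-0042@corp.example": ["permit udp any 10.0.5.0/24 5683"]}


class DnAaaServer:
    """Secondary DN AAA (EAP server); challenge/response stands in for a real EAP method."""

    def __init__(self, creds, policy):
        self.creds, self.policy, self.sessions = creds, policy, {}

    def handle(self, resp):
        ident = resp.get("identity")
        if resp["type"] == "Response/Identity" and ident in self.creds:
            self.sessions[ident] = os.urandom(16)  # fresh nonce per attempt
            return {"type": "Request/Challenge", "identity": ident, "nonce": self.sessions[ident]}
        if resp["type"] == "Response/Challenge" and ident in self.sessions:
            nonce = self.sessions.pop(ident)  # one use only, so a replay fails below
            expected = hmac.new(self.creds[ident], nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, resp["mac"]):
                return {"type": "Success", "filters": self.policy.get(ident, [])}
        return {"type": "Failure"}  # unknown identity, replayed nonce, or bad MAC


class Ue:
    """UE holding a DN credential that is separate from its USIM credentials."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, req):
        if req["type"] == "Request/Identity":
            return {"type": "Response/Identity", "identity": self.identity}
        mac = hmac.new(self.secret, req["nonce"], hashlib.sha256).digest()
        return {"type": "Response/Challenge", "identity": self.identity, "mac": mac}


def pgw_establish_pdn(ue, aaa, max_rounds=8):
    """P-GW as EAP authenticator: relays opaque EAP messages, installs DN filters on Success."""
    req = {"type": "Request/Identity"}
    for _ in range(max_rounds):  # bound the dialogue so a stalled AAA cannot hang PDN setup
        result = aaa.handle(ue.respond(req))
        if result["type"] == "Success":
            return {"pdn": "ESTABLISHED", "filters": result["filters"]}
        if result["type"] == "Failure":
            return {"pdn": "REJECTED", "filters": []}
        req = result  # forward the next EAP request to the UE unchanged
    return {"pdn": "REJECTED", "filters": []}
```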
Purpose & Motivation
SDNAEPC was created to address the growing need for secure, partitioned network access in an increasingly interconnected ecosystem. Traditional EPC access authentication (e.g., using EPS AKA) only verifies the UE's subscription with the mobile network operator (MNO). However, many enterprise, industrial IoT, and specialized service providers require their own independent authentication before granting access to their sensitive resources. Prior to SDNAEPC, such secondary authentication was often handled in an ad-hoc manner at the application layer or required complex VPN setups, which could be inefficient and lacked standardization. SDNAEPC standardizes this secondary authentication at the network layer during PDN connection setup. It allows a DN provider to enforce its own security policies without relying solely on the MNO's authentication. This is particularly important for scenarios like enterprise mobility, where a company needs to verify employee device credentials, or for IoT verticals, where a service platform must authenticate a sensor independently. By integrating this into the 3GPP EPC procedures, it provides a streamlined, secure, and standardized method for multi-domain trust, enabling new business models and serving as a precursor to secure network slicing in 4G networks.
Key Features
- Enables secondary, DN-specific authentication independent of 3GPP access authentication
- Utilizes EAP (Extensible Authentication Protocol) for flexible authentication method support
- Integrated into EPC PDN connection establishment and modification procedures
- Allows secondary DN AAA server to apply its own authorization policies and traffic filters
- Maintains separation of security domains between MNO and DN provider
- Provides a standardized mechanism for secure enterprise and IoT network access over 4G EPC
Evolution Across Releases
Release 18: Initial introduction of SDNAEPC. Defined the overall architecture and procedures for secondary DN authentication over EPC, including the roles of the UE, MME, P-GW, and DN AAA server. Specified the integration with existing EPC PDN connectivity procedures and the use of EAP transport for the authentication exchange.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.008 | Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 |
| TS 24.301 | Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 |
| TS 24.501 | Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3 |