Description
SDNAEPC is a feature defined in 3GPP Release 18 that extends the authentication and authorization framework for User Equipment (UE) accessing services via the Evolved Packet Core. It specifically addresses scenarios where a UE, having already undergone primary 3GPP network access authentication (e.g., via EPS AKA), needs to be authenticated and authorized separately by a secondary Data Network (DN), such as a corporate network or a specific service provider's platform. The architecture involves the UE, the serving network (EPC with MME, S-GW, P-GW), and the secondary DN's Authentication, Authorization, and Accounting (AAA) server.

The process is typically integrated with the Packet Data Network (PDN) connection establishment or modification procedures. When a UE requests access to a secondary DN that requires SDNAEPC, the P-GW (acting as the gateway to that DN) interacts with the DN's AAA server. The P-GW relays Extensible Authentication Protocol (EAP) messages between the UE and the secondary DN's AAA server, facilitating an EAP-based authentication dialogue. This allows the secondary DN to validate the UE's credentials (which are separate from the USIM credentials) and apply its own authorization policies, such as granting access to specific services or applying traffic filters. The successful completion of this secondary authentication results in the establishment of the PDN connection with the authorized context.

This mechanism is vital for multi-tenancy scenarios, ensuring that the secondary DN maintains control over which UEs can access its resources, providing an additional security layer independent of the mobile operator's core network trust domain.
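The exchange described above, as an added simulation that is not part of the original page and not 3GPP code: a UE with a DN credential (separate from the USIM) requests a PDN connection, the P-GW checks whether the target DN requires SDNAEPC and whether the UE signalled support for it in the PCO (the Release 18 support indicator), relays an EAP dialogue to the DN-AAA server, and either activates the bearer with the DN's authorization context or rejects the request. The message dicts, the field name `sdnaepc_supported`, the stand-in HMAC challenge-response EAP method and the two `ESM_CAUSE_PLACEHOLDER_*` values are all constructed for illustration; the page gives no real code points for the ESM causes.

```python
"""Simulated SDNAEPC exchange: UE <-> EPC (P-GW as EAP relay) <-> DN-AAA.

Added, constructed example. Not 3GPP code and not a real NAS/ESM or EAP
encoding: messages are dicts, the EAP method is a stand-in HMAC-SHA256
challenge-response, and the ESM cause values are labelled placeholders.
"""
import hashlib
import hmac
import secrets

# The page names an ESM cause for failed user authentication/authorization
# (Rel-18) and a rejection when the UE lacks SDNAEPC support, but gives no
# values; these are placeholders, not 3GPP code points.
ESM_CAUSE_AUTH_OR_AUTHZ_FAILED = "ESM_CAUSE_PLACEHOLDER_AUTH_OR_AUTHZ_FAILED"
ESM_CAUSE_SDNAEPC_NOT_SUPPORTED = "ESM_CAUSE_PLACEHOLDER_SDNAEPC_NOT_SUPPORTED_BY_UE"


class DnAaaServer:
    """Secondary DN's AAA server: owns the DN credentials and authorization policy.

    Nothing here touches the USIM credential; the DN trust domain stays
    separate from the MNO's, which is the point of the feature."""

    def __init__(self, credentials, policies):
        self.credentials = credentials   # dn_identity -> shared secret (bytes)
        self.policies = policies         # dn_identity -> authorization context
        self.pending = {}                # dn_identity -> outstanding nonce

    def eap_request(self, dn_identity):
        """Issue an EAP-Request challenge for a claimed identity."""
        if dn_identity not in self.credentials:
            return {"code": "Failure"}
        nonce = secrets.token_bytes(16)
        self.pending[dn_identity] = nonce
        return {"code": "Request", "nonce": nonce}

    def eap_verify(self, dn_identity, mac):
        """Check the EAP-Response; on success return the DN's authorization context."""
        nonce = self.pending.pop(dn_identity, None)
        if nonce is None:
            return {"code": "Failure"}
        expected = hmac.new(self.credentials[dn_identity], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return {"code": "Failure"}
        return {"code": "Success", "authorization": self.policies.get(dn_identity, {})}


class UE:
    def __init__(self, dn_identity, dn_secret, supports_sdnaepc=True):
        self.dn_identity = dn_identity
        self.dn_secret = dn_secret       # DN credential, distinct from the USIM
        self.supports_sdnaepc = supports_sdnaepc

    def pdn_connectivity_request(self, apn):
        # Rel-18: the SDNAEPC support indicator rides in the PCO/ePCO.
        # The field name is constructed, not the spec's encoding.
        return {"msg": "PDN CONNECTIVITY REQUEST", "apn": apn,
                "pco": {"sdnaepc_supported": self.supports_sdnaepc}}

    def eap_identity(self):
        return self.dn_identity          # EAP-Response/Identity

    def eap_response(self, eap_request):
        mac = hmac.new(self.dn_secret, eap_request["nonce"], hashlib.sha256).digest()
        return {"code": "Response", "identity": self.dn_identity, "mac": mac}


class PGW:
    """Gateway to the DN: decides whether SDNAEPC applies and relays EAP."""

    def __init__(self, dn_requires_sdnaepc, aaa):
        self.dn_requires_sdnaepc = dn_requires_sdnaepc  # apn -> bool
        self.aaa = aaa
        self.connections = {}                           # (identity, apn) -> authz

    def establish(self, ue, apn):
        req = ue.pdn_connectivity_request(apn)
        if not self.dn_requires_sdnaepc.get(apn, False):
            return {"msg": "ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST", "authorization": None}
        if not req["pco"]["sdnaepc_supported"]:
            return {"msg": "PDN CONNECTIVITY REJECT", "esm_cause": ESM_CAUSE_SDNAEPC_NOT_SUPPORTED}
        # EAP dialogue: the P-GW only relays the EAP payload (carried in ESM
        # messages toward the UE); it never sees the DN secret.
        identity = ue.eap_identity()
        eap = self.aaa.eap_request(identity)
        if eap["code"] == "Request":
            resp = ue.eap_response(eap)
            eap = self.aaa.eap_verify(resp["identity"], resp["mac"])
        if eap["code"] != "Success":
            return {"msg": "PDN CONNECTIVITY REJECT", "esm_cause": ESM_CAUSE_AUTH_OR_AUTHZ_FAILED}
        self.connections[(identity, apn)] = eap["authorization"]
        return {"msg": "ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST",
                "authorization": eap["authorization"]}

    def revoke(self, dn_identity):
        """DN-AAA revocation: drop every PDN connection authorized for the identity."""
        victims = [k for k in self.connections if k[0] == dn_identity]
        for k in victims:
            del self.connections[k]
        return len(victims)


if __name__ == "__main__":
    aaa = DnAaaServer({"sensor-0042@dn.example": b"dn-secret"},
                      {"sensor-0042@dn.example": {"allowed_services": ["telemetry"]}})
    pgw = PGW({"corp.example": True, "internet": False}, aaa)
    print(pgw.establish(UE("sensor-0042@dn.example", b"dn-secret"), "corp.example"))
    print(pgw.establish(UE("sensor-0042@dn.example", b"wrong"), "corp.example"))
```

The design point to notice is where the trust boundary sits: the P-GW makes the "does this DN require SDNAEPC, and did the UE signal support" decision, but the credential check and the authorization context come only from the DN-AAA server, so the DN decides what an authenticated UE may do and can later revoke it (as the Release 15 revocation change on this page describes) without the operator's core holding the DN secret.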
Purpose & Motivation
SDNAEPC was created to address the growing need for secure, partitioned network access in an increasingly interconnected ecosystem. Traditional EPC access authentication (e.g., using EPS AKA) only verifies the UE's subscription with the mobile network operator (MNO). However, many enterprise, industrial IoT, and specialized service providers require their own independent authentication before granting access to their sensitive resources. Prior to SDNAEPC, such secondary authentication was often handled in an ad-hoc manner at the application layer or required complex VPN setups, which could be inefficient and lack standardization. SDNAEPC standardizes this secondary authentication at the network layer during PDN connection setup. It solves the problem of allowing a DN provider to enforce its own security policies without relying solely on the MNO's authentication. This is particularly important for scenarios like enterprise mobility, where a company needs to verify employee device credentials, or for IoT verticals where a service platform must authenticate a sensor independently. By integrating this into the 3GPP EPC procedures, it provides a streamlined, secure, and standardized method for multi-domain trust, enabling new business models and secure network slicing precursors in 4G networks.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (149 CRs across 5 releases). This complements the general overview above with the evidence-based evolution of this function.
In Release 15, the SDNAEPC function introduced the capability for a DN-AAA server to revoke secondary authentication and authorization following an intersystem change from 5GS (N1 mode) to EPS (S1 mode). This addition provides a mechanism to cleanly terminate the secondary authentication session upon the UE's handover to the legacy EPC network. The release also included corrections and clarifications to related authentication procedures, such as specifying fixed lengths for certain authentication parameter IEs.
- Addition of ABBA in 5G based primary authentication procedure (TS 24.501 CR0036)
- Secondary authentication/authorization revocation by DN-AAA server after intersystem change from N1 mode to S1 (TS 24.301 CR3026)
- Authentication response parameter IE to be of fixed length (24.301) (TS 24.301 CR3098)
- Stop T3416 when authentication reject received (TS 24.301 CR3154)
- Authentication for normal services not accepted by network (TS 24.501 CR0035)
- Authentication Response (TS 24.501 CR0048)
- + 17 more changes
In Release 16, the SDNAEPC function introduced new capabilities for network slice-specific authentication and authorization (NSSAA), including the handling of pending NSSAI and procedures for deregistration or registration rejection upon its failure. It also expanded secondary authentication mechanisms, particularly for scenarios involving a W-AGF acting on behalf of an FN-RG. Furthermore, the release enhanced abnormal case handling, such as stopping timer T3519 and deleting the SUCI upon receiving an authentication reject.
- Authentication and security handling for restricted local operator services (TS 24.301 CR3162)
- Abnormal case handling when authentication is not accepted (TS 24.301 CR3193)
- RLOS integrity and authentication handling (TS 24.301 CR3266)
- Authentication and security handling for RLOS (TS 24.301 CR3334)
- Slice-specific authentication and authorization procedure (TS 24.501 CR1450)
- Primary authentication using EAP methods other than EAP-AKA' and EAP-TLS (TS 24.501 CR1510)
- + 24 more changes
In Release 17, the SDNAEPC function introduced new procedures for UUAA (UAV/UAS Authentication and Authorization) and C2 (Command and Control) pairing authorization specifically within EPS, including at attach, bearer resource modification, and PDU session establishment/modification. It also defined mechanisms for UUAA re-authentication, re-authorization, and revocation, while leveraging the existing EPS authentication framework and ePCO (Extended Protocol Configuration Options) parameter for carrying authorization data.
- ePCO parameter for UUAA/C2 authorization in EPS (TS 24.008 CR3299)
- C2 pairing authorization at bearer resource modification (TS 24.301 CR3532)
- UUAA re-authentication, re-authorization, and revocation (TS 24.301 CR3628)
- UUAA and C2 pairing authorization at attach - UE procedure on receiving side (TS 24.301 CR3636)
- ePCO for UUAA/C2 authorization in EPS (TS 24.301 CR3662)
- The impact on UE due to the introduction of Authentication and Key Management for Applications (AKMA) (TS 24.501 CR2794)
- + 51 more changes
In Release 18, the SDNAEPC function introduced a new capability indicator for Secondary DN Authentication and Authorization over EPC, which is exchanged during the PDN Connectivity procedure via the Protocol Configuration Options. The release defined specific ESM procedures for exchanging SDNAEPC EAP messages and introduced a new ESM cause for rejection when user authentication or authorization fails.
- Introducing the secondary DN authentication and authorization over EPC support indicator (TS 24.008 CR3322)
- Indicating the capability of supporting SDNAEPC during the PDN connectivity procedure (TS 24.301 CR3851)
- Rejecting PDN connectivity procedure due to SDNAEPC is not supported by the UE (TS 24.301 CR3852)
- Exchanging the SDNAEPC EAP message in ESM procedures (TS 24.301 CR3853)
- Resolving the EN related to exchanging the SDNAEPC EAP message (TS 24.301 CR3870)
- Resolving the EN related to the inclusion of SDNAEPC support indicator in the PCO or the ePCO (TS 24.301 CR3871)
- + 27 more changes
In Release 19, the SDNAEPC function was updated with specific corrections to enhance robustness and protocol compliance. These included a correction to the Service-level AA container's IE length within authentication command/complete messages and a fix to the SDNAEPC indication within the 5GSM capability Information Element. Furthermore, the release introduced clarifications and corrections for UE behavior, particularly regarding attempt counter resets and the handling of the AUTHENTICATION REJECT message when the UE is configured to use timer T3245.
- Corrected requirements for attempt counter reset at authentication reject (TS 24.301 CR4214)
- Correction in handling AUTHENTICATION REJECT message by a UE configured to use T3245 (TS 24.301 CR4599)
- Corrected requirements for attempt counter reset at authentication reject (TS 24.501 CR6675)
- Correction in handling AUTHENTICATION REJECT message by a UE configured to use T3245 (TS 24.501 CR7066)
- Correction of IE length for Service-level AA container in Service-level authentication command/complete message (TS 24.501 CR7092)
- Correction to SDNAEPC in 5GSM capability IE (TS 24.501 CR6621)
Defining Specifications
3GPP specifications that define or reference SDNAEPC, with the latest known release. Sourced from the 3GPP document catalog — see methodology.
| Specification | Title | Release |
|---|---|---|
| TS 24.008 vj50 | 3GPP TS 24.008: Core Network Protocols | Rel-19 |
| TS 24.301 vj60 | NAS protocol for Evolved Packet System | Rel-19 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |