Description
The Trusted WLAN AAA Proxy (TWAP) is a critical control plane function residing within the Trusted WLAN Access Network (TWAN) architecture. Its primary role is to act as an intermediary for Authentication, Authorization, and Accounting (AAA) signaling between the User Equipment (UE) accessing via WLAN and the 3GPP AAA Server (or Proxy) in the mobile operator's core network. The TWAP does not make authentication decisions itself but reliably forwards and may translate AAA protocols, ensuring that the WLAN access point and the 3GPP core can communicate effectively for subscriber management. It is a key enabler for secure, SIM-based access to trusted WLANs.
Operationally, the TWAP sits on the STa reference point, which connects the TWAN to the 3GPP AAA Server. When a UE attempts to connect to a trusted WLAN, it initiates an EAP (Extensible Authentication Protocol) procedure. The WLAN Access Point (AP) forwards the EAP messages to the TWAP using protocols like RADIUS or Diameter. The TWAP then acts as a proxy, forwarding these messages over the STa interface to the 3GPP AAA Server using the Diameter protocol. The AAA server interacts with the Home Subscriber Server (HSS) to verify the UE's credentials (using EAP-AKA or EAP-AKA'). The TWAP ensures the entire authentication dialogue is completed successfully. Beyond initial authentication, the TWAP is also involved in authorization, relaying information about the authorized user's profile and any access restrictions from the core network to the WLAN.
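As an added example (not code from the page or from 3GPP), the minimum the TWAP should do on the RADIUS side before relaying an EAP exchange toward the STa interface: reassemble the EAP-Message fragments and verify the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, so that a forged or altered AP-to-TWAP packet is dropped instead of proxied into the core. The attribute codes are the RFC 2865/3579 values; the shared secret, Request Authenticator and identity are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 / RFC 3579)
ACCESS_REQUEST, HDR_LEN, MAX_ATTR_VALUE = 1, 20, 253
ATTR_EAP_MESSAGE = 79            # carries the EAP packet, split into <=253-byte fragments
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the packet with this attribute zeroed

def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """Constructed sample input: an EAP-Response/Identity packet (Code 2, Type 1)."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def build_access_request(secret: bytes, authenticator: bytes, eap: bytes, ident: int = 7) -> bytes:
    """AP side: fragment the EAP packet into EAP-Message attributes and add a Message-Authenticator."""
    attrs = b""
    for off in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[off:off + MAX_ATTR_VALUE]
        attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed for the HMAC
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HDR_LEN + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def extract_eap(pkt: bytes, secret: bytes) -> bytes:
    """Proxy side: check framing and Message-Authenticator, then return the reassembled EAP packet.
    Raises ValueError on anything that must not be relayed onward to the AAA server."""
    if len(pkt) < HDR_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    fragments, mac_offset, pos = [], None, HDR_LEN
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == ATTR_EAP_MESSAGE:
            fragments.append(pkt[pos + 2:pos + alen])
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18 or mac_offset is not None:
                raise ValueError("bad or duplicate Message-Authenticator")
            mac_offset = pos + 2
        pos += alen
    if not fragments or mac_offset is None:
        raise ValueError("EAP-Message requires a Message-Authenticator (RFC 3579)")
    zeroed = pkt[:mac_offset] + bytes(16) + pkt[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_offset:mac_offset + 16]):
        raise ValueError("Message-Authenticator mismatch: packet altered or forged")
    eap = b"".join(fragments)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length field does not match reassembled payload")
    return eap
```

The same check applies to the Access-Challenge and Access-Accept coming back from the Diameter side once translated to RADIUS; only a packet that passes it should be forwarded in either direction.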
The TWAP's responsibilities extend into session management and policy control. Upon successful authentication, the 3GPP AAA Server provides the TWAP with subscription profile information and may trigger the establishment of the user plane session. The TWAP communicates with the Trusted WLAN Access Gateway (TWAG) within the same TWAN to inform it of the successful authentication and to provide necessary parameters for setting up the data bearer over S2a. Furthermore, in some architectures, the TWAP can interact with the Policy and Charging Rules Function (PCRF) via the Gxa/Gxb reference points (or act as a Proxy for such signaling) to obtain policy and charging rules for the subscriber's session. These rules are then enforced at the TWAG for the user plane traffic.
In summary, the TWAP is the control plane nerve center for trusted WLAN access. It abstracts the specifics of the WLAN's AAA protocol from the 3GPP core, providing a standardized Diameter-based interface. By handling the complex signaling for authentication and policy, it enables the WLAN to be treated as a trusted 3GPP access network, ensuring that only authorized subscribers gain access and that their sessions are managed according to their mobile service profiles. This function was essential for the commercial deployment of seamless and secure carrier Wi-Fi services.
Purpose & Motivation
The TWAP was introduced to solve a critical signaling interoperability problem in integrating WLAN with the 3GPP core network. WLAN infrastructure traditionally uses AAA protocols like RADIUS for network access control, while the 3GPP core network uses the Diameter protocol for its internal AAA signaling. The TWAP was created to bridge this protocol gap, acting as a translation point or proxy to enable communication between these two different technological domains. Without it, SIM-based authentication and 3GPP policy control over trusted WLAN would not be feasible.
Its creation in Release 11 was motivated by the need for a standardized function to handle the control plane signaling for the newly defined Trusted WLAN Access Network (TWAN). Previous non-integrated Wi-Fi access required separate, often web-based, login portals and credentials. The goal was to leverage the strong security of the USIM card for WLAN access. The TWAP made this possible by reliably transporting EAP authentication dialogues (EAP-AKA/AKA') between the UE in the WLAN and the 3GPP AAA Server/HSS in the core. This solved the problem of how a WLAN access point, which speaks RADIUS/EAP, could authenticate a user against a 3GPP HSS.
Beyond basic authentication, the TWAP also addressed the need for integrated session and policy control. It enabled the transfer of subscriber profile information from the core to the access network and facilitated the interaction with the PCRF. This allowed mobile operators to apply the same sophisticated policy and charging rules to Wi-Fi traffic as they did to LTE traffic, enabling service differentiation, guaranteed quality of service for services like VoWiFi, and accurate charging. The TWAP was thus a foundational component that transformed Wi-Fi from a mere internet pipe into a managed, billable, and service-aware extension of the mobile network.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (39 CRs across 5 releases). This complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-11, normative work from Rel-15.
In Release 15, the TWAP function was enhanced with support for end-to-end QoS over trusted WLAN and included provisions for emergency configuration data. The release also introduced specific Network Access Identifier (NAI) formats for 5G registration via trusted non-3GPP access, including support for SNPNs and TNGF selection, and defined a Decorated NAI for non-5G-capable WLAN devices accessing the 5G core network.
In Release 16, the TWAP function was enhanced to support 5G System (5GS) trusted non-3GPP access, introducing new procedures for UE registration, TNGF and PLMN selection, and WLAN selection specifically for this trusted access. It defined new NAI formats for 5G registration via trusted non-3GPP access for both PLMN and SNPN scenarios, including formats for TNGF selection and for non-5G-capable over WLAN (N5CW) devices. Additionally, Release 16 specified mechanisms for TWAP ID change reporting and updated the scope and description of trusted non-3GPP access.
- EAP-5G extensions for trusted non-3GPP access (TS 24.502 CR0067)
- Update to the scope for trusted non-3GPP access (TS 24.502 CR0071)
- Introduction of trusted non-3GPP access description (TS 24.502 CR0072)
- Update to WLAN selection procedure because of trusted non-3GPP access (TS 24.502 CR0075)
- TNAN and PLMN selection procedures using trusted WLAN (TS 24.502 CR0084)
- UE registration for trusted non-3GPP access (TS 24.502 CR0068)
In Release 17, enhancements for the TWAP function included the specification for transporting a Subscription Concealed Identifier (SUCI) via trusted non-3GPP access, including the format for an anonymous SUCI. Furthermore, the release provided detailed clarifications and corrections for network selection and connectivity procedures, such as defining the specific Network Access Identifier (NAI) formats a UE must use when registering via a selected Trusted Non-3GPP Gateway Function (TNGF) or for Non-5G-Capable over WLAN (N5CW) devices.
In Release 18, the TWAP function was enhanced to support new NAI (Network Access Identifier) formats and procedures for 5G registration via trusted non-3GPP access, specifically for Standalone Non-Public Networks (SNPNs) and for Non-5G-Capable-over-WLAN (N5CW) devices. This included defining specific NAI formats for registration via a selected SNPN, via a selected TNGF (Trusted Non-3GPP Gateway Function), and for anonymous SUCI use in an SNPN context. The release also introduced clarifications and corrections for procedures involving UEs behind a 5G-RG and for security protections over this trusted access.
- NAI format for 5G registration via trusted access using SNPN (TS 23.003 CR0648)
- NAI format for N5CW device 5G registration via trusted access using SNPN (TS 23.003 CR0665)
- TNGF ID format in NAI used for 5G registration via trusted non-3GPP access (TS 23.003 CR0685)
- SNPN for trusted non-3GPP access (TS 24.502 CR0212)
- SNPN selection procedures for using trusted non-3GPP access (TS 24.502 CR0217)
- Accessing 5GS via trusted non-3GPP access for UE behind 5G-RG (TS 24.502 CR0262)
In Release 19, enhancements for the TWAP function focused on supporting Non-5G-Capable over WLAN (N5CW) devices, including enabling their mobility between TWAPs connected to the same Trusted WLAN Interworking Function (TWIF). The release also introduced specific Decorated NAI formats for N5CW devices connecting via trusted non-3GPP access in both PLMN and SNPN scenarios, detailing the required username and realm structures for registration and authentication procedures.
- Mobility of the N5CW device connected to a TWAP to another TWAP connected to the same TWIF (TS 24.502 CR0317)
- Clarify the behavior of the PCRF in the case of PGW failure (TS 29.214 CR1704)
- Format for proxying UDP in HTTP Datagram (TS 29.561 CR0176)
- QUIC-aware proxying using HTTP (TS 29.561 CR0177)
- Context ID handling in Proxying UDP (TS 29.561 CR0185)
- QUIC-aware proxy enhancement (TS 29.561 CR0186)
Defining Specifications
3GPP specifications that define or reference TWAP, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 23.003 vj50 | Numbering, addressing and identification in 3GPP | Rel-19 |
| TS 23.273 vj50 | 5G Location Services Stage 2 Architecture | Rel-19 |
| TS 23.402 vj00 | EPC for Non-3GPP Access (PMIP) | Rel-19 |
| TS 23.852 vc00 | Study on GTP-based S2a for WLAN Access | Rel-12 |
| TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19 |
| TS 29.214 vj20 | Policy and Charging Control over Rx | Rel-19 |
| TS 29.518 vj50 | AMF Service Based Interface Protocol | Rel-19 |
| TS 29.561 vj30 | 5G Interworking with External Data Networks | Rel-19 |
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 38.413 vj10 | NG Application Protocol (NGAP) | Rel-19 |