RADIUS Authentication

Authentication and key management are fundamental to the security of mobile networks because they provide mutual authentication between users and the network.

5G defines various authentication methods to authenticate a user. In the 5G architecture, the serving network authenticates the Subscription Permanent Identifier (SUPI), and the UE and the network perform key agreement, using the primary authentication mechanism.

5G supports EAP-based secondary authentication between the UE and the network. The SMF performs the role of the EAP Authenticator. The SMF relies on an external AAA server to authenticate and authorize the UE’s request for PDU session establishment. An example of an AAA server is the RADIUS server.

The RADIUS Client function resides within the SMF to enable the generic Cloud Native 5G RADIUS functionality for authentication purposes. When you have enabled the RADIUS Client feature, the SMF performs secondary authentication with the configured external RADIUS server as per 3GPP TS 23.501.

For information on enabling the RADIUS Client feature, see Configuring the RADIUS Client.

Identity Services Engine

Identity Services Engine (ISE) is a common point of policy definition for 5G and other enterprise devices. In 5G as a Service (5GaaS) architecture, ISE conducts only the authorization and accounting. The Control Center handles the 5G authentication. You can implement the 5G authorization with the RADIUS Authorize-Only flow.

The SMF supports communication with ISE for Cisco private 5G. Based on the policies that the SMF receives from ISE, Cisco private 5G supports various behaviors on the enterprise side. ISE provides a mechanism for enterprise customers to perform tasks such as identifying the subscriber, defining groups for the subscribers, and assigning policy.

Allow-auth

If allow-auth is enabled in the configuration, the ongoing call continues regardless of whether authentication succeeds, times out, or returns an error message. The default value is false; you must configure allow-auth explicitly to enable it.
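
The RADIUS Authorize-Only flow and the allow-auth behavior described above, as an added Python example that is not Cisco's SMF code: it frames an Access-Request per RFC 2865 with Service-Type Authorize Only (value 17, RFC 5176) and a Message-Authenticator, validates the Response Authenticator of the reply, and shows that with allow-auth enabled a timeout or a reply that fails validation has the same effect as an Access-Accept. The function names, the outcome labels, and the treatment of Access-Reject as covered by allow-auth are assumptions of this example.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, SERVICE_TYPE, MESSAGE_AUTHENTICATOR = 1, 6, 80
AUTHORIZE_ONLY = 17                                       # Service-Type value, RFC 5176

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_authorize_only(identifier, user, secret, request_auth=None):
    """Access-Request carrying Service-Type=Authorize-Only and Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, request_auth

def build_reply(code, identifier, request_auth, secret, attrs=b""):
    """Server side, present only to produce constructed sample replies."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def classify_reply(reply, identifier, request_auth, secret):
    """Map a reply (None means no answer arrived) to an outcome label."""
    if reply is None:
        return "timeout"
    if len(reply) < 20:
        return "error"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != identifier or length != len(reply):
        return "error"
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "error"                                    # forged or corrupted reply
    return {ACCESS_ACCEPT: "success", ACCESS_REJECT: "reject"}.get(code, "error")

def session_continues(outcome, allow_auth=False):
    """Default (allow-auth false): only a validated Access-Accept lets the call continue.
    allow-auth true: the call continues whatever the outcome (assumed to include reject)."""
    return True if allow_auth else outcome == "success"
```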