Selective Authentication

This chapter describes the configuration of Selective Authentication, in which the MME authenticates the UE based on the time elapsed since the last authentication and on the frequency of access attempts.

Feature Description

The MME performs UE authentication on receiving NAS requests. Authentication procedures can be defined for Attach procedures, Service requests and Tracking Area Update (TAU) procedures. These authentication procedures increase signaling towards the RAN and HSS. Selective Authentication is adopted to reduce signaling traffic towards the RAN and HSS. Selective Authentication is achieved by implementing frequency and periodicity based authentication of UE.

In a frequency-based selective authentication scenario the UE is authenticated based on the configured frequency of access attempts. The configured frequency is counted per UE, not across UEs. For example, if the configured frequency is "n", the UE is authenticated on every nth NAS request received. The decision is based on the running count of requests being a multiple of n, not on n requests having elapsed since the last authentication (for example, if n = 2, the UE is authenticated on requests 2, 4, 6, 8 and so on).

In a periodicity-based selective authentication scenario the UE is authenticated based on the configured periodicity. For example, if the configured periodicity is "t", the UE is authenticated every t minutes.

The frequency-based authentication is independent of the configured periodicity. Periodicity-based authentication attempts, however, are relative to the time of the last UE authentication. The last UE authentication attempt time is updated whenever a UE authentication is attempted, irrespective of the authentication trigger.
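The following model, added here to illustrate the three rules above, is not Cisco StarOS code and does not reproduce the MME's internal data structures. It shows why the frequency rule fires on request 4 even when an unrelated authentication happened on request 3, how the periodicity rule is measured from the last authentication attempt of any kind, and how the per-UE counters are lost on session recovery. The state field names, the treatment of a UE with no recorded authentication as due under the periodicity rule, and the `other_trigger` flag are assumptions made for this model.

```python
"""Model of the MME selective-authentication decision described above.

Added illustration for this page, not Cisco StarOS code. Points the page does
not specify are marked as assumptions in the comments.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SelectiveAuthPolicy:
    """Per-profile settings: authenticate every nth request and/or every t minutes."""
    frequency: Optional[int] = None    # n: every nth NAS request (1..256 in 21.2 and later)
    periodicity: Optional[int] = None  # t: minutes since the last authentication (1..10800)

    def __post_init__(self) -> None:
        # Range checks mirror the limits documented for the CLI keywords.
        if self.frequency is not None and not 1 <= self.frequency <= 256:
            raise ValueError("frequency must be an integer from 1 to 256")
        if self.periodicity is not None and not 1 <= self.periodicity <= 10800:
            raise ValueError("periodicity must be an integer from 1 to 10800")


@dataclass
class UeAuthState:
    """Per-UE counters kept by the MME (field names are invented for this model)."""
    request_count: int = 0                    # NAS requests seen from this UE
    last_auth_minute: Optional[float] = None  # time of the last authentication attempt, any trigger


def decide(policy: SelectiveAuthPolicy, state: UeAuthState, now_minute: float,
           other_trigger: bool = False) -> Tuple[bool, List[str]]:
    """Apply one NAS request to the UE state and return (authenticate?, reasons).

    - Frequency: fires on every request whose running count is a multiple of n,
      regardless of when the UE was last authenticated (per the page).
    - Periodicity: fires when at least t minutes have passed since the last
      authentication attempt. Assumption: a UE with no recorded authentication
      is treated as due (the page does not cover this case).
    - other_trigger models an authentication requested for an unrelated reason;
      it still updates the last-authentication time (per the page).
    """
    state.request_count += 1
    reasons: List[str] = []
    if policy.frequency is not None and state.request_count % policy.frequency == 0:
        reasons.append("frequency")
    if policy.periodicity is not None:
        never_authenticated = state.last_auth_minute is None
        if never_authenticated or now_minute - state.last_auth_minute >= policy.periodicity:
            reasons.append("periodicity")
    if other_trigger:
        reasons.append("other-trigger")
    if reasons:
        state.last_auth_minute = now_minute
    return bool(reasons), reasons


def session_recovery(state: UeAuthState) -> UeAuthState:
    """Model the documented limitation: counters are not kept across session recovery."""
    return UeAuthState()


def simulate(policy: SelectiveAuthPolicy, events):
    """Run a constructed sequence of (minute, other_trigger) requests for one UE.

    Returns one (minute, authenticated, reasons) tuple per request.
    """
    state = UeAuthState()
    out = []
    for minute, other in events:
        authenticated, reasons = decide(policy, state, minute, other)
        out.append((minute, authenticated, reasons))
    return out


if __name__ == "__main__":
    # n = 2 with an unrelated authentication on the third request: the frequency
    # rule still fires on request 4, because the count (not "since last") is used.
    for row in simulate(SelectiveAuthPolicy(frequency=2),
                        [(0, False), (1, False), (2, True), (3, False), (4, False), (5, False)]):
        print(row)
```

Running the module prints one line per constructed request; requests 2, 3, 4 and 6 are authenticated, while a "since last authentication" rule would have skipped request 4 and fired on request 5 instead.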

How It Works

Flows

The following diagram illustrates the messages exchanged during network-initiated authentication:

Figure 1. Network-initiated Authentication


  1. The MME sends an AUTHENTICATION REQUEST message to the UE and starts timer T3460. This timer starts when the network initiates the authentication procedure by sending the AUTHENTICATION REQUEST message and stops upon receipt of the AUTHENTICATION RESPONSE message.
  2. The UE responds with an AUTHENTICATION RESPONSE message to the MME; timer T3460 stops once the MME receives the AUTHENTICATION RESPONSE message.
  3. If the authentication procedure fails, the MME sends an AUTHENTICATION REJECT message to the UE.

If the authentication procedure is successful the MME performs the security mode control procedure to utilize the new EPS security context. The following diagram depicts the security mode control procedure:

Figure 2. Security mode control procedure


  1. The MME sends a SECURITY MODE COMMAND message to the UE and starts timer T3460. This timer starts when the network initiates the security mode control procedure by sending the SECURITY MODE COMMAND message and stops upon receipt of the SECURITY MODE COMPLETE message.
  2. The UE responds with a SECURITY MODE COMPLETE message to the MME; timer T3460 stops once the MME receives the SECURITY MODE COMPLETE message.
  3. If the security mode control procedure fails, the MME sends a SECURITY MODE REJECT message to the UE.

Limitations

The MME does not maintain periodicity and frequency across session recovery.

The frequency and periodicity configured to trigger authentication/GUTI reallocation require the new session setup message (NAS Attach/TAU) to be processed by the Session Manager instance that holds the corresponding MME DB entry for the subscriber. If the MME DB entry is not available, the frequency and periodicity triggers do not work. For example, if the mobile identifier in the NAS Attach/TAU message is a foreign GUTI and no additional GUTI is present, the MME does not trigger authentication/GUTI reallocation for the subscriber based on frequency/periodicity.

Configuring Selective Authentication

The following sections describe how to configure selective authentication for each NAS procedure on the MME.

Selective authentication is not set up by default for any of the following procedures.

Configuring Selective Authentication during Attach Procedures

config 
   call-control-profile profile_name 
      [ remove ] authenticate attach [ inter-rat ] { frequency frequency | periodicity duration } 
      no authenticate attach  
      end 

Notes:

  • The frequency keyword specifies how often authentication is performed for Attach procedures, that is, how many Attach Requests occur before the next authentication. If the frequency is set to 12, the service skips authentication for the first 11 events and authenticates on the twelfth event.

    In releases prior to 21.2: The frequency value is an integer from 1 up to 16.

    In 21.2 and later releases: The frequency value is an integer from 1 up to 256.

  • The periodicity keyword specifies the authentication periodicity, that is, the number of minutes between the times the MME authenticates the UE. The periodicity value is an integer from 1 through 10800. For example, if the configured periodicity is 20 minutes, the UE is authenticated every 20 minutes.
  • The remove command prefix instructs the MME to delete the defined authentication procedures for Attach Requests from the call control profile configuration file.
  • The no command prefix instructs the MME to disable authentication for the attach procedures.

Configuring Selective Authentication during TAU Procedures

The following command is used to configure the frequency and periodicity for selective UE authentication during TAU Procedures:

config 
   call-control-profile profile_name 
      [ remove ] authenticate tau [ { inter-rat | intra-rat | normal | periodic } ] [ { frequency frequency | periodicity duration } ] 
      no authenticate tau  
      end 

Notes:

  • The keyword inter-rat specifies authentication to be applied for Inter-RAT TAU.
  • The keyword intra-rat specifies authentication to be applied for Intra-RAT TAU.
  • The keyword normal specifies authentication to be applied for normal (TA/LA update) TAU.
  • The keyword periodic specifies authentication to be applied for periodic TAU.
  • The frequency keyword specifies how often authentication is performed for tracking area update (TAU) procedures, that is, how many TAUs occur before the next authentication. For example, if the frequency is set to 12, the service skips authentication for the first 11 events and authenticates on the twelfth event.

    In releases prior to 21.2: The frequency value is an integer from 1 up to 16.

    In 21.2 and later releases: The frequency value is an integer from 1 up to 256.

  • The periodicity keyword specifies the period of time, in minutes, between the times the MME authenticates the UE. The periodicity value is an integer from 1 through 10800. For example, if the configured periodicity is "20" minutes, the UE is authenticated every "20" minutes.
  • The remove command prefix instructs the MME to delete the defined authentication procedures for TAUs from the call control profile configuration file.
  • The no command prefix disables the authentication procedures specified in the call control profile configuration.

Configuring Selective Authentication during All Events

The following command is used to configure the frequency and periodicity for selective UE authentication for all events (Attach or TAU):

config 
   call-control-profile profile_name 
      [ remove ] authenticate all-events [ { frequency frequency | periodicity duration } ] 
      no authenticate all-events  
      end 

Notes:

  • The frequency keyword sets how often authentication is performed for any event. If the frequency value is set to 5, authentication is not performed until the fifth event.

    In releases prior to 21.2: The frequency value is an integer from 1 up to 16.

    In 21.2 and later releases: The frequency value is an integer from 1 up to 256.

  • The periodicity keyword instructs the MME how many minutes to wait between UE authentications. The periodicity value is an integer from 1 through 10800.
  • The remove command prefix instructs the MME to delete the defined authentication procedures for all events from the call control profile configuration file.
  • The no command prefix instructs the MME to disable authentication for all events.

Configuring Selective Authentication during Service Requests

The following command is used to configure the frequency and periodicity for selective UE authentication for all Service Requests:

config 
   call-control-profile profile_name 
      [ remove ] authenticate service-request [ service-type { data | page-response | signaling } ] [ { frequency frequency | periodicity duration } ] 
      no authenticate service-request  
      end 

Notes:

  • The keyword service-type specifies the service-type classification of the Service Request.
  • The keyword data specifies the service-type for data service requests.
  • The keyword page-response specifies the service-type for service requests sent in response to paging.
  • The keyword signaling specifies the service-type for service requests due to other signaling.
  • The frequency keyword sets how often UE authentication occurs. If the frequency is set to 12, the service skips authentication for the first 11 events and authenticates on the twelfth event.

    In releases prior to 21.2: The frequency value is an integer from 1 up to 16.

    In 21.2 and later releases: The frequency value is an integer from 1 up to 256.

  • The periodicity keyword defines the amount of time, in minutes, between UE authentications. The periodicity value must be an integer from 1 through 10800 minutes; for example, if the configured periodicity is 20 minutes, the UE is authenticated every 20 minutes.
  • The remove command prefix instructs the MME to delete the Service Request authentication procedures specified in the call control profile configuration.
  • The no command prefix instructs the MME to disable the Service Request authentication procedures.

Monitoring and Troubleshooting Selective Authentication in MME

Selective Authentication Show Command(s) and/or Outputs

This section provides information regarding show commands and/or their outputs in support of the Selective Authentication feature in MME.

show call-control-profile full all

The following fields in the command output show the configured Selective Authentication parameters:

  • Authentication All-Events ANY (UMTS/GPRS/EUTRAN) Frequency
  • Authentication All-Events ANY (UMTS/GPRS/EUTRAN) Frequency Value
  • Authentication All-Events ANY (UMTS/GPRS/EUTRAN) Periodicity
  • Authentication All-Events ANY (UMTS/GPRS/EUTRAN) Periodicity Value
  • Authentication Attach ANY Frequency
  • Authentication Attach ANY (UMTS/GPRS/EUTRAN) Frequency Value
  • Authentication Attach ANY Periodicity
  • Authentication Attach ANY Periodicity Value
  • Authentication Attach Inter-rat ANY (UMTS/GPRS/EUTRAN) Frequency
  • Authentication Attach Inter-rat ANY (UMTS/GPRS/EUTRAN) Frequency Value
  • Authentication Attach Inter-rat ANY Periodicity
  • Authentication Attach Inter-rat ANY Periodicity Value
  • Authentication Service Req Frequency
  • Authentication Service Req Frequency Value
  • Authentication Service Req Periodicity
  • Authentication Service Req Periodicity Value
  • Authentication Service Req Data Frequency
  • Authentication Service Req Data Frequency Value
  • Authentication Service Req Data Periodicity
  • Authentication Service Req Data Periodicity Value
  • Authentication Service Req Signaling Frequency
  • Authentication Service Req Signaling Frequency Value
  • Authentication Service Req Signaling Periodicity
  • Authentication Service Req Signaling Periodicity Value
  • Authentication Service Req Page Response Frequency
  • Authentication Service Req Page Response Frequency Value
  • Authentication Service Req Page Response Periodicity
  • Authentication Service Req Page Response Periodicity Value
  • Authentication TAU Frequency
  • Authentication TAU Frequency Value
  • Authentication TAU Periodicity
  • Authentication TAU Periodicity Value
  • Authentication Inter-RAT TAU Frequency
  • Authentication TAU Frequency Value
  • Authentication TAU Inter-rat Periodicity
  • Authentication TAU Inter-rat Periodicity Value
  • Authentication Intra-RAT TAU Frequency
  • Authentication Intra-RAT TAU Frequency Value
  • Authentication TAU Intra-rat Periodicity
  • Authentication TAU Intra-rat Periodicity Value
  • Authentication Normal TAU Frequency
  • Authentication Normal TAU Frequency Value
  • Authentication TAU Normal Periodicity
  • Authentication TAU Normal Periodicity Value
  • Authentication Periodic TAU Frequency
  • Authentication Periodic TAU Frequency Value
  • Authentication TAU Periodic Periodicity
  • Authentication TAU Periodic Periodicity Value