Authentication in 5GC – Nausf-auth

The UE Authentication Service is consumed by the AMF. The AMF initiates the authentication operation, when indicated, as part of the UE registration process. The AUSF performs either 5G-AKA or EAP-based authentication based on information received from the AMF. If EAP authentication is used then the AUSF and the UE exchange EAP messages through the AMF.

3GPP TS 29.509 V16.3.0; 5G System; Authentication Server Services

Common Dialogs on Nausf-auth Service

Authenticate UE – Request

HTTP POST sent from the AMF to the AUSF, to the URL /nausf-auth/v1/ue-authentications with JSON body containing the SUPI or the SUCI, and the serving network name.

Authenticate UE – Response

If the request from the AMF is successfully processed by the AUSF, the AUSF sends back a “201 Created” response with a JSON body containing the authentication vectors:

{
	"authType":	"5G_AKA",
	"5gAuthData":	{
		"rand":	"2a5bd0c930cb162df31dec1578369041",
		"hxresStar":	"0823805f83b19180d125d4a419eec01a",
		"autn":	"3de60d616ece80000c27e1bbdcf6bf95"
	},
	"_links":	{
		"5g-aka":	{
			"href":	"http://127.0.0.11:7777/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation"
		}
	}
}

5G-AKA Confirmation – Request

The AMF needs to advise the AUSF of the RES returned by the Subscriber (if one was returned) to confirm that the UE successfully authenticated, so the AMF sends it in an HTTP PUT to the AUSF, to the URL /nausf-auth/v1/ue-authentications/1/5g-aka-confirmation

5G-AKA Confirmation – Response

If successful, a 200 OK is sent back to the AMF by the AUSF with a JSON body containing the SUPI of the Subscriber (keep in mind the subscriber may have authenticated with a SUCI, so up until this point the AMF doesn’t know the SUPI of the Subscriber), and the Kseaf key used for ciphering and integrity protection.

Common Dialogs on Nudm-ueau Service

The Nudm_UEAuthentication service is used by NF service consumers to obtain UE authentication vectors from the UDM, to inform the UDM of authentication results, to query authentication results, and to purge authentication results.

3GPP TS 29.503 Unified Data Management Services

Generate Authentication Data – Request

When the AUSF needs to authenticate a subscriber, for example because an AMF has requested vectors, it in turn needs to request this information be generated by the UDM.

So the AUSF sends an HTTP POST to /nudm-ueau/v1/suci-0-901-70-0000-0-0-0000000003/security-information/generate-auth-data on the UDM (where 901-70-0000-0-0-0000000003 is the SUPI or SUCI of the subscriber), with a JSON body containing the AUSF’s Instance ID.

Generate Authentication Data – Response

Once the UDM has

The UDM will need to take the SUPI/SUCI provided by the AUSF and generate the authentication vectors following the AKA Process taking the OP/OPc & K keys as inputs.

The UDM sends a 200 OK back to the AUSF that requested the information, with a JSON Body containing the full vectors, including the Kausf to be provided to the AMF when the subscriber has successfully authenticated.

{
	"authType":	"5G_AKA",
	"authenticationVector":	{
		"avType":	"5G_HE_AKA",
		"rand":	"2a5bd0c930cb162df31dec1578369041",
		"autn":	"3de60d616ece80000c27e1bbdcf6bf95",
		"xresStar":	"a58354f64c04ea9291093c619415fe3c",
		"kausf":	"b16fb3a0cafb28459bb1d30a75045764967c6a27fba369f44122ff680dacef4e"
	}
}
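The UDM response above carries xresStar, while the response the AUSF gave the AMF earlier carries only hxresStar. The following is an added example (not code from the original post or from any 5GC implementation) of how the two relate under 3GPP TS 33.501 Annex A.5, and of the two checks made on the UE's RES*; the function names are hypothetical, and the script also compares the derived value with the hxresStar shown on this page.

```python
import hashlib
import hmac

# Values copied from the two JSON bodies shown on this page.
RAND = "2a5bd0c930cb162df31dec1578369041"
XRES_STAR = "a58354f64c04ea9291093c619415fe3c"          # UDM -> AUSF
HXRES_STAR_TO_AMF = "0823805f83b19180d125d4a419eec01a"  # AUSF -> AMF


def derive_hxres_star(rand_hex: str, xres_star_hex: str) -> str:
    """HXRES* = 128 least-significant bits of SHA-256(RAND || XRES*)."""
    rand = bytes.fromhex(rand_hex)
    xres_star = bytes.fromhex(xres_star_hex)
    if len(rand) != 16 or len(xres_star) != 16:
        raise ValueError("RAND and XRES* must each be 128 bits")
    return hashlib.sha256(rand + xres_star).digest()[-16:].hex()


def amf_accepts(rand_hex: str, hxres_star_hex: str, res_star_hex: str) -> bool:
    """AMF-side check: hash the UE's RES* (HRES*) and compare with HXRES*."""
    try:
        hres_star = derive_hxres_star(rand_hex, res_star_hex)
    except ValueError:  # malformed or wrong-length RES* from the UE
        return False
    return hmac.compare_digest(hres_star, hxres_star_hex.lower())


def ausf_confirms(xres_star_hex: str, res_star_hex: str) -> bool:
    """AUSF-side check on the 5g-aka-confirmation PUT: RES* equals XRES*."""
    try:
        res_star = bytes.fromhex(res_star_hex)
    except ValueError:
        return False
    return hmac.compare_digest(res_star, bytes.fromhex(xres_star_hex))


if __name__ == "__main__":
    derived = derive_hxres_star(RAND, XRES_STAR)
    print("hxresStar derived from UDM vector:", derived)
    print("equals hxresStar sent to the AMF: ", derived == HXRES_STAR_TO_AMF)
    # A UE that returns the right RES* passes both checks; a wrong one fails.
    print("correct RES*:", amf_accepts(RAND, derived, XRES_STAR),
          ausf_confirms(XRES_STAR, XRES_STAR))
    wrong = "00" * 16  # constructed bad response
    print("wrong RES*:  ", amf_accepts(RAND, derived, wrong),
          ausf_confirms(XRES_STAR, wrong))
```

Because the AMF only ever holds the hash, it can reject a wrong RES* locally but cannot itself produce the value the AUSF expects in the confirmation PUT.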

The AUSF sends an HTTP GET to the UDM with the SUPI/SUCI in the URI /nudr-dr/v1/subscription-data/imsi-901700000000003/authentication-data/authentication-subscription

To do this the UDM needs the K & OP (or OPc) values for that subscriber. Depending on the UDM configuration, it may have this data cached, or it may need to retrieve these values from the UDR.
