NAS 5G AMF to UE 3GPP TS 24.501

5G NAS - Authentication Reject

Authentication Reject is the NAS message the network sends when the UE's authentication attempt is not accepted and the current 5GMM path must stop.

Message Fact Sheet

Protocol	nas	Network	5g
Spec	3GPP TS 24.501	Spec Section	8.2.5
Direction	AMF to UE	Message Type	5GMM signaling

Full message name	5G NAS - Authentication Reject
Protocol	NAS
Technology	5G
Direction	AMF to UE
Interface	N1
Signaling bearer / channel	NAS signaling / Dedicated NAS message, commonly via DL Information Transfer
Typical trigger	Sent when the network decides that authentication cannot be accepted.
Main purpose	Explicitly terminates the current authentication procedure from the network side.
Main specification	3GPP TS 24.501, 8.2.5
Release added	Release 15
Procedures where used	5G Initial Registration, 5G Authentication Procedure
Related timers	T3560
Related cause values	None highlighted

What is Authentication Reject in simple terms?

Authentication Reject is the NAS message the network sends when the UE's authentication attempt is not accepted and the current 5GMM path must stop.

Explicitly terminates the current authentication procedure from the network side.

Why this message matters

Authentication Reject means the network refused to continue the authentication procedure.

Where this message appears in the call flow

5G Authentication Procedure

Call flow position: Negative network outcome that stops the authentication branch.

Typical state: UE is still unauthenticated for the current procedure.

Preconditions:

The network determined that authentication cannot continue successfully.

Next likely message: Procedure stop or later fresh registration

Call flow position

Previous message(s): Authentication Request, Authentication Response

Next message(s): Procedure termination, Fresh registration attempt

Message direction and transport

Sender and receiver: AMF to UE

Interface: N1

Domain: Core-side mobility management rejection signaling

Signaling bearer: NAS signaling

Logical channel: Dedicated NAS message, commonly via DL Information Transfer

Transport / encapsulation: NAS 5GS message carried end-to-end between AMF and UE

Security context: Usually tied to an authentication failure path rather than a successful security context.

Message Structure Overview

Authentication Reject is intentionally minimal. Its value is procedural rather than field-rich.

Structure Syntax

This message is not typically analyzed as ASN.1 on the wire. Engineers usually inspect it as a NAS or protocol field decode rather than an ASN.1 tree.

Authentication Reject is a NAS 24.501 message, not an ASN.1 message.

Decoded Message Dump

Authentication Reject
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Plain NAS
  Message Type: Authentication Reject

How to read this dump

This message is usually interpreted together with the preceding challenge and response exchange.

What to check in logs and traces

Confirm whether the UE answered the challenge before the reject was sent.
Check earlier authentication values and any AMF-side decision context.
Correlate later UE behavior with procedure termination or fresh retry.

Common Issues and Troubleshooting

Registration stops after authentication without a detailed NAS cause.

Likely cause: The network explicitly rejected the authentication branch.

What to inspect: Check Authentication Request, Authentication Response, and subscriber-side authentication context.

Next step: Shift analysis to earlier authentication challenge validation and subscription data.

Detailed explanation

5G NAS - Authentication Reject Explained

Authentication Reject is the network’s negative authentication outcome message. It tells the UE that the current authentication attempt is not accepted and that the current 5GMM path cannot continue.

For beginners, the simple meaning is: the network rejected the UE during authentication.
For engineers, this message is important because it ends the authentication branch and forces investigation back into the earlier challenge-response exchange.

What is Authentication Reject in simple terms?

The UE and network started authentication. The network then decided not to accept that attempt and sent Authentication Reject.

Why Authentication Reject matters

This message matters because it proves the problem is no longer just “authentication is taking time.” The network made a negative decision and stopped the path.

That means the useful troubleshooting focus is usually on:

the earlier Authentication Request
the UE’s Authentication Response
subscriber or core-side authentication context

Where Authentication Reject appears in the call flow

UE                              gNB / AMF
|<-- Authentication Request -----|
|--- Authentication Response ---->|
|<-- Authentication Reject ------|

Transport characteristics

Direction: AMF to UE
Interface: N1
Transport on access side: commonly via DL Information Transfer
Security expectation: tied to the authentication-failure branch rather than a successfully secured NAS context

What Authentication Reject means operationally

Operationally, this message ends the current authentication procedure. Unlike Authentication Failure, which is sent by the UE when it cannot validate the network challenge, Authentication Reject is the network telling the UE that the current attempt is not accepted from the core side.

Example message dump

Authentication Reject
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Plain NAS
  Message Type: Authentication Reject

How to read this dump

Do not over-focus on the message itself because it is intentionally short.
Instead, correlate it with the full earlier challenge-response exchange.
Then inspect what the UE does next: stop, retry, or restart registration.

What to check in logs

verify whether the UE had already sent Authentication Response
inspect the earlier challenge values and subscriber context
correlate the reject with later procedure stop or re-registration
avoid treating this as a radio-only failure

FAQ

What does Authentication Reject mean in 5G?

It means the network did not accept the authentication procedure and stopped the current registration path.

Summary

Authentication Reject is the NAS message the network sends when the UE's authentication attempt is not accepted and the current 5GMM path must stop.

Advanced Engineer Notes

Because the message is small, the real troubleshooting value comes from careful analysis of the earlier challenge-response path.

Related message pages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.