5G NAS - Authentication Request

Message Fact Sheet

Protocol	nas	Network	5g
Spec	3GPP TS 24.501	Spec Section	8.2.1
Direction	AMF to UE	Message Type	5GMM signaling

Full message name	5G NAS - Authentication Request
Protocol	NAS
Technology	5G
Direction	AMF to UE
Interface	N1
Signaling bearer / channel	NAS signaling / Dedicated NAS message, commonly transported via DL Information Transfer
Typical trigger	Sent after Registration Request or another 5GMM procedure when the network needs to authenticate the UE.
Main purpose	Carries the network authentication challenge and related security context so the UE can prove subscriber legitimacy.
Main specification	3GPP TS 24.501, 8.2.1
Release added	Release 15
Procedures where used	5G Initial Registration, Mobility Registration Update, 5G Authentication Procedure
Related timers	T3560

What is Authentication Request in simple terms?

Authentication Request is the NAS message the AMF uses to challenge the UE and start the 5G primary authentication procedure.

Carries the network authentication challenge and related security context so the UE can prove subscriber legitimacy.

Why this message matters

Authentication Request is the network challenging the UE to prove that it is a valid subscriber.

Where this message appears in the call flow

5G Authentication Procedure

Call flow position: Network challenge message that starts the UE side of 5G primary authentication.

Typical state: UE is attempting to register or refresh 5GMM context and has not yet completed authentication.

Preconditions:

The AMF has enough identity context to start authentication.

Next likely message: Authentication Response or Authentication Failure

Call flow position

Previous message(s): Registration Request, Identity Response

Next message(s): Authentication Response, Authentication Failure

Message direction and transport

Sender and receiver: AMF to UE

Interface: N1

Domain: Core-side mobility management signaling with radio-side NAS transport

Signaling bearer: NAS signaling

Logical channel: Dedicated NAS message, commonly transported via DL Information Transfer

Transport / encapsulation: NAS 5GS message carried end-to-end between AMF and UE

Security context: Often sent before full NAS security is active, so the exact protection state depends on the authentication stage and available context.

Message Structure Overview

Authentication Request is a NAS 5GMM challenge message rather than an ASN.1-encoded RRC or NGAP structure.
In practice, engineers first inspect RAND, AUTN, ngKSI, and whether the procedure is normal 5G AKA or EAP based.

ASN.1 Message Syntax for 5G NAS - Authentication Request

This message is not typically analyzed as ASN.1 on the wire. It is usually read as a NAS or protocol field structure instead.

Authentication Request follows the NAS 24.501 IE structure and is not an ASN.1 message.

5G NAS - Authentication Request - Example Dump

Authentication Request
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Plain NAS
  Message Type: Authentication Request
  ngKSI: 3
  ABBA: 0x0000
  RAND: 9f76b5c4a102f6d1557a4f2cb9d0e841
  AUTN: 8d34fe2210ca7f118e4c22aa119b55f0

How to read this dump

Read RAND and AUTN together because they define the authentication challenge.
Check whether the message is part of 5G AKA or EAP-based authentication before interpreting the following result.

Important Information Elements

IE	Required	Description
`ngKSI`	Yes	Identifies the NAS key set context associated with the authentication procedure.
`ABBA`	Yes	Anti-bidding down between architectures parameter used in 5G authentication handling.
`Authentication parameter RAND`	Yes	Random challenge value the UE uses to compute the authentication response.
`Authentication parameter AUTN`	Yes	Authentication token that lets the UE verify the network and derive response values.
`EAP message`	Optional	Present when the network is using EAP-based primary authentication rather than pure 5G AKA challenge handling.

Detailed field explanation

`ngKSI`

Identifies the NAS key set context associated with the authentication procedure.

Presence: Required

In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.

`ABBA`

Anti-bidding down between architectures parameter used in 5G authentication handling.

Presence: Required

In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.

`Authentication parameter RAND`

Random challenge value the UE uses to compute the authentication response.

Presence: Required

In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.

`Authentication parameter AUTN`

Authentication token that lets the UE verify the network and derive response values.

Presence: Required

In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.

`EAP message`

Present when the network is using EAP-based primary authentication rather than pure 5G AKA challenge handling.

Presence: Optional

In practice: If present, it reflects the external DN authentication result. It is worth checking when the session succeeds on NAS but service access still depends on an external authentication flow.

What to check in logs and traces

Confirm the message appears after Registration Request or Identity Response.
Check ngKSI and whether it matches the expected security-context scenario.
Inspect RAND and AUTN formatting if authentication repeatedly fails.
Correlate the message with the UE's next Authentication Response or Authentication Failure.

Common Issues and Troubleshooting

Authentication never progresses after Authentication Request.

Likely cause: The UE may reject the challenge, fail lower-layer delivery, or be unable to verify AUTN.

What to inspect: Check RAND/AUTN values, UE logs, and whether any Authentication Failure follows.

Next step: Compare against a known-good authentication trace and verify subscriber credentials and time synchronization context.

FAQ

What does Authentication Request do in 5G?

It challenges the UE so the network can verify subscriber identity before allowing registration to continue.

Related message pages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.