5G Roaming Authentication Call Flow
5G Roaming Authentication is the trust-validation procedure that lets a visited network confirm a roaming UE using home-network-backed credentials.
It combines home-side subscriber data, NAS challenge-response signaling, and visited-network service continuation into one roaming security workflow.
Introduction
This page focuses on the authentication part of roaming, not the full registration or session procedure around it.
The most reliable analysis pattern is to follow the path from subscriber identity, to home-side vector retrieval, to the Authentication Request and Response pair, and then to the final validation outcome.
What Is Roaming Authentication in Simple Terms?
- What starts the procedure: A roaming UE must be trusted before secure service can continue in the visited network.
- What the UE and network want to achieve: Validate the subscriber and bootstrap secure roaming service.
- What success looks like: The challenge-response sequence completes correctly and the network continues to protected signaling.
- What failure means: Subscriber trust, vectors, or response validation did not line up.
Why this procedure matters
Roaming authentication failures often look like generic attach or registration problems until you isolate the trust-validation path. A dedicated page keeps the real failure domain visible.
Quick Fact Sheet
| Procedure name | 5G Roaming Authentication |
|---|---|
| Domain | 5G roaming subscriber validation and security bootstrap across visited and home networks |
| Main trigger | A roaming UE starts registration or service in a visited network and must be authenticated against home-network credentials |
| Start state | UE is attached to a visited network but is not yet trusted for secure roaming service |
| End state | The UE and network complete roaming-aware authentication and can continue with protected service procedures |
| Main nodes | UE, visited gNB, visited AMF, home AUSF, home UDM, security functions |
| Main protocols | NAS, AKA or related authentication signaling, roaming subscriber interfaces |
| Main success outcome | Authentication vectors and responses match, allowing security activation and continued roaming service |
| Main failure outcome | Subscriber validation, vector retrieval, or response checking fails and roaming service cannot proceed securely |
| Most important messages | Authentication Request, Authentication Response, Authentication Reject/Failure, Security Mode signaling |
| Main specs | TS 23.501, TS 23.502, TS 24.501, roaming subscriber interface procedures |
Preconditions
- The UE has reached a point in roaming service where authentication is required.
- Visited and home networks can exchange subscriber-validation information.
- The UE has valid subscriber credentials for the home network.
- Later security signaling can continue if authentication succeeds.
Nodes and Interfaces
Nodes involved
| Node | Role in this procedure |
|---|---|
| UE | Responds to the network challenge using subscriber credentials while operating in a visited network context. |
| Visited gNB | Carries the radio-side leg of the roaming authentication exchange. |
| Visited AMF | Anchors the visited-network side of the authentication procedure and coordinates with home functions. |
| Home AUSF | Provides the authentication logic and validation outcome from the home-network side. |
| Home UDM | Supplies subscriber information and authentication material needed for roaming trust decisions. |
| Security functions | Support the derivation and later use of keys once authentication succeeds. |
Interfaces used
| Interface | Path | Role |
|---|---|---|
| NR-Uu | UE <-> visited gNB | Carries the radio-side access for roaming authentication signaling. |
| N1 | UE <-> visited AMF | Carries Authentication Request, Response, and related NAS security signaling. |
| N2 | visited gNB <-> visited AMF | Relays UE context and NAS messages in the visited network. |
| Roaming subscriber interfaces | visited AMF <-> home AUSF/UDM | Carry vector retrieval, subscriber validation, and authentication-state coordination. |
End-to-End Call Flow
UE visited gNB visited AMF home AUSF / UDM
| | | |
| | |-- get vectors ----->|
| | |<-- auth context -----|
|<-- Authentication Request ----------| |
|-- Authentication Response --------->| |
| | |-- validate --------->|
| | |<-- success / reject -|
|==== continue to security or stop ========================>|Major Phases
| Phase | What happens |
|---|---|
| 1. Roaming authentication trigger | The roaming UE reaches the point where the visited network needs home-backed trust validation. |
| 2. Home-side vector and subscriber retrieval | Visited and home functions coordinate to get the material needed for the challenge. |
| 3. UE challenge and response | The network sends Authentication Request and the UE returns Authentication Response. |
| 4. Validation outcome | The network accepts the response or ends the attempt with reject or failure handling. |
| 5. Security continuation | A successful result allows later security activation and continued roaming service procedures. |
Step-by-Step Breakdown
Roaming service reaches the trust-validation point
Sender -> receiver: UE -> visited AMF via visited access
Message(s): Registration or service context that triggers authentication
Purpose: Move the roaming UE from tentative access into a properly validated subscriber state.
State or context change: The UE is no longer treated as only an unidentified visitor; it becomes a candidate for trusted roaming service.
Note: Keep the roaming context visible while reading the trace, because the root cause may live in home-side validation rather than in the NAS challenge itself.
Visited network requests home-side authentication support
Sender -> receiver: Visited AMF <-> home AUSF / UDM
Message(s): Subscriber lookup and vector retrieval
Purpose: Obtain the material required to challenge the roaming UE correctly.
State or context change: The visited network becomes able to authenticate using home-derived trust information.
Note: A delay or failure here can make the later NAS side look broken even though the real issue is cross-network coordination.
The UE receives Authentication Request
Sender -> receiver: Visited AMF -> UE
Message(s): Authentication Request
Purpose: Challenge the UE with the correct roaming-aware authentication input.
State or context change: The roaming UE is now in the active challenge-response portion of the security path.
Note: Always verify that the challenge belongs to the right subscriber and registration attempt before judging the UE response.
The UE answers with Authentication Response
Sender -> receiver: UE -> visited AMF
Message(s): Authentication Response or Authentication Failure
Purpose: Prove possession of the expected credentials or report why the attempt cannot continue.
State or context change: The network now has enough evidence to accept or reject the roaming subscriber.
Note: Authentication Failure does not always mean bad radio behavior; it often reflects a real credential or sequence issue.
The network validates the result and continues to security
Sender -> receiver: Visited AMF <-> home AUSF plus UE follow-up
Message(s): Authentication Reject or later security signaling
Purpose: Finish the roaming authentication decision and move to protected signaling if successful.
State or context change: The UE either becomes a trusted roaming subscriber or is denied continued service.
Note: A good authentication result should be read together with the next security step, not in isolation.
Important Messages in This Flow
| Message | Protocol | Direction | Purpose in this procedure | What to inspect briefly |
|---|---|---|---|---|
| Authentication Request | NAS | Network -> UE | Challenges the roaming UE using home-backed authentication context. | Check timing, subscriber correlation, and challenge sequence. |
| Authentication Response | NAS | UE -> Network | Provides the UE proof needed for successful roaming authentication. | Inspect whether the response matches the expected subscriber state. |
| Authentication Failure | NAS | UE -> Network | Signals that the UE could not continue the expected authentication path. | Important for distinguishing real credential problems from generic radio issues. |
| Authentication Reject | NAS | Network -> UE | Shows the network denied further continuation after validation failed. | Use it to anchor the exact end of the roaming trust attempt. |
Important Parameters to Inspect
| Parameter | What it is | Where it appears | Why it matters | Common issues |
|---|---|---|---|---|
| SUPI / SUCI or temporary identity | Subscriber identity used for the roaming authentication attempt. | Registration and authentication context | Must match the home-side subscriber that vectors were retrieved for. | Identity mismatch creates confusing rejects. |
| Authentication vector context | Home-derived material used for the challenge. | Visited-home coordination path | Core foundation for a valid roaming challenge. | Failures here often never show clearly on the radio trace alone. |
| Response timing | How quickly the UE and network complete the challenge-response exchange. | Authentication Request/Response timing | Useful in distinguishing NTN, roaming, or transport delay from credential failure. | Unexpected delay can trigger abort logic. |
| Failure cause | Reason why roaming authentication did not proceed. | Authentication Failure or network decision path | Separates bad credentials, sequence mismatch, and transport problems. | Skipping this loses the whole diagnosis. |
| Security continuation state | Whether the result led into Security Mode and protected NAS service. | Post-authentication signaling | Best sign that roaming trust really succeeded. | Authentication success without continuation is incomplete. |
Success Criteria
- The correct subscriber identity is tied to the roaming attempt.
- The visited network gets valid home-backed authentication context.
- The UE returns a response that validates correctly.
- The network continues to the expected secure roaming procedure afterward.
Common Failures and Troubleshooting
| Symptom | Likely cause | Where to inspect | Relevant message(s) | Relevant interface(s) | Likely next step |
|---|---|---|---|---|---|
| The visited network never gets usable vectors | Home-side subscriber lookup or vector retrieval failed. | Visited-home authentication coordination. | Pre-challenge subscriber signaling | Roaming subscriber interfaces | This is often the real cause behind apparently empty NAS authentication traces. |
| The UE responds but the network still rejects the attempt | The response did not validate against the expected home-side state. | Authentication Request/Response pair and home-side decision. | Authentication Response / Reject | N1, roaming interfaces | Focus on subscriber correlation before blaming the UE generically. |
| Authentication loops or restarts repeatedly | Context synchronization or cross-network state handling is unstable. | Repeated request/response cycles. | Authentication Request / Response | N1, roaming interfaces | A loop usually means state-management trouble, not just poor radio conditions. |
| Authentication succeeds but later security still fails | Trust validation completed, but the follow-up key or security continuation did not converge cleanly. | Post-authentication security path. | Security Mode signaling | N1 | Treat authentication and security continuation as linked but separate checkpoints. |
Related Pages
Related sub-procedures
- 5G NR Roaming Registration
- 5G Home-Routed Roaming Registration
- 5G Authentication Procedure
- 5G NAS Security Mode Procedure
Related message reference pages
Related troubleshooting pages
FAQ
What is Roaming Authentication?
It is the security-validation procedure that proves a roaming UE is a legitimate subscriber using home-network-backed credentials.
Is it different from normal 5G authentication?
The basic NAS challenge flow is familiar, but the trust decision depends on coordination between visited and home networks.
What proves success?
A correct Authentication Request and Response sequence followed by continued secure roaming procedures.
What should I inspect first?
Start with subscriber identity correlation, home-side vector retrieval, and the exact Authentication Request/Response pair.
Why can this fail even when radio coverage looks fine?
Because many roaming authentication failures are caused by cross-network subscriber or credential-state issues rather than radio problems.