5G AS Security Activation Procedure Call Flow
5G AS Security Activation is the point where trust established in the core becomes real radio-side protection on the access network.
It is the handoff from NAS-level security success to protected RRC and access continuity between the UE and gNB.
Introduction
This procedure matters because a trace can look healthy at authentication and NAS level while the access side is still not aligned on protected radio behavior.
That makes AS activation one of the most important checkpoints between NAS Security Mode and later mobility or traffic continuity.
What Is AS Security Activation Procedure in Simple Terms?
- What starts the procedure: The network is ready to activate radio-side security after earlier trust establishment.
- What the UE and network want to achieve: Protect RRC and related access behavior using the active AS security context.
- What success looks like: Protected radio signaling continues cleanly after activation.
- What failure means: The radio side is not aligned on the active context even though earlier security phases may look fine.
Why this procedure matters
AS security activation is where the 5G security model becomes real on the air interface. If it is weak, handover, reconfiguration, and ongoing radio continuity become fragile even when subscriber authentication was correct.
Quick Fact Sheet
| Procedure name | 5G AS Security Activation Procedure |
|---|---|
| Domain | 5G access-stratum security activation on the radio side |
| Main trigger | NAS-side authentication and security setup have succeeded enough to activate radio-side protection |
| Start state | The UE has trusted core-side security context, but radio-side AS protection is not yet fully active for the current branch |
| End state | RRC and user-plane related radio exchanges run under the active AS security context |
| Main nodes | UE, gNB, AMF |
| Main protocols | RRC, NAS, access-stratum key usage |
| Main success outcome | The UE and gNB align on the active access-stratum keys and protected radio signaling continues cleanly |
| Main failure outcome | Radio-side protection is activated inconsistently and later RRC or data continuity breaks |
| Most important messages | Security Mode Complete, RRC Reconfiguration, later protected RRC signaling |
| Main specs | TS 33.501, TS 38.331, TS 23.502 |
Preconditions
- Primary authentication has succeeded.
- NAS security activation has completed or is stable enough to hand off into radio-side protection.
- The gNB has the correct access-side security context for this UE.
- Later RRC signaling will be available to prove that the activation really worked.
Nodes and Interfaces
Nodes involved
| Node | Role in this procedure |
|---|---|
| UE | Applies the access-stratum security context to protected radio signaling and later user-plane handling. |
| gNB | Activates the radio-side security context and uses it for later protected RRC and access continuity. |
| AMF | Provides the core-side continuity that allows the radio side to derive or activate the needed access context. |
Interfaces used
| Interface | Path | Role |
|---|---|---|
| NR-Uu | UE <-> gNB | Carries the protected RRC signaling that proves AS security activation is working. |
| N2 | gNB <-> AMF | Carries context coordination while the access side activates radio protection. |
| N1 | UE <-> AMF via gNB | Carries the preceding NAS security steps that usually bootstrap AS security activation. |
End-to-End Call Flow
UE gNB AMF
| | |
|<-- NAS side security already complete -|
|<-- protected radio config / context ----|
|-- later protected RRC signaling ------->|
|==== AS security now protects radio continuity ====|Major Phases
| Phase | What happens |
|---|---|
| 1. NAS-side trust is established | Authentication and NAS security activation provide the basis for radio-side protection. |
| 2. Access-side keys and context are prepared | The gNB and UE get aligned on the access-stratum context that should protect later radio signaling. |
| 3. Protected radio signaling becomes active | RRC exchanges continue under the newly active AS security context. |
| 4. Operational proof | Later radio-control and service continuity show whether AS security activation really succeeded. |
Step-by-Step Breakdown
Authentication and NAS security complete the preconditions
Sender -> receiver: UE <-> AMF via gNB
Message(s): Authentication Procedure and NAS Security Mode
Purpose: Provide the trusted security anchor and procedure order needed for radio-side protection.
State or context change: The UE is trusted at NAS level, and the system can now move toward protected radio continuity.
Note: If AS activation fails, always confirm the NAS-side handoff was healthy first.
gNB and UE align on access-stratum security context
Sender -> receiver: AMF -> gNB -> UE
Message(s): AS key activation and radio security context preparation
Purpose: Move the security model from core-side trust into protected RRC and access behavior.
State or context change: The radio side is transitioning from unprotected or partially protected setup into active AS security.
Note: This is where K_gNB and related radio-side continuity become operationally important.
Protected RRC signaling continues under the new AS context
Sender -> receiver: UE <-> gNB
Message(s): RRC Reconfiguration and later protected RRC signaling
Purpose: Prove that access-stratum protection is active and usable for ongoing service.
State or context change: Radio-control signaling is now protected using the active AS security context.
Note: Do not treat activation as successful until you inspect at least one later protected radio exchange.
Later data or mobility continuity confirms operational success
Sender -> receiver: UE <-> gNB and related network nodes
Message(s): Protected radio continuation, mobility signaling, and later service activity
Purpose: Show that AS security activation survives real operation and not only initial configuration.
State or context change: The security state is no longer theoretical; it is carrying live radio continuity.
Note: Many AS security issues first become visible during handover, reconfiguration, or resumed traffic rather than at the activation moment itself.
Important Messages in This Flow
| Message | Protocol | Direction | Purpose in this procedure | What to inspect briefly |
|---|---|---|---|---|
| Security Mode Complete | NAS | UE -> AMF | Marks that the NAS-side precondition for AS security activation has completed. | Inspect whether the radio side tries to activate AS security only after this point. |
| RRC Reconfiguration | RRC | gNB -> UE | Common place where the active protected radio context becomes visible in practice. | Inspect whether protected radio signaling continues cleanly after the security handoff. |
| Later protected RRC messages | RRC | UE <-> gNB | Prove that AS security is operational rather than only configured in theory. | Check integrity and continuity in the first follow-on protected RRC exchanges. |
Important Parameters to Inspect
| Parameter | What it is | Where it appears | Why it matters | Common issues |
|---|---|---|---|---|
| K_gNB or access key lineage | The radio-side key material derived from the trusted core-side security anchor. | AS security handling | Explains how radio-side protection is tied to earlier authentication and NAS security. | Broken lineage causes later radio protection mismatch. |
| Activation ordering | Whether radio-side protection is activated after the required NAS-side preconditions. | Procedure timeline | Separates valid activation from premature or out-of-order signaling. | Wrong ordering creates confusing mixed protection states. |
| First protected RRC message | The first real use of the active AS security context. | Post-activation radio trace | Best operational proof that the context works. | If it fails, the activation was not really successful. |
| Mobility linkage | Whether the active AS context must survive handover or radio relocation soon after activation. | Mobility timeline | Important because several access-side failures only appear under mobility stress. | A stable idle cell can hide a broken mobility security chain. |
| NAS to AS continuity | How the core-side security handoff fed the radio-side context. | AMF and gNB context transfer | Shows whether the security model stayed coherent across layers. | If broken, one layer may trust the UE while another rejects it. |
Success Criteria
- NAS-side trust and the access-side handoff happen in the right order.
- The UE and gNB activate the same radio-side context.
- Protected RRC signaling continues cleanly after activation.
- Later mobility and traffic behavior remain stable under the active AS context.
Common Failures and Troubleshooting
| Symptom | Likely cause | Where to inspect | Relevant message(s) | Relevant interface(s) | Likely next step |
|---|---|---|---|---|---|
| Protected RRC signaling fails right after activation | The UE and gNB did not align on the same access-stratum context. | AS key lineage, activation order, and first protected radio messages. | RRC Reconfiguration and later protected RRC | NR-Uu | This is the clearest direct sign of AS activation failure. |
| NAS security is fine but radio continuity breaks | The core-side trust model was healthy, but the radio-side context handoff failed. | NAS to AS continuity and gNB-side activation details. | Security Mode Complete and first protected RRC | N1, N2, NR-Uu | Do not blame authentication if only the radio side is broken. |
| AS security only fails under mobility | The access context activated locally but did not survive movement or relocation. | Mobility-linked key refresh and target-side context transfer. | RRC Reconfiguration and handover messages | N2, NR-Uu | This is often a mobility-security continuity issue rather than a basic activation issue. |
| Protected traffic is intermittent after activation | One plane or node is using stale access-side context. | Later radio and traffic traces after apparent activation success. | Protected follow-on signaling | NR-Uu, N2 | Intermittent failure usually means partial alignment, not total failure. |
What to Check in Logs and Traces
- Confirm the NAS-side preconditions finished before AS activation begins.
- Inspect the first protected RRC messages after the handoff.
- If failures appear only during handover, correlate AS security continuity with mobility logs.
- Treat intermittent radio-security trouble as a likely partial alignment issue, not always a full procedure failure.
Related Pages
Related sub-procedures
Related message reference pages
Related troubleshooting pages
FAQ
What is 5G AS Security Activation?
It is the activation of access-stratum protection for radio-side signaling and related continuity after core-side trust is established.
How is it different from NAS Security Mode?
NAS Security Mode protects NAS signaling, while AS security activation protects radio-side access-stratum exchanges.
What should I inspect first in a problem trace?
Start with whether NAS-side prerequisites completed and then inspect the first protected RRC messages.
Why can AS security fail when NAS security succeeded?
Because the radio-side context handoff and key usage are separate from NAS-side activation.
When is the problem most visible?
Often during the first protected RRC continuation or during later mobility rather than at the exact activation moment.