5G NAS Security Mode Procedure Call Flow
5G NAS Security Mode is the procedure that turns a successful primary authentication into integrity-protected (and, if the selected ciphering algorithm is not NEA0, ciphered) NAS signaling.
It is where the AMF selects the NAS integrity and ciphering algorithms, sends them in a Security Mode Command that is already integrity protected with the new key, and the UE either takes the new 5G NAS security context into use (Security Mode Complete) or refuses it (Security Mode Reject). Only after this exchange can later control-plane signaling on N1 be trusted.
Introduction
The procedure begins only after primary authentication has given the AMF a fresh K_AMF (derived from the K_SEAF returned by the AUSF) identified by an ngKSI. Its role is to take that context into use: the AMF selects the NAS algorithms, both sides derive K_NASint and K_NASenc, and every later NAS message on the connection carries a NAS-MAC under the new context.
In practical traces it sits between the Authentication procedure and the protected continuation: Registration Accept, identity handling such as an IMEISV request, PDU session signaling, or service request handling.
What Is NAS Security Mode Procedure in Simple Terms?
- What starts the procedure: Primary authentication has succeeded and the AMF must activate NAS integrity protection (and ciphering) before it sends anything sensitive such as Registration Accept.
- What the UE and network want to achieve: Agree on one NAS integrity and one NAS ciphering algorithm, confirm which key context (ngKSI) they apply to, and take the new 5G NAS security context into use on both sides.
- What success looks like: The UE answers Security Mode Complete and every later NAS message on the connection verifies under the new context.
- What failure means: The UE answers Security Mode Reject (capability or bidding-down mismatch, or a failed integrity check on the command), the AMF times out waiting for a reply, or a Complete is followed by NAS messages that do not verify.
Why this procedure matters
This procedure is the bridge between subscriber trust and operationally protected signaling. When it fails, the access path may look authenticated but still be unusable for real 5G control-plane continuation.
Quick Fact Sheet
| Procedure name | 5G NAS Security Mode Procedure |
|---|---|
| Domain | 5G NAS security activation after successful authentication |
| Main trigger | Primary authentication has succeeded and the AMF must activate protected NAS signaling |
| Start state | The UE is authenticated but later NAS messages are not yet running under the selected protected mode |
| End state | NAS integrity and the selected NAS security behavior are active for later signaling |
| Main nodes | UE, gNB, AMF |
| Main protocols | 5GMM NAS over N1 (TS 24.501), carried transparently in RRC over NR-Uu and in NGAP over N2; NAS key derivation and algorithms per TS 33.501 |
| Main success outcome | The UE accepts the selected NAS security algorithms and protected NAS signaling can continue |
| Main failure outcome | Security Mode is rejected, key context is inconsistent, or later protected NAS still fails |
| Most important messages | Security Mode Command, Security Mode Complete, Security Mode Reject |
| Main specs | TS 24.501, TS 23.502, TS 33.501 |
Preconditions
- A valid authentication result already exists for the UE access attempt.
- The AMF holds the K_AMF derived from the K_SEAF of the successful authentication, identified by an ngKSI that the UE also knows.
- The UE security capability from the Registration Request is available. It arrived unprotected, so the AMF must replay it in the Security Mode Command for the UE to verify that nobody stripped algorithms from it.
- The access path is stable enough to carry the Security Mode exchange.
Nodes and Interfaces
Nodes involved
| Node | Role in this procedure |
|---|---|
| UE | Applies the selected NAS security algorithms and confirms whether protected continuation is possible. |
| gNB | Provides the radio transport for NAS security activation between the UE and AMF. |
| AMF | Chooses the NAS protection algorithms and activates them using the authentication-derived context. |
Interfaces used
| Interface | Path | Role |
|---|---|---|
| NR-Uu | UE <-> gNB | Carries the radio transport for the NAS Security Mode exchange. |
| N1 | UE <-> AMF via gNB | Carries Security Mode Command, Security Mode Complete, and possible Security Mode Reject. |
| N2 | gNB <-> AMF | Carries access-side context while the AMF activates protected NAS continuation. |
End-to-End Call Flow
UE                   gNB                   AMF
 |                    |                     |
 |<-------- Security Mode Command ----------|
 |---- Security Mode Complete / Reject ---->|
 |==== later NAS continues under the new protected context ====|
Major Phases
| Phase | What happens |
|---|---|
| 1. Post-authentication handoff | Authentication has succeeded and the AMF now has the security anchor needed to protect NAS signaling. |
| 2. Algorithm selection | The AMF chooses integrity and ciphering behavior based on UE capability and operator policy. |
| 3. NAS security activation | The AMF sends Security Mode Command and the UE applies the selected security mode. |
| 4. Protected continuation | The UE responds with Security Mode Complete and later NAS procedures continue under protection. |
Step-by-Step Breakdown
Authentication success creates the input for NAS protection
Sender -> receiver: AUSF -> AMF over N12, then AMF-internal key derivation
Message(s): Nausf_UEAuthentication result carrying K_SEAF on success; the AMF derives K_AMF from it and stores it under an ngKSI
Purpose: Give the AMF the key hierarchy from which the NAS keys (K_NASint, K_NASenc) are derived once the algorithms are chosen.
State or context change: The UE is authenticated, but the new 5G NAS security context is not yet in use; NAS messages are still unprotected or protected with an older context.
Note: If authentication succeeded but Security Mode fails, the breakpoint is often in this handoff: the AMF protects the command with a K_AMF the UE does not hold, or references the wrong ngKSI.
AMF selects NAS algorithms and context
Sender -> receiver: AMF internal, using the UE security capability from the Registration Request and operator policy
Message(s): Algorithm choice (one NIA, one NEA) and derivation of K_NASint and K_NASenc from K_AMF
Purpose: Pick the highest-priority integrity and ciphering algorithms that both sides support. NIA0 (null integrity) is permitted only for unauthenticated emergency services; NEA0 (null ciphering) is a policy choice.
State or context change: The network is ready to instruct the UE how to protect later NAS signaling.
Note: Inspect both the UE capability and the AMF priority list. An algorithm valid on one side is useless if the other side will not accept it, and an empty intersection means the AMF cannot build a valid command at all.
AMF sends Security Mode Command
Sender -> receiver: AMF -> UE
Message(s): Security Mode Command carrying the selected NAS security algorithms, ngKSI, the replayed UE security capabilities and, optionally, an IMEISV request and Additional 5G security information (horizontal K_AMF derivation, request to retransmit the initial NAS message)
Purpose: Take the new 5G NAS security context into use for later signaling.
State or context change: The command itself is already integrity protected with the new K_NASint (security header type 3, NAS COUNT 0) but not ciphered. The UE must derive the keys for the selected algorithms, verify the NAS-MAC, and compare the replayed capabilities with what it sent.
Note: This is the point where unsupported algorithms and stale key context become visible quickly. If the UE never answers, the AMF retransmits the command on expiry of T3560 and aborts the procedure after the retransmission limit.
UE confirms or rejects the NAS protection mode
Sender -> receiver: UE -> AMF
Message(s): Security Mode Complete (integrity protected and ciphered with the new context, security header type 4; may carry the IMEISV and the retransmitted initial NAS message) or Security Mode Reject with a 5GMM cause, typically #23 "UE security capabilities mismatch" or #24 "security mode rejected, unspecified"
Purpose: Tell the network whether protected continuation can proceed safely.
State or context change: Successful completion takes the new context into use on both sides; rejection leaves the old state in place, and the AMF stops T3560 and aborts the procedure that triggered the security mode control (for example the registration).
Note: A clean Complete should be followed by real protected NAS continuation such as Registration Accept, not by a silent stall. A Complete whose MAC the AMF cannot verify is as bad as a Reject.
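The four steps above as one runnable exchange, added here as an example (it is not code from the page or from 3GPP). Both sides are modelled in Python: the generic KDF and the K_NASint / K_NASenc derivation inputs follow TS 33.501 Annex A, while the message coding, the `run` scenario driver, the constructed K_AMF and UE capability, and the HMAC-SHA-256 stand-in for the NIA1-3 MAC are assumptions. The three scenarios show a clean Complete, a bidding-down attempt caught by the replayed UE capability (cause #23 even though the MAC verifies, because the AMF protected exactly what it was fed), and a stale K_AMF caught by the integrity check (cause #24).

```python
"""NAS Security Mode exchange model (added example; not page or 3GPP code)."""
import hashlib, hmac, json, secrets

NIA = {"NIA0": 0, "NIA1": 1, "NIA2": 2, "NIA3": 3}   # algorithm identities (4-bit)
NEA = {"NEA0": 0, "NEA1": 1, "NEA2": 2, "NEA3": 3}
NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02                # type distinguishers, TS 33.501 A.8
CAUSE_CAPABILITY_MISMATCH, CAUSE_REJECTED_UNSPECIFIED = 23, 24   # 5GMM causes, TS 24.501
UPLINK, DOWNLINK, NAS_CONN_ID_3GPP = 0, 1, 0         # DIRECTION and BEARER inputs for the NAS MAC


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.501 Annex A KDF: HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def nas_alg_key(k_amf: bytes, alg_type: int, alg_id: int) -> bytes:
    """K_NASint / K_NASenc (A.8, FC 0x69): the 128 least significant bits of the output."""
    return kdf(k_amf, 0x69, bytes([alg_type]), bytes([alg_id]))[16:]


def nas_mac(k_nasint: bytes, nia: str, count: int, direction: int, plain: bytes) -> bytes:
    """32-bit NAS-MAC over COUNT || BEARER || DIRECTION || MESSAGE. NIA0 gives an all-zero MAC.
    HMAC-SHA-256 truncated to 32 bits is a STAND-IN for NIA1-3 (SNOW 3G, AES-CMAC, ZUC)."""
    if nia == "NIA0":
        return bytes(4)
    hdr = count.to_bytes(4, "big") + bytes([(NAS_CONN_ID_3GPP << 3) | (direction << 2), 0, 0, 0])
    return hmac.new(k_nasint, hdr + plain, hashlib.sha256).digest()[:4]


def encode(msg: dict) -> bytes:
    """Deterministic stand-in for the NAS IE coding of a message's unprotected part."""
    return json.dumps(msg, sort_keys=True).encode()


def strip_mac(msg: dict) -> dict:
    return {k: v for k, v in msg.items() if k != "mac"}


class AMF:
    NIA_PRIORITY = ("NIA2", "NIA1", "NIA3")          # operator policy; never NIA0 for normal registration
    NEA_PRIORITY = ("NEA2", "NEA1", "NEA3", "NEA0")

    def __init__(self, k_amf: bytes, ngksi: int):
        self.k_amf, self.ngksi, self.nia, self.k_nasint = k_amf, ngksi, None, None

    def build_smc(self, caps_seen: dict) -> dict:
        """Select policy ∩ capability seen in the (unprotected) Registration Request, replay that
        capability, and integrity-protect with the NEW context (security header type 3, COUNT 0)."""
        nia = next((a for a in self.NIA_PRIORITY if a in caps_seen["nia"]), None)
        nea = next((a for a in self.NEA_PRIORITY if a in caps_seen["nea"]), None)
        if nia is None or nea is None:
            raise ValueError("no common NAS algorithm; Security Mode Command cannot be built")
        self.nia, self.k_nasint = nia, nas_alg_key(self.k_amf, NAS_INT_ALG, NIA[nia])
        plain = {"msg": "SECURITY MODE COMMAND", "sht": 3, "ngksi": self.ngksi,
                 "nia": nia, "nea": nea, "replayed_ue_caps": caps_seen}
        return {**plain, "mac": nas_mac(self.k_nasint, nia, 0, DOWNLINK, encode(plain)).hex()}

    def check_complete(self, msg: dict) -> bool:
        expected = nas_mac(self.k_nasint, self.nia, 0, UPLINK, encode(strip_mac(msg)))
        return hmac.compare_digest(expected, bytes.fromhex(msg["mac"]))


class UE:
    def __init__(self, k_amf: bytes, caps: dict):
        self.k_amf, self.caps, self.active = k_amf, caps, None   # caps = sent in Registration Request

    def handle_smc(self, smc: dict) -> dict:
        def reject(cause):
            return {"msg": "SECURITY MODE REJECT", "cause": cause}
        # Anti-bidding-down: the replayed capability must equal what this UE actually sent.
        if smc["replayed_ue_caps"] != self.caps:
            return reject(CAUSE_CAPABILITY_MISMATCH)
        if smc["nia"] not in self.caps["nia"] or smc["nea"] not in self.caps["nea"]:
            return reject(CAUSE_CAPABILITY_MISMATCH)
        # Integrity check with K_NASint derived from the K_AMF that ngKSI identifies.
        k_nasint = nas_alg_key(self.k_amf, NAS_INT_ALG, NIA[smc["nia"]])
        mac = nas_mac(k_nasint, smc["nia"], 0, DOWNLINK, encode(strip_mac(smc)))
        if not hmac.compare_digest(mac, bytes.fromhex(smc["mac"])):
            return reject(CAUSE_REJECTED_UNSPECIFIED)
        # Accept: take the new context into use. Complete is integrity protected and ciphered
        # (security header type 4); the ciphering itself is not modelled here.
        self.active = {"ngksi": smc["ngksi"], "nia": smc["nia"], "nea": smc["nea"], "k_nasint": k_nasint,
                       "k_nasenc": nas_alg_key(self.k_amf, NAS_ENC_ALG, NEA[smc["nea"]])}
        plain = {"msg": "SECURITY MODE COMPLETE", "sht": 4}
        return {**plain, "mac": nas_mac(k_nasint, smc["nia"], 0, UPLINK, encode(plain)).hex()}


UE_CAPS = {"nia": ["NIA1", "NIA2"], "nea": ["NEA0", "NEA2"]}   # constructed sample capability


def run(caps_seen_by_amf=None, amf_k_amf=None):
    """One exchange with a constructed K_AMF. caps_seen_by_amf models an attacker rewriting the
    unprotected Registration Request; amf_k_amf models a stale or mixed-up AMF context."""
    k_amf = secrets.token_bytes(32)
    ue, amf = UE(k_amf, UE_CAPS), AMF(amf_k_amf or k_amf, ngksi=1)
    reply = ue.handle_smc(amf.build_smc(caps_seen_by_amf or UE_CAPS))
    ok = reply["msg"] == "SECURITY MODE COMPLETE" and amf.check_complete(reply)
    return reply, ok, ue.active
```

`run()` gives a Complete that the AMF accepts; `run(caps_seen_by_amf={"nia": ["NIA1", "NIA2"], "nea": ["NEA0"]})` makes the AMF select NEA0 from a stripped capability and the UE answers Reject with cause 23; `run(amf_k_amf=secrets.token_bytes(32))` makes the command's MAC fail at the UE and yields cause 24. The second case is the reason the command replays the capability: the MAC alone cannot detect tampering with a message that was sent before any key existed.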
Important Messages in This Flow
| Message | Protocol | Direction | Purpose in this procedure | What to inspect briefly |
|---|---|---|---|---|
| Security Mode Command | NAS | AMF -> UE | Instructs the UE to take the selected NAS algorithms and the context identified by ngKSI into use. Integrity protected with the new K_NASint (security header type 3) but not ciphered. | Selected NAS security algorithms, ngKSI, the replayed UE security capabilities (must equal what the UE sent in the Registration Request), and any Additional 5G security information flags (horizontal K_AMF derivation, retransmission of the initial NAS message requested). |
| Security Mode Complete | NAS | UE -> AMF | Confirms that the UE accepted and applied the mode. Integrity protected and ciphered with the new context (security header type 4); may carry the IMEISV and the retransmitted initial NAS message. | Verify the header type, that the AMF accepts its NAS-MAC, and that later NAS messages really appear under the expected protection context. |
| Security Mode Reject | NAS | UE -> AMF | Shows that the UE could not accept the proposed NAS security mode. | The 5GMM cause: #23 "UE security capabilities mismatch" points at algorithm selection or a bidding-down attempt on the unprotected capability; #24 "security mode rejected, unspecified" typically means the integrity check on the command failed (wrong or stale key context). |
Important Parameters to Inspect
| Parameter | What it is | Where it appears | Why it matters | Common issues |
|---|---|---|---|---|
| Selected integrity algorithm (NIA) | The NAS integrity algorithm chosen by the AMF, coded as a 4-bit identity. | Security Mode Command | Integrity protection is mandatory for every NAS message after activation; NIA0 (null integrity) is allowed only for unauthenticated emergency services. | An algorithm the UE did not advertise leads to Reject #23; NIA0 outside an emergency case is a policy or configuration error. |
| Selected ciphering algorithm (NEA) | The NAS ciphering algorithm chosen for the UE. | Security Mode Command | Determines whether later NAS content (identities, PDU session parameters) is confidential; NEA0 is legitimate but leaves it readable. | Unsupported choice blocks continuation; NEA0 selected because an attacker stripped the capability is caught only by the replayed-capability check. |
| ngKSI and security context linkage | The key set identifier naming the K_AMF the command applies to. | Security Mode Command, earlier Authentication Request | Tells the UE which K_AMF to derive K_NASint and K_NASenc from; a mismatch means the UE verifies the MAC with the wrong key. | Stale or mixed context is a classic source of Reject #24 or of a Complete the AMF cannot verify. |
| UE security capability | The algorithm support the UE sent in the Registration Request, replayed by the AMF inside the command. | Registration Request, Security Mode Command | Constrains what the AMF may choose, and the replay lets the UE detect that the unprotected capability was altered in transit (bidding down). | Capability mismatch surfaces here, not during authentication; a replayed capability that differs from what the UE sent yields Reject #23. |
| Later protected NAS continuity | The first NAS messages after Security Mode Complete, which should carry security header type 1 or 2. | Post-procedure trace | Proves that activation was operationally successful, not only syntactically complete. | If no protected follow-on exists, or the command is simply sent again, the real issue is after the Complete. |
Success Criteria
- The AMF selects algorithms the UE can support.
- The authentication-derived context is handed off correctly into NAS protection activation.
- The UE returns Security Mode Complete.
- Later protected NAS signaling continues without abnormal retries or rejects.
Common Failures and Troubleshooting
| Symptom | Likely cause | Where to inspect | Relevant message(s) | Relevant interface(s) | Likely next step |
|---|---|---|---|---|---|
| Security Mode Command is sent but the UE rejects it | The UE could not support or trust the proposed NAS protection mode. | Selected algorithms, capability alignment, and security context continuity. | Security Mode Command, Security Mode Reject | N1 | This is often an algorithm-selection or context-usage issue rather than a radio issue. |
| Security Mode completes but later NAS still fails | The mode activated syntactically, but the protected continuation path is still inconsistent. | First protected NAS messages after completion and AMF context continuity. | Security Mode Complete and later NAS | N1, N2 | Do not stop at the Complete if the user journey still stalls. |
| Security Mode appears before authentication is stable | The procedure order or context handoff is wrong. | Authentication result timing and AMF state sequencing. | Authentication Result, Security Mode Command | N1, N12 | Ordering problems can create confusing mixed security symptoms. |
| NAS protection loops or retries | The AMF or UE keeps losing continuity about the active security state. | AMF state, UE state, and whether the same branch restarts after partial success. | Security Mode Command, Security Mode Complete | N1 | Repeated security activation is usually a wider state-management symptom. |
What to Check in Logs and Traces
- Confirm that the Security Mode Command is sent only after the Authentication Response (or EAP result) and that its ngKSI matches the one used during authentication.
- Inspect the selected NIA and NEA against the UE security capability in the Registration Request, and confirm that the replayed capability in the command is identical to what the UE sent.
- Check the security header types: 3 on the command, 4 on the Complete, 1 or 2 on the NAS messages that follow.
- Check whether the first protected NAS messages after Security Mode Complete really continue the user journey (Registration Accept, PDU session signaling) rather than a repeated Security Mode Command.
- If a Reject appears, read the 5GMM cause (#23 or #24) before assuming a generic security mismatch.
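The checks in this list run over a constructed trace, as an added example that is not tooling from the page. The `t= dir= msg= sht=` line format, the per-message field names, the two sample traces and the finding codes are assumptions; the security header type (sht) values follow TS 24.501 (3 = integrity protected with a new 5G NAS security context, 4 = integrity protected and ciphered with a new context, 1 and 2 = the same with the context already in use).

```python
"""Trace checks for the NAS Security Mode branch (added example; format and traces constructed)."""

GOOD_TRACE = """\
t=0.000 dir=UL msg=REGISTRATION_REQUEST sht=0 ue_nia=NIA1,NIA2 ue_nea=NEA0,NEA2
t=0.021 dir=DL msg=AUTHENTICATION_REQUEST sht=0 ngksi=1
t=0.045 dir=UL msg=AUTHENTICATION_RESPONSE sht=0
t=0.060 dir=DL msg=SECURITY_MODE_COMMAND sht=3 ngksi=1 nia=NIA2 nea=NEA2
t=0.082 dir=UL msg=SECURITY_MODE_COMPLETE sht=4
t=0.110 dir=DL msg=REGISTRATION_ACCEPT sht=2
"""

# Wrong ngKSI, a ciphering algorithm the UE never offered, a Reject, and a retry of the same command.
BAD_TRACE = """\
t=0.000 dir=UL msg=REGISTRATION_REQUEST sht=0 ue_nia=NIA1,NIA2 ue_nea=NEA0,NEA2
t=0.021 dir=DL msg=AUTHENTICATION_REQUEST sht=0 ngksi=1
t=0.045 dir=UL msg=AUTHENTICATION_RESPONSE sht=0
t=0.060 dir=DL msg=SECURITY_MODE_COMMAND sht=3 ngksi=2 nia=NIA2 nea=NEA1
t=0.082 dir=UL msg=SECURITY_MODE_REJECT sht=0 cause=23
t=0.120 dir=DL msg=SECURITY_MODE_COMMAND sht=3 ngksi=2 nia=NIA2 nea=NEA1
"""

SMC_REPLIES = ("SECURITY_MODE_COMPLETE", "SECURITY_MODE_REJECT")


def parse(text: str) -> list:
    """Each line becomes a dict; t and sht are converted, everything else stays a string."""
    msgs = []
    for line in text.splitlines():
        if line.strip():
            kv = dict(tok.split("=", 1) for tok in line.split())
            kv["t"], kv["sht"] = float(kv["t"]), int(kv["sht"])
            msgs.append(kv)
    return msgs


def check_trace(text: str) -> list:
    """Return finding codes in trace order; an empty list means the branch looks healthy."""
    msgs = parse(text)
    by = lambda name: [m for m in msgs if m["msg"] == name]
    findings = []
    smcs = by("SECURITY_MODE_COMMAND")
    if not smcs:
        return ["NO_SECURITY_MODE_COMMAND"]
    if len(smcs) > 1:                                    # the same branch restarting
        findings.append(f"SMC_REPEATED:{len(smcs)}")
    smc = smcs[0]
    # 1. Ordering: the command must follow a completed authentication exchange.
    auth_rsp = by("AUTHENTICATION_RESPONSE")
    if not auth_rsp or auth_rsp[-1]["t"] > smc["t"]:
        findings.append("SMC_BEFORE_AUTHENTICATION")
    # 2. Header type: 3 = integrity protected with a NEW 5G NAS security context.
    if smc["sht"] != 3:
        findings.append(f"SMC_SHT_{smc['sht']}_EXPECTED_3")
    # 3. Selected algorithms against the capability the UE sent in the Registration Request.
    reg = by("REGISTRATION_REQUEST")
    if reg:
        for key, field in (("nia", "ue_nia"), ("nea", "ue_nea")):
            if smc.get(key) not in set(reg[0].get(field, "").split(",")):
                findings.append(f"{key.upper()}_{smc.get(key)}_NOT_IN_UE_CAPABILITY")
    if smc.get("nia") == "NIA0":                         # only legal for unauthenticated emergency
        findings.append("NULL_INTEGRITY_SELECTED")
    # 4. Context linkage: the command must name the ngKSI used in authentication.
    auth_req = by("AUTHENTICATION_REQUEST")
    if auth_req and auth_req[-1].get("ngksi") != smc.get("ngksi"):
        findings.append("NGKSI_MISMATCH")
    # 5. Reply and protected continuation.
    after = [m for m in msgs if m["t"] > smc["t"]]
    reply = next((m for m in after if m["msg"] in SMC_REPLIES), None)
    if reply is None:
        findings.append("NO_SMC_RESPONSE")
    elif reply["msg"] == "SECURITY_MODE_REJECT":
        findings.append(f"SMC_REJECTED_CAUSE_{reply.get('cause', '?')}")
    else:
        if reply["sht"] != 4:                            # 4 = integrity protected and ciphered, new context
            findings.append(f"COMPLETE_SHT_{reply['sht']}_EXPECTED_4")
        follow = [m for m in after if m["t"] > reply["t"] and m["msg"] != "SECURITY_MODE_COMMAND"]
        if not any(m["sht"] in (1, 2) for m in follow):
            findings.append("NO_PROTECTED_FOLLOW_ON")
    return findings
```

`check_trace(GOOD_TRACE)` returns an empty list; `check_trace(BAD_TRACE)` reports the repeated command, the NEA1 selection the UE never advertised, the ngKSI mismatch and the Reject with cause 23, which is the order a troubleshooter would work through them.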
Related Pages
Related sub-procedures
- 5G Authentication Procedure
- 5G AS Security Activation Procedure
- 5G Security Context Update
- 5G Re-Authentication / Identity Recovery Procedure
FAQ
What is the 5G NAS Security Mode Procedure?
It is the procedure that activates the chosen NAS protection mode after authentication succeeds.
Is this the same as authentication?
No. Authentication proves subscriber legitimacy, while NAS Security Mode activates the selected protection behavior for later NAS signaling.
What usually follows Security Mode Complete?
Protected NAS continuation such as registration progress, identity handling, or later service procedures.
What should I inspect first in a failure?
Start with algorithm choice, UE capability, and whether the authentication-derived security context was handed off correctly.
Why can Security Mode fail after successful authentication?
Because algorithm support, context continuity, and protection activation are separate concerns from primary subscriber authentication.