LTE Authentication Procedure Call Flow
LTE Authentication is the EPS AKA procedure that proves the UE and network are working with the right subscriber security context before protected NAS continuation starts. It is built around Authentication Request, Authentication Response, and the failure branches that follow when validation does not succeed.
If this procedure fails, later NAS security, attach acceptance, TAU continuation, or service restoration will not proceed normally.
Introduction
The LTE Authentication procedure uses HSS-provided EPS AKA vectors and UE-side USIM validation to confirm subscriber authenticity. It normally appears during attach, combined attach, TAU, or other registration-related continuation when fresh authentication is needed.
The main nodes are UE, eNB, MME, and HSS. The eNB transports the NAS exchange, the MME drives the procedure, and the HSS supplies authentication material over S6a.
What Is LTE Authentication in Simple Terms?
- What starts the procedure: The network needs to verify the subscriber before later protected NAS continuation.
- What the UE and network want to achieve: Confirm the subscriber identity and derive the basis for later NAS security activation.
- What success looks like: The MME sends Authentication Request and the UE returns Authentication Response.
- What failure means: The UE returns Authentication Failure, the network sends Authentication Reject, or the exchange never completes with valid subscriber confirmation.
Why this procedure matters
This is the checkpoint that decides whether the network can trust the subscriber context before it moves into NAS security and later service continuation.
Quick Fact Sheet
| Procedure name | LTE Authentication Procedure |
|---|---|
| Domain | EPS AKA subscriber authentication |
| Main trigger | Fresh subscriber validation needed during attach, TAU, or similar NAS continuation |
| Start state | UE has started a NAS procedure, but subscriber authenticity is not yet confirmed for this branch |
| End state | MME has a successful authentication result or a clear failure outcome |
| Main nodes | UE, eNB, MME, HSS |
| Main protocols | NAS, S1AP, Diameter |
| Main success outcome | Authentication succeeds and the flow can move into NAS security |
| Main failure outcome | Authentication fails or is rejected and the higher-level procedure stops or restarts |
| Most important messages | Authentication Request, Authentication Response, Authentication Failure, Authentication Reject |
| Main specs | TS 24.301, TS 33.401, TS 29.272, TS 23.401 |
Preconditions
- The UE has already started a NAS procedure such as attach or TAU.
- The MME has enough identity context to request authentication vectors from the HSS.
- The HSS can return valid EPS AKA material for the subscriber.
- Radio and S1-MME transport are healthy enough to carry the challenge and response.
Nodes involved
| Node | Role in this procedure |
|---|---|
| UE | Validates AUTN in the USIM and returns the AKA result. |
| eNB | Transports the NAS authentication exchange between UE and MME. |
| MME | Requests authentication vectors, sends the challenge, and evaluates the UE response. |
| HSS | Provides authentication vectors and subscription support for the authentication branch. |
Interfaces used
| Interface | Path | Role |
|---|---|---|
| LTE Uu | UE <-> eNB | Carries the RRC transport used for downlink and uplink NAS authentication messages. |
| S1-MME | eNB <-> MME | Carries NAS transport between access and the core. |
| S6a | MME <-> HSS | Carries vector retrieval and subscriber profile exchange over Diameter. |
End-to-end call flow
UE             eNB             MME               HSS
|               |               |                 |
|               |               |-- AIR / AIA --->|
|               |               |<-- vectors -----|
|<-- Authentication Request ----|                 |
|-- Authentication Response --->|                 |
|               |               |                 |
|  next branch: NAS security or failure handling  |
Major phases
| Phase | What happens |
|---|---|
| 1. Vector retrieval | The MME gets authentication vectors from the HSS. |
| 2. Challenge delivery | The MME sends Authentication Request to the UE. |
| 3. UE validation | The USIM validates AUTN and builds the AKA result. |
| 4. Response or failure | The UE returns Authentication Response or Authentication Failure, or the network moves into reject handling. |
Step-by-step breakdown
Step 1: Vector retrieval
Sender -> receiver: MME <-> HSS
Message(s): Diameter authentication vector request and answer
Purpose: Obtain valid EPS AKA material for the subscriber.
State or context change: The MME has RAND, AUTN, and the expected AKA result basis.
Note: If vectors are stale or late, the radio side may look normal while authentication still fails.
Step 2: Authentication Request
Sender -> receiver: MME -> eNB -> UE
Message(s): Authentication Request
Purpose: Challenge the UE with the AKA material.
State or context change: The UE now validates the challenge against the USIM state.
Note: RAND and AUTN timing are often enough to line up core and air traces.
Step 3: UE validation
Sender -> receiver: UE internal processing
Message(s): No visible transport message yet
Purpose: Verify AUTN freshness and calculate the correct AKA result.
State or context change: The UE chooses between Response, Failure, or another negative branch.
Note: This is where MAC failure or synch failure becomes meaningful.
Step 4: Response or failure
Sender -> receiver: UE -> eNB -> MME
Message(s): Authentication Response, Authentication Failure, or network-driven Authentication Reject
Purpose: Close the AKA branch with a positive or negative subscriber authentication result.
State or context change: The next path becomes NAS security, retry, or rejection.
Note: Security Mode should not be expected unless the AKA branch really succeeded.
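The UE-side decision in Steps 3 and 4 can be sketched as follows. This is an added example, not code from the original page or from any 3GPP implementation: the `_prf` function is a stand-in for the operator's f1/f5 algorithms (not Milenage), the SQN window rule is a simplified freshness check, and `build_autn`, `usim_validate`, `K` and `RAND` are hypothetical names and constructed values.

```python
import hashlib
import hmac

# AUTN layout (3GPP TS 33.102): (SQN xor AK)[6] || AMF[2] || MAC[8] = 16 bytes.
# EMM cause values are those defined in TS 24.301.
MAC_FAILURE, SYNCH_FAILURE, NON_EPS_AUTH = 20, 21, 26

def _prf(k, label, data, n):
    """Stand-in for the operator's f1/f5 functions; this is NOT Milenage."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_autn(k, rand, sqn, amf=b"\x80\x00"):
    """Network side (hypothetical helper): build the AUTN of one vector."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = _prf(k, b"f1", sqn_b + rand + amf, 8)
    return _xor(sqn_b, _prf(k, b"f5", rand, 6)) + amf + mac

def usim_validate(k, rand, autn, sqn_ms, window=32):
    """UE side: return (NAS message to send, EMM cause or None).

    sqn_ms is the highest SQN the USIM has accepted; the window rule is an
    assumed, simplified freshness check (real USIMs use a sequence-number
    scheme such as the ones in TS 33.102 Annex C).
    """
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN are 16 bytes each")
    sqn_b = _xor(autn[:6], _prf(k, b"f5", rand, 6))
    amf, mac = autn[6:8], autn[8:]
    xmac = _prf(k, b"f1", sqn_b + rand + amf, 8)
    if not hmac.compare_digest(mac, xmac):       # network not authentic
        return ("Authentication Failure", MAC_FAILURE)
    if not amf[0] & 0x80:                        # AMF separation bit must be 1
        return ("Authentication Failure", NON_EPS_AUTH)
    sqn = int.from_bytes(sqn_b, "big")
    if not sqn_ms < sqn <= sqn_ms + window:      # replayed or stale vector
        return ("Authentication Failure", SYNCH_FAILURE)  # real UE adds AUTS
    return ("Authentication Response", None)     # RES computation omitted

K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
RAND = bytes(range(16))                                 # constructed challenge
```

A vector replayed after the USIM has already accepted its SQN passes the MAC check but lands in the synch failure branch, which is why the failure cause matters more than the bare fact of a failure.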
Important messages
| Message | Protocol | Direction | Purpose in this procedure | What to inspect briefly |
|---|---|---|---|---|
| Authentication Request | NAS | MME -> UE | Delivers the AKA challenge to the UE. | RAND, AUTN, and relation to HSS vector retrieval. |
| Authentication Response | NAS | UE -> MME | Returns the positive AKA result. | Timing and whether Security Mode follows cleanly. |
| Authentication Failure | NAS | UE -> MME | Signals that AKA validation failed at the UE side. | Failure cause and whether sync recovery is expected. |
| Authentication Reject | NAS | MME -> UE | Stops the authentication branch after failure handling. | Whether the network terminated the procedure explicitly. |
Important parameters to inspect
| Parameter | What it is | Where it appears | Why it matters | Common issues |
|---|---|---|---|---|
| IMSI / GUTI | The subscriber identity tied to vector retrieval. | Before authentication and HSS interaction | Explains which subscriber context the MME is authenticating. | Stale GUTI, wrong identity correlation. |
| RAND | The random AKA challenge value. | Authentication Request | Part of the challenge the USIM uses to compute the response. | Trace misread, vector mismatch. |
| AUTN | The authentication token used for network authentication and freshness checks. | Authentication Request | Explains MAC failure and synchronization failure cases. | MAC failure, synch failure, stale vector use. |
| Failure cause | The reason returned when AKA validation fails. | Authentication Failure | Separates sync problems from broader validation failure. | Cause misread, no later sync recovery attempt. |
| Next-message continuity | The message immediately after successful authentication. | After Authentication Response | Confirms whether the procedure moved correctly into NAS security. | Authentication appears successful but Security Mode never starts. |
Successful completion of the procedure
Success is confirmed when the MME receives Authentication Response and the flow moves forward into LTE Security Mode Procedure or another protected continuation path.
Common failures in LTE Authentication
| Symptom | Likely cause | Where to inspect | Relevant message(s) | Relevant interface(s) | Likely next step |
|---|---|---|---|---|---|
| Authentication Failure with MAC or sync issue | USIM validation failed or the sequence state is out of sync. | Authentication Request contents and failure cause. | Authentication Request, Authentication Failure | NAS, S6a | Check whether vector freshness or sync recovery explains the branch. |
| No Authentication Response returns | UE did not accept the challenge or uplink transport broke. | Radio continuity and response timing. | Authentication Request, Authentication Response | LTE Uu, S1-MME | Separate UE-side AKA failure from transport loss. |
| Authentication looks successful, but no Security Mode follows | The next procedure broke or the trace is incomplete. | Immediate post-authentication continuity. | Authentication Response and next message | NAS, S1-MME | Check whether the flow moved toward Security Mode or another branch. |
What to check in logs and traces
- Correlate HSS vector retrieval with the later Authentication Request timing.
- Inspect AUTN-related failure causes before assuming a generic reject.
- Confirm that Authentication Response really reaches the MME.
- Use the first later message after Authentication Response to verify continuity into Security Mode.
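The checks above can be applied mechanically to a decoded trace. The following is an added example, not part of the original page: the event tuple format, the `classify_auth_rounds` function, the `max_vector_age` threshold and the sample trace are all assumptions constructed for illustration.

```python
AIR = "Authentication-Information-Request"   # Diameter S6a (the page's AIR)
AIA = "Authentication-Information-Answer"    # Diameter S6a (the page's AIA)
EMM_CAUSES = {20: "MAC failure", 21: "Synch failure",
              26: "Non-EPS authentication unacceptable"}  # TS 24.301 values

def classify_auth_rounds(events, max_vector_age=5.0):
    """events: time-ordered (t_seconds, message, emm_cause_or_None) for one UE.
    Returns one finding per Authentication Request in the trace.
    max_vector_age is a hypothetical threshold for flagging a late challenge."""
    findings, last_aia = [], None
    for i, (t, msg, _) in enumerate(events):
        if msg == AIA:
            last_aia = t
        if msg != "Authentication Request":
            continue
        notes = []
        if last_aia is None:
            notes.append("no vector retrieval seen before challenge")
        elif t - last_aia > max_vector_age:
            notes.append("challenge sent %.1fs after vector retrieval" % (t - last_aia))
        nas = [e for e in events[i + 1:] if e[1] not in (AIR, AIA)]
        first = nas[0][1] if nas else None
        if first is None or first == "Authentication Request":
            notes.append("no Authentication Response: UE-side failure or transport loss")
        elif first == "Authentication Failure":
            notes.append("UE failure: " + EMM_CAUSES.get(nas[0][2], "unknown cause"))
        elif first == "Authentication Reject":
            notes.append("network sent Authentication Reject")
        elif first == "Authentication Response":
            nxt = nas[1][1] if len(nas) > 1 else None
            notes.append("success, Security Mode Command follows"
                         if nxt == "Security Mode Command"
                         else "response seen but no Security Mode Command follows")
        else:
            notes.append("unexpected message after challenge: " + first)
        findings.append("; ".join(notes))
    return findings

# Constructed trace: synch failure, re-fetched vectors, then a clean round.
SAMPLE_TRACE = [
    (0.00, AIR, None), (0.02, AIA, None),
    (0.03, "Authentication Request", None),
    (0.10, "Authentication Failure", 21),
    (0.11, AIR, None), (0.13, AIA, None),
    (0.14, "Authentication Request", None),
    (0.20, "Authentication Response", None),
    (0.21, "Security Mode Command", None),
]
```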
Notes
Authentication and Security Mode are different steps. Authentication proves the AKA branch first; Security Mode activates the NAS protection state afterward.
The cleanest trace pivot is often Authentication Response followed immediately by Security Mode Command.
FAQ
What is LTE Authentication?
It is the EPS AKA procedure used to validate the subscriber before later protected NAS continuation.
Which node provides authentication vectors?
The HSS provides them to the MME over S6a.
What usually follows successful authentication?
LTE Security Mode usually follows next.
What does Authentication Failure mean?
It means the UE could not validate the AKA challenge successfully.