5G NAS - Network Slice-Specific Authentication Command

Message Fact Sheet

Protocol	nas	Network	5g
Spec	3GPP TS 24.501	Spec Section	8.2.31
Direction	AMF to UE	Message Type	5GMM signaling

Full message name	5G NAS - Network Slice-Specific Authentication Command
Protocol	NAS
Technology	5G
Direction	AMF to UE
Interface	N1
Signaling bearer / channel	NAS signaling / Dedicated NAS message
Typical trigger	Sent when a requested S-NSSAI requires network slice-specific authentication and authorization.
Main purpose	Challenges the UE for slice-specific authentication and authorization in addition to baseline registration handling.
Main specification	3GPP TS 24.501, 8.2.31
Release added	Release 17
Procedures where used	Slice Authentication

What is Network Slice-Specific Authentication Command in simple terms?

Network Slice-Specific Authentication Command is the NAS message the network uses to start slice-specific authentication for a requested S-NSSAI.

Challenges the UE for slice-specific authentication and authorization in addition to baseline registration handling.

Why this message matters

This message means the network wants extra authentication for a specific requested network slice.

Where this message appears in the call flow

Slice Authentication

Call flow position: Network challenge step for slice-specific authentication of a requested S-NSSAI.

Typical state: UE is already in a broader registration flow or registered context but slice access is still being decided.

Preconditions:

The requested S-NSSAI requires slice-specific authentication.

Next likely message: Network Slice-Specific Authentication Complete

Call flow position

Previous message(s): Registration Request, Allowed NSSAI evaluation

Next message(s): Network Slice-Specific Authentication Complete, Network Slice-Specific Authentication Result

Message direction and transport

Sender and receiver: AMF to UE

Interface: N1

Domain: Core-side mobility-management and slicing authorization signaling

Signaling bearer: NAS signaling

Logical channel: Dedicated NAS message

Transport / encapsulation: NAS 5GS message carried end-to-end between AMF and UE

Security context: Used after the UE already has enough core context for slice-specific authentication handling.

Message Structure Overview

This message belongs to the newer slice-specific authentication branch and is not part of every ordinary registration flow.

ASN.1 Message Syntax for 5G NAS - Network Slice-Specific Authentication Command

This message is not typically analyzed as ASN.1 on the wire. It is usually read as a NAS or protocol field structure instead.

This is a NAS 24.501 message introduced for slice-specific authentication handling.

5G NAS - Network Slice-Specific Authentication Command - Example Dump

Network Slice-Specific Authentication Command
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Integrity protected and ciphered
  Message Type: Network Slice-Specific Authentication Command
  S-NSSAI: SST 1, SD 0x112233
  EAP Message: Request

How to read this dump

This message is most useful when correlated with Requested NSSAI, Allowed NSSAI, and rejected slice context.

Important Information Elements

IE	Required	Description
`S-NSSAI`	Yes	Identifies the network slice for which authentication is being requested.
`EAP message`	Yes	Carries the slice-specific authentication challenge payload.

Detailed field explanation

`S-NSSAI`

Identifies the network slice for which authentication is being requested.

Presence: Required

In practice: This is the slice context that ties the session to the network selection outcome. In roaming or slice-specific cases, it is one of the strongest indicators of whether the session landed on the expected slice.

`EAP message`

Carries the slice-specific authentication challenge payload.

Presence: Required

In practice: If present, it reflects the external DN authentication result. It is worth checking when the session succeeds on NAS but service access still depends on an external authentication flow.

What to check in logs and traces

Confirm the requested slice really requires slice-specific authentication.
Check which S-NSSAI the command applies to.
Correlate the command with the following slice-specific complete and result messages.

Common Issues and Troubleshooting

A requested slice is never granted even though registration succeeds.

Likely cause: Slice-specific authentication may have been triggered and failed or never completed.

What to inspect: Check NSSAA command, complete, and result messages together with Allowed NSSAI updates.

Next step: Move analysis from baseline registration success into slice-specific authorization handling.

FAQ

What is Network Slice-Specific Authentication Command?

It is the network's NAS message that starts slice-specific authentication for a requested S-NSSAI.

Related message pages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.