LTE Authentication Reject

Message Fact Sheet

Protocol	nas	Network	lte
Spec	3GPP TS 24.301	Spec Section	5.4.2, 8.2.6
Direction	MME to UE	Message Type	EMM signaling

Full message name	LTE Authentication Reject
Protocol	NAS
Technology	LTE
Direction	MME to UE
Interface	N1 over LTE access / S1-MME control path
Signaling bearer / channel	NAS signaling / Commonly carried in downlink NAS transport after Authentication Request and any later authentication answer handling
Typical trigger	Sent when the MME decides that the current authentication attempt cannot be accepted after challenge handling.
Main purpose	Explicitly stops the current EPS authentication branch from the network side after the MME decides that authentication cannot continue successfully.
Main specification	3GPP TS 24.301, 5.4.2, 8.2.6
Release added	Release 8
Procedures where used	EPS NAS Authentication Procedure, LTE Attach Procedure, Tracking Area Updating Procedure, LTE Service Request Procedure
Related timers	T3460

What is LTE Authentication Reject in simple terms?

Authentication Reject is the EPS NAS message the network sends when the LTE/EPS authentication attempt is not accepted and the current procedure cannot continue.

Explicitly stops the current EPS authentication branch from the network side after the MME decides that authentication cannot continue successfully.

Why this message matters

Authentication Reject means the network refused to continue the current LTE/EPS authentication procedure.

Where this message appears in the call flow

Initial LTE attach authentication reject

LTE initial attach authentication reject flow showing Authentication Request, optional Authentication Response, and Authentication Reject before attach termination — In the attach path, Authentication Reject is the network's explicit negative outcome after the authentication branch.

Call flow position: Negative network outcome sent after Authentication Request in the attach procedure.

Typical state: The attach branch is still unauthenticated and the MME has decided not to continue it.

Preconditions:

The UE entered the attach authentication branch.
The network decided that authentication cannot continue successfully.

Next likely message: Procedure stop or later fresh attach

Tracking area update authentication reject

Call flow position: Negative network outcome sent when TAU triggered NAS authentication but the network does not accept the authentication branch.

Typical state: The UE was trying to preserve existing EPS context, but the MME terminated the authentication branch instead of continuing TAU.

Preconditions:

The UE entered a TAU-related authentication branch.
The MME rejected the authentication continuation.

Next likely message: Procedure stop or later fresh mobility recovery

Service restoration authentication reject

Call flow position: Negative network outcome sent when service restoration triggered NAS authentication but the network rejected that authentication branch.

Typical state: The UE tried to restore service using existing EPS context, but the MME terminated the branch instead of granting later service continuation.

Preconditions:

The UE sent Service Request and the network inserted authentication.
The MME rejected the authentication branch.

Next likely message: Procedure stop or later fresh recovery

Call flow position

Previous message(s): Authentication Request, Authentication Response, Attach Request, Tracking Area Update Request, Service Request

Next message(s): Procedure termination, Fresh attach attempt, Fresh tracking area update attempt, Fresh service recovery attempt

Message direction and transport

Sender and receiver: MME to UE

Interface: N1 over LTE access / S1-MME control path

Domain: Core-side EPS mobility management rejection signaling used when subscriber authentication is terminated by the network

Signaling bearer: NAS signaling

Logical channel: Commonly carried in downlink NAS transport after Authentication Request and any later authentication answer handling

Transport / encapsulation: EPS NAS message sent by the MME and delivered to the UE through the eNodeB as part of the NAS authentication procedure

Security context: Authentication Reject belongs to the negative authentication branch and is tied to a path where later secure continuation is not granted.

Message Structure Overview

Authentication Reject is an EPS mobility-management message rather than an ASN.1 LTE RRC structure.
The message is intentionally short. The useful interpretation comes from the earlier authentication challenge and response branch.
In real traces, Authentication Reject is the network's explicit stop signal for the current LTE/EPS authentication path.

ASN.1 Message Syntax for LTE Authentication Reject

Authentication Reject

How to read this message syntax

Authentication Reject is a NAS layer-3 message, not an ASN.1 LTE RRC message. Its troubleshooting value comes from reading it together with the earlier Authentication Request and any Authentication Response or Authentication Failure.

LTE Authentication Reject - Example Dump

Authentication Reject
  Protocol discriminator: EPS mobility management
  Security header type: Plain NAS message
  Message type: Authentication Reject

How to read this dump

Do not over-read the message body because Authentication Reject is intentionally minimal.
The useful trace work is to correlate it with the earlier authentication challenge and the UE behavior that follows.
Check whether the branch ended after Authentication Response or after another abnormal authentication outcome.

What to check in logs and traces

Confirm which higher-level NAS procedure triggered the authentication branch.
Check whether the UE already sent Authentication Response or Authentication Failure.
Correlate the reject with the earlier Authentication Request.
Check whether the UE releases the branch, retries later, or restarts from a broader mobility procedure.
Use T3460 only as procedure context, not as a carried IE in Authentication Reject.

Common Issues and Troubleshooting

Authentication starts but stops without later Security Mode Command.

Likely cause: The network may have terminated the authentication branch with Authentication Reject.

What to inspect: Check Authentication Request, any Authentication Response or Authentication Failure, and then Authentication Reject as one sequence.

Next step: Shift analysis back to the earlier subscriber-authentication exchange instead of only looking for later security messages.

Attach or TAU fails after entering common NAS authentication.

Likely cause: The MME rejected the authentication branch and therefore did not allow later continuation.

What to inspect: Read the full attach or TAU path up to Authentication Reject and compare with a known-good authentication branch.

Next step: Treat it as a network-side negative authentication decision, not just a missing follow-up message.

Service restoration never reaches Service Accept after authentication was triggered.

Likely cause: The service branch may have been terminated by Authentication Reject.

What to inspect: Check Service Request, Authentication Request, any UE authentication answer, and Authentication Reject together.

Next step: Read the failure as service restoration blocked by common NAS authentication rejection.

LTE / 5G / Variant Comparison

Compared with Authentication Request

Authentication Request is the network challenge. Authentication Reject is the network decision to terminate that challenge branch.

Compared with Authentication Response

Authentication Response is the UE answer to the challenge. Authentication Reject is the network's negative outcome after that authentication branch.

Compared with Authentication Failure

Authentication Failure is the UE reporting a problem with the challenge. Authentication Reject is the network rejecting the authentication branch from its side.

FAQ

What is Authentication Reject in LTE?

It is the EPS NAS message the network sends when it refuses to continue the current authentication procedure.

What should I inspect first in Authentication Reject?

Start with the earlier Authentication Request and any UE answer such as Authentication Response or Authentication Failure.

What usually comes after Authentication Reject?

The current procedure stops, and the UE may later restart with a fresh attach, TAU, or other recovery attempt.

Why is Authentication Reject important in troubleshooting?

Because it confirms a network-side negative authentication decision, which shifts analysis back to the earlier challenge-response branch.

Related message pages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.