LTE Security Mode Command
Security Mode Command is the EPS NAS message the MME sends to activate the selected NAS security algorithms and move the LTE/EPS procedure into protected signaling.
Message Fact Sheet
Protocol: NAS
Network: LTE
Spec: 3GPP TS 24.301
Spec Section: 5.4.3, 8.2.20
Direction: MME to UE
Message Type: EMM signaling
Full message name: LTE Security Mode Command
Technology: LTE
Interface: N1 over LTE access / S1-MME control path
Signaling bearer / channel: NAS signaling / Commonly carried in downlink NAS transport after successful authentication and before later attach, TAU, or service continuation
Typical trigger: Sent after successful authentication when the MME is ready to activate NAS security before later LTE/EPS procedure continuation.
Main purpose: Commands the UE to start using the selected NAS ciphering and integrity algorithms so later attach, TAU, or service handling can continue under NAS security.
Main specification: 3GPP TS 24.301, 5.4.3, 8.2.20
Release added: Release 8
Procedures where used: EPS NAS Security Mode Control Procedure, LTE Attach Procedure, Tracking Area Updating Procedure, LTE Service Request Procedure
What is LTE Security Mode Command in simple terms?
Security Mode Command is the EPS NAS message the MME sends to activate the selected NAS security algorithms and move the LTE/EPS procedure into protected signaling.
Commands the UE to start using the selected NAS ciphering and integrity algorithms so later attach, TAU, or service handling can continue under NAS security.
Why this message matters
Security Mode Command is the network telling the UE which LTE/EPS NAS security settings to start using.
Where this message appears in the call flow
Initial LTE attach NAS security activation
In the attach path, Security Mode Command is the MME step that moves the procedure from successful authentication into protected NAS continuation.
Call flow position: Security activation step after successful authentication and before later attach continuation.
Typical state: The UE is authenticated, but the MME has not yet switched the procedure into the selected protected NAS state.
Preconditions:
Authentication completed successfully.
The MME selected NAS security algorithms and key context.
Next likely message: Attach continuation under protected NAS signaling
Tracking area update NAS security activation
In the TAU path, Security Mode Command activates protected NAS handling before the mobility-refresh branch continues.
Call flow position: Security activation step when the TAU branch needs protected NAS continuation after authentication.
Typical state: The UE is preserving EPS registration context, but the network wants later TAU handling to continue under the selected NAS security state.
Preconditions:
TAU entered common NAS authentication and that branch completed successfully.
The MME selected the NAS security context for continuation.
Next likely message: Later TAU continuation under NAS security
Service restoration NAS security activation
In the service-restoration path, Security Mode Command explains why the branch continues under protected NAS handling before later service messages appear.
Call flow position: Security activation step when service restoration needs protected NAS continuation after successful authentication.
Typical state: The UE is restoring service using existing EPS context, and the MME is moving the branch into protected NAS signaling before later service handling.
Preconditions:
Service Request triggered common NAS authentication and that branch completed successfully.
The network selected NAS security algorithms and key context.
Next likely message: Later service continuation under NAS security
Interface: N1 over LTE access / S1-MME control path
Domain: Core-side EPS mobility management and security signaling used to activate protected NAS communication
Signaling bearer: NAS signaling
Logical channel: Commonly carried in downlink NAS transport after successful authentication and before later attach, TAU, or service continuation
Transport / encapsulation: EPS NAS message sent by the MME and delivered to the UE through the eNodeB as part of the NAS security mode control procedure
Security context: This message is the transition point into protected EPS NAS signaling, so it is read together with the selected algorithms, key set context, and the authentication branch that came before it.
Message Structure Overview
Security Mode Command is an EPS mobility-management message rather than an ASN.1 LTE RRC structure.
The practical reading path starts with the selected NAS security algorithms, the NAS key set identifier, and the replayed UE security capabilities.
In real traces, this message is the clearest sign that common NAS handling is crossing from authentication into protected EPS signaling.
Message Syntax for LTE Security Mode Command
Security Mode Command
  Selected NAS security algorithms
  NAS key set identifier
  Replayed UE security capabilities
  IMEISV request OPTIONAL
  NonceUE OPTIONAL
How to read this message syntax
Security Mode Command is a NAS layer-3 message, not an ASN.1 LTE RRC message. Read it together with the earlier authentication branch because the selected algorithms and key set only make sense after successful subscriber verification.
LTE Security Mode Command - Example Dump
Security Mode Command
  Protocol discriminator: EPS mobility management
  Security header type: Integrity protected and ciphered with new EPS NAS security context
  Message type: Security Mode Command
  Selected NAS security algorithms
    Ciphering algorithm: EEA1
    Integrity algorithm: EIA1
  NAS key set identifier: native KSI 3
  Replayed UE security capabilities: EEA0 EEA1 EEA2 EIA1 EIA2
  IMEISV request: not requested
How to read this dump
Start with the selected algorithms and the security header treatment because they show how the MME is activating NAS protection.
Compare the replayed UE security capabilities against what the UE reported earlier in the procedure.
After this message, the most useful next check is whether the procedure continues cleanly under NAS security.
Important Information Elements
IE | Required | Description
Selected NAS security algorithms | Yes | Indicates the NAS ciphering and integrity algorithms the UE must activate.
NAS key set identifier | Yes | Identifies the NAS key set context that applies to the selected security configuration.
Replayed UE security capabilities | Yes | Lets you confirm that the MME selected security based on the UE capabilities it believes were reported earlier.
IMEISV request | Optional | May ask the UE to return IMEISV during later protected procedure handling.
NonceUE | Optional | May be present in specific continuation cases tied to the NAS security procedure.
Detailed field explanation
Selected NAS security algorithms
Indicates the NAS ciphering and integrity algorithms the UE must activate.
Presence: Required
In practice: Compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
NAS key set identifier
Identifies the NAS key set context that applies to the selected security configuration.
Presence: Required
In practice: Compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
Replayed UE security capabilities
Lets you confirm that the MME selected security based on the UE capabilities it believes were reported earlier.
Presence: Required
In practice: Compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
IMEISV request
May ask the UE to return IMEISV during later protected procedure handling.
Presence: Optional
In practice: Compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
NonceUE
May be present in specific continuation cases tied to the NAS security procedure.
Presence: Optional
In practice: Compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
What to check in logs and traces
Confirm the message appears only after successful authentication or valid security-context recovery.
Check the selected NAS ciphering and integrity algorithms.
Verify the NAS key set identifier and confirm it matches the expected security context.
Compare replayed UE security capabilities with what the UE reported earlier.
Follow the trace into later attach, TAU, or service continuation and confirm the protected branch continues cleanly.
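The checks above, as an added example that is not part of the original page: a small parser and audit for the plain Security Mode Command body, run against bytes constructed to match the example dump. It assumes the outer security header (header octet, MAC, sequence number) has already been removed by the trace tool; the names `parse_smc`, `audit`, `SMC_HEX` and `REPORTED_CAPS` are hypothetical, and only the EEA/EIA bitmaps are compared.

```python
# Added example; SMC_HEX and REPORTED_CAPS are constructed to match the dump on this page.
from dataclasses import dataclass

EMM_PLAIN, MSG_SMC = 0x07, 0x5D  # plain EMM header octet, Security Mode Command type

@dataclass
class SecurityModeCommand:
    eea: int          # selected ciphering algorithm, 0..7
    eia: int          # selected integrity algorithm, 0..7
    ksi: int          # NAS key set identifier value
    native: bool      # TSC bit clear = native security context
    replayed: bytes   # replayed UE security capabilities (value part)

def parse_smc(pdu: bytes) -> SecurityModeCommand:
    """Parse the plain (security header already removed) Security Mode Command."""
    if len(pdu) < 7 or pdu[0] != EMM_PLAIN or pdu[1] != MSG_SMC:
        raise ValueError("not a plain EMM Security Mode Command")
    alg, ksi, cap_len = pdu[2], pdu[3], pdu[4]
    if not 2 <= cap_len <= 5 or len(pdu) < 5 + cap_len:
        raise ValueError("bad replayed UE security capabilities length")
    return SecurityModeCommand((alg >> 4) & 7, alg & 7, ksi & 7,
                               not ksi & 0x08, pdu[5:5 + cap_len])

def supports(caps: bytes, octet: int, alg: int) -> bool:
    """Octet 0 is the EEA bitmap, octet 1 the EIA bitmap; algorithm 0 is bit 8."""
    return bool(caps[octet] & (0x80 >> alg))

def audit(smc: SecurityModeCommand, reported: bytes) -> list[str]:
    """Compare the command with the EEA/EIA bitmaps the UE sent earlier."""
    findings = []
    if smc.replayed[:2] != reported[:2]:
        findings.append("replayed EEA/EIA capabilities differ from reported")
    if not supports(reported, 0, smc.eea):
        findings.append(f"selected EEA{smc.eea} not offered by UE")
    if not supports(reported, 1, smc.eia):
        findings.append(f"selected EIA{smc.eia} not offered by UE")
    if smc.eia == 0:
        findings.append("EIA0 selected: NAS integrity is null")
    if smc.eea == 0:
        findings.append("EEA0 selected: NAS signaling is not ciphered")
    return findings

SMC_HEX = "075d110302e060"             # constructed: EEA1/EIA1, native KSI 3
REPORTED_CAPS = bytes.fromhex("e060")  # constructed: EEA0-2, EIA1-2 as reported by the UE
```

An empty findings list means the replayed capabilities match what the UE reported and the selected algorithms are ones the UE offered; any finding is a reason to line the trace up against the earlier Attach Request before looking at later accept handling.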
Common Issues and Troubleshooting
Authentication completed but the LTE/EPS procedure still stalls.
Likely cause: Security Mode Command may not have been accepted or the selected NAS security context may not line up with the UE capabilities.
What to inspect: Check the selected algorithms, NAS key set identifier, replayed capabilities, and the first protected NAS step that follows.
Next step: Treat this as the transition boundary between authentication success and protected continuation.
The branch reaches Security Mode Command but later accept handling does not arrive.
Likely cause: The UE may not have accepted the NAS security activation cleanly, or the MME may not have completed the protected continuation path.
What to inspect: Compare the earlier authentication branch with the security command and the first later protected NAS message.
Next step: Validate NAS security activation before blaming later Attach Accept, TAU Accept, or Service Accept behavior.
Procedure behavior differs between apparently similar attach or TAU traces.
Likely cause: The selected security algorithms or key set context may differ even if the earlier authentication branch looks similar.
What to inspect: Check Security Mode Command side by side across the traces, especially the selected algorithms and replayed capabilities.
Next step: Use the security command as the pivot between authentication and later procedure continuation.
LTE / 5G / Variant Comparison
Compared with LTE Authentication Response
Authentication Response is the UE proof step in the authentication challenge. Security Mode Command comes later when the MME activates protected NAS signaling after that branch succeeds.
Compared with LTE Attach Accept
Security Mode Command activates NAS protection before later accept handling. Attach Accept is the later mobility outcome once the protected branch continues.
Compared with LTE RRC Security Mode Command
This page is the LTE NAS Security Mode Command between the MME and UE. The LTE RRC Security Mode Command is a different access-stratum message between the eNodeB and UE.
FAQ
What is Security Mode Command in LTE NAS?
It is the EPS NAS message the MME sends to tell the UE which NAS security algorithms to activate.
What should I inspect first in Security Mode Command?
Start with the selected NAS ciphering and integrity algorithms, then the NAS key set identifier, then the replayed UE security capabilities.
What usually comes after Security Mode Command?
The procedure usually continues under protected NAS signaling into later attach, TAU, or service handling.
Is this the same as LTE RRC Security Mode Command?
No. This page is the LTE NAS message between the MME and UE, not the LTE RRC access-stratum message between the eNodeB and UE.