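TS 23.501 Chinese-English Parallel Text (32): Secondary authentication/authorization by a DN-AAA server during the establishment of a PDU Session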

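Preface

This post is a Chinese-English parallel translation of TS 23.501, the most fundamental and most important 5G specification.

It is not a full translation, however; please note the following:

  • It is not a full translation: features that are unlikely to be used in China are not translated.

  • Some clauses of the original have no content or are of little significance and are skipped.

  • The translation therefore starts from clause 4.

  • Each sentence of the English original is followed by one sentence of Chinese, for easy comparison.

  • It uses the latest R18.8 version, released in December 2024.

  • Questions are welcome; feel free to get in touch on WeChat.

  • Author's WeChat ID: gprshome201101; WeChat name: 爱卫生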


5.6.6 Secondary authentication/authorization by a DN-AAA server during the establishment of a PDU Session

At PDU Session Establishment to a DN:

  • The DN-specific identity (TS 33.501 [29]) of a UE may be authenticated/authorized by the DN.

NOTE 1: The DN-AAA server may belong to the 5GC or to the DN.

  • If the UE provides authentication/authorization information corresponding to a DN-specific identity during the Establishment of the PDU Session and the SMF determines that Secondary authentication/authorization of the PDU Session Establishment is required based on the SMF policy associated with the DN, the SMF passes the authentication/authorization information of the UE to the DN-AAA server via the UPF if the DN-AAA server is located in the DN. If the SMF determines that Secondary authentication/authorization of the PDU Session Establishment is required but the UE has not provided a DN-specific identity as part of the PDU Session Establishment request, the SMF requests the UE to indicate a DN-specific identity using EAP procedures as described in TS 33.501 [29]. If the Secondary authentication/authorization of the PDU Session Establishment fails, the SMF rejects the PDU Session Establishment.

NOTE 2: If the DN-AAA server is located in the 5GC and reachable directly, then the SMF may communicate with it directly without involving the UPF.

  • The DN-AAA server may authenticate/authorize the PDU Session Establishment.

  • When DN-AAA server authorizes the PDU Session Establishment, it may send DN Authorization Data for the established PDU Session to the SMF. The DN authorization data for the established PDU Session may include one or more of the following:

      • A DN Authorization Profile Index which is a reference to authorization data for policy and charging control locally configured in the SMF or PCF.

      • A list of allowed MAC addresses for the PDU Session; this shall apply only for PDU Session of Ethernet PDU type and is further described in clause 5.6.10.2.

      • A list of allowed VLAN tags for the PDU Session; this shall apply only for PDU Session of Ethernet PDU type and is further described in clause 5.6.10.2.

      • DN authorized Session AMBR for the PDU Session. The DN Authorized Session AMBR for the PDU Session takes precedence over the subscribed Session-AMBR received from the UDM.

      • Framed Route information (see clause 5.6.14) for the PDU Session.

      • L2TP information, such as LNS IP address and/or LNS host name, as described in TS 29.561 [132].

SMF policies may require DN authorization without Secondary authentication/authorization. In that case, when contacting the DN-AAA server for authorization, the SMF provides the GPSI of the UE if available.
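
The SMF-side decisions described so far (policy check, EAP identity request when the UE sent no DN-specific identity, relay via the UPF or directly, rejection on failure, and the authorization-only case carrying the GPSI), as an added Python example that is not part of the original post or of the 3GPP specification. `DnPolicy`, `Request`, `establish`, `demo_aaa` and all sample identities are hypothetical, and the EAP exchange is collapsed into a single `ask_ue` callback.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DnPolicy:                 # hypothetical per-DN SMF policy
    secondary_auth: bool        # Secondary authentication/authorization required
    authorization_only: bool    # DN authorization without secondary auth
    aaa_in_5gc: bool            # NOTE 2: DN-AAA reachable directly, UPF not involved

@dataclass
class Request:                  # hypothetical view of the NAS SM request
    dn_identity: Optional[str] = None
    auth_info: Optional[str] = None
    gpsi: Optional[str] = None

USERS = {"alice@corp.example": "s3cret"}   # constructed DN-AAA user store
ALLOWED_GPSI = {"msisdn-15550100"}         # constructed GPSI allow-list

def demo_aaa(identity, auth_info, gpsi):
    """Constructed DN-AAA stub; unknown identities and empty credentials fail."""
    if identity is None:                   # authorization-only request
        return gpsi in ALLOWED_GPSI
    return auth_info is not None and USERS.get(identity) == auth_info

def establish(req, policy, aaa, ask_ue):
    """Return (outcome, trace); trace records each signalling step the SMF takes."""
    trace = []
    path = "direct" if policy.aaa_in_5gc else "via UPF"
    if policy.secondary_auth:
        identity, auth_info = req.dn_identity, req.auth_info
        if identity is None:               # UE sent no DN-specific identity
            trace.append("SMF->UE: EAP identity request (NAS SM)")
            identity, auth_info = ask_ue()
        trace.append(f"SMF->DN-AAA {path}: authenticate {identity}")
        ok = aaa(identity, auth_info, req.gpsi)
    elif policy.authorization_only:
        trace.append(f"SMF->DN-AAA {path}: authorize GPSI {req.gpsi}")
        ok = aaa(None, None, req.gpsi)
    else:
        return "accept", trace             # policy asks for no DN involvement
    if not ok:
        trace.append("SMF->UE: PDU Session Establishment reject (NAS SM)")
        return "reject", trace
    return "accept", trace
```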

Such Secondary authentication/authorization takes place for the purpose of PDU Session authorization in addition to:

  • The 5GC access authentication handled by AMF and described in clause 5.2.

  • The PDU Session authorization enforced by SMF with regards to subscription data retrieved from UDM.

Based on local policies the SMF may initiate Secondary authentication/authorization at PDU Session Establishment. The SMF provides the GPSI, if available, in the signalling exchanged with the DN-AAA during Secondary authentication/authorization.

After the successful Secondary authentication/authorization, a session is kept between the SMF and the DN-AAA.

The UE provides the authentication/authorization information required to support Secondary authentication/authorization by the DN over NAS SM.

If a UE is configured with DNNs, which are subject to secondary authentication/authorization, the UE stores an association between the DNN and corresponding credentials for the secondary authentication/authorization.

NOTE 3: How the UE is aware that a DNN is subject to secondary authentication/authorization (e.g. based on local configuration) is out of scope of this specification.

The UE may support remote provisioning of credentials for secondary authentication/authorization, as specified in clause 5.39.

A UE that supports to be provisioned with the credentials used for secondary authentication/authorization over UP remote provisioning shall use connectivity over an S-NSSAI/DNN which can access the provisioning server to establish a PDU session for remote provisioning as defined in clause 5.39.

NOTE 4: The credentials for secondary authentication/authorization are not specified.

SMF policies or subscription information (such as defined in Table 5.2.3.3.1 of TS 23.502 [3]) may trigger the need for SMF to request the Secondary authentication/authorization and/or UE IP address / Prefix from the DN-AAA server.

When SMF adds a PDU Session Anchor (such as defined in clause 5.6.4) to a PDU Session, Secondary authentication/authorization is not carried out, but SMF policies may require SMF to notify the DN when a new prefix or address has been added to or removed from a PDU Session or N6 traffic routing information has been changed for a PDU Session.

When SMF gets notified from UPF with the addition or removal of MAC addresses to/from a PDU Session, the SMF policies may require SMF to notify the DN-AAA server.

Indication of PDU Session Establishment rejection is transferred by SMF to the UE via NAS SM.

If the DN-AAA sends DN Authorization Data for the authorized PDU Session to the SMF and dynamic PCC is deployed, the SMF sends the PCF the DN authorized Session AMBR and/or DN Authorization Profile Index in the DN Authorization Data for the established PDU Session.

If the DN-AAA sends DN Authorization Profile Index in DN Authorization Data to the SMF and dynamic PCC is not deployed, the SMF uses the DN Authorization Profile Index to refer to the locally configured information.

NOTE 5: DN Authorization Profile Index is assumed to be pre-negotiated between the operator and the administrator of DN-AAA server.

If the DN-AAA does not send DN Authorization Data for the established PDU Session, the SMF may use locally configured information.
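
How an SMF could apply received DN Authorization Data under the rules above (MAC/VLAN lists honoured only for Ethernet PDU Sessions, DN authorized Session AMBR overriding the UDM value, PCF forwarding versus local profile lookup), as an added Python example that is not part of the original post or of the 3GPP specification. The class, function, profile names and the kbps unit are hypothetical; rejecting an unknown profile index is an assumption that follows from NOTE 5 (the index is pre-negotiated).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DnAuthData:                        # fields follow the list in this clause
    profile_index: Optional[str] = None
    allowed_macs: list = field(default_factory=list)
    allowed_vlans: list = field(default_factory=list)
    session_ambr_kbps: Optional[int] = None

# Constructed local SMF configuration (profile names are placeholders).
LOCAL_PROFILES = {"corp-gold": {"charging": "flat", "qos": "5qi-8"}}
LOCAL_DEFAULT = {"charging": "default", "qos": "5qi-9"}

def apply_dn_auth_data(pdu_type, subscribed_ambr_kbps, data, dynamic_pcc):
    """Return the session context held by the SMF after DN-AAA authorization."""
    ctx = {"session_ambr_kbps": subscribed_ambr_kbps, "to_pcf": {}, "local": None,
           "allowed_macs": None, "allowed_vlans": None}
    if data is None:                     # DN-AAA sent nothing: local configuration
        ctx["local"] = LOCAL_DEFAULT
        return ctx
    if pdu_type == "Ethernet":           # MAC/VLAN lists apply to Ethernet only
        ctx["allowed_macs"] = [m.lower() for m in data.allowed_macs] or None
        ctx["allowed_vlans"] = list(data.allowed_vlans) or None
    if data.session_ambr_kbps is not None:   # DN value overrides the UDM value
        ctx["session_ambr_kbps"] = data.session_ambr_kbps
    if dynamic_pcc:                      # forward AMBR and/or index to the PCF
        if data.session_ambr_kbps is not None:
            ctx["to_pcf"]["dn_session_ambr_kbps"] = data.session_ambr_kbps
        if data.profile_index is not None:
            ctx["to_pcf"]["profile_index"] = data.profile_index
    elif data.profile_index is not None: # no PCC: resolve the index locally
        if data.profile_index not in LOCAL_PROFILES:
            raise KeyError(f"unknown profile index {data.profile_index!r}")
        ctx["local"] = LOCAL_PROFILES[data.profile_index]
    return ctx
```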

At any time, a DN-AAA server may revoke the authorization for a PDU Session or update DN Authorization Data for a PDU Session. According to the request from DN-AAA server, the SMF may release or update the PDU Session. See clause 5.6.14 when the update involves Framed Route information.

At any time, a DN-AAA server or SMF may trigger Secondary Re-authentication procedure for a PDU Session established with Secondary Authentication as specified in clause 11.1.3 of TS 33.501 [29].

During Secondary Re-authentication/Re-authorization, if the SMF receives from DN-AAA the DN authorized Session AMBR and/or DN Authorization Profile Index, the SMF shall report the received value(s) to the PCF.

The procedure for secondary authentication/authorization by a DN-AAA server during the establishment of a PDU Session is described in clause 4.3.2.3 of TS 23.502 [3].

The support for L2TP on N6 is further specified in clause 5.8.2.16 and the procedure for establishment of L2TP tunnelling on N6 for a PDU Session is described in clause 4.3.2.4 of TS 23.502 [3].

NOTE 6: The L2TP Tunnel information sent to the SMF can, for example, be provisioned in the DN-AAA server per DNN/S-NSSAI or per SUPI or GPSI.
