5G UE Registration and Attach Procedure: Step-by-Step Guide and AMF Selection Criteria

5G UE Registration Procedures

In 5G, UE registration is a critical process that establishes the UE’s presence on the network, authorizes it for services, and enables mobility tracking.The 5G Attach procedure (also called the Registration procedure in 5GC architecture) is a critical process through which a UE connects to a 5G Standalone network, registers itself with the core, and obtains access to data services. It includes RRC establishment, NAS registration, authentication, security setup, and PDU session configuration. The following sections explain the entire flow post-RACH.

Why Register?

Registration serves several purposes:

• Initial Access: Allows UEs to connect to the 5G network for the first time.
• Mobility Management: Updates network information as the UE moves between Tracking Areas (TAs).
• Capability Updates: Informs the network of any changes to the UE’s capabilities or supported protocols.
• Periodic Updates: Maintains a connection with the network during periods of inactivity.
• Emergency Registration: Enables limited service access for emergency situations.

ref : Figure 4.2.2.2.2-1: Registration procedure

NAS Registration Trigger

Once RRC connection is established, the UE sends its first NAS message.

RRCSetupComplete + Registration Request (UE → gNB)

The UE initiates communication with the network, signalling its intent to register and receive services.The UE sends RRCSetupComplete along with an embedded NAS Registration Request in the dedicatedNAS-Message container.

This message includes critical identification and subscription information:

• Registration Type (e.g., initial registration, periodic, mobility-triggered)
• UE identity (SUCI or GUTI)
• Requested NSSAI (slicing info)
• UE Capabilities
• Optionally, a list of PDU sessions to be activated

This is the first NAS message sent towards the 5GC.

AMF Interaction & UE Context Management

Initial UE Message (gNB → AMF)

The gNB forwards the NAS Registration Request to the AMF using NGAP Initial UE Message.

This message includes:

• RAN UE NGAP ID (assigned by gNB)
• NAS-PDU (Registration Request)
• UE location information, and
• RRC Establishment Cause

It represents the UE’s context from the RAN point of view and enables AMF selection and session anchoring.

UE Context Retrieval (New AMF → Old AMF)

If the UE was previously registered elsewhere, the new AMF retrieves context from the old AMF using UEContextTransferRequest.
This includes transfer of:

• SUPI (permanent ID), PEI
• Last known TAI
• Radio capabilities and other session state
  The new AMF stores this information for continuity and optimization.

UE Identity and Authentication

Identity Request/Response (AMF ↔ UE)

If identity is not available or verification is needed, AMF sends a NAS Identity Request. The UE responds with Identity Response.
UE typically provides SUCI (encrypted SUPI) to protect privacy. This helps the AMF verify the subscriber securely.

Authentication via AUSF (AMF → AUSF → UDM)

The AMF contacts the Authentication Server Function (AUSF) using the SUCI. AUSF, in turn, requests authentication vectors from the Unified Data Management (UDM).
UDM provides:

• Authentication method (5G AKA or EAP-AKA’)
• Random challenge (RAND)
• Authentication token (AUTN)

This enables cryptographic verification of the UE.

NAS Authentication Request/Response (AMF ↔ UE)

AMF initiates authentication with NAS Authentication Request, and the UE replies with Authentication Response.
The UE computes a response using its stored credentials and compares the received AUTN to authenticate the network. A correct RES* is sent to the AMF for validation.

NAS Security Mode Setup

Security Mode Command/Complete (AMF ↔ UE)

AMF sends NAS Security Mode Command to select security algorithms. UE responds with Security Mode Complete.
The selected NAS ciphering and integrity algorithms are confirmed here. The UE also includes IMEISV (equipment identity) for device validation via EIR. After this, NAS signaling is fully secure.

Equipment Identity Check

EIR Check (AMF → 5G-EIR)

The AMF checks if the device is blacklisted by sending PEI to the Equipment Identity Register (EIR).
This ensures that stolen or non-compliant UEs do not access the network. If blacklisted, the procedure terminates.

Subscription Profile Retrieval

AMF Registration with UDM + Data Sync

The AMF:

• Registers itself with UDM
• Retrieves:
  • Access & Mobility Subscription Data
  • SMF Selection Data
  • UE Context in SMF

This phase ensures that all policies, slices, and session configuration parameters are aligned between AMF, UDM, and SMF.

Policy Control Function Interaction

PCF Policy Setup

AMF contacts the PCF using Npcf_AMPolicyControl_Create to create a policy association for the UE.
This step ensures that appropriate access, mobility, and charging policies are enforced. PCF also subscribes to events like handovers, location changes, etc.

PDU Session Establishment via SMF

PDU Session Setup

If PDU Sessions were requested, the AMF initiates session creation with the SMF.
SMF:

• Allocates UE IP address
• Selects User Plane Function (UPF)
• Sets up a session using PFCP (Packet Forwarding Control Protocol) with the UPF

Downlink data is buffered at UPF until the UE is ready.

Initial Context Setup with gNB

Initial Context Setup Request (AMF → gNB)

The AMF sends this NGAP message to the gNB. It contains:

• AMF UE NGAP ID
• PDU Session Resource Setup List
• NAS Registration Accept
• Security keys and UE capabilities

This message tells the gNB how to configure user plane resources for the UE.

Access Stratum (AS) Security Setup

Security Mode Command/Complete (AS Layer)

gNB and UE perform AS-level security setup including:

• Derivation of K-gNB
• Setup of integrity and encryption keys

After SecurityModeComplete, ciphering and integrity protection start for RRC messages.

RRC Reconfiguration

RRCReconfiguration / RRCReconfigurationComplete

The gNB sends RRCReconfiguration to:

• Setup DRBs for user data
• Add secondary cells (if dual connectivity)
• Trigger measurement reporting
• Deliver NAS Registration Accept

UE confirms with RRCReconfigurationComplete.

Registration Complete

NAS Registration Complete

UE sends Registration Complete NAS message to AMF.
This signals successful completion of the entire registration flow and confirms UE is fully onboarded.

Data Transfer Starts

Uplink and Downlink Activation

• UE begins sending data (via Uplink TEID)
• Downlink data from UPF is delivered using Downlink TEID
• PFCP session modification is finalized

This marks the full readiness of the UE for end-to-end IP-based communication over 5GC.

After all these steps, the UE is:

• Ready for data exchange via the UPF
• Fully authenticated and secure
• Registered with the 5G Core
• Assigned IP address and bearer

RRC Inactive Assistance Information: This can be provided to the RAN to help it manage the UE’s radio resources when inactive.

Network Slicing Subscription Changes: If the UDM indicates changes in the UE’s network slicing subscription, the AMF informs the UE, which then updates its local configuration

Reference : LinkedIn

5GUERegistration #5GInitialAccess #5GNetworkMobility #5GCapabilityUpdates #5GPeriodicUpdates #5GEmergencyRegistration #5GAMFSelection #5GSecuritySetup #5GAuthentication #5GNetworkSlicing #5GPDUUpdates #5GPolicyManagement #5GConnectivity #5GNR #5GProtocol