Key derivation method, apparatus, and system
US-2023239689-A1 · Jul 27, 2023 · US
US12335728B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12335728-B2 |
| Application number | US-202017432835-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 24, 2020 |
| Priority date | Feb 27, 2019 |
| Publication date | Jun 17, 2025 |
| Grant date | Jun 17, 2025 |
Abstract
A method by a core network node of a core network of a wireless communication system for authenticating a user equipment, UE, to the core network includes receiving a first authentication request to authenticate the UE to the core network, determining that the UE should be authenticated by an external authentication entity that is external to the wireless communication system, transmitting a second authentication request to the external authentication entity, the second authentication request identifying the UE, receiving an authentication response from the external authentication entity verifying authenticity of the UE, the authentication response including a master key, and deriving a first key for securing communications with the UE from the master key.
Claims
The invention claimed is:
1. A method by a first core network node of a core network of a wireless communication system for authenticating a user equipment, UE, to the core network, comprising: receiving a first authentication request to authenticate the UE to the core network; transmitting an identifier associated with the UE to a second core network node in response to receiving the first authentication request; receiving a message from the second core network node instructing the first core network node to transmit the authentication request to an external authentication entity; determining that the UE should be authenticated by the external authentication entity that is external to the wireless communication system; transmitting a second authentication request to the external authentication entity, the second authentication request identifying the UE; receiving an authentication response from the external authentication entity verifying authenticity of the UE, the authentication response including a master key; and deriving a first key for securing communications with the UE from the master key.
2. The method of claim 1, further comprising: performing an extensible authentication protocol (EAP) exchange with the external authentication entity after transmitting the authentication request to the external authentication entity.
3. The method of claim 2, further comprising: transmitting an indication to the UE to derive the first key from the master key in an EAP message in the EAP exchange.
4. The method of claim 3, wherein transmitting the indication comprises transmitting the indication in an Anti-Bidding down Between Architectures (ABBA) parameter.
5. The method of claim 1, wherein the core network comprises a 5GC core network, wherein the first core network node comprises an Authentication Server Function (AUSF) node, and wherein the second core network node comprises a Unified Data Management (UDM) node.
6. The method of claim 1, wherein the external authentication entity is associated with a non-public network.
7. The method of claim 1, wherein the first authentication request includes a subscriber concealed identity, SUCI, of the UE, the method further comprising: determining a subscriber permanent identity, SUPI, of the UE, wherein determining that the UE should be authenticated by the external authentication entity is performed based on the SUCI or the SUPI of the UE.
8. The method of claim 1, wherein determining that the UE should be authenticated by the external authentication entity is performed based on a home network of the UE.
9. The method of claim 1, wherein: the core network comprises a 5GC core network; the first core network node comprises an Authentication Server Function, AUSF, node; the master key comprises a master session key, MSK; and the first key comprises an AUSF security key, K_AUSF.
10. The method of claim 1, further comprising: transmitting an indication to the UE to derive the first key from the master key.
11. The method of claim 1, wherein determining that the UE should be authenticated by the external authentication entity is performed according to a predetermined static configuration.
12. The method of claim 1, wherein the authentication response includes an encapsulated message for the UE indicating successful authentication.
13. The method of claim 1, wherein the first authentication request is received from an Access and Mobility Management Function (AMF) node in the core network.
14. A network node, comprising: a first core network; a processor circuit; a transceiver coupled to the processor circuit; and a memory coupled to the processor circuit, the memory comprising machine readable program instructions that, when executed by the processor circuit, cause the network node to perform operations of: receiving a first authentication request to authenticate the UE to a core network; transmitting an identifier associated with the UE to a second core network node in response to receiving the first authentication request; receiving a message from the second core network node instructing the first core network node to transmit the authentication request to an external authentication entity; determining that the UE should be authenticated by the external authentication entity that is external to a wireless communication system that includes the core network; transmitting a second authentication request to the external authentication entity, the second authentication request identifying the UE; receiving an authentication response from the external authentication entity verifying authenticity of the UE, the authentication response including a master key; and deriving a first key for securing communications with the UE from the master key.
15. A method by a user equipment, UE, in a wireless communication system, comprising: transmitting a registration message to a core network node of the wireless communication system; receiving an indication from the core network node that the UE should derive a security key for communicating with the core network from a master key (MSK) known to an authentication entity outside the wireless communication system; deriving the security key from the MSK; and securing communications with the core network node using the security key.
16. The method of claim 15, wherein the indication is received in a non-access stratum security establishment message from the core network node.
17. The method of claim 16, wherein the indication is received as part of an extensible authentication protocol (EAP) exchange performed in response to the registration message.
18. The method of claim 17, wherein the indication is received in an Anti-Bidding down Between Architectures (ABBA) parameter of an EAP message received as part of the EAP exchange.
19. The method of claim 15, wherein the security key comprises an Authentication Server Function (AUSF) key (K_AUSF).
20. A user equipment, UE, comprising: a processor circuit; a transceiver coupled to the processor circuit; and a memory coupled to the processor circuit, the memory comprising machine readable program instructions that, when executed by the processor circuit, cause the UE to perform operations of: transmitting a registration message to a core network node of a wireless communication system; receiving an indication from the core network node that the UE should derive a security key for communicating with the core network from a master key (MSK) known to an authentication entity outside the wireless communication system; deriving the security key from the MSK; and securing communications with the core network node using the security key.
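The flow in claims 1, 3, 4, 7 and 15 (AUSF routes the UE to an external authentication entity on the UDM's instruction, receives an MSK, derives K_AUSF from it, and signals the UE via the ABBA parameter to do the same) as a simulation added here; it is not code from the patent or any 3GPP implementation. The UDM routing table, the SUCI format, the external entity, the ABBA value and the derivation rule (K_AUSF taken as the most significant 256 bits of a 512-bit MSK) are all constructed assumptions, since the claims fix neither the concrete derivation nor the ABBA encoding.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed UDM routing table: SUPI -> where the UE is authenticated (claims 1, 7, 8, 11).
UDM_ROUTES = {
    "imsi-001010000000001": "home",      # authenticated inside the 5GC
    "imsi-999700000000042": "external",  # credential holder outside the 5GC (claim 6)
}

# Constructed ABBA value carrying the "derive first key from MSK" indication (claims 3, 4).
ABBA_DERIVE_FROM_MSK = b"\x00\x01"

def deconceal_suci(suci: str) -> str:
    """Stand-in for UDM de-concealment; constructed SUCI form is 'suci:<supi>'."""
    if not suci.startswith("suci:"):
        raise ValueError("not a SUCI")
    return suci[len("suci:"):]

def external_aaa_authenticate(supi: str) -> bytes:
    """Constructed external authentication entity: the EAP exchange is elided and a
    deterministic 64-byte MSK stands in for the key both sides hold after success."""
    return hashlib.sha512(b"constructed-eap-msk|" + supi.encode()).digest()

def derive_k_ausf(msk: bytes) -> bytes:
    """Assumed derivation rule: K_AUSF = most significant 256 bits of the MSK."""
    if len(msk) < 32:
        raise ValueError("MSK too short for a 256-bit key")
    return msk[:32]

@dataclass
class AusfResult:
    route: str
    k_ausf: Optional[bytes]
    abba: Optional[bytes]

def ausf_authenticate(suci: str) -> AusfResult:
    """AUSF side: identifier to UDM, route decision, external request, key derivation."""
    supi = deconceal_suci(suci)                 # identifier sent to the second node (claim 7)
    route = UDM_ROUTES.get(supi, "home")        # UDM's instruction back to the AUSF (claim 1)
    if route != "external":
        return AusfResult(route, None, None)    # normal in-network authentication path
    msk = external_aaa_authenticate(supi)       # second authentication request + response
    return AusfResult(route, derive_k_ausf(msk), ABBA_DERIVE_FROM_MSK)

def ue_derive_key(abba: bytes, msk: bytes) -> bytes:
    """UE side (claim 15): derive the key from MSK only when the indication says so."""
    if abba != ABBA_DERIVE_FROM_MSK:
        raise ValueError("no MSK-derivation indication in ABBA; keep the regular key path")
    return derive_k_ausf(msk)
```

Because the ABBA parameter is covered by the EAP-level integrity of the exchange in the claimed design, a UE that ignores the indication, or a network that omits it, ends up with mismatched keys, which the simulation exposes as an immediate key disagreement rather than a silent downgrade.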
Key generation or derivation · CPC title
using delegated authorisation, e.g. open authorisation [OAuth] protocol · CPC title
using certificates or pre-shared keys · CPC title
applying further key derivation, e.g. deriving traffic keys from a pair-wise master key · CPC title
for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title