diff --git a/src/libvlr/vlr_auth_fsm.c b/src/libvlr/vlr_auth_fsm.c
new file mode 100644
index 0000000..0eb86e7
--- /dev/null
+++ b/src/libvlr/vlr_auth_fsm.c
@@ -0,0 +1,605 @@
+/* Osmocom Visitor Location Register (VLR) Autentication FSM */
+
+/* (C) 2016 by Harald Welte <laforge@gnumonks.org>
+ *
+ * All Rights Reserved
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include <osmocom/core/fsm.h>
+#include <osmocom/core/utils.h>
+#include <osmocom/gsm/gsup.h>
+#include <openbsc/vlr.h>
+#include <openbsc/debug.h>
+
+#include "vlr_core.h"
+#include "vlr_auth_fsm.h"
+
+#define S(x)	(1 << (x))
+
+static const struct value_string fsm_auth_event_names[] = {
+	OSMO_VALUE_STRING(VLR_AUTH_E_START),
+	OSMO_VALUE_STRING(VLR_AUTH_E_HLR_SAI_ACK),
+	OSMO_VALUE_STRING(VLR_AUTH_E_HLR_SAI_NACK),
+	OSMO_VALUE_STRING(VLR_AUTH_E_HLR_SAI_ABORT),
+	OSMO_VALUE_STRING(VLR_AUTH_E_MS_AUTH_RESP),
+	OSMO_VALUE_STRING(VLR_AUTH_E_MS_AUTH_FAIL),
+	OSMO_VALUE_STRING(VLR_AUTH_E_MS_ID_IMSI),
+	{ 0, NULL }
+};
+
+const struct value_string vlr_auth_fsm_result_names[] = {
+	OSMO_VALUE_STRING(VLR_AUTH_RES_ABORTED),
+	OSMO_VALUE_STRING(VLR_AUTH_RES_UNKNOWN_SUBSCR),
+	OSMO_VALUE_STRING(VLR_AUTH_RES_PROC_ERR),
+	OSMO_VALUE_STRING(VLR_AUTH_RES_AUTH_FAILED),
+	OSMO_VALUE_STRING(VLR_AUTH_RES_PASSED),
+	{0, NULL}
+};
+
+/* private state of the auth_fsm_instance */
+struct auth_fsm_priv {
+	struct vlr_subscr *vsub;
+	bool by_imsi;
+	bool is_r99;
+	bool is_utran;
+	bool auth_requested;
+
+	int auth_tuple_max_use_count; /* see vlr->cfg instead */
+};
+
+/***********************************************************************
+ * Utility functions
+ ***********************************************************************/
+
+/* Always use either vlr_subscr_get_auth_tuple() or vlr_subscr_has_auth_tuple()
+ * instead, to ensure proper use count.
+ * Return an auth tuple with the lowest use_count among the auth tuples. If
+ * max_use_count >= 0, return NULL if all available auth tuples have a use
+ * count > max_use_count. If max_use_count is negative, return a currently
+ * least used auth tuple without enforcing a maximum use count.  If there are
+ * no auth tuples, return NULL.
+ */
+static struct gsm_auth_tuple *
+_vlr_subscr_next_auth_tuple(struct vlr_subscr *vsub, int max_use_count)
+{
+	unsigned int count;
+	unsigned int idx;
+	struct gsm_auth_tuple *at = NULL;
+	unsigned int key_seq = GSM_KEY_SEQ_INVAL;
+
+	if (!vsub)
+		return NULL;
+
+	if (vsub->last_tuple)
+		key_seq = vsub->last_tuple->key_seq;
+
+	if (key_seq == GSM_KEY_SEQ_INVAL)
+		/* Start with 0 after increment modulo array size */
+		idx = ARRAY_SIZE(vsub->auth_tuples) - 1;
+	else
+		idx = key_seq;
+
+	for (count = ARRAY_SIZE(vsub->auth_tuples); count > 0; count--) {
+		idx = (idx + 1) % ARRAY_SIZE(vsub->auth_tuples);
+
+		if (vsub->auth_tuples[idx].key_seq == GSM_KEY_SEQ_INVAL)
+			continue;
+
+		if (!at || vsub->auth_tuples[idx].use_count < at->use_count)
+			at = &vsub->auth_tuples[idx];
+	}
+
+	if (!at || (max_use_count >= 0 && at->use_count > max_use_count))
+		return NULL;
+
+	return at;
+}
+
+/* Return an auth tuple and increment its use count. */
+static struct gsm_auth_tuple *
+vlr_subscr_get_auth_tuple(struct vlr_subscr *vsub, int max_use_count)
+{
+	struct gsm_auth_tuple *at = _vlr_subscr_next_auth_tuple(vsub,
+							       max_use_count);
+	if (!at)
+		return NULL;
+	at->use_count++;
+	return at;
+}
+
+/* Return whether an auth tuple with the given max_use_count is available. */
+static bool vlr_subscr_has_auth_tuple(struct vlr_subscr *vsub,
+				      int max_use_count)
+{
+	return _vlr_subscr_next_auth_tuple(vsub, max_use_count) != NULL;
+}
+
+static bool check_auth_resp(struct vlr_subscr *vsub, bool is_r99,
+			    bool is_utran, const uint8_t *res,
+			    uint8_t res_len)
+{
+	struct gsm_auth_tuple *at = vsub->last_tuple;
+	struct osmo_auth_vector *vec = &at->vec;
+	bool check_umts;
+	OSMO_ASSERT(at);
+
+	LOGVSUBP(LOGL_DEBUG, vsub, "received res: %s\n",
+		 osmo_hexdump(res, res_len));
+
+	/* RES must be present and at least 32bit */
+	if (!res || res_len < sizeof(vec->sres)) {
+		LOGVSUBP(LOGL_NOTICE, vsub, "AUTH RES missing or too short "
+			 "(%u)\n", res_len);
+		goto out_false;
+	}
+
+	check_umts = false;
+	if (is_r99 && (vec->auth_types & OSMO_AUTH_TYPE_UMTS)) {
+		check_umts = true;
+		/* We have a R99 capable UE and have a UMTS AKA capable USIM.
+		 * However, the ME may still choose to only perform GSM AKA, as
+		 * long as the bearer is GERAN */
+		if (res_len != vec->res_len) {
+			if (is_utran) {
+				LOGVSUBP(LOGL_NOTICE, vsub,
+					 "AUTH via UTRAN but "
+					 "res_len(%u) != vec->res_len(%u)\n",
+					 res_len, vec->res_len);
+				goto out_false;
+			}
+			check_umts = false;
+		}
+	}
+
+	if (check_umts) {
+		if (res_len != vec->res_len
+		    || memcmp(res, vec->res, res_len)) {
+			LOGVSUBP(LOGL_INFO, vsub, "UMTS AUTH failure:"
+				 " mismatching res (expected res=%s)\n",
+				 osmo_hexdump(vec->res, vec->res_len));
+			goto out_false;
+		}
+
+		LOGVSUBP(LOGL_INFO, vsub, "AUTH established UMTS security"
+			 " context\n");
+		vsub->sec_ctx = VLR_SEC_CTX_UMTS;
+		return true;
+	} else {
+		if (res_len != sizeof(vec->sres)
+		    || memcmp(res, vec->sres, sizeof(vec->sres))) {
+			LOGVSUBP(LOGL_INFO, vsub, "GSM AUTH failure:"
+				 " mismatching sres (expected sres=%s)\n",
+				 osmo_hexdump(vec->sres, sizeof(vec->sres)));
+			goto out_false;
+		}
+
+		LOGVSUBP(LOGL_INFO, vsub, "AUTH established GSM security"
+			 " context\n");
+		vsub->sec_ctx = VLR_SEC_CTX_GSM;
+		return true;
+	}
+
+out_false:
+	vsub->sec_ctx = VLR_SEC_CTX_NONE;
+	return false;
+}
+
+static void auth_fsm_onenter_failed(struct osmo_fsm_inst *fi, uint32_t prev_state)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+
+	/* If authentication hasn't even started, e.g. the HLR sent no auth
+	 * info, then we also don't need to tell the HLR about an auth failure.
+	 */
+	if (afp->auth_requested)
+		vlr_subscr_tx_auth_fail_rep(vsub);
+}
+
+static bool is_umts_auth(struct auth_fsm_priv *afp,
+			 uint32_t auth_types)
+{
+	if (!afp->is_r99)
+		return false;
+	if (!(auth_types & OSMO_AUTH_TYPE_UMTS))
+		return false;
+	return true;
+}
+
+/* Terminate the Auth FSM Instance and notify parent */
+static void auth_fsm_term(struct osmo_fsm_inst *fi, enum vlr_auth_fsm_result res)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+
+	LOGPFSM(fi, "Authentication terminating with result %s\n",
+		vlr_auth_fsm_result_name(res));
+
+	/* Do one final state transition (mostly for logging purpose) */
+	if (res == VLR_AUTH_RES_PASSED)
+		osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_AUTHENTICATED, 0, 0);
+	else
+		osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_AUTH_FAILED, 0, 0);
+
+	/* return the result to the parent FSM */
+	osmo_fsm_inst_term(fi, OSMO_FSM_TERM_REGULAR, &res);
+	vsub->auth_fsm = NULL;
+}
+
+/* back-end function transmitting authentication. Caller ensures we have valid
+ * tuple */
+static int _vlr_subscr_authenticate(struct osmo_fsm_inst *fi)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+	struct gsm_auth_tuple *at;
+
+	/* Caller ensures we have vectors available */
+	at = vlr_subscr_get_auth_tuple(vsub, afp->auth_tuple_max_use_count);
+	if (!at) {
+		LOGPFSML(fi, LOGL_ERROR, "A previous check ensured that an"
+			 " auth tuple was available, but now there is in fact"
+			 " none.\n");
+		auth_fsm_term(fi, VLR_AUTH_RES_PROC_ERR);
+		return -1;
+	}
+
+	LOGPFSM(fi, "got auth tuple: use_count=%d key_seq=%d\n",
+		at->use_count, at->key_seq);
+
+	OSMO_ASSERT(at);
+
+	/* Transmit auth req to subscriber */
+	afp->auth_requested = true;
+	vsub->last_tuple = at;
+	vsub->vlr->ops.tx_auth_req(vsub->msc_conn_ref, at,
+				   is_umts_auth(afp, at->vec.auth_types));
+	return 0;
+}
+
+/***********************************************************************
+ * FSM State Action functions
+ ***********************************************************************/
+
+/* Initial State of TS 23.018 AUT_VLR */
+static void auth_fsm_needs_auth(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+
+	OSMO_ASSERT(event == VLR_AUTH_E_START);
+
+	/* Start off with the default max_use_count, possibly change that if we
+	 * need to re-use an old tuple. */
+	afp->auth_tuple_max_use_count = vsub->vlr->cfg.auth_tuple_max_use_count;
+
+	/* Check if we have vectors available */
+	if (!vlr_subscr_has_auth_tuple(vsub, afp->auth_tuple_max_use_count)) {
+		/* Obtain_Authentication_Sets_VLR */
+		vlr_subscr_req_sai(vsub, NULL, NULL);
+		osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_NEEDS_AUTH_WAIT_AI,
+					GSM_29002_TIMER_M, 0);
+	} else {
+		/* go straight ahead with sending auth request */
+		osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_RESP,
+					vlr_timer(vsub->vlr, 3260), 3260);
+		_vlr_subscr_authenticate(fi);
+	}
+}
+
+/* Waiting for Authentication Info from HLR */
+static void auth_fsm_wait_ai(struct osmo_fsm_inst *fi, uint32_t event,
+			     void *data)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+	struct osmo_gsup_message *gsup = data;
+
+	if (event == VLR_AUTH_E_HLR_SAI_NACK)
+		LOGPFSM(fi, "GSUP: rx Auth Info Error cause: %d: %s\n",
+			gsup->cause,
+			get_value_string(gsm48_gmm_cause_names, gsup->cause));
+
+	/* We are in what corresponds to the
+	 * Wait_For_Authentication_Sets state of TS 23.018 OAS_VLR */
+	if ((event == VLR_AUTH_E_HLR_SAI_ACK && !gsup->num_auth_vectors)
+	    || (event == VLR_AUTH_E_HLR_SAI_NACK &&
+		gsup->cause != GMM_CAUSE_IMSI_UNKNOWN)
+	    || (event == VLR_AUTH_E_HLR_SAI_ABORT)) {
+		if (vsub->vlr->cfg.auth_reuse_old_sets_on_error
+		    && vlr_subscr_has_auth_tuple(vsub, -1)) {
+			/* To re-use an old tuple, disable the max_use_count
+			 * constraint. */
+			afp->auth_tuple_max_use_count = -1;
+			goto pass;
+		}
+		/* result = procedure error */
+		auth_fsm_term(fi, VLR_AUTH_RES_PROC_ERR);
+		return;
+	}
+
+	switch (event) {
+	case VLR_AUTH_E_HLR_SAI_ACK:
+		vlr_subscr_update_tuples(vsub, gsup);
+		goto pass;
+		break;
+	case VLR_AUTH_E_HLR_SAI_NACK:
+		auth_fsm_term(fi,
+			      gsup->cause == GMM_CAUSE_IMSI_UNKNOWN?
+				      VLR_AUTH_RES_UNKNOWN_SUBSCR
+				      : VLR_AUTH_RES_PROC_ERR);
+		break;
+	}
+
+	return;
+pass:
+	osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_RESP,
+				vlr_timer(vsub->vlr, 3260), 3260);
+	_vlr_subscr_authenticate(fi);
+}
+
+/* Waiting for Authentication Response from MS */
+static void auth_fsm_wait_auth_resp(struct osmo_fsm_inst *fi, uint32_t event,
+				    void *data)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+	struct vlr_instance *vlr = vsub->vlr;
+	struct vlr_auth_resp_par *par = data;
+	int rc;
+
+	switch (event) {
+	case VLR_AUTH_E_MS_AUTH_RESP:
+		rc = check_auth_resp(vsub, par->is_r99, par->is_utran,
+				     par->res, par->res_len);
+		if (rc == false) {
+			if (!afp->by_imsi) {
+				vlr->ops.tx_id_req(vsub->msc_conn_ref,
+						   GSM_MI_TYPE_IMSI);
+				osmo_fsm_inst_state_chg(fi,
+						VLR_SUB_AS_WAIT_ID_IMSI,
+						vlr_timer(vlr, 3270), 3270);
+			} else {
+				auth_fsm_term(fi, VLR_AUTH_RES_AUTH_FAILED);
+			}
+		} else {
+			auth_fsm_term(fi, VLR_AUTH_RES_PASSED);
+		}
+		break;
+	case VLR_AUTH_E_MS_AUTH_FAIL:
+		if (par->auts) {
+			/* First failure, start re-sync attempt */
+			vlr_subscr_req_sai(vsub, par->auts,
+					   vsub->last_tuple->vec.rand);
+			osmo_fsm_inst_state_chg(fi,
+					VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC,
+					GSM_29002_TIMER_M, 0);
+		} else
+			auth_fsm_term(fi, VLR_AUTH_RES_AUTH_FAILED);
+		break;
+	}
+}
+
+/* Waiting for Authentication Info from HLR (resync case) */
+static void auth_fsm_wait_ai_resync(struct osmo_fsm_inst *fi,
+				    uint32_t event, void *data)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+	struct osmo_gsup_message *gsup = data;
+
+	/* We are in what corresponds to the
+	 * Wait_For_Authentication_Sets state of TS 23.018 OAS_VLR */
+	if ((event == VLR_AUTH_E_HLR_SAI_ACK && !gsup->num_auth_vectors) ||
+	    (event == VLR_AUTH_E_HLR_SAI_NACK &&
+	     gsup->cause != GMM_CAUSE_IMSI_UNKNOWN) ||
+	    (event == VLR_AUTH_E_HLR_SAI_ABORT)) {
+		/* result = procedure error */
+		auth_fsm_term(fi, VLR_AUTH_RES_PROC_ERR);
+	}
+	switch (event) {
+	case VLR_AUTH_E_HLR_SAI_ACK:
+		vlr_subscr_update_tuples(vsub, gsup);
+		goto pass;
+		break;
+	case VLR_AUTH_E_HLR_SAI_NACK:
+		auth_fsm_term(fi,
+			      gsup->cause == GMM_CAUSE_IMSI_UNKNOWN?
+				      VLR_AUTH_RES_UNKNOWN_SUBSCR
+				      : VLR_AUTH_RES_PROC_ERR);
+		break;
+	}
+
+	return;
+pass:
+	osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_RESP_RESYNC,
+				vlr_timer(vsub->vlr, 3260), 3260);
+	_vlr_subscr_authenticate(fi);
+}
+
+/* Waiting for AUTH RESP from MS (re-sync case) */
+static void auth_fsm_wait_auth_resp_resync(struct osmo_fsm_inst *fi,
+					   uint32_t event, void *data)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+	struct vlr_auth_resp_par *par = data;
+	struct vlr_instance *vlr = vsub->vlr;
+	int rc;
+
+	switch (event) {
+	case VLR_AUTH_E_MS_AUTH_RESP:
+		rc = check_auth_resp(vsub, par->is_r99, par->is_utran,
+				     par->res, par->res_len);
+		if (rc == false) {
+			if (!afp->by_imsi) {
+				vlr->ops.tx_id_req(vsub->msc_conn_ref,
+						   GSM_MI_TYPE_IMSI);
+				osmo_fsm_inst_state_chg(fi,
+						VLR_SUB_AS_WAIT_ID_IMSI,
+						vlr_timer(vlr, 3270), 3270);
+			} else {
+				/* Result = Aborted */
+				auth_fsm_term(fi, VLR_AUTH_RES_ABORTED);
+			}
+		} else {
+			/* Result = Pass */
+			auth_fsm_term(fi, VLR_AUTH_RES_PASSED);
+		}
+		break;
+	case VLR_AUTH_E_MS_AUTH_FAIL:
+		/* Second failure: Result = Fail */
+		auth_fsm_term(fi, VLR_AUTH_RES_AUTH_FAILED);
+		break;
+	}
+}
+
+/* AUT_VLR waiting for Obtain_IMSI_VLR result */
+static void auth_fsm_wait_imsi(struct osmo_fsm_inst *fi, uint32_t event,
+				void *data)
+{
+	struct auth_fsm_priv *afp = fi->priv;
+	struct vlr_subscr *vsub = afp->vsub;
+	const char *mi_string = data;
+
+	switch (event) {
+	case VLR_AUTH_E_MS_ID_IMSI:
+		if (vsub->imsi[0]
+		    && !vlr_subscr_matches_imsi(vsub, mi_string)) {
+			LOGVSUBP(LOGL_ERROR, vsub, "IMSI in ID RESP differs:"
+				 " %s\n", mi_string);
+		} else {
+			strncpy(vsub->imsi, mi_string, sizeof(vsub->imsi));
+			vsub->imsi[sizeof(vsub->imsi)-1] = '\0';
+		}
+		/* retry with identity=IMSI */
+		afp->by_imsi = true;
+		osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_NEEDS_AUTH, 0, 0);
+		osmo_fsm_inst_dispatch(fi, VLR_AUTH_E_START, NULL);
+		break;
+	}
+}
+
+static const struct osmo_fsm_state auth_fsm_states[] = {
+	[VLR_SUB_AS_NEEDS_AUTH] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_NEEDS_AUTH),
+		.in_event_mask = S(VLR_AUTH_E_START),
+		.out_state_mask = S(VLR_SUB_AS_NEEDS_AUTH_WAIT_AI) |
+				  S(VLR_SUB_AS_WAIT_RESP),
+		.action = auth_fsm_needs_auth,
+	},
+	[VLR_SUB_AS_NEEDS_AUTH_WAIT_AI] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_NEEDS_AUTH_WAIT_AI),
+		.in_event_mask = S(VLR_AUTH_E_HLR_SAI_ACK) |
+				 S(VLR_AUTH_E_HLR_SAI_NACK),
+		.out_state_mask = S(VLR_SUB_AS_AUTH_FAILED) |
+				  S(VLR_SUB_AS_WAIT_RESP),
+		.action = auth_fsm_wait_ai,
+	},
+	[VLR_SUB_AS_WAIT_RESP] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_WAIT_RESP),
+		.in_event_mask = S(VLR_AUTH_E_MS_AUTH_RESP) |
+				 S(VLR_AUTH_E_MS_AUTH_FAIL),
+		.out_state_mask = S(VLR_SUB_AS_WAIT_ID_IMSI) |
+				  S(VLR_SUB_AS_AUTH_FAILED) |
+				  S(VLR_SUB_AS_AUTHENTICATED) |
+				  S(VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC),
+		.action = auth_fsm_wait_auth_resp,
+	},
+	[VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC),
+		.in_event_mask = S(VLR_AUTH_E_HLR_SAI_ACK) |
+				 S(VLR_AUTH_E_HLR_SAI_NACK),
+		.out_state_mask = S(VLR_SUB_AS_AUTH_FAILED) |
+				  S(VLR_SUB_AS_WAIT_RESP_RESYNC),
+		.action = auth_fsm_wait_ai_resync,
+	},
+	[VLR_SUB_AS_WAIT_RESP_RESYNC] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_WAIT_RESP_RESYNC),
+		.in_event_mask = S(VLR_AUTH_E_MS_AUTH_RESP) |
+				 S(VLR_AUTH_E_MS_AUTH_FAIL),
+		.out_state_mask = S(VLR_SUB_AS_AUTH_FAILED) |
+				  S(VLR_SUB_AS_AUTHENTICATED),
+		.action = auth_fsm_wait_auth_resp_resync,
+	},
+	[VLR_SUB_AS_WAIT_ID_IMSI] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_WAIT_ID_IMSI),
+		.in_event_mask = S(VLR_AUTH_E_MS_ID_IMSI),
+		.out_state_mask = S(VLR_SUB_AS_NEEDS_AUTH),
+		.action = auth_fsm_wait_imsi,
+	},
+	[VLR_SUB_AS_AUTHENTICATED] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_AUTHENTICATED),
+		.in_event_mask = 0,
+		.out_state_mask = 0,
+	},
+	[VLR_SUB_AS_AUTH_FAILED] = {
+		.name = OSMO_STRINGIFY(VLR_SUB_AS_AUTH_FAILED),
+		.in_event_mask = 0,
+		.out_state_mask = 0,
+		.onenter = auth_fsm_onenter_failed,
+	},
+};
+
+struct osmo_fsm vlr_auth_fsm = {
+	.name = "VLR_Authenticate",
+	.states = auth_fsm_states,
+	.num_states = ARRAY_SIZE(auth_fsm_states),
+	.allstate_event_mask = 0,
+	.allstate_action = NULL,
+	.log_subsys = DVLR,
+	.event_names = fsm_auth_event_names,
+};
+
+/***********************************************************************
+ * User API (for SGSN/MSC code)
+ ***********************************************************************/
+
+/* MSC->VLR: Start Procedure Authenticate_VLR (TS 23.012 Ch. 4.1.2.2) */
+struct osmo_fsm_inst *auth_fsm_start(struct vlr_subscr *vsub,
+				     uint32_t log_level,
+				     struct osmo_fsm_inst *parent,
+				     uint32_t parent_term_event,
+				     bool is_r99,
+				     bool is_utran)
+{
+	struct osmo_fsm_inst *fi;
+	struct auth_fsm_priv *afp;
+
+	fi = osmo_fsm_inst_alloc_child(&vlr_auth_fsm, parent,
+					parent_term_event);
+
+
+	afp = talloc_zero(fi, struct auth_fsm_priv);
+	if (!afp) {
+		osmo_fsm_inst_dispatch(parent, parent_term_event, 0);
+		return NULL;
+	}
+
+	afp->vsub = vsub;
+	if (vsub->imsi[0])
+		afp->by_imsi = true;
+	afp->is_r99 = is_r99;
+	afp->is_utran = is_utran;
+	fi->priv = afp;
+	vsub->auth_fsm = fi;
+
+	osmo_fsm_inst_dispatch(fi, VLR_AUTH_E_START, NULL);
+
+	return fi;
+}