The present invention relates to a system and method for authenticating a subscriber of a first network, e.g., a GPRS/GSM network, to access application services through a second network, wherein the second network is a packet data network (PDN), e.g. the Internet. The system according to the preferred embodiments of the invention includes a mobile station MS (2) connected to a cellular network and apt to generate access-request messages enclosed in data packets, said access-request messages being expressed with a syntax that complies 'with an application-level protocol; an allocation server AAA (7) apt to allocate an address in said second network to said subscriber (subscriber's address) and to provide a mapping between the subscriber's address and a first subscriber's identifier; a gateway (6), e.g., a GGSN, which interfaces the first network to the second network and assigns the subscriber's address to the MS 2; a service token injector STI (10) linked with the gateway (6) and aptto intercept the data packets generated from the endpoint station and directed to the second network through the gateway (6) and to capture in the data packet at least the subscriber's address, and an Identity Authority logical entity IA (9) linked with the STI 10 and apt to perform the following functions: to receive the subscriber's address and the access-request message from the first logical entity, to recognize the application-level protocol of the access-request message, to request the first subscriber's identifier to the allocation server, to generate an authentication token according to the application-level protocol, said token including a second subscriber's identifier, and to associate the authentication token to the access-request message.