A solution of relay node authentication is proposed. The solution includes mutual authentication of relay node and relay UICC, mutual authentication of relay node and network, secure channel establishment between relay UICC and relay node. AKA procedure in TS 33.401 is re-used so that no extra NAS message is needed. IMEI is sent to network in the initial NAS message, according to which MME-RN can retrieve RN's public key from HSS, and perform access control for DeNB. MME-RN will generate a session key based on IMSI, IMEI and Kasme, and encrypt it by RN's public key and send it to RN. UICC will also generate the same key and thus RN can authenticate both UICC and network. When the key or other parameters sent between UICC and RN do not match, UICC or RN will send Authentication Reject message with a new cause to inform network.