HP-UX AAA Server A.08.01 administrator’s guide HP-UX 11i v2 and HP-UX 11i v3 HP Part Number: T1428-90072 Published: May 2010 Edition: Edition 10

HP-UX AAA Server A.08.01 administrator’s guide
HP-UX 11i v2 and HP-UX 11i v3

HP Part Number: T1428-90072
Published: May 2010
Edition: Edition 10


Copyright © 2002–2010 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

UNIX is a registered trademark of The Open Group.

Java™ is a US trademark of Sun Microsystems.

Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation.

Oracle® is a registered US trademark of Oracle Corporation, Redwood City, California.

OpenLDAP® is a registered trademark of the OpenLDAP Foundation.

Netscape Navigator™ is a registered trademark of Time Warner, Inc.


Table of Contents

About This Document ... 27
    Intended Audience ... 27
    New and Changed Information in This Edition ... 27
    Document Organization ... 27
    Publishing History ... 28
    Typographic Conventions ... 29
    HP-UX Release Name and Release Identifier ... 30
    Related Information ... 30
    HP Encourages Your Comments ... 30

I Introduction ... 31

1 Overview: The HP-UX AAA Server ... 34
    RADIUS Topology ... 35
    Establishing a RADIUS Session ... 36
    Product Structure ... 38
        HP-UX AAA Server Daemon, Libraries, and Utilities ... 38
        HP-UX AAA Server Manager Program ... 38
        Documentation ... 38
    HP-UX AAA Server Architecture ... 39
        Configuration Files ... 40
        AATV Plug-Ins ... 40
        The Software Engine: Finite State Machine ... 40
    HP-UX AAA Server Commands, Utilities and Daemons ... 41
    Handling an Access Request ... 41
        Authentication to Verify the Client and User ... 42
        Authorization to Control Sessions and Access to Services ... 44
            Authorization Steps ... 45
    Session Logs For Accounting ... 48
    IPv6 Support for External Services ... 48
    HP-UX AAA Server as a Client ... 48

2 Upgrading to Version A.08.01 ... 49
    The HP-UX AAA Server Upgrade Process ... 49
    Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01 ... 49
    Upgrading from Version A.06.00.x to Version A.08.01 ... 51
    Upgrading from Version A.05.x to Version A.08.01 ... 53
    Merging the Dictionary File ... 53
    Merging the radius.fsm File ... 53
    Merging the vendors File ... 53

3 Installing and Securing the HP-UX AAA Server ... 54
    Acquiring the HP-UX AAA Server Software ... 54
    Installing and Uninstalling the HP-UX AAA Server ... 54

Table of Contents 3


        To Install the HP-UX AAA Server ... 54
        To Uninstall the HP-UX AAA Server Software ... 55
    HP-UX AAA Server File Locations ... 56
    Securing the HP-UX AAA Server ... 63
        Changing the Default HP-UX AAA Server Settings ... 63
            Changing the Default Tomcat User Name and Password ... 63
            Changing the Default RMI Objects Secret ... 64
            Changing the Default test_user Settings ... 64
            Changing the Default localhost Proxy Settings ... 64
        Environment Specific Security Procedures ... 64
            Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration ... 64
            Creating a Tomcat Identity Specifically for the HP-UX AAA Server ... 66
            Running the HP-UX AAA Server on Hosts with System Hardening Software ... 67
            Running the HP-UX AAA Server as a Non-Root User ... 68
            Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot ... 68

4 Enabling the HP-UX AAA Server for GUI-based Administration ... 71
    Accessing the Server Manager ... 71
        Starting and Stopping the RMI Objects ... 72
        Starting and Stopping Tomcat ... 72
    Testing the Installation ... 72
        To Test the Installation ... 72
    Starting HP-UX AAA Servers Using Server Manager ... 74
        AAA Server Start Options ... 75
        Server Manager’s Reload Feature ... 76
    Starting HP-UX AAA Servers From the Command Line ... 77
    Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot ... 80
    Stopping or Restarting HP-UX AAA Servers ... 81
        Using Server Manager ... 81
        From the Command Line ... 81
    Adding an HP-UX AAA Server to Your Network ... 82

II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI ... 84

5 The HP-UX AAA Server Manager Interface ... 88
    Commonly Used Icons in the GUI ... 89

6 Managing HP-UX AAA Servers ... 90
    Using the Server Connections Screen ... 90
    Adding a New Server Connection ... 91
    Modifying Connection Attributes ... 92
    Deleting a Server Connection ... 93
    Managing Multiple Servers ... 93
    Loading and Saving Your Configuration ... 94


        Loading and Saving Your Configuration Using RMI Server ... 95
        Enhancing Loading and Saving Performance Using Secure Copy Protocol ... 96
        Setting up Key-Based Authentication ... 97
            Creating a Public-Private key set with ssh-keygen ... 97
            Sharing the Public key with Remote Hosts ... 98
        Verifying Key-Based Authentication ... 99

7 Configuring RADIUS Clients Using the Access Devices Screen ... 100
    Navigating the Access Devices Screen ... 100
    Adding a RADIUS Client ... 100
    Modifying a RADIUS Client’s Properties ... 103
    Deleting a RADIUS Client ... 104

8 Configuring Realms ... 105
    Using the Local Realms Screen ... 105
    Adding a Realm ... 105
    Modifying Realms ... 108
    Special Entries ... 109
    Deleting a Realm ... 110
    Configuring Realms for Authentication using an External Server ... 111
        Configuring Realms for Database Access via SQL ... 111
        Configuring Realms for LDAP ... 112
            Modifying a Directory Configuration ... 115
            Deleting a Directory Configuration ... 115
            Tuning the AAA Server to LDAP Server Connection ... 116

9 Configuring Proxies ... 117
    Navigating the Proxy Screen ... 117
    Changing the Default localhost Proxy Settings ... 118
    Creating or Modifying a Proxy ... 118
        Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server ... 121
        Forwarding Authentication Requests to a Remote Server ... 122
    Changing RADIUS Port Numbers ... 123
        Forwarding Requests to Alternate RADIUS Ports ... 123
    Forwarding Accounting Requests ... 124
    Proxying Authentication and Accounting Messages to the Same Server ... 124
    Proxying Accounting Requests to a Central Server ... 125
    Deleting a Proxy ... 125

10 Configuring Users ... 127
    Navigating the Users Screen ... 127
    Changing the Default test_user Settings ... 127
    Adding a User Profile ... 128
        Tabs on the Add Users Screen ... 130
            Specifying Attributes Using the Free Attributes Pane ... 130
    Modifying User Profiles ... 131


    Deleting a User Profile ... 131
        To Delete a User Profile From the Default users File ... 132
        To Delete a User Profile in a Local Realms File ... 132

11 Modifying Server Properties ... 133
    Navigating the Server Properties Screen ... 133
    DHCP Relay Properties ... 133
    DNS Updates Properties ... 134
    Message Handling Properties ... 135
    SNMP Properties ... 136
        Enable SNMP Support ... 136
    Tunneling Properties ... 136
        Tunneling Reply Items (Optional) ... 137
    Certificate Properties ... 137
    File Size Properties ... 138
        Maximum Logfile Size ... 138
    Miscellaneous Properties ... 138
        Permit Microsoft Client Authenticate As Computer ... 138
    Local Users File Properties ... 139
    ProLDAP Properties ... 139
    AAA Server As A Client Properties ... 140
    Client Action Properties ... 140

12 Logging and Monitoring ... 142
    Overview ... 142
    Server Log Files ... 142
        Using Server Manager to Retrieve Logfile Information ... 142
            Search Parameters ... 143
            Message Types ... 144
        Using Server Manager to Retrieve Statistics ... 144
    Accounting Log Files ... 145
        Using Server Manager to Retrieve Accounting Logfiles ... 146
        Format of Accounting Records in the Default Merit Style ... 147
            Time-Based Values ... 147
            Client A-V Pairs ... 148
            User Entry A-V Pairs ... 148
            Session Tracking ... 148
        Writing Livingston CDR Accounting Records ... 149
            Livingston CDR Session Record Format ... 150
        Changing the Accounting Log Filename ... 150
        Changing the Accounting Log Rollover Interval ... 151
        Rolling Over the Log File and Accounting Stream and Setting the Log Level ... 151

III Advanced Configuration Information ... 153

13 Securing LAN Access With EAP ... 159
    Overview ... 159


        The Secure LAN Advisor ... 159
    Preparing Your LAN ... 160
    Determining the EAP Authentication Method to Use ... 161
    Securing WLANs with the HP-UX AAA Server ... 164
    Digital Certificate Administration ... 164
        Using the “Self-Signed” Digital Certificates ... 165
        Installing Your Own Digital Certificates and Keys ... 166
            Installing Server Certificates and Keys ... 166
            Installing Client Certificates and Keys ... 167
            Defining Certificate Locations on the HP-UX AAA Server ... 167

14 Managing Sessions ... 169
    Session Logs ... 169
        Displaying Session Attributes ... 169
        Stopping a Session ... 170
    Session Limits ... 170
        Setting Limits on a User-by-User Basis ... 171
            Setting Timeout Values ... 171
            Establishing a Filter ... 171
            Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others) ... 171
            Denying Access (Called-Station-ID and others) ... 172
            Limiting Simultaneous Sessions ... 172
        Setting Limits for Users on a Global Basis ... 173
            Setting Limits for All User Profiles Grouped by Realms ... 173

15 Assigning IP Addresses ... 174
    Assigning Static IP Addresses ... 174
        To Assign a Static IP (IPv4) Address to a Profile in Flat Files ... 174
        To Assign a Static IPv6 Address to a Profile in Flat Files ... 175
        To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File ... 177
        To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File ... 178
    Assigning Dynamic IP Addresses Using DHCP ... 178

16 OATH Standards-Based OTP Authentication ... 179
    OTP and OATH Overview ... 179
    HP-UX AAA Server and OATH Support ... 180
    Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAPv2 ... 182
    Components Required to Configure OTP Authentication ... 182
    Configuring OTP Authentication on the HP-UX AAA Server ... 183
        OTP Authentication Configuration Flowchart ... 183
        Basic or Typical Configuration ... 186
        Advanced Configuration ... 187
            Advanced OTP Authentication Configuration Concepts ... 187


            Attributes for Configuring OTP Authentication ... 192
            Advanced Deployment Scenarios ... 199
                Validating OTP Alone ... 200
                Configuring Two-Factor Authentication ... 202
                OTP or Password Validation at External RADIUS Server ... 210
        Predefined Mapping and Conversion Functions ... 217
        Sample Configuration Files ... 217
            The sqlaccess.config Sample File ... 217
            Sample Policy Files ... 220
                The oath-request-ingress.grp Sample File ... 221
                The oath-reply-egress.grp Sample File ... 221
                The oath-proxy-egress.grp Sample File ... 222

17 Configuring EAP-SIM and EAP-AKA Authentication Methods ... 224
    EAP-SIM ... 224
        Overview ... 224
        EAP-SIM Authentication Using HP-UX AAA Server ... 225
        Features ... 227
        Benefits ... 228
        Configuring EAP SIM ... 228
            EAP-SIM Client Configuration ... 228
            EAP-SIM User Credential Lookup Configuration ... 228
            EAP-SIM Realm-Based Configurations ... 229
                Realm-Based EAP-SIM Configuration Information in authfile ... 229
                Realm-Based EAP-SIM Configuration Information in EAP.authfile ... 232
            Global EAP-SIM Configuration in aaa.config ... 235
    EAP-AKA ... 236
        Overview ... 236
        EAP-AKA Authentication Using HP-UX AAA Server ... 236
        Features ... 237
        Benefits ... 238
        Configuring EAP-AKA ... 239
            EAP-AKA Client Configuration ... 239
            EAP-AKA User Credential Lookup Configuration ... 239
            EAP-AKA Realm-Based Configurations ... 240
                Realm-Based EAP-AKA Configuration Information in authfile ... 240
                Realm-Based EAP-AKA Configuration Information in EAP.authfile ... 242
            Global EAP-AKA Configuration in aaa.config ... 247
    Fast Re-Authentication ... 248
        Configuring for Fast Re-Authentication ... 248
            Configuring for Fast Re-Authentication in EAP.authfile ... 248
                Sample EAP.authfile Configuration for Fast Re-authentication ... 250
            Configuring for Fast Re-Authentication in aaa.config File ... 251
                Sample aaa.config Configuration for Fast Re-authentication ... 251


Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs ........ 252
Fast Re-Authentication Database Update AATV ........ 253
Update AATV Inputs ........ 253
Update AATV Outputs ........ 254
AATV Functionality and Return Events ........ 254
Fast Re-Authentication Database Lookup AATV ........ 254
Lookup AATV Inputs ........ 254
Lookup AATV Outputs ........ 255
Lookup AATV Functionality and Return Events ........ 256
Pseudonym Identities ........ 256
Random Pseudonyms ........ 256
Algorithm-Based Pseudonyms ........ 257
Configuring for Pseudonym Identity Support ........ 258
Sample EAP.authfile Configuration for Random Pseudonym Identity Support ........ 260
Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support ........ 261
Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support ........ 262
Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs ........ 262
Pseudonym Database Update AATV ........ 264
Update AATV Inputs ........ 264
Update AATV Outputs ........ 265
AATV Functionality and Return Events ........ 265
Pseudonym Database Lookup AATV ........ 265
Lookup AATV Inputs ........ 265
Lookup AATV Outputs ........ 266
Lookup AATV Functionality and Return Events ........ 268
Generating Authentication Vectors Using A3, A8, and AKA Algorithms ........ 268
3GPP Milenage A3, A8, and AKA Algorithm ........ 269
18 Configuring HP-UX AAA Server for Scalability and High-Availability ........ 273
Overview ........ 273
Scalability and High-Availability Concepts ........ 274
Grouping HP-UX AAA Servers ........ 274
HP-UX AAA Server Attributes ........ 274
HP-UX AAA Server Deployment for Scalability and High-Availability ........ 274
Managing Multiple HP-UX AAA Servers For Scalability and High-Availability ........ 276
Administering HP-UX AAA Servers Using HP-UX AAA Server Manager ........ 276
Logging In ........ 277
Adding a Group ........ 278
Modifying a Group ........ 279
Deleting a Group ........ 279


Adding a Server ........ 280
Modifying a Server ........ 284
Deleting a Server ........ 284
Cloning a Server ........ 284
Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line) ........ 287
rad_admin Syntax ........ 287
Examples of Administering Multiple HP-UX AAA Servers ........ 288
Administering HP-UX AAA Servers Using Interactive User Interface ........ 288
Disaster Recovery of the HP-UX AAA Server Manager ........ 289
19 Configuring the HP-UX AAA Server for Client Functionality ........ 291
Overview ........ 291
CLIENT AATV ........ 292
Configuring CLIENT AATV ........ 292
Working of the CLIENT AATV ........ 292
Supported APIs ........ 294
Internal Attributes and Mapping Functions ........ 295
20 Configuring the HP-UX AAA Server for Dynamic Authorization ........ 297
Dynamic Authorization Overview ........ 297
HP-UX AAA Server and Dynamic Authorization ........ 297
Processing of Dynamic Authorization Requests ........ 298
Configuring for Dynamic Authorization ........ 300
Basic Configuration ........ 301
Advanced Configuration ........ 302
Migrating Existing SQL Access Deployments for Dynamic Authorization ........ 302
Configuring Multiple HP-UX AAA Servers as a Group ........ 304
Configuring for Disconnect and CoA Request Processing ........ 306
Dedicated HP-UX AAA Servers for Dynamic Authorization ........ 311
Dynamic Authorization in Authorize Only Mode ........ 316
Configuring for Dynamic Authorization in Authorize Only Mode ........ 317
Configuring for Proxy Functionality ........ 319
Configuring for Dynamic Authorization Proxy Functionality ........ 320
Configuring for Failover ........ 321
Security Consideration in Dynamic Authorization ........ 321
Replay Protection ........ 321
Message-Authenticator ........ 324
Reverse Path Forwarding Check for Proxies ........ 324
Sample Configuration Files ........ 326
The client-request-init.grp.dynauth Sample File ........ 327
The client-reply-ingress.grp.dynauth Sample File ........ 327
The sqlaccess.config.dynauth Sample File ........ 327
The sqlaccess.config.dynauth_server_group Sample File ........ 329
The dbsetup.sql.dynauth_server_group Sample File ........ 331


IV Integrating the HP-UX AAA Server With External Services ........ 332
21 LDAP Authentication ........ 335
LDAP Server Compatibility ........ 335
Related LDAP Documentation ........ 335
Authentication with LDAP ........ 335
Configuring the LDAP Server ........ 335
The HP-UX AAA Server LDAP Schema ........ 336
To Configure Netscape Directory Server v6 ........ 337
To Configure iPlanet Directory Server v5 ........ 337
To Configure OpenLDAP 2.0.x ........ 337
22 SQL Access ........ 338
SQL Access Overview ........ 338
SQL Access Concepts ........ 339
RADIUS Attribute to SQL Statement Mapping ........ 340
Mapping Functions ........ 341
Conversion Functions ........ 341
SQL Action Processing and Result Handling ........ 342
Implementing SQL Access ........ 342
Sample Implementation Files ........ 342
sqlaccess.config Sample File ........ 343
dbsetup.sql Sample File ........ 345
Finite State Machine Sample ........ 346
Pre-requisites for SQL Access ........ 346
Database Server and Schema ........ 346
Database Security ........ 347
High Availability ........ 347
Database Client ........ 347
Shared Library Path Configuration ........ 348
Database Client Connector Libraries ........ 348
SQL Access Implementation Details ........ 348
sqlaccess.config File Configuration ........ 349
Database Connection Definition ........ 350
SQL Actions ........ 352
Mapping Syntax ........ 353
RAD Mapping ........ 355
DBC Mapping ........ 356
DBP Mapping ........ 357
RET Mapping ........ 359
Mapping Functions ........ 359
Conversion Functions ........ 361
SQL Statement ........ 362
SQL Result Mapping ........ 364
Result Handling for Retrieval Requests ........ 366


Global Definitions ........ 369
Advanced SQL Mapping Configuration ........ 369
Developing Custom Functions ........ 369
Null SQL Statements ........ 370
Null Source and Target Mapping ........ 370
Time Synchronization ........ 371
Finite State Table Configuration in the FSM ........ 372
Stored Procedures ........ 373
Administering Users and Tokens Stored in an SQL Database ........ 374
Managing Users ........ 375
Adding Users to an SQL Database ........ 375
Modifying User Credentials ........ 377
Managing Users Using OTP to Authenticate ........ 378
Importing Tokens into the Database ........ 378
Assigning Tokens to Users ........ 379
Assigning a Specific Token to a User ........ 379
Allocating Any Available Tokens to a User ........ 380
Enrolling Tokens (Procedure for Users) ........ 380
Synchronizing Tokens (Procedure for Users) ........ 382
Terminating Tokens ........ 383
Viewing User and Token Statistics ........ 383
Valid Token Status Values ........ 383
Invoking the User Database Administration Manager Interface from Server Manager ........ 384
Multi-Row Support For SQL Access ........ 385
23 Simple Network Management Protocol (SNMP) Support ........ 386
Setting Up SNMP to Monitor the HP-UX AAA Server ........ 386
24 VPN Tunneling ........ 388
Establishing a Tunnel for a User ........ 388
25 Using DHCP ........ 390
Required DHCP Server Features ........ 390
Recommended DHCP Server Features ........ 390
Defining DHCP Address Pools for Specific Users ........ 390
To Associate an Address Pool with a User Profile in AAA Server Flat Files ........ 390
To Associate an Address Pool with a User Profile in an LDAP LDIF File ........ 391
Associating Address Pools with Realms and Other Conditions ........ 391
V Customizing the HP-UX AAA Server ........ 392
26 Customizing the HP-UX AAA Server Using the Finite State Machine ........ 396
States ........ 396
Using Xstring to Call Policy ........ 399
Using Xstring to Call an Alternate authfile ........ 399
Event Names ........ 399
Predefined Event Names ........ 400


Creating New Names ........ 403
Actions ........ 403
FSM Tables ........ 405
Custom State Tables ........ 406
Tracking Versions ........ 406
Examples ........ 406
Preprocessing Module ........ 406
Interim Logging ........ 408
Custom Logging Format ........ 408
Proxy Accounting Messages ........ 409
27 Customizing the HP-UX AAA Server Using Policies ........ 411
Policy Overview ........ 411
Defining a Policy in a Decision File ........ 412
Action Commands ........ 413
The delete Command ........ 414
The insert Command ........ 415
The modify Command ........ 417
The exit Command ........ 418
The log Command ........ 419
The if Command ........ 420
Attribute Specifications ........ 422
Attribute Names ........ 422
Vendor Names ........ 422
Attribute Instance Specifications ........ 422
No Instance Specification ........ 423
Numeric Instance Specification ........ 423
Keyword Instance Specification ........ 423
Attribute Functions ........ 424
The count Attribute Function ........ 424
The length Attribute Function ........ 424
The strcat Attribute Function ........ 425
The substr Attribute Function ........ 426
The tolower Attribute Function ........ 429
The toupper Attribute Function ........ 430
Value Types ........ 430
Arithmetic Expressions ........ 431
Arithmetic Operator Precedence and Association ........ 431
Supported Boolean Operators ........ 432
Boolean Operator Precedence and Association ........ 433
Type Compatibility ........ 434
Invoking a Policy ........ 435
Invoking Policies Through Predefined Policy Hooks ........ 435
Request Ingress Policy ........ 435


User Policy ........ 436
Invoking Policy from User Profiles ........ 437
Reply Egress Policy ........ 437
Proxy Egress Policy ........ 438
Proxy Ingress Policy ........ 439
Useful Attributes for Policy Conditions ........ 440
Modifying the FSM for Specific Customizations ........ 441
Sample Policy Implementations ........ 442
Dynamic Access Control ........ 442
Step 1 – Modifying the Default FSM for DAC ........ 442
Step 2 – Defining the DAC Policies ........ 443
DNIS Routing ........ 444
Step 1 – Modifying the Default FSM for DNIS Routing ........ 444
Step 2 – Defining the DNIS Routing Policies ........ 444
28 Customizing the HP-UX AAA Server Using the SDK ........ 446
SDK Overview ........ 446
Migrating Plug-ins Created Using Previous Versions of the SDK ........ 448
Prerequisites for Using the SDK ........ 448
SDK Directory Structure ........ 448
SDK Concepts ........ 448
Overview of AATVs ........ 448
AATV Components ........ 449
The init Function ........ 449
The action Function ........ 449
The timer or callback Function ........ 450
The cleanup Function ........ 450
Creating Plug-ins ........ 450
Using AATVs to Create a Plug-in ........ 451
Compiling and Loading a Plug-in ........ 452
Testing and Debugging a Plug-in ........ 453
Using the GNU Project Debugger ........ 453
Using gdb to Debug Your Software Module ........ 453
Creating Plug-ins for AATVs ........ 454
A3 and A8 Algorithm Plug-in for EAP-SIM ........ 454
Creating A3, A8 Plug-ins ........ 455
AKA Algorithm Plug-in for EAP-AKA ........ 456
Creating AKA Plug-ins ........ 457
VI Troubleshooting ........ 461
29 Troubleshooting Overview ........ 464
AAA Environment Components ........ 464
HP-UX AAA Server Operation ........ 465
Probable Causes for Failure ........ 467
Configuration Problems ........ 467


External Service Problems ........ 467
Protocol Limitations ........ 468
RADIUS Client and Supplicant Considerations ........ 468
30 Troubleshooting Procedures ........ 469
Troubleshooting Flowchart ........ 469
Troubleshooting Flowchart Process ........ 471
Troubleshooting the Server Manager Administration Utility ........ 472
Common Problems With the Server Manager ........ 473
Troubleshooting Server Manager Launch Problems ........ 475
Troubleshooting Remote Management Problems ........ 476
Troubleshooting the HP-UX AAA Server ........ 477
Troubleshooting HP-UX AAA Server Startup Problems ........ 478
Common Problems with HP-UX AAA Server Startup ........ 478
Troubleshooting Bind Errors at HP-UX AAA Server Startup ........ 482
Troubleshooting an Unresponsive HP-UX AAA Server ........ 483
Troubleshooting Common Configuration Problems ........ 484
Troubleshooting External Services ........ 488
Identifying External Service Failures using Logfile Error Messages ........ 488
Identifying Unrecorded External Datastore Failures ........ 493
Identifying Proxy Server Failures ........ 493
Identifying Unrecorded DHCP Failures ........ 493
Troubleshooting Access-Rejects from the HP-UX AAA Server ........ 494
Common Authentication Failure Problems ........ 494
EAP Problems ........ 502
Troubleshooting Provisioning Errors ........ 506
Troubleshooting the HP-UX AAA Server Admin Utility ........ 506
31 Troubleshooting Resources ........ 509
HP-UX AAA Server Troubleshooting Utilities ........ 509
The radcheck Utility: For Checking the Server Status ........ 509
The radpwtst Utility: For Testing Authentication ........ 510
The raddbginc Utility: For Setting Debug Output Levels ........ 510
The radsignal Utility: For Rolling Over the Debug Output to New Files ........ 511
The HP-UX AAA Server Logfile and Debug File ........ 511
The HP-UX AAA Server Logfile ........ 511
The HP-UX AAA Server Debug File ........ 511
32 Reporting Problems ........ 513
Server Set Up Information ........ 513
Server Manager Related Information ........ 514
External Components ........ 514
External Databases ........ 514
SNMP Servers ........ 514
DHCP Servers ........ 514
OpenSSL ........ 514


EAP Related Information....................................................514
Clients....................................................................515
Access Points..............................................................515

VII Reference..............................................................516
33 Configuration Files.....................................................519

HUP Processing.............................................................519
The aaa.config File........................................................520

Variables in the aaa.config File...........................................520
The strict_duplicate_check Variable........................................520
The aatv.ProLDAP Property..................................................521
The iaaa.SNMP Property.....................................................521
The log_threshold_limit and suppression_interval Variables.................522
The list_copy_limit Variable...............................................522
The localUsersFile.FilterType Property.....................................522
The default_users_file_cis_search Property.................................523
The log_forwarding Variable................................................523
The log_generated_request Variable.........................................523
The ourhostname Variable...................................................523
The packet_log Variable....................................................524
The radius_log_fmt Variable................................................524
The reply_check Variable...................................................524

OTP Authentication-Related Configuration Items.............................525
Dynamic Authorization-Related Configuration Items..........................525

The clients File...........................................................526
Prefixed Users and authfile................................................527
Wildcard Support for IPv4 and IPv6.........................................527

The users File.............................................................528
Syntax of a User Entry.....................................................528
Syntax of IPv6 Attributes..................................................528

NAS-IPv6-Address...........................................................528
Framed-Interface-Id........................................................529
Framed-IPv6-Prefix.........................................................529
Login-IPv6-Host............................................................529
Framed-IPv6-Route..........................................................530
Framed-IPv6-Pool...........................................................530

With Tunneling.............................................................530
The dictionary File........................................................531

Attribute Entries..........................................................532
Pruning Expressions........................................................533
Value Entries..............................................................534

The las.conf File..........................................................535
LAS Session Timing Parameters..............................................535
Token Pool Configuration...................................................536


Realm Configuration........................................................537
The vendors File...........................................................538

Syntax of a vendors File...................................................538
The log.config File........................................................539

Syntax of a Stream Entry...................................................539
Default Entry..............................................................541
End Entry..................................................................541
Logging Multiple Streams...................................................541

Values Logged by Default...................................................541
Examples...................................................................542

Livingston Call Detail Record (CDR) Format.................................542
Multiple Logging Streams...................................................542
Logging Based on attributes................................................543
Accounting Log Based on Attribute Value....................................544
Changing the Accounting Log Rollover Interval..............................545

34 Attribute-Value Pairs...................................................546
Specifying Attribute-Value Pairs...........................................546

Attribute-Value Formats....................................................546
Examples...................................................................547
Tagged Attributes..........................................................547

Attributes in User Profiles................................................547
Configuration Attributes...................................................548

Local Authorization Service (LAS) Configuration............................549
Simultaneous-Use Attribute.................................................550
Attributes Concerning OTP Authentication...................................550

Check (and Deny) Items.....................................................550
Attributes Concerning the NAS..............................................551
Policy Attributes..........................................................552
Other Attributes...........................................................552

Reply Items................................................................553
General Attributes.........................................................554
Attributes Concerning Login Users..........................................556
Attributes for Framed Users................................................556
Tunneling Attributes.......................................................558
Other Attributes...........................................................560

Attributes in Accounting Records...........................................561
Additional Session Information.............................................561

35 MIB Objects.............................................................566
MIB Objects................................................................566

A Supported IETF RFCs......................................................573
B Supported Authentication Methods.........................................575
C RADIUS Data Packets......................................................577

Data Packet Format...........................................................................................................577


Attribute-Value Pair Format................................................578
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK......579

Header Files and Data Structures in the SDK................................579
APIs in the HP-UX AAA Server SDK...........................................579

A-V Pair APIs..............................................................580
sdk_avp_t *sdk_avp_allocate().............................................580
void sdk_avp_free()........................................................580
int sdk_get_avp_info().....................................................580
int sdk_set_avp()..........................................................581
int sdk_set_vend_avp().....................................................581

Authreq APIs...............................................................582
sdk_avp_t *sdk_find_avp()..................................................582
sdk_avp_t *sdk_find_vend_avp().............................................583
int sdk_del_avp()..........................................................584
int sdk_insert_avp().......................................................584
int sdk_get_authreq_info().................................................585

Logging APIs...............................................................587
int sdk_logit()............................................................587
int sdk_log_debug()........................................................588

Asynchronous Event and I/O APIs............................................589
int sdk_pollfd_register()..................................................590
int sdk_pollfd_unregister()................................................590
int sdk_schedule_event()...................................................590

Secondary APIs.............................................................591
sdk_authreq_t *sdk_get_authreq_by_id()....................................591
char *sdk_get_config_dir().................................................591
int sdk_set_authreq_info...................................................591
int sdk_get_client_info()..................................................592
int sdk_decrypt_passwd()...................................................593
int sdk_encrypt_passwd()...................................................594
sdk_authreq_t * sdk_authreq_allocate.......................................594
void sdk_authreq_free......................................................594
int sdk_enqueue_authreq....................................................594

E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server.596
Expressions................................................................596
Specifying Attributes in Group Entries.....................................597

Dynamic Access Control.....................................................597
Internal Values............................................................598

Using Indirection..........................................................598
Example Group Entries......................................................599

DNIS.grp for DNIS Routing........................................................................................599


DAC.grp for Dynamic Access Control.........................................600
Glossary of Terms..........................................................603
Index......................................................................609


List of Figures

1-1 Typical AAA Network Topology...........................................36
1-2 Client-Server RADIUS Transaction........................................37
1-3 Authentication Process..................................................40
1-4 Default Action Sequence.................................................42
1-5 Authentication Steps....................................................43
1-6 Authorization Steps.....................................................45
4-1 Return Value After Successfully Starting a AAA Server...................75
4-2 Server Manager’s Start Options Screen...................................75
4-3 Algorithm for Determining Which FSM to Load.............................80
5-1 The HP-UX AAA Server Manager User Interface.............................89
6-1 Server Manager’s Connected Server Screen................................91
6-2 The Add Connection Screen...............................................91
6-3 The Modify Connection Screen............................................92
6-4 The Delete Server Connections Screen....................................93
6-5 Server Manager’s Server Status Frame....................................94
6-6 Server Manager’s Load Configuration Screen..............................95
6-7 Server Manager’s Save Configuration Screen..............................96
7-1 Server Manager’s Access Device Screen..................................100
7-2 Server Manager’s Access Device Attributes Screen.......................101
7-3 The Delete Access Device Screen........................................104
8-1 Server Manager’s Local Realms Screen...................................105
8-2 Server Manager’s Local Realm Attributes Screen.........................106
8-3 The Delete Local Realm Screen..........................................111
8-4 User Storage Parameters for Database Access via SQL....................112
9-1 Proxy Configuration....................................................117
9-2 Server Manager’s Proxy Screen..........................................118
9-3 Server Manager’s Proxy Attributes Screen...............................119
9-4 The Delete Proxy Screen................................................126
10-1 Server Manager’s Users Screen.........................................127
10-2 The Add Users Screen..................................................128
10-3 The Modify Users Screen...............................................131
10-4 The Delete Users Screen...............................................132
11-1 Server Manager’s Server Properties Screen.............................133
12-1 Server Manager’s Logfile Screen.......................................143
12-2 Server Manager’s Statistics Screen....................................145
12-3 AAA Server Statistics Example.........................................145
12-4 Accounting Logfile Search Screen in Server Manager....................146
12-5 Detailed Accounting Record for a Selected User........................147
13-1 The Secure LAN Advisor For Securing WLANs.............................160
13-2 Server Manager’s Certificate Properties Screen........................167
14-1 Sessions Search Filter Screen.........................................169


14-2 Example Return for a Sessions Search..................................170
14-3 Example of a Session’s Attributes.....................................170
15-1 The Users Screen......................................................174
15-2 The Framed User Attributes Form.......................................175
15-3 The Users Screen......................................................176
15-4 The Framed User Attributes Form.......................................177
16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server.181
16-2 OTP Authentication Configuration Flowchart for RADIUS Standard Password.185
16-3 OTP Authentication Configuration Flowchart for MS-CHAP v2.............186
16-4 Usage of Bit Masks to set OTP Authentication Actions..................190
17-1 EAP-SIM Authentication Using HP-UX AAA Server.........................225
18-1 HP-UX AAA Server Deployment for Scalability and High-Availability.....275
18-2 Server Connections....................................................278
18-3 Adding a Group........................................................278
18-4 Sample Group Created..................................................279
18-5 Modify Group..........................................................279
18-6 Adding a Server.......................................................280
18-7 Selecting the Server for Loading......................................285
18-8 Loading Configuration Completed.......................................285
18-9 Cloning Server........................................................286
18-10 Saving Configuration.................................................286
19-1 CLIENT AATV Flowchart.................................................294
20-1 HP-UX AAA Server Performing Dynamic Authorization Operation...........298
20-2 Dynamic Authorization Request Processing..............................300
20-3 Flowchart for Basic and Advanced Configuration........................301
20-4 Multiple HP-UX AAA Servers in a Group for Dynamic Authorization.......305
20-5 Server Properties.....................................................309
20-6 Server Properties (CLIENT)............................................309
20-7 Server Properties: Modify Property....................................310
20-8 Client Action Properties..............................................310
20-9 Server Properties.....................................................314
20-10 Server Properties (CLIENT)...........................................315
20-11 Server Properties: Modify Property...................................315
20-12 Client Action Properties.............................................315
20-13 Dynamic Authorization in Authorize Only Mode.........................316
20-14 Proxy Functionality..................................................320
20-15 Server Properties....................................................323
20-16 Server Properties (CLIENT)...........................................323
20-17 Server Properties: Modify Property (Event Timestamp).................324
20-18 Server Properties....................................................325
20-19 Server Properties (CLIENT)...........................................326
20-20 Reverse Path Forwarding Check........................................326
22-1 SQL Access Components.................................................339
22-2 RADIUS Attribute to SQL Statement Mapping.............................341


22-3 The User Database Administration Manager..............................375
22-4 The Add User Screen...................................................376
22-5 The Token Validate Screen.............................................379
22-6 The Enroll Token Screen...............................................381
22-7 The Synchronize Token Screen..........................................382
22-8 The User Statistics Screen............................................383
26-1 Default FSM State Transitions.........................................397
27-1 Flow of the Request Ingress Policy....................................436
27-2 Flow of the User Policy...............................................437
27-3 Flow of the Reply Egress Policy.......................................438
27-4 Flow of the Proxy Egress Policy.......................................439
27-5 Flow of the Proxy Ingress Policy......................................440
28-1 SDK Plug-in Example...................................................447
29-1 AAA Environment Components............................................465
29-2 HP-UX AAA Server Operation............................................466
30-1 Troubleshooting Flowchart.............................................470
C-1 RADIUS Request/Reply Message Format...................................577
C-2 Attribute-Value Pair Format............................................578


List of Tables

1 HP-UX AAA Server Administrator’s Guide Printing History...................28
2 HP-UX 11i Releases........................................................30
1-1 Commands, Utilities, and Daemons.......................................41
1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies.46
3-1 File Locations Upon Installation........................................56
3-2 Files Generated During Operation........................................63
3-3 Ports Associated with RMI Objects that must be Configured...............67
4-1 Server Start Options....................................................75
4-2 radiusd Options.........................................................77
4-3 New Server Connection Screen Fields.....................................82
6-1 Fields in the Connection Attributes Form................................91
6-2 Icons in Server Manager’s Server Status Frame...........................94
7-1 Add Access Device Configuration Form Options...........................102
8-1 Fields in the Local Realm Attributes Form..............................106
8-2 Special Entries........................................................110
8-3 Values for Configuring Realms for LDAP.................................113
9-1 Proxy Configuration Options............................................120
9-2 Options for Forwarding Requests........................................122
9-3 Accounting Logging Options.............................................124
10-1 General Attributes in the Add User Screen.............................129
11-1 DHCP Relay Properties.................................................133
11-2 DNS Update Properties.................................................134
11-3 Message Handling Properties...........................................135
11-4 Certificate Path Properties...........................................137
11-5 ProLDAP Properties....................................................139
11-6 AAA Server As A Client Properties.....................................140
11-7 Client Action Properties..............................................141
12-1 Filter Parameters for Searching Logfiles..............................143
12-2 Statistic Search Parameters...........................................145
12-3 Accounting Logfile Search Parameters..................................146
12-4 Reasons Why The Record Was Generated..................................148
13-1 LAN Configuration Items...............................................161
13-2 Supported EAP Methods and Their Features..............................163
16-1 Supported OTP Functions for PAP and MS-CHAP v2........................182
16-2 Bit Masks to Configure OTP Authentication Tasks.......................188
16-3 Common OTP Authentication Actions.....................................190
16-4 Attributes for Configuring OTP Authentication.........................192
16-5 System-Wide OTP Configuration Items...................................196
16-6 SQL actions and Stored Procedures that Support OTP Authentication.....218
17-1 The iaaaFile authfile Configuration Parameters........................230
17-2 EAP.authfile Configuration Parameters.................................233


17-3 The aaa.config Configuration Block Parameters (page 235)
17-4 AKA Vector Parameters (page 240)
17-5 EAP.authfile Configuration Parameters (page 242)
17-6 The aaa.config Configuration Block Parameters (page 247)
17-7 EAP.authfile Configuration Parameters (page 249)
17-8 The aaa.config Configuration Block Parameters for Fast Re-authentication (page 251)
17-9 Vendor-Specific Attributes for Fast Re-Authentication Database Update AATV (page 253)
17-10 Vendor-Specific Attributes for Fast Re-Authentication Database Lookup AATV (page 254)
17-11 Lookup AATV Output Attributes (page 255)
17-12 EAP.authfile Configuration Parameters (page 258)
17-13 The aaa.config Parameters for Algorithm-based Pseudonym Identity (page 260)
17-14 Vendor-Specific Attributes for Pseudonym Database Update AATV (page 264)
17-15 Vendor-Specific Attributes for Pseudonym Database Lookup AATV (page 265)
17-16 Lookup AATV Output Attributes (page 266)
17-17 Lookup AATV Attributes for EAP-SIM (page 267)
17-18 Lookup AATV Attributes for EAP-AKA (page 267)
17-19 3GPP Milenage Parameters (page 269)
17-20 Configuration Parameters of aatv.3GPP-Milenage{} Block (page 270)
18-1 Server Attributes (page 281)
18-2 rad_admin Options (page 287)
19-1 APIs Supporting Client Functionality (page 294)
19-2 Pre-defined Mapping Functions for Client Functionality (page 296)
19-3 Internal Attributes for Client Functionality (page 296)
20-1 SQL Actions that Support Dynamic Authorization (page 327)
20-2 SQL Actions that Support Dynamic Authorization in Groups (page 329)
20-3 Tables and Stored Procedures in the dbsetup.sql.dynauth_server_group File (page 331)
21-1 The HP-UX AAA Server LDAP Schema (page 336)
22-1 The sqlaccess.config Sample File (page 343)
22-2 Database Access Parameters (page 351)
22-3 Input Mapping Data Types and Syntax (page 354)
22-4 Output Mapping Data Types and Syntax (page 354)
22-5 RAD Mapping Parameters (page 355)
22-6 DBC Mapping Parameters (page 357)
22-7 DBP Mapping Parameters (page 358)
22-8 Pre-defined Mapping Functions (page 360)
22-9 Pre-defined Conversion Functions (page 361)
22-10 Return Values and Description for OCI and ODBC APIs (page 365)
22-11 Fields in the Add Users Form (page 376)
22-12 Fields in the Enroll Token Device Form (page 381)
22-13 Fields in the Synchronize Token Form (page 383)
22-14 Valid Token Status Values (page 384)
22-15 Internal Attributes for Implementing Multi-Row Functionality (page 385)
26-1 Predefined Event Names (page 400)


26-2 Available Actions (page 403)
26-3 Predefined FSM Tables (page 405)
27-1 Examples Illustrating the Use of the delete Command (page 414)
27-2 Behavior of the insert Command in Various Scenarios (page 416)
27-3 Examples Illustrating the Use of the insert Command (page 416)
27-4 Examples Illustrating the Use of the modify Command (page 418)
27-5 Examples of the strcat Attribute Function (page 425)
27-6 Supported Arithmetic Operators (page 431)
27-7 Supported Boolean Operators (page 432)
27-8 Compatible Attribute Types (page 435)
27-9 Attributes Typically Used in Policy Group Conditions and Replies (page 440)
27-10 Interlink-specific Attributes Used by DAC (page 442)
30-1 Common Problems with the Server Manager (page 473)
30-2 Common Problems with HP-UX AAA Server Startup (page 478)
30-3 Common Configuration Problems (page 484)
30-4 External Service Failure Problems (page 488)
30-5 Common Authentication Failure Problems (page 494)
30-6 EAP Problems (page 503)
30-7 (page 506)
31-1 Debugging Levels in the HP-UX AAA Server (page 512)
33-1 Dynamic Authorization-Related Configuration Items (page 525)
33-2 Default LAS Session Timing Parameters (page 536)
33-3 Information Recorded by LOG_V2_o (page 541)
34-1 Reply Item Attributes (page 553)
34-2 Session Termination Causes (page 563)
35-1 MIB Objects and Definitions (page 566)
A-1 Supported IETF RFCs (page 573)
A-2 Additional IETF RFCs Supported by HP-UX AAA Server (page 573)
A-3 AAA RFCs Supported by HP-UX AAA Server (page 574)
C-1 RADIUS Request/Reply Message Format Description (page 577)
C-2 Attribute Value Pair Format Description (page 578)
D-1 Actions Performed as a Result of the loc_avp A-V Pair (page 585)
D-2 Information Types (page 586)
D-3 HP-UX AAA Server Debug Levels (page 589)
D-4 Possible Values of the infotype Parameter (page 592)
E-1 A-V Pair Expression Operators (page 596)
E-2 A-V Pair Expression Examples (page 597)


List of Examples

22-1 Define the Oracle Database Connection Parameters (page 352)
22-2 Define the MySQL Database Connection Parameters (page 352)
22-3 User and Password Input and Output Mappings (page 359)
22-4 SQL Statement to Delete a Row (page 363)
22-5 SQL Statement with Result Mapping - OCI (page 367)
22-6 SQL Statement with Result Mapping - OCI Using the New Syntax (page 368)
22-7 SQL Action with Null Source and Target Mappings (page 371)
22-8 Timestamp Synchronization (page 372)
22-9 FSM with Accounting Log via SQL Access (page 373)
22-10 Remove Session Stored Procedure Definition (page 374)
27-1 An example of a policy file that restricts Session-Timeout to one hour for guests, removes unwanted attributes, and provides administrative privileges to administrators (page 413)
27-2 Examples Illustrating the Use of the if Command (page 421)
27-3 Examples Illustrating the Use of the offset Keyword (page 427)
27-4 Examples Illustrating the Use of the before Keyword (page 428)
27-5 Examples Illustrating the Use of the after Keyword (page 429)
27-6 Using arithmetic expressions (page 432)
27-7 Examples Illustrating Precedence Rules (page 434)
28-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX AAA Server SDK (page 447)
33-1 Examples of NAS-IPv6-Address Attribute Syntax (page 529)
33-2 Examples of Framed-Interface-Id Attribute Syntax (page 529)
33-3 Examples of Framed-IPv6-Prefix Attribute Syntax (page 529)
33-4 Examples of Login-IPv6-Host Attribute Syntax (page 530)
33-5 Example of a Framed-IPv6-Route Attribute Syntax (page 530)
33-6 Example of a Framed-IPv6-Pool Attribute Syntax (page 530)


About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.

The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, subscribe to the appropriate product support service. Contact your HP sales representative for details.

The latest version of this document is available at:
http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29.

Intended Audience

This document is intended for HP-UX AAA Server administrators who understand the HP-UX operating system.

New and Changed Information in This Edition

The following additions and changes are made for edition 10:

• Includes support for log level filters. For details, see “Starting HP-UX AAA Servers From the Command Line” (page 77).
• Includes support for string concatenation in policy files. For details, see chapter “The strcat Attribute Function” (page 425).
• Includes support for arithmetic operations in policy files. For details, see “Arithmetic Expressions” (page 431).

Other minor changes have been made throughout the document, as required.

Document Organization

The HP-UX AAA Server A.08.01 Administrator's Guide is organized as follows:

• Part I — Introduction provides general information about the HP-UX AAA Server product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.

• Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager GUI describes how to use the Server Manager to administer your AAA environment.


• Part III — Advanced Configuration Information provides information on advanced topics, such as securing LAN access using EAP, session management, assigning IP addresses, configuring OTP and two-factor authentication, configuring for EAP-SIM and EAP-AKA authentication methods, configuring for scalability and high-availability, configuring for the client functionality, and configuring for the dynamic authorization capability of the HP-UX AAA Server.

• Part IV — Integrating the HP-UX AAA Server With External Services describes how to integrate the HP-UX AAA Server with external services such as Lightweight Directory Access Protocol (LDAP), SQL Access, Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and Virtual Private Network (VPN).

• Part V — Customizing the HP-UX AAA Server describes how to customize the HP-UX AAA Server to meet various deployment scenarios.

• Part VI — Troubleshooting provides guidelines and error messages to help troubleshoot issues with the HP-UX AAA Server.

• Part V — Reference provides information to supplement the task-based information in the previous parts of the document. Use the information in this section to learn more about non-task-based topics such as configuration files, and attribute-value pairs.

• Appendix A (page 573) lists all the RFCs that are supported by the HP-UX AAA Server.

• Appendix B (page 575) lists and describes all the authentication methods that are supported by the HP-UX AAA Server.

• Appendix C (page 577) provides information about the RADIUS data packet format.

• Appendix D (page 579) lists and describes all the header files, data structures, and APIs included in the HP-UX AAA Server SDK.

• Appendix E (page 596) discusses the syntax of decision files that are supported by previous versions of the HP-UX AAA Server.

Publishing History

The following table shows the printing history of this document. The first entry in the table corresponds to the current edition, and previous editions are listed in reverse chronological order.

Table 1 HP-UX AAA Server Administrator’s Guide Printing History

Supported OS                         Supports Software Version   Document Release Date (month/year)   Document Part Number
HP-UX 11i v2 and HP-UX 11i v3        A.08.01                     05/10                                T1428-90072
HP-UX 11i v2 and HP-UX 11i v3        A.08.00                     02/09                                T1428-90071
HP-UX 11i v1, 11i v2, 11i v3         A.07.01                     03/08                                T1428-90066
HP-UX 11i v1, 11i v2, 11i v3         A.07.00                     09/07                                T1428-90064
HP-UX 11i v1, 11i v2                 A.07.00                     09/06                                5991-6434
HP-UX 11i v1, 11i v2                 A.06.02                     11/05                                T1428-90061
HP-UX 11.00, 11i v1, 11i v2          A.06.01.x                   01/04                                T1428-90050
HP-UX 11.00, 11i v1                  A.06.01.x                   10/03                                T1428-90042
HP-UX 11.00, 11i v1                  A.06.00.08                  04/03                                T1428-90025
HP-UX 11.00, 11i v1                  A.06.00.07                  02/03                                T1428-90014
HP-UX 11.00, 11i v1                  A.05.01.01                  06/02                                T1428-90001

Typographic Conventions

This document uses the following typographical conventions:

audit(5)      An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man(1).
Book Title    The title of a book. On the web and on the Instant Information CD, it may be a link to the book itself.
KeyCap        The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis      Text that is emphasized.
Emphasis      Text that is strongly emphasized.
Term          The defined use of an important word or phrase.
ComputerOut   Text displayed by the computer.
UserInput     Commands and other text that you type.
Command       A command name or qualified command phrase.
Variable      The name of a variable that you may replace in a command or function or information in a display that represents several possible values.
[ ]           The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{ }           The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...           The preceding element can be repeated an arbitrary number of times.
|             Separates items in a list of choices.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.

Table 2 HP-UX 11i Releases

Release Name    Release Identifier
HP-UX 11i v1    B.11.11
HP-UX 11i v2    B.11.23
HP-UX 11i v3    B.11.31

Related Information

In addition to this document, additional information about the HP-UX AAA server can be found in the Internet and Security Solutions collection under AAA Server (RADIUS) at:
http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs.

Send your comments to: [email protected]

Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.


Part I Introduction

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:

• Chapter 1: “Overview: The HP-UX AAA Server” (page 34)
• Chapter 2: “Upgrading to Version A.08.01” (page 49)
• Chapter 3: “Installing and Securing the HP-UX AAA Server” (page 54)
• Chapter 4: “Enabling the HP-UX AAA Server for GUI-based Administration” (page 71)


Table of Contents

1 Overview: The HP-UX AAA Server (page 34)
    RADIUS Topology (page 35)
    Establishing a RADIUS Session (page 36)
    Product Structure (page 38)
        HP-UX AAA Server Daemon, Libraries, and Utilities (page 38)
        HP-UX AAA Server Manager Program (page 38)
        Documentation (page 38)
    HP-UX AAA Server Architecture (page 39)
        Configuration Files (page 40)
        AATV Plug-Ins (page 40)
        The Software Engine: Finite State Machine (page 40)
    HP-UX AAA Server Commands, Utilities and Daemons (page 41)
    Handling an Access Request (page 41)
        Authentication to Verify the Client and User (page 42)
        Authorization to Control Sessions and Access to Services (page 44)
            Authorization Steps (page 45)
    Session Logs For Accounting (page 48)
    IPv6 Support for External Services (page 48)
        HP-UX AAA Server as a Client (page 48)

2 Upgrading to Version A.08.01 (page 49)
    The HP-UX AAA Server Upgrade Process (page 49)
    Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01 (page 49)
    Upgrading from Version A.06.00.x to Version A.08.01 (page 51)
    Upgrading from Version A.05.x to Version A.08.01 (page 53)
    Merging the Dictionary File (page 53)
    Merging the radius.fsm File (page 53)
    Merging the vendors File (page 53)

3 Installing and Securing the HP-UX AAA Server (page 54)
    Acquiring the HP-UX AAA Server Software (page 54)
    Installing and Uninstalling the HP-UX AAA Server (page 54)
        To Install the HP-UX AAA Server (page 54)
        To Uninstall the HP-UX AAA Server Software (page 55)
    HP-UX AAA Server File Locations (page 56)
    Securing the HP-UX AAA Server (page 63)
        Changing the Default HP-UX AAA Server Settings (page 63)
            Changing the Default Tomcat User Name and Password (page 63)
            Changing the Default RMI Objects Secret (page 64)
            Changing the Default test_user Settings (page 64)
            Changing the Default localhost Proxy Settings (page 64)
        Environment Specific Security Procedures (page 64)


            Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration (page 64)
            Creating a Tomcat Identity Specifically for the HP-UX AAA Server (page 66)
            Running the HP-UX AAA Server on Hosts with System Hardening Software (page 67)
            Running the HP-UX AAA Server as a Non-Root User (page 68)
            Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot (page 68)

4 Enabling the HP-UX AAA Server for GUI-based Administration (page 71)
    Accessing the Server Manager (page 71)
        Starting and Stopping the RMI Objects (page 72)
        Starting and Stopping Tomcat (page 72)
    Testing the Installation (page 72)
        To Test the Installation (page 72)
    Starting HP-UX AAA Servers Using Server Manager (page 74)
        AAA Server Start Options (page 75)
        Server Manager’s Reload Feature (page 76)
    Starting HP-UX AAA Servers From the Command Line (page 77)
    Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot (page 80)
    Stopping or Restarting HP-UX AAA Servers (page 81)
        Using Server Manager (page 81)
        From the Command Line (page 81)
    Adding an HP-UX AAA Server to Your Network (page 82)


1 Overview: The HP-UX AAA Server

The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.

A RADIUS AAA server provides authentication (verifying user credentials), authorization (supplying provisioning information for the user), and accounting (storage of usage information into accounting logs) services to devices and software applications (AAA clients) that support the IETF RADIUS standards.

The AAA or RADIUS client is the access device or application that acts as an enforcement point to control access to a resource. The user device itself or application requesting access to the resource is referred to as the supplicant.


RADIUS Topology

The RADIUS protocol follows the client-server architecture. The client sends user information to the AAA server using Access-Request or Accounting-Request messages. The AAA server processes the request locally, or, if acting as a proxy server, forwards (proxies) the request to a secondary RADIUS Server.

When processing a RADIUS request locally, the AAA server can utilize additional external services (LDAP, external database access, DHCP, and so on) to service the request.

The processing of RADIUS requests is usually configured on a per-realm basis. A realm is a group of users sharing a common component in the Network Access Identifier (NAI) attribute in the RADIUS request (for example, "example.org" is the realm component for "[email protected]").

In Figure 1-1 (page 36), a sample Internet Service Provider (ISP) uses four AAA servers to handle user requests. User organizations are grouped into realms. Each user connects to one of the ISP's servers through a local Network Access Server (NAS). The NAS sends a RADIUS Access-Request containing the user's credentials to one of the AAA servers. In turn, the AAA server accesses user and policy information from the repository specified for the user's realm. The repository can be in flat text files associated with the AAA Server, an external database or LDAP Server, or an HP-UX Unix user repository. When authenticating users stored in replicated LDAP directory servers or databases, the server can be configured to perform load balancing and failover to achieve greater scalability and availability.


Figure 1-1 Typical AAA Network Topology

Establishing a RADIUS Session

A RADIUS session tracks the life of a user session through a series of message exchanges. RADIUS sessions are used to limit simultaneous access to a resource for users who share the same credential, and to manage the allocation and release of IP addresses acquired on behalf of the user by the AAA server. Figure 1-2 (page 37) illustrates the transaction between a RADIUS AAA server and a client:


Figure 1-2 Client-Server RADIUS Transaction

When the user's device connects to the client, the client sends a RADIUS Access-Request to the AAA server. When the server receives the request, it validates the sending client. If the client is permitted to send requests to the server, the server then takes information from the Access-Request and attempts to match the request to a user profile. If all conditions are met, the server sends an Access-Accept packet to the client; otherwise, the server sends an Access-Reject packet. An Access-Accept data packet often includes authorization information that specifies the services the user can access and other session information, such as a timeout value that indicates when the user must be disconnected from the system.

When the client receives an Access-Accept packet, it generates an Accounting-Request to start the session and sends the request to the server. The Accounting-Request data packet describes the type of service being delivered and the user of the service. The server then responds with an Accounting-Response to acknowledge that the request was successfully received and recorded. The user's session ends when the client generates an Accounting-Request to stop the session, triggered by the user, the client, or an interruption in service. The server acknowledges the Accounting-Request with an Accounting-Response.


Product Structure

The HP-UX AAA Server is based on the client-server architecture. The HP-UX AAA Server consists of the following components:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager program that performs administration and configuration tasks from a web browser for one or more AAA servers
• Documentation (Administrator’s Guide, READMEs, and the Secure LAN Advisor help system)

NOTE: To secure the communication between the Server Manager and the HP-UX AAA Server, install the Server Manager and the HP-UX AAA Server in a secure network.

HP-UX AAA Server Daemon, Libraries, and Utilities

The server daemon, libraries, and utilities perform the authentication, authorization, and accounting functions while processing requests. The HP-UX AAA Server also includes the AAA RMI objects. The RMI objects provide communication between the HP-UX AAA Server and the HP-UX Tomcat-based Servlet Engine, which hosts the HP-UX AAA Server Manager.

HP-UX AAA Server Manager Program

The HP-UX AAA Server Manager uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more HP-UX AAA Servers. The Server Manager is used for configuring and managing the servers. In addition, the Server Manager can retrieve logged server sessions and accounting information for an administrator. By specifying a set of HP-UX AAA Servers, the Server Manager can be used to manage a group of HP-UX AAA Servers with a common configuration.

Documentation

The following documentation is accessible through the Server Manager:
• Context-sensitive help on the Server Manager's buttons and options
• A Secure LAN Advisor help system to guide you through securing your Wireless Local Area Networks (WLANs) with the HP-UX AAA Server. The Secure LAN Advisor provides information only; it does not edit configuration files.
• The HP-UX AAA Server Administrator's Guide in .pdf format. Use this document for step-by-step instructions on configuring the HP-UX AAA Server.


IMPORTANT: For the most recent product documentation, see http://www.docs.hp.com.

HP-UX AAA Server Architecture

The HP-UX AAA Server architecture consists of the following components:
• Configuration files. Files that provide the information necessary for the server to perform authentication, authorization, and accounting requests for your system. In most cases, these files can be modified by using the Server Manager.
• AATV plug-ins. Dynamically loaded libraries that perform discrete actions, such as initiating an authentication request, replying to an authentication request, or logging an accounting record.
• The radiusd software engine, which includes the Finite State Machine (FSM) and associated routines. At server startup, the FSM reads instructions from the state table in the /etc/opt/aaa/radius.fsm configuration file. The state table outlines what AATV actions to call and in what order to call them.

When the server is initialized, it loads and initializes the AATV plug-ins. It also reads the configuration files to initialize the data required for the actions to execute according to the application's requirements. Figure 1-3 illustrates the general process of server initialization and response to an authentication request.


Figure 1-3 Authentication Process

Configuration Files

For detailed information on the server configuration files, see Chapter 33: “Configuration Files” (page 519).

AATV Plug-Ins

An AATV plug-in defines the actions that perform a variety of functions, including authenticating requests, authorization, and logging. Built-in actions support authentication of users using information from several different repositories, and accounting requests using several different policies and storage formats. For more information on these built-in actions, see “Actions” (page 403).

The Software Engine: Finite State Machine

The Finite State Machine (FSM) controls the step-by-step process that the server follows to process and respond to an authentication request. You can configure the FSM to customize your server configuration without programming software modules. For more information on the Finite State Machine, see Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396).

HP-UX AAA Server Commands, Utilities and Daemons

Table 1-1 provides an overview of the HP-UX AAA Server commands, utilities, and daemons.

Table 1-1 Commands, Utilities, and Daemons

Command       Description

radcheck      Sends RADIUS status and protocol requests to a AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational. The radcheck utility can be invoked on any host by any user. However, the HP-UX AAA Server returns more information to registered clients.

raddbginc     Sets the debug logging level for a running HP-UX AAA Server. Turns debugging on and off, or sets the level of output, while the AAA Server is running.

radsignal     Rolls over the server log file and accounting stream while the AAA Server is running. Also sets the log level based on the RADIUS message type.

radiusd       RADIUS server daemon. Services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests are transmitted to the radiusd daemon in the form of UDP packets that conform to the RADIUS protocol. The radiusd daemon can be started from the Server Manager, from the command line, or at boot time using the /etc/rc.config.d/radiusd.conf file.

rad_admin.sh  Tool to administer one or more HP-UX AAA Servers configured on the host.

radpwtst      RADIUS client utility that can process commands to send requests to and check responses from a RADIUS server. This can be used as a Dynamic Authorization Server to receive and respond to Disconnect and CoA requests.

Handling an Access Request

When the HP-UX AAA Server receives a RADIUS message, it calls the FSM and defines a starting event according to the type of message. This event is stored in the Interlink-Proxy-Action attribute. In the default FSM, the first action for all requests is the request-ingress POLICY. If this POLICY is executed successfully, the next action is determined by the event stored in Interlink-Proxy-Action. By default, for an Access-Request this action is iaaaUsers. Figure 1-4 (page 42) shows how the FSM actions interact to process the Access-Request for authentication and authorization.


Figure 1-4 Default Action Sequence

Authentication to Verify the Client and User

The authentication of an access request has a number of distinctive steps, as shown in Figure 1-5 (page 43). The rounded rectangles represent configuration files that the HP-UX AAA Server uses and the ovals represent one or more authentication types.


Figure 1-5 Authentication Steps

Authentication Steps

The following lists the authentication steps followed by the HP-UX AAA Server:
1. After the HP-UX AAA Server receives an Access-Request, it attempts to match the client making the request to an entry in the clients file. The server attempts to authenticate a request only if a match can be made.


2. The iaaaUsers action checks the local users file. In this step, the User-Name attribute value from the Access-Request is used to find an entry for the user in the /etc/opt/aaa/users file.
   • If User-Name matches an entry, the server retrieves that profile and then authentication moves to step 5.
   • If User-Name does not match an entry, authentication moves to step 3.

3. If the iaaaUsers action does not find a matching user profile in the users file, the FSM calls the iaaaRealm action. The iaaaRealm action parses the User-Name attribute value for a realm name, and searches authfile to determine the data store where the user profiles for the parsed realm are located. A default entry can be used to handle any realms that are not explicitly configured in authfile.

NOTE: If no realm is specified in the NAI, the server assigns the value NULL for the realm. You can configure NULL realm behavior in the same manner as named realms.

4. The iaaaRealm action calls another action that attempts to retrieve a matching user profile from the data store for the realm, as indicated by authfile:
   • A realm-specific AAA users file;
   • An external data store, such as LDAP or a database;
   • A Unix user profile service via the getpwent() system call.
   If the realm is defined as a proxy, the RADIUS request is forwarded to the target RADIUS server defined for this realm.

5. The user is authenticated according to the protocol established by the Access-Request. If a password-based protocol (PAP, CHAP, MSCHAP) is specified, the user's password is verified. If an EAP method is used, mutual authentication is carried out according to the EAP type (PEAP, TLS, or TTLS).

If User-Name matches no entry, either in a local text file or an external data source, the authentication fails.

Authorization to Control Sessions and Access to Services

The HP-UX AAA Server can authorize users using one of the following methods:
• Provisioning on a user-by-user basis with check items and by adding reply items to an Access-Accept message (simple policy)
• Through Local Authorization Server (LAS) functions based on realms
• Through stored policy decisions based on other logical groups that can add check and reply items to the request

Like authentication, the authorization of an access request has a number of distinctive steps, as shown in Figure 1-6 (page 45). The rounded rectangles represent configuration files and the ovals represent one or more actions called by the FSM.


Figure 1-6 Authorization Steps

Authorization Steps

1. The server receives the Access-Request.
2. The server evaluates the request-ingress policy. This is the first step in the FSM, before the request is dispatched for processing. The request-ingress policy can be used to alter the request in one of the following ways:
   • A-V pairs may be added, changed, or removed.
   • The request classification may be altered.
   • The request may be rejected immediately.
   • The request may be dropped entirely, and no reply is sent.
   If the request-ingress policy is evaluated successfully, the HP-UX AAA Server continues with the authorization process.

3. If a request is being proxied, then the HP-UX AAA Server evaluates the proxy-egress and proxy-ingress policies. The HP-UX AAA Server applies the proxy-egress policy before the RADIUS proxy request message is created and sent. The proxy-ingress policy is applied after the proxy response is received. Table 1-2 describes how these policies are used to alter requests.


Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies

Use of the proxy-egress Policy:
• A-V pairs can be added, modified, or removed.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
• The proxy target host may be changed.

Use of the proxy-ingress Policy:
• A-V pairs can be added, modified, or removed.
• The reply type may be altered.
• The request may be dropped entirely and no reply is sent.
• The request may be rejected immediately.

4. Check Items. After authentication, each check item in the user profile is processed or matched against the request's corresponding Attribute-Value (A-V) pairs.
   • If all the check and deny items associated with User-Name are satisfied, the CHK_DNY action returns an ACK value to the FSM.
   • If any check or deny item, including the user's password, is not matched correctly, the authentication module returns a NAK value to the FSM. The request fails, and an Access-Reject message is returned to the client.

5. User Policy. All requests are subjected to user policy after authentication; the user policy is applied only after successful authentication. A user policy can be specified in a Policy-Pointer attribute on the request as either a check item or a reply item. If the Policy-Pointer attribute is found in the check items, the HP-UX AAA Server does not look for one in the reply items. The value of the Policy-Pointer attribute should specify the URL of the decision file to be evaluated. If a request contains a Policy-Pointer attribute, as either a check item or a reply item, the specified policy is applied. If the request does not contain a Policy-Pointer, no user policy is applied; in this case the POLICY action returns an ACK event to the FSM.
   Some policies that can be implemented include:
   • Dialed Number Identification Service (DNIS): routing requests according to the number called from or called;
   • Grouping users by NAS addresses or ports;
   • Controlling session duration, concurrent usage, or delivered services by logical groupings defined by the contents of specified A-V pairs;
   • Controlling access according to any time-based criteria.

6. Local Authorization Server (LAS). The LAS refers to the routines and code in the server that handle authorization. The LAS and POSTLAS actions are part of the LAS. Session control with LAS is based on realms. Local session tracking must be explicitly enabled for a realm via the Server Manager or the /etc/opt/aaa/las.conf file. If the realm is not listed, LAS does not enforce any session control for users from that realm. When the LAS handles an Access-Request for a user in a local realm configured in the las.conf file, the LAS module performs the following actions:
   • Checks the user profile for a Simultaneous-Session attribute-value pair, which determines the maximum number of active sessions the user can have. The default value is 1.
   • Authorizes or denies service based on Service-Class.
   The POSTLAS action performs Simultaneous Access Token (SAT) control, which is used to implement realm-based simultaneous session control.

NOTE: HP recommends that you do not enable local session tracking for any realms that use session management via SQL Access.

7. Reply items refer to the generation of an Access-Accept or Access-Reject message by the ReplyPrep action. By adding reply items to a user's profile or through policy decisions, ReplyPrep can provide a NAS with provisioning information in an Access-Accept data packet. Depending on the capabilities of the NAS, the reply items can be used to control a user's session. For example, the following user entry limits the length of the session and the hosts that can be accessed:

   [email protected] Password = "public"
       Filter = "library",
       Session-Timeout = 3600

   Users can authenticate as [email protected] using password public to connect for one hour (3600 seconds) to the library hosts that the filter library allows. The ReplyPrep action also checks for a Service-Type value, equates the value with user entries, and then appends reply items to the request accordingly. The attribute values for these items specify the default values to use when configuring the connection specified by Service-Type. The special user entries are not used for authentication; the reply items for one of these entries are appended to a request from any user requesting the corresponding service type. If duplicate A-V pairs exist, pruning is applied to determine the A-V pair that must be included in the Access-Accept or Access-Reject message.

8. The HP-UX AAA Server evaluates the reply-egress policy just before the RADIUS reply message is created and sent. The reply-egress policy can be used to alter the request in one of the following ways:
   • A-V pairs may be added, modified, or removed.
   • The reply type may be modified.
   • The request may be dropped entirely and no reply is sent.


Session Logs For Accounting

During operation, the HP-UX AAA Server processes information received in an Accounting-Request from the client. By default, session logging information is written to a file following a predefined format, such as Merit or Livingston. You can modify how and where the server generates the logs by editing the log.config file. You can also schedule logging by editing the FSM. In addition, modifying the FSM and configuring SQL Access enables you to use a database to store session log information. For more information, see Chapter 22: “SQL Access” (page 338).

IPv6 Support for External Services

The HP-UX AAA Server can be configured to use IPv6 addresses and support IPv6 attributes for most of the protocols and services it supports. The HP-UX AAA Server currently supports only IPv4 for dynamic user IP address assignment using DHCP.

IMPORTANT: The HP-UX AAA Server supports the use of RADIUS IPv6 attributes with HP-UX 11i v2 (and subsequent releases). RADIUS communication over IPv6 transports is supported with HP-UX 11i v2 (and subsequent releases).

HP-UX AAA Server as a Client

Typically, the HP-UX AAA Server works in server mode. It receives requests from clients, processes them, and sends out appropriate responses, based on the request type. However, under some circumstances it is desirable for the HP-UX AAA Server to perform client functions. This functionality involves the ability to send HP-UX AAA Server-initiated messages and assimilate responses. For example, it is advantageous to have the HP-UX AAA Server disconnect sessions or change session characteristics in real time, by sending Disconnect and Change-Of-Authorization (CoA) requests. Therefore, starting with the HP-UX AAA Server A.08.01 release, the HP-UX AAA Server also performs certain client functions. For more information, see Chapter 19 (page 291).


2 Upgrading to Version A.08.01

This chapter explains how to upgrade to the HP-UX AAA Server A.08.01 from previous versions.

The HP-UX AAA Server Upgrade Process

The following process describes the HP-UX AAA Server A.08.01 product installation on a system where a previous version of the HP-UX AAA Server is currently installed:
1. The contents of the existing configuration in /etc/opt/aaa/ are copied to /etc/opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.old/, they will be overwritten.
2. The old product binaries are removed and the new product binaries are installed.
3. Old unmodified configuration files are replaced with the new default configuration files in /etc/opt/aaa/.
4. Backups of the default A.08.01 files are installed in /opt/aaa/newconfig/etc/opt/aaa/ for your reference.
5. Generally, no additional migration is necessary, except as specified in the following sections:
   • “Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01”
   • “Upgrading from Version A.06.00.x to Version A.08.01” (page 51)
   • “Upgrading from Version A.05.x to Version A.08.01” (page 53)

NOTE: Contact your HP Support representative if you are upgrading from version A.05.x and require assistance.

Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01

Starting with the HP-UX AAA Server A.08.00 release, the EAP-LEAP AATV is obsolete. The EAP-LEAP authentication method is replaced by the EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted tunnel to transmit the user's credentials. If you have configured a realm for EAP-LEAP authentication, remove the realm entry from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile and re-configure the realm. For information on EAP-PEAP, see Chapter 13 “Securing LAN Access With EAP”.

Starting with the HP-UX AAA Server A.08.00 release, the Oracle authentication module is obsolete. Oracle authentication is supported using SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature. If you have configured a realm for ORACLE authentication, remove the realm entry from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile and re-configure the realm. For configuring Database via SQL using the HP-UX AAA Server Manager, see Chapter 8 “Configuring Realms”. For information on how to implement SQL Access, see Chapter 22 “SQL Access”.

Starting with the HP-UX AAA Server A.08.00 release, SecurID authentication is obsolete. SecurID authentication is replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors. If you have configured a realm for SecurID authentication, remove the realm entry from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile and re-configure the realm. For information on OATH standards-based authentication, see Chapter 16 “OATH Standards-Based OTP Authentication”.

No migration is required. If you have modified /etc/opt/aaa/dictionary, and want to use SQL Access, OTP authentication, or pre-defined policy hooks in the FSM, merge the dictionary file. For information on merging the dictionary file, see “Merging the Dictionary File” (page 53).

If you have modified the radius.fsm file, and you want to use OTP authentication, Dynamic Authorization, EAP-SIM, EAP-AKA, or pre-defined policy hooks in the FSM, merge the radius.fsm file. For information on merging the radius.fsm file, see “Merging the radius.fsm File” (page 53).

If you have configured realms with LDAP as the back end, and you want to enable CIS search, then you must specify the Filter-Type in the realm configuration in the authfile as follows:


<realm name> -DEFAULT ProLDAP "" {
    Filter-Type CIS
    Directory "directory_name" {
        Host <ldap-server-hostname>
        Port <ldap-server-port>
        Administrator <ldap-server-administrator>
        Password <Password>
        Searchbase <search-base>
        Authenticate <auto | search | bind>
    }
}

Additions have been made to the vendors file in this version of the HP-UX AAA Server. If you have modified the vendors file, you must merge the vendors file. For information on merging the vendors file, see “Merging the vendors File” (page 53).

Upgrading from Version A.06.00.x to Version A.08.01

To upgrade the configuration files, complete the following steps:
1. Back up your existing HP-UX AAA Server configuration.
2. Install the HP-UX AAA Server A.08.01 without removing your existing HP-UX AAA Server software.
3. Copy the following files from /etc/opt/aaa.old/ to /etc/opt/aaa/. You do not need to modify these files when migrating to A.08.01:
   • The clients file
   • The las.conf file
   • The iaaaAgent.conf file
   • The engine.config file
   • The DAC.grp file and additional policy files
   • New or modified certificate files (to be copied from /etc/opt/aaa.old/security/ to /etc/opt/aaa/security/)
4. Update the following A.08.01 files in /etc/opt/aaa/ to include any modifications you made for your legacy configuration. Perform this step to include your legacy configuration in the new A.08.01 file format. Refer to the copy of your legacy files in /etc/opt/aaa.old/ and update the corresponding A.08.01 files listed below:
   • The vendors file
   • The log.config file
   • The radius.fsm file
   • The dictionary file
   • The aaa.config file


5. Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/ (including the default users file and all files with the .users extension). Update the users files as follows:
   • Remove all DEFAULT, dumbuser, pppuser, and slipuser entries. The following shows example entries for each:

     DEFAULT DEFAULT Authentication-Type = Realm
         Filter-Id = "unlim"

     dumbuser dumbuser Authentication-Type = None
         Service-Type = Login,
         Login-Service = Telnet,
         Login-IP-Host = 255.255.255.255

     pppuser pppuser Authentication-Type = None
         Service-Type = Framed,
         Framed-Protocol = PPP,
         Framed-IP-Netmask = 255.255.255.0,
         Framed-Routing = None,
         Framed-MTU = 1500,
         Framed-Compression = Van-Jacobson-TCP-IP

     slipuser slipuser Authentication-Type = None
         Service-Type = Framed,
         Framed-Protocol = SLIP,
         Framed-IP-Netmask = 255.255.255.0,
         Framed-Routing = None,
         Framed-MTU = 1500,
         Framed-Compression = Van-Jacobson-TCP-IP

   • Remove all Authentication-Type=Realm and Authentication-Type=File strings from the remaining user entries. The following is a sample sed command you can modify to remove these entries:

     $ sed -e 's/Authentication-Type[ ]*=[ ]*Realm[ ,]*//g' -e 's/Authentication-Type[ ]*=[ ]*File[ ,]*//g' <users or *.users file name>

6. Use Server Manager to re-configure all of your legacy realm and outbound proxy entries on A.08.01. Refer to your legacy authfile at /etc/opt/aaa.old/authfile:
   • Use Server Manager’s Proxies link to re-configure entries in /etc/opt/aaa.old/authfile with the following syntax:

     realm.com RADIUS <Realm_host_name>

   • Use Server Manager’s Local Realms link to re-configure the realm entries as they appear in /etc/opt/aaa.old/authfile.
   • If you have configured a realm for EAP-LEAP, ORACLE or SecurID authentication, complete the migration procedure listed in “Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01”.


7. If you are using a Netscape Directory Server, update the RADIUS schema file for the directory server. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the Netscape Directory Server. Stop and restart slapd after copying the schema file to the Netscape server.

8. If you are using an OpenLDAP server, update the RADIUS schema file for the directory server. Copy /opt/aaa/examples/proldap/iaaa-radius.ldif to the OpenLDAP server. Stop and restart slapd after copying the schema file to the OpenLDAP server.
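The users-file cleanup of step 5, as an added example that is not part of the HP guide: a POSIX shell filter that removes the DEFAULT, dumbuser, pppuser and slipuser entries and then applies the guide's sed expressions (extended so the item is also removed when it follows another check item) to a constructed legacy users file. The entry layout assumed here (user name and check items at column 0, reply items on indented lines) and the sample users are assumptions.

```shell
#!/bin/sh
# Added example, not part of the HP guide: perform the users-file cleanup of
# step 5 on a legacy A.06.00.x users file. The entry layout (user name and
# check items at column 0, reply items on indented lines) and the sample
# users are assumptions made for this illustration.

# Print a constructed legacy users file to stdout.
sample_legacy_users() {
    cat <<'EOF'
DEFAULT Authentication-Type = Realm
    Filter-Id = "unlim"

dumbuser Authentication-Type = None
    Service-Type = Login,
    Login-Service = Telnet,
    Login-IP-Host = 255.255.255.255

alice Password = "s3cret", Authentication-Type = File
    Session-Timeout = 3600

carol@example.org Authentication-Type = Realm, Filter-Id = "library"
    Session-Timeout = 1800
EOF
}

# Read a legacy users file on stdin and write the A.08.01 form to stdout.
migrate_users_file() {
    # 1. Drop whole entries for the four legacy names: the header line, the
    #    indented reply-item lines under it and the blank separator line.
    awk '
        /^[^ \t]/ { skip = ($1 == "DEFAULT" || $1 == "dumbuser" ||
                            $1 == "pppuser" || $1 == "slipuser") }
        !skip     { print }
    ' |
    # 2. Strip the Authentication-Type = Realm / File check items from the
    #    remaining entries. The first two expressions handle the item when it
    #    follows another item (so the separating comma goes with it); the last
    #    two are the guide's expressions for the item at the head of the line.
    sed -e 's/,[ ]*Authentication-Type[ ]*=[ ]*Realm//g' \
        -e 's/,[ ]*Authentication-Type[ ]*=[ ]*File//g' \
        -e 's/Authentication-Type[ ]*=[ ]*Realm[ ,]*//g' \
        -e 's/Authentication-Type[ ]*=[ ]*File[ ,]*//g'
}

# Count the entries (lines starting at column 0) in a users file on stdin,
# a quick check that only the intended entries were removed.
count_entries() {
    grep -c '^[^[:space:]]' || true
}

# Run the migration on the sample and show the result.
sample_legacy_users | migrate_users_file
```

Run it against /etc/opt/aaa/users and each .users file in turn, compare the entry counts before and after, and review the output before putting it in place.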

Upgrading from Version A.05.x to Version A.08.01

Contact your HP Support representative if you are upgrading from Version A.05.x to Version A.08.01 or if you need assistance with your migration.

Merging the Dictionary File

To merge the legacy dictionary file changes into the new A.08.01 dictionary file, complete the following steps:
1. Copy the new dictionary file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/dictionary file to include any modification you made for your legacy dictionary file. Refer to the copy of your legacy dictionary file in /etc/opt/aaa.old/.

Merging the radius.fsm File

To merge the legacy radius.fsm file changes into the new A.08.01 radius.fsm file, complete the following steps:
1. Copy the new radius.fsm file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/radius.fsm file to include any modification you made for your legacy radius.fsm file. Refer to the copy of your legacy radius.fsm file in /etc/opt/aaa.old/.

Merging the vendors FileTo merge the legacy vendors file changes to the new A.08.01 vendors file, completethe following steps:1. Copy the new vendors file from /opt/aaa/newconfig/etc/opt/aaa/ to

/etc/opt/aaa/.2. Update the /etc/opt/aaa/vendors file to include any modification you made

for your legacy vendors file.


3 Installing and Securing the HP-UX AAA Server
This chapter explains how to acquire, install, and secure the HP-UX AAA Server product. Always refer to the HP-UX AAA Server Release Notes for important information specific to each version of the product, including requirements and dependencies.

Acquiring the HP-UX AAA Server Software
You can get the most recent version of the HP-UX AAA Server product at the HP Software Depot: http://www.hp.com/go/softwaredepot.

IMPORTANT: Be sure to review the HP-UX AAA Server Release Notes before installation. The Release Notes list the requirements for each release, including installation, patch, and browser requirements. You can access the Release Notes online at:
http://docs.hp.com/en/internet.html#HP-UX%20AAA%20Server%20%28RADIUS%29)

Installing and Uninstalling the HP-UX AAA Server
The following components are installed when you install the HP-UX AAA Server:
• AAA Server binaries, libraries, and utilities
• RMI objects that facilitate communication from the AAA server to Server Manager
• AAA server AATV modules

To Install the HP-UX AAA Server
Complete the following steps to install the HP-UX AAA Server:
1. Log in to your system as root.
2. Verify that the product dependencies are installed:

# export PATH=$PATH:/usr/sbin
# swlist | egrep "hpuxws22Tomcat|hpuxwsApache|T1456AA"

IMPORTANT: Be sure you have the correct versions of the product dependencies installed; refer to the HP-UX AAA Server Release Notes.

3. Verify that the patch dependencies are installed. Skip this step if you are installing the HP-UX AAA Server on an HP-UX 11i v2 or HP-UX 11i v3 operating system.
# swlist -l product | grep aC

Review the patch requirements in the product Release Notes if the following value is not returned:
HP aC++ -AA runtime libraries (aCC A.03.37)


NOTE: Check the Release Notes for the HP-UX AAA Server version you are installing to verify patch requirements.

4. Download the AAA Server depot file from http://www.software.hp.com and move it to /tmp.

5. Verify that you have downloaded the file correctly:
# swlist -d -s /tmp/<AAA Server>.depot

6. Stop any active Tomcat processes:
/opt/hpws22/tomcat/bin/shutdown.sh

7. Install the AAA Server:
# swinstall -s /tmp/<AAA Server>.depot HPUX-AAAServer

NOTE: If the installation is not successful, an error message is displayed. The cause of the failure will appear at the end of the /var/adm/sw/swagent.log file.

8. After installing the product, add the following entries to the /etc/services file:
# RADIUS protocol
radius 1812/udp
radacct 1813/udp
radius-dynauth 3799/udp

NOTE: These RADIUS values are the server’s defaults and are specified in the RADIUS RFC 2865. Dynamic Authentication ports and defaults are specified in RFC 5176.
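The following shell functions are an added example, not part of the HP-UX AAA Server guide or product: they check an /etc/services-style file for the three entries step 8 asks you to add, and append only the ones that are missing. The port numbers are the guide's defaults; the file path is a parameter so the check can be run against a copy first.

```shell
#!/bin/sh
# Added example (not part of the HP-UX AAA Server guide): audit an
# /etc/services-style file for the RADIUS entries step 8 asks you to add,
# and append the missing ones.  Port numbers are the guide's defaults
# (RFC 2865 for 1812/1813, RFC 5176 for 3799).  The file is a parameter so
# the functions can be tried on a copy before the real /etc/services.

# Canonical entries, one per line: "<service> <port>/<proto>".
radius_service_entries() {
    printf '%s\n' \
        'radius 1812/udp' \
        'radacct 1813/udp' \
        'radius-dynauth 3799/udp'
}

# Print the entries whose port/proto is absent from the file given as $1.
# A line counts only if a whole field equals "port/proto" (so 11812/udp does
# not satisfy 1812/udp) and the line is not a comment.
missing_radius_services() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    radius_service_entries | while read -r name portproto; do
        if ! awk -v pp="$portproto" '
                $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == pp) found = 1 }
                END { exit found ? 0 : 1 }' "$file"; then
            printf '%s %s\n' "$name" "$portproto"
        fi
    done
}

# Append the missing entries under the "# RADIUS protocol" comment used in
# the guide.  Prints the number of entries added; running it again adds none.
add_missing_radius_services() {
    file="$1"
    missing=$(missing_radius_services "$file") || return $?
    if [ -z "$missing" ]; then
        echo 0
        return 0
    fi
    {
        echo '# RADIUS protocol'
        echo "$missing"
    } >> "$file"
    echo "$missing" | wc -l | tr -d ' '
}
```

Matching on the port/protocol field rather than the service name means an entry already present under a different name (for example radius-acct instead of radacct) is not duplicated, which is the case that matters on a host that already serves other RADIUS software.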

To Uninstall the HP-UX AAA Server Software
Complete the following steps to uninstall the HP-UX AAA Server:
1. From the navigation tree, click Administration.
2. Verify the AAA server you want to stop is selected in the Server Status Frame.
3. Click Stop to stop the server.
4. From the command line, stop the RMI objects and Tomcat. See “Starting and Stopping the RMI Objects” (page 72) and “Starting and Stopping Tomcat” (page 72) for more information.

NOTE: Enter the following command if you have not done it already:
# export JAVA_HOME=/opt/java1.5

5. Remove all files residing in the /var/opt/aaa/ and /opt/hpws22/tomcat/webapps/aaa/aaalog/ subdirectories.

6. Log out anyone using the HP-UX AAA Server administrator login “aaa”.


7. As root user, enter swremove HPUX-AAAServer at the command prompt, or enter swremove to invoke the standard HP-UX GUI and select the HPUX-AAAServer bundle for removal. Refer to the swremove manpage for more information on this command.

HP-UX AAA Server File Locations
Although the HP-UX AAA Server can be run as the root user, HP recommends running it as a non-root user. A user and a group, both named aaa, are created during installation. The HP-UX AAA Server can be run as a non-root user, using the default aaa user created during installation, or any other user who is part of the aaa group.

IMPORTANT: Do not remove the default login aaa and group aaa created during installation, even if you prefer not to use them.

Table 3-1 File Locations Upon Installation

Each entry gives the directory, followed by the files or file types found there.

/opt/aaa/aatv
    Server modules and plug-ins

/opt/aaa/bin
    Server daemons and utilities:
    • las.test.sh: script to create simulated sessions for testing
    • radcheck: AAA Server test utility (like the ping command)
    • raddbginc: controls server debug output
    • radsignal: controls server debug output and rolls over the server log file and accounting stream
    • radiusd: AAA Server executable
    • rad_admin.sh: tool to administer one or more HP-UX AAA Servers configured on the host
    • radpwtst: AAA test client utility

/opt/aaa/examples/config
    Finite state machine and sample policy files:
    • *.fsm: Sample FSM tables
    • sqlaccess-acct.fsm: Sample FSM required to implement accounting without session management using SQL Access
    • sqlaccess-acct-sess.fsm: Sample FSM required to implement accounting with session management using SQL Access
    • *.grp: Sample decision files
    • OTP sample reference implementation files:
      — oath-request-ingress.grp
      — oath-reply-ingress.grp
      — oath-proxy-egress.grp
    • Dynamic Authorization Reference Implementation files:
      — client-request-init.grp.dynauth
      — client-reply-ingress.grp.dynauth

/opt/aaa/examples/sqlaccess/userdb
    userdb: Contains the files required for management of user profiles and tokens in an SQL compliant database

/opt/aaa/examples/sdk
    Sample AATVs and plug-ins:
    • /opt/aaa/examples/sdk/ace/samplesc.c: Sample Challenge-Response Authentication AATV
    • /opt/aaa/examples/sdk/cis/checkCSI.c: Sample Pre-Authentication AATV
    • /opt/aaa/examples/sdk/sim_a3a8/sample_sim_a3a8.c: Sample EAP-SIM A3 or EAP-SIM A8 algorithm plug-in module
    • /opt/aaa/examples/sdk/aka_algo/sample_aka_algo.c: Sample EAP-AKA algorithm plug-in module

/opt/aaa/examples/sqlaccess/mysql-1
    Configuration files and scripts that enable the HP-UX AAA Server to use an ODBC client to interact with a MySQL database:
    • sqlaccess.config: Sample configuration file that defines database connections, SQL statements, and RADIUS - database mappings
    • sqlaccess.config.dynauth: Sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality
    • sqlaccess.config.dynauth_server_group: Sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality when multiple HP-UX AAA Servers are configured as a group
    • dbsetup.sql: Script that creates the database tables for the sample configuration and inserts a test user in a database table
    • dbsetup.sql.dynauth_server_group: Script that creates the database tables and stored procedures for the dynamic authorization sample configuration
    NOTE: Refer to Chapter 22: “SQL Access” (page 338) for details on using the SQL Access feature. For information on dynamic authorization, see Chapter 20 (page 297).

/opt/aaa/examples/sqlaccess/oracle-1
    Configuration files and scripts that enable the HP-UX AAA Server to use an OCI client to interact with an Oracle database server:
    • sqlaccess.config: Sample configuration file that defines database connections, SQL statements, and RADIUS - database mappings
    • sqlaccess.config.dynauth: Sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality
    • sqlaccess.config.dynauth_server_group: Sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality when multiple HP-UX AAA Servers are configured as a group
    • dbsetup.sql: Script that creates the database tables for the sample configuration and inserts a test user in a database table
    • dbsetup.sql.dynauth_server_group: Script that creates the database tables and stored procedures for the dynamic authorization sample configuration
    NOTE: Refer to Chapter 22: “SQL Access” (page 338) for details on using the SQL Access feature. For information on dynamic authorization, see Chapter 20 (page 297).

/opt/aaa/include
    Header files for the SDK:
    • sdk.h: Header file containing the definitions for all the SDK data structures, constants and APIs
    • plugin.h: Header file containing the plug-in interfaces

/opt/aaa/lib/dbcon/alternate
    Connector libraries that enable the HP-UX AAA Server to communicate with supported database clients:
    • libdbcon_oci.so: OCI client connector library
    • libdbcon_odbc.so: MySQL Unix ODBC client connector library
    NOTE: Refer to Chapter 22: “SQL Access” (page 338) for details on using the client connector libraries.

/opt/aaa/examples/proldap
    LDAP schema and sample LDIF files

/opt/aaa/lib
    Shared libraries:
    • libradlib.sl: Contains functions that interface with the main server
    • librpilib.sl: Contains functions for programs and utilities
    • libjniAgent.sl: Contains functions for Server Manager
    NOTE: Shared library files have .so file extensions on HP-UX 11i v2 (B.11.23) and HP-UX 11i v3 (B.11.31).

/opt/aaa/newconfig
    Default configuration files. Files residing here are copied to the /etc/opt/aaa directory during installation.

/etc/opt/aaa/security/
    Directory containing a unique set of self-signed digital certificates created during installation.

/opt/aaa/share/man/man5 and ~/man1m
    Directories where manpages are installed

/opt/aaa/share/doc/
    Directory containing the Administrator’s Guide and product documentation.

/etc/opt/aaa
    Configuration files:
    • aaa.config: runtime and tunneling configuration file
    • authfile: realm to authentication-type mapping file
    • clients: client to shared secret mapping file
    • dictionary: definition file required by the radiusd daemon
    • las.conf: authorization and accounting configuration file
    • log.config: session logging configuration file
    • radius.fsm: external FSM table for the server
    • users: holds user security profiles and reply items
    • vendors: holds Internet Assigned Numbers Authority (IANA) numbers and other vendor specific details
    • engine.config: stores most of the AAA server properties
    • EAP.authfile: configures EAP authentication for user profiles
    • iaaaAgent.conf: specifies how often the AAA server’s SNMP subagent will check to see if a master agent is active
    • aaa.config.license: Do not alter this file
    • RADIUS-ACC-SERVER-MIB.txt: describes RADIUS Accounting MIB definitions
    • RADIUS-AUTH-SERVER-MIB.txt: describes RADIUS Authentication MIB definitions
    • RADIUS-DYNAUTH-CLIENT-MIB.txt: RADIUS Client Dynamic Authorization MIB definitions
    • Default policy files:
      — request-ingress.grp
      — reply-egress.grp
      — proxy-egress.grp
      — proxy-ingress.grp
      — client-request-init.grp
      — client-request-egress.grp
      — client-reply-ingress.grp

Table 3-2 lists the files generated during operation and located in /var/opt/aaa/ by default:


Table 3-2 Files Generated During Operation

Paths are relative to /var/opt/aaa/.

/acct/session.yyyy-mm-dd.log
    Default session accounting logs, Merit style

/data/session.las
    Currently active sessions log file

/ipc/*.sm
    Shared memory files related to the interface used for some authentication types.
    IMPORTANT: You must not alter or delete the shared memory (*.sm) files. The server does not operate correctly if the files are changed or removed from the ipc directory.

/logs/logfile
    The server log file

/logs/logfile.yyyymmdd
    Compressed daily or weekly log files

/radacct/*
    Session accounting logs in Livingston call detail record directory style format (not generated by the default configuration)

/run/radius.pid
    Contains the process id (pid) for the server.

Securing the HP-UX AAA Server
Performing the steps in this section increases the security of your HP-UX AAA Server installation. HP recommends that all customers perform the steps in “Changing the Default HP-UX AAA Server Settings” (page 63). Perform the steps in “Environment Specific Security Procedures” (page 64) depending on your environment.

Changing the Default HP-UX AAA Server Settings
The following information explains how to increase the security of your HP-UX AAA Server by changing some of the default settings. HP recommends that all customers change the default values.

Changing the Default Tomcat User Name and Password
All Tomcat servers come with the same default user name and password. You must change the user name and password to unique values.
Complete the following steps to change the Tomcat user name and password:
1. Open /opt/hpws22/tomcat/conf/tomcat-users.xml.
2. Look for entries with the roles="tomcat" string. These entries are valid Tomcat user names and passwords.
3. Modify the file to include only the user name and password you want to use. Use the following format:
<user username="new user name" password="new password" roles="tomcat"/>


Changing the Default RMI Objects Secret
HP recommends changing the default RMI Objects secret.
Complete the following steps to change the default RMI objects secret:
1. Open /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties.
2. Look for the following entry:

rmi.config.secret = "secret"

3. Change the “secret” portion to a new value.
4. Open the /opt/aaa/remotecontrol/rmiserver.properties file.
5. Look for the following entry:

rmi.config.secret = "secret"

6. Change the “secret” portion to the same value configured in Step 3.

IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties and in /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties must be identical.

Changing the Default test_user Settings
HP recommends changing the default test_user’s password. This password can be changed only after starting the Server Manager. More information on how to change the default test_user’s password is provided in “Changing the Default test_user Settings” (page 127).

Changing the Default localhost Proxy Settings
HP recommends changing the default localhost proxy settings. This setting can be changed only after starting the Server Manager. More information on how to change the default localhost proxy settings is provided in “Changing the Default localhost Proxy Settings” (page 118).

Environment Specific Security Procedures
Depending on your environment needs, you can perform any of the following steps for additional security:

Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration
Use the following steps to configure SSL (HTTPS):


1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line keytool utility:
   1. Remove $HOME/.keystore if it already exists.
   2. Enter the following command:
      $ export JAVA_HOME=/opt/java1.5
   3. Enter the following command:
      $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
   4. Enter a password for the key store when prompted.
   5. Enter the certificate information (company, contact name, etc.) when prompted. This information must be accurate because it is displayed to users who attempt to administer Server Manager.
   6. Enter a password for the key when prompted. Use the same password you used for the key store.

2. Uncomment the following Connector definition in /opt/hpws22/tomcat/conf/server.xml (that is, remove the <!-- and --> that enclose it):
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true"
           useURIValidationHack="false">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>
-->

3. Add the keystorePass attribute to the uncommented Factory element in /opt/hpws22/tomcat/conf/server.xml to give Tomcat the key store and key password. Add the keystorePass attribute as shown in the following:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="false" protocol="TLS" keystorePass="<password>" />

IMPORTANT: Replace <password> with the password used to generate the keystore in Step 1.

4. Stop and start Tomcat:
• Stop: /opt/hpws22/tomcat/bin/shutdown.sh
• Start: /opt/hpws22/tomcat/bin/startup.sh

5. Point your web browser to:
https://<hostname>:8443/aaa


Creating a Tomcat Identity Specifically for the HP-UX AAA Server
If several applications use Tomcat, you can configure Tomcat to have a user name and password specifically for the AAA Server. All other applications using Tomcat will have a different user name and password.
Complete the following steps to create a Tomcat identity specifically for your HP-UX AAA Server:
1. Search for the following line in /opt/hpws22/tomcat/conf/server.xml:

<!-- Tomcat Examples Context -->

Add the following code above this line:
<Context path="/aaa" docBase="aaa" debug="0" reloadable="false" crossContext="false">
  <Realm className="org.apache.catalina.realm.MemoryRealm" debug="0" pathname="conf/aaa-users.xml"/>
</Context>

2. Open the /opt/hpws22/tomcat/conf/aaa-users.xml file.
3. Replace adminaaa with the new user name and password.
4. Enter the following command:

$ export JAVA_HOME=/opt/java1.5

5. Stop Tomcat if it is running:
$ /opt/hpws22/tomcat/bin/shutdown.sh

6. Restart Tomcat:
$ /opt/hpws22/tomcat/bin/startup.sh

NOTE: Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server.

7. Stop the RMI objects if they are running:
$ /opt/aaa/remotecontrol/rmistop.sh

8. Set the shared library path to the OCI client or ODBC driver in the /opt/aaa/remotecontrol/rmistart.sh script if you are implementing the SQL Access feature. See the following README files for more information:
• /opt/aaa/examples/sqlaccess/oracle-1/README: for Oracle - OCI
• /opt/aaa/examples/sqlaccess/mysql-1/README: for MySQL - ODBC
See Chapter 22: “SQL Access” (page 338) for more information on the SQL Access feature.

9. Start the RMI objects:
$ /opt/aaa/remotecontrol/rmistart.sh

10. Point your web browser to:
http://<hostname>:8081/aaa

11. Log in with the new AAA Server-specific user name and password.

Running the HP-UX AAA Server on Hosts with System Hardening Software
If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure that the ports used by the HP-UX AAA Server are kept open. The following ports must be kept open if you are running the HP-UX AAA Server:
• Port 1812 (RADIUS authentication port)
• Port 1813 (RADIUS accounting port)
• Port 8081 (port used by the Server Manager; needed only if this host is going to run the Server Manager)
• Port 2099 (port used by the RMI server; needed only if the HP-UX AAA Server on this host needs to be remotely managed from another host)
• RMI Server ports listed in Table 3-3. By default, these ports change each time the RMI objects are started.

NOTE: These ports are the default ports. However, you can configure these services to use other ports.

If the HP-UX AAA Server on the host needs to be remotely managed from another host, then some additional ports need to be opened. By default, these ports are chosen randomly and change every time the RMI server is restarted. To make them easier to open, these ports can be configured in /opt/aaa/remotecontrol/rmiserver.properties. Table 3-3 lists the ports that need to be configured and opened for the corresponding remote management functionality required.

Table 3-3 Ports Associated with RMI Objects that must be Configured

Functionality                                                  Port
If you are using the administrative functions                  • adm.server.port
If you are modifying, loading, or saving the configuration     • conf.server.port
                                                               • file.server.port
If you are using maintenance features such as accounting,      • stat.server.port
logging, reporting, getting statistics, or session             • acct.server.port
management                                                     • log.server.port
                                                               • sess.server.port
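As an added example (not the guide's or the product's own code), the functions below read rmiserver.properties, report which of the Table 3-3 port properties are still unpinned, and print the list of ports a host firewall needs to allow for remote management. They assume the "key = value" line format the guide shows for rmi.config.secret, and treat an absent key or a value of 0 as "chosen at random at each start", which is the behaviour the text describes; the 2099 registry port is taken from the list above.

```shell
#!/bin/sh
# Added example (not part of the guide): check which RMI object ports from
# Table 3-3 are pinned in rmiserver.properties and print the port list a
# firewall rule set needs.  Assumes the "key = value" line format the guide
# shows for rmi.config.secret, and treats a missing key or the value 0 as
# "chosen at random on every start", which is what the guide warns about.

RMI_PORT_KEYS='adm.server.port conf.server.port file.server.port stat.server.port acct.server.port log.server.port sess.server.port'
RMI_REGISTRY_PORT=2099   # the RMI server port the guide lists for remote management

# Value of property $2 in file $1, quotes and surrounding blanks removed;
# the last occurrence wins, as it would for a properties file.
property_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print the Table 3-3 keys that are absent, non-numeric or 0; return 1 if any.
unpinned_rmi_ports() {
    file="$1"
    bad=0
    for key in $RMI_PORT_KEYS; do
        v=$(property_value "$file" "$key")
        case "$v" in
            ''|*[!0-9]*|0) echo "$key"; bad=1 ;;
        esac
    done
    return $bad
}

# Print, one per line and sorted, every port to open for remote management:
# the registry port plus each pinned object port.
rmi_firewall_ports() {
    file="$1"
    {
        echo "$RMI_REGISTRY_PORT"
        for key in $RMI_PORT_KEYS; do
            v=$(property_value "$file" "$key")
            case "$v" in
                ''|*[!0-9]*|0) ;;
                *) echo "$v" ;;
            esac
        done
    } | sort -n -u
}
```

`unpinned_rmi_ports /opt/aaa/remotecontrol/rmiserver.properties` returning non-zero is the signal that the hardening rule set cannot be written yet; once every key is pinned, `rmi_firewall_ports` gives the complete allow list, so nothing else on the host needs to be left open for the RMI objects.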


Running the HP-UX AAA Server as a Non-Root User
Some organizations require network server processes to run as a non-root user.
Complete the following steps to run the AAA server as a non-root user:
1. Log in to the system as the root user.
2. Add the user name www to the aaa group.

NOTE: Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server.

3. Use the following command to start the RMI objects as the aaa user:
$ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh

4. Use the following command to start Tomcat as the www user:
$ su - www -c "export JAVA_HOME=/opt/java1.5; /opt/hpws22/tomcat/bin/startup.sh"

5. Point your web browser to:
http://<hostname>:8081/aaa

NOTE: Any log files created when the HP-UX AAA server was running as the root user will not be accessible after performing this procedure. To view these log files, change the ownership to match the UID under which the server now runs. For more information, see the chown manpage.

Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot
Complete the following steps to set up the HP-UX AAA Server to start as a non-root user after reboot:
1. Set the RADIUSD variable to 1 in the /etc/rc.config.d/radiusd.conf file.
2. Open the /sbin/init.d/radiusd.rc file and look for the following entry:

DAEMONNM=radiusd
CONFFILE=$AAAPATH/clients
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}

3. Change the DAEMONEXE line to set radiusd to start as the aaa user after reboot:
Change:
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}

To:
DAEMONEXE="/usr/bin/su - aaa -c /opt/aaa/bin/${DAEMONNM}"

4. Look for the following entry:

echo "$DAEMONNM started with <$retval>"
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
then /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi

5. Change the then statement to start the RMI objects as the aaa user after reboot:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
then /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi

To:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
then /usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi

6. Look for the following entry:
# stop the daemon!!!
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi

7. Change the then statement to stop the RMI objects as the aaa user during shutdown:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi

To:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi

8. Look for the following entry:
/opt/aaa/bin/rad_admin.sh start all > /dev/null 2>&1

9. To start all the HP-UX AAA Servers as the aaa user during reboot, modify the statement as follows:
/usr/bin/su - aaa -c /opt/aaa/bin/rad_admin.sh start all >/dev/null 2>&1


10. Look for the following entry:
/opt/aaa/bin/rad_admin.sh stop all > /dev/null 2>&1

11. To stop all the HP-UX AAA Servers as the aaa user during shutdown, modify the statement as follows:
/usr/bin/su - aaa -c /opt/aaa/bin/rad_admin.sh stop all >/dev/null 2>&1

12. If you are implementing the SQL Access feature, add the following environment variable settings to the user’s .profile file in the home directory:
(For ODBC only)
export ODBCINI=path/odbc.ini

(For OCI and ODBC)
export SHLIB_PATH=${SHLIB_PATH}:Path for odbc/oci client libraries
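The script below is an added example, not part of the guide or the product: it applies the radiusd.rc edits of steps 2 to 11 to a copy of the file with sed and then verifies the result, so the change can be reviewed with diff before the real /sbin/init.d/radiusd.rc is touched. The patterns are the lines the guide quotes; the sample rc excerpt it ships with is constructed for the demonstration and is not the real file.

```shell
#!/bin/sh
# Added example (not from the guide): apply the edits in steps 2 to 11 to a
# copy of /sbin/init.d/radiusd.rc with sed, then verify the result, so the
# change can be reviewed (diff) before the real file is touched.  The
# patterns are exactly the lines the guide quotes; lines already wrapped in
# "su - aaa -c" are left alone, so the function is safe to run twice.

# $1 = path of the original radiusd.rc, $2 = where to write the edited copy.
wrap_radiusd_rc_as_aaa() {
    sed \
        -e 's|^DAEMONEXE=\(/opt/aaa/bin/.*\)$|DAEMONEXE="/usr/bin/su - aaa -c \1"|' \
        -e '/su - aaa -c/b' \
        -e '/-x /b' \
        -e 's|/usr/bin/nohup /opt/aaa/remotecontrol/rmistart\.sh|/usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh|' \
        -e 's|/opt/aaa/remotecontrol/rmistop\.sh|/usr/bin/su - aaa -c &|' \
        -e 's|/opt/aaa/bin/rad_admin\.sh [a-z][a-z]* all|/usr/bin/su - aaa -c &|' \
        "$1" > "$2"
}
# The two "b" lines skip already wrapped lines and the "[[ -x ... ]]" tests,
# which mention the same paths but must not be rewritten.

# Check that all five invocations the guide wraps are present; return 0 when
# they are, 1 (naming the first missing one) when they are not.
verify_radiusd_rc_as_aaa() {
    f="$1"
    for want in \
        'DAEMONEXE="/usr/bin/su - aaa -c /opt/aaa/bin/${DAEMONNM}"' \
        '/usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh' \
        '/usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh' \
        '/usr/bin/su - aaa -c /opt/aaa/bin/rad_admin.sh start all' \
        '/usr/bin/su - aaa -c /opt/aaa/bin/rad_admin.sh stop all'
    do
        grep -qF -- "$want" "$f" || { echo "not wrapped: $want"; return 1; }
    done
    return 0
}

# Constructed excerpt in the shape the guide quotes (not the real rc file),
# used so the functions can be exercised without touching /sbin/init.d.
constructed_radiusd_rc() {
    cat <<'EOF'
DAEMONNM=radiusd
CONFFILE=$AAAPATH/clients
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}
echo "$DAEMONNM started with <$retval>"
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
then /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
# stop the daemon!!!
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
/opt/aaa/bin/rad_admin.sh start all > /dev/null 2>&1
/opt/aaa/bin/rad_admin.sh stop all > /dev/null 2>&1
EOF
}
```

Typical use is `wrap_radiusd_rc_as_aaa /sbin/init.d/radiusd.rc /tmp/radiusd.rc.new`, then `diff /sbin/init.d/radiusd.rc /tmp/radiusd.rc.new` and `verify_radiusd_rc_as_aaa /tmp/radiusd.rc.new` before copying the edited file into place; the verify function is also a cheap post-reboot check that nothing has reverted the rc script to starting the daemon as root.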


4 Enabling the HP-UX AAA Server for GUI-based Administration

This chapter explains how to enable your HP-UX AAA server software to begin administration.
This chapter addresses the following topics:
• “Accessing the Server Manager” (page 71)
• “Testing the Installation” (page 72)
• “Starting HP-UX AAA Servers Using Server Manager” (page 74)
• “Starting HP-UX AAA Servers From the Command Line” (page 77)
• “Stopping or Restarting HP-UX AAA Servers” (page 81)
• “Adding an HP-UX AAA Server to Your Network” (page 82)

Accessing the Server Manager
To start the HP-UX AAA Server and the Server Manager graphical user interface, complete the following steps:
1. Enter the following command:

# export JAVA_HOME=/opt/java1.5

NOTE: Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server.

2. Start the Remote Method Invocation (RMI) objects to allow the AAA server software to communicate with Server Manager. Use the following command:
# /opt/aaa/remotecontrol/rmistart.sh

3. Start the HP-UX Tomcat-based Servlet Engine. Use the following command:
# /opt/hpws22/tomcat/bin/startup.sh

NOTE: To use IPv6 addresses, enter the following command before starting the HP-UX Tomcat-based Servlet Engine:
# export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=false"

4. Enable the Java Runtime Environment (JRE) and JavaScript for the browser, so that the browser can run the Server Manager applets and execute JavaScript.


5. Point your web browser to the following URL to manage the HP-UX AAA Server with the Server Manager interface:
http://<IP-Address or FQDN>:8081/aaa

6. To access the Server Manager, enter your user name and password.

NOTE: The default Server Manager username is tomcat. The default Server Manager password is tomcat.

Starting and Stopping the RMI Objects
Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server.
To start and stop the RMI objects, use the following commands:
• To start: /opt/aaa/remotecontrol/rmistart.sh
• To stop: /opt/aaa/remotecontrol/rmistop.sh
• Status: netstat -a | grep 7790

Starting and Stopping Tomcat
To start and stop Tomcat, use the following commands:
• To start: /opt/hpws22/tomcat/bin/startup.sh
• To stop: /opt/hpws22/tomcat/bin/shutdown.sh
• Status: netstat -a | grep 8081

Testing the Installation
To test the server installation quickly, perform the following procedure using Server Manager:
• Add a loopback connection to an AAA server
• Start the AAA server
• Check the status for a response

To Test the Installation
Complete the following steps to test the server installation:
1. Connect to Server Manager and start the AAA server. See “Accessing the Server Manager” (page 71).
2. From the navigation tree, click the Server Connections link and then click the Connect to Server link.

72 Enabling the HP-UX AAA Server for GUI-based Administration

Page 73: HP-UX AAA Server A.08.01 administrator s guideh20628. · HP-UXAAAServerA.08.01 administrator’sguide HP-UX11iv2andHP-UX11iv3 HPPartNumber:T1428-90072 Published:May2010 Edition:Edition10

3. In the Add Connection screen that opens, enter the values for you server as shownin the following format:Name The identifying string of a remote server.Domain Name or IP Address The IP address (traditional IPv4 address in

dotted-quad notation, or IPv6 address inIPv6 literal format notation), or validDomain Name System (DNS) host name ofthe AAA server that the connection mapsto.Example: IPv4 address- 192.0.2.0IPv6 address- fedc:ba98:7654:3210Domain Name- example.org

4. Click Create.
5. Verify the server is listed and selected in the Server Status frame.
6. From the navigation tree, click Administration.
7. Click Start.
8. Verify the server has started. A green “GO” icon in the Server Status frame indicates the server is running.
9. Verify the server is selected in the Server Status frame and then select the Status option.
10. Check Server Manager’s Message Frame for the status reply. The following reply at the bottom of the Message Frame indicates the server is running correctly:
“<server name> (port#)” is responding


11. Verify that your HP-UX AAA Server is installed and operating correctly by using the testing user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging and the AAA server writes the session information to a file.
a. Enter the following command:

# /opt/aaa/bin/radpwtst -s localhost -i 192.0.2.0 -l test_user

This command simulates an Access-Request from port 1 of a NAS with an IP address of 192.0.2.0. When prompted for a password, enter: password. The command must return the following output:

'test_user' authentication OK

b. Enter the following command:

# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Start test_user

This command simulates an Accounting-Request start message, activating the user's PPP session. The command must return the following output:

Accounting Response received

c. Enter the following command:

# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Stop test_user

This command simulates an Accounting-Request stop message, terminating the user's session. The command must return the following output:

Accounting Response received

d. View the session logs for test_user's start and stop accounting messages by selecting Accounting in Server Manager's navigation tree and clicking Display.

IMPORTANT: HP recommends removing test_user or changing its default password before deploying the HP-UX AAA Server in a production environment. See “Securing the HP-UX AAA Server” (page 63) for more information.
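What the radpwtst commands in step 11 put on the wire, as an added example (Python, not HP's radpwtst code): it builds the Access-Request with the RFC 2865 User-Password hiding, builds the Accounting-Request Start and Stop with their MD5 Request Authenticator, and checks a server's Response Authenticator, which is what stands behind "authentication OK" and "Accounting Response received". The attribute numbers are the standard RFC 2865/2866 ones; the shared secret, packet identifiers and the NAS values (192.0.2.0, port 1) are constructed for the example.

```python
"""RADIUS packets matching the radpwtst exchange above (added example, not HP's
radpwtst code). Attribute numbers are the standard RFC 2865/2866 ones; the shared
secret, packet identifiers and NAS values used by callers are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, ACCT_STATUS_TYPE = 1, 2, 4, 5, 40
ACCT_START, ACCT_STOP = 1, 2


def avp(attr_type, value):
    """Encode one attribute as type | length | value; length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block);
    the Request Authenticator seeds the chain."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the ciphertext
    return out


def hide_password(password, secret, authenticator):
    pad = (-len(password)) % 16 or (16 if not password else 0)  # at least one block
    return _xor_chain(password + b"\x00" * pad, secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")


def parse_packet(packet):
    """Return (code, id, authenticator, [(type, value), ...]); reject inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length overruns packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def access_request(ident, secret, user, password, nas_ip, nas_port, authenticator=None):
    """Access-Request as 'radpwtst -s server -i NAS_IP -l NAS_PORT user' would send it."""
    auth = authenticator or os.urandom(16)  # fresh, unpredictable Request Authenticator
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password, secret, auth))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def accounting_request(ident, secret, user, nas_ip, nas_port, status):
    """Accounting-Request Start/Stop; per RFC 2866 3 the authenticator is the MD5 of the
    packet with 16 zero bytes in the authenticator field, followed by the secret."""
    attrs = (avp(USER_NAME, user)
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_accounting_request(packet, secret):
    """Server-side check that an Accounting-Request was built with the shared secret."""
    _, _, auth, _ = parse_packet(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check before trusting 'authentication OK' / 'Accounting Response received'."""
    _, _, auth, _ = parse_packet(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)
```

To exercise it against a running server, send the request datagram to the authentication (1812) or accounting (1813) port with a UDP socket and pass the reply, together with the request's authenticator, to verify_response before treating it as a valid answer.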

Starting HP-UX AAA Servers Using Server Manager
To start AAA servers using Server Manager, complete the following steps:
1. From the navigation tree, click Administration.
2. Select the servers you want to start in the Server Status frame.


NOTE: Server commands will only be executed on servers selected in the Server Status frame.

3. Click Start.
Figure 4-1 shows the return value in Server Manager’s message frame when a server is successfully started.

Figure 4-1 Return Value After Successfully Starting a AAA Server

AAA Server Start Options

Select the Start button’s corresponding icon to display the Start Options screen shown in Figure 4-2. Table 4-1 describes the start options you can use.

Figure 4-2 Server Manager’s Start Options Screen

Table 4-1 Server Start Options

Authentication: Specifies the UDP port number to listen to authentication requests. The default Authentication port number is 1812.
Accounting: Specifies the UDP port number to listen to accounting requests. The default Accounting port number is 1813.
Dynamic Authorization: Specifies the UDP port number to listen for the dynamic authorization requests. The default value is 3799.
Authentication Relay: Specifies the UDP port number to relay authentication requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Accounting Relay: Specifies the UDP port number to relay accounting requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Client: Specifies the local UDP port number to which the Client AATV binds to listen for the incoming client requests. This field is optional. If no value is entered, the HP-UX AAA Server uses any available port.
Debug Level: Specifies the debug level. Higher levels write more information to the radius.debug file. Increasing this value can cause performance to decline. The default value is 0.
Log Control: Specifies the level of information logged in the log file based on the RADIUS message type. The Default value logs detailed information in the log file.
Reset Logfile: Empties the logfile and debug file when the server is started.
Reset Session Table: Empties stored session table at server startup.
IMPORTANT: This option is only intended for experimental use or testing and not for a live production server. If you reset a production server, the server loses track of the sessions that are still active.

NOTE: All options specified when the server is started are written to the server’s logfile.

IMPORTANT: Modified start options will not take effect until the server is stopped (by selecting the stop button) and then restarted.

Server Manager’s Reload Feature
The Reload button signals the HP-UX AAA Server to reload specific configuration information while the server is running. The result of the command will be displayed in the Message frame. The HP-UX AAA server will reload the following files and the client policy files after you select Reload:
• users
• clients
• authfile
• aaa.config
• engine.config (all values except the certificate properties, which require you to stop and restart the server to be refreshed)
• las.conf
• EAP.authfile
• aaa.config.license
• sqlaccess.config
• request-ingress.grp
• reply-egress.grp
• proxy-egress.grp
• proxy-ingress.grp
• client-request-init.grp
• client-request-egress.grp
• client-reply-ingress.grp

In order for other configuration changes to take effect, you must stop and restart the server.

IMPORTANT: Save the configuration before reloading the configuration information.

Starting HP-UX AAA Servers From the Command Line
The radiusd daemon is a process that services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests come to the radiusd daemon in the form of UDP packets conforming to the RADIUS protocol. You can start the radiusd daemon from the Server Manager GUI, command line, or through an inetd service.

radiusd Syntax
radiusd [-c workdir] [-C] [-d configdir] [-da aatvdir] [-dl logdir] [-di ipcdir] [-dr rundir] [-dd datadir] [-dm meritdir] [-ip ipaddress] [-ll msg_type:msg_sub_type:log_level] [-p authport] [-q acctport] [-cp clientport] [-dp dynauthport] [-f fsm] [-l] [-n] [-pp authproxy] [-qq acctproxy] [-g logtype] [-h] [-s] [-sn SNMP Contextname] [-t timeout] [-v] [-z] [-x] [-x] [-x] [-x]

Table 4-2 describes all the radiusd options.

Table 4-2 radiusd Options

-c Working-directory: Sets current working directory. This option can be useful for determining the location of system generated files, such as core files.
-C tokcachedir: Enables token caching.
-d Config-directory: Specifies the directory where the configuration files are located. If omitted, the default directory is /etc/opt/aaa.
-da AATV-directory: Specifies the directory where the AATV libraries are located. If omitted, the default directory is /opt/aaa/aatv.
-dl Logfile-directory: Specifies the directory where the log and debug files are located. If omitted, the default directory is /var/opt/aaa/logs.
-di IPC-directory: Specifies the directory where the files generated for shared memory operation are located. If omitted, the default directory is /var/opt/aaa/ipc.
-dr Run-directory: Specifies the directory where the server's process id file (radiusd.pid) is located. If omitted, the default directory is /var/opt/aaa/run.
-dd Data-directory: Specifies the directory where the active session file (session.las) is located. If omitted, the default directory is /var/opt/aaa/data.
-dm Accounting-directory: Specifies the directory where Merit style accounting log files (session logs) are located. If omitted, the default directory is /var/opt/aaa/acct.
-ip ip address: Specifies the IP address to listen for requests.
-ll msg_type:msg_sub_type:log_level: Sets the log level based on the RADIUS message type. If the option is used multiple times, then the log level for each of the specified RADIUS message types will be set. The msg_type parameter specifies the RADIUS message type for which the log level should be set. The msg_type parameter should be one of the following:
• auth: Authentication messages.
• acct: Accounting messages.
• disconn: Disconnect messages.
• coa: Change-Of-Authorization messages.
• all: All the above messages.
The msg_sub_type parameter specifies the sub type of the msg_type parameter for which the log level should be set. The msg_sub_type parameter should be one of the following:
• req: Request messages.
• resp: Response messages.
• ack: Ack response messages.
• nak: Nak response messages.
• all: All the above messages.
The log_level parameter specifies the log level to be set for the msg_type and msg_sub_type parameters. The log_level parameter should be one of the following:
• suppress: Suppresses all the log messages for the msg_type and msg_sub_type parameters.
• low: Provides minimal information in the log messages for the msg_type and msg_sub_type parameters.
• default: Provides detailed information in the log messages for the msg_type and msg_sub_type parameters. This is the default behavior.
-p Authentication-port: Specifies the UDP port number to listen to auth requests. If omitted, the local host services will be queried for the RADIUS port (see services(4)). If unable to obtain the port from host services, the RADIUS standard default of 1812 will be used.
-q Accounting-port: Specifies the UDP port number to listen for acct requests. If omitted, the local host services will be queried to obtain the radacct port (see services(4)). If unable to obtain the port from host services, the RADIUS standard default of 1813 will be used.
-f FSM: Allows the user to specify an alternate Finite State Machine (FSM) table file instead of the default radius.fsm file. The default FSM file (/etc/opt/aaa/radius.fsm) follows Merit style accounting behavior.
-l Log-format: strftime(3) format for naming logfiles. The -l option specifies the logfile name format with timestamp precision and dictates when a logfile must start logging. For example, the following specifies the logging to start every hour:
$ ./radiusd -l logfile.%Y%m%d%H
-n: Resets the session table. If omitted, the default is to restore the session table from a previous run.
-pp Authentication-proxy: Specifies the UDP port number to forward (proxy) authentication requests.
-qq Accounting-proxy: Specifies the UDP port number to forward (proxy) accounting requests.
-g Logtype: Selects logfile, syslog, or stderr logging.
-h: Displays help message.
-s: Single process (non-spawning) mode.
-t Timeout: Inactivity timeout value (minutes) when the radiusd daemon is started through inetd.
-v: Displays AAA server version.
-z: Empties the logfile and the debug file if -x option is used.
-x: Adds to debug flag value.
-cp: Specifies the port on which the CLIENT AATV must listen.
-dp: Specifies the port on which the HP-UX AAA Server must listen for proxied Dynamic Authorization messages.
-sn <context name>: Specifies the SNMP context name that the HP-UX AAA Server SNMP subagent uses to register with the master agent. If the context name is not specified, it is omitted. The context name is required for identification when multiple instances of the HP-UX AAA Server are running on a single host.
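The effective logging that a set of -ll options produces, as an added example (Python, not part of HP's radiusd): it validates each option against the msg_type, msg_sub_type and log_level values listed in Table 4-2, expands all, and reports which message classes would be suppressed, which matters because suppressed authentication or accounting log lines are audit data that cannot be recovered later. That a later -ll overrides an earlier one for the same class is an assumption; the table does not state the precedence.

```python
"""Resolve radiusd -ll msg_type:msg_sub_type:log_level options into the effective
log level per message class. Added example, not HP code; last-option-wins is assumed."""
MSG_TYPES = ("auth", "acct", "disconn", "coa")
SUB_TYPES = ("req", "resp", "ack", "nak")
LOG_LEVELS = ("suppress", "low", "default")


def parse_ll(option):
    """Split one -ll value and reject anything outside the documented vocabulary."""
    parts = option.split(":")
    if len(parts) != 3:
        raise ValueError(f"-ll expects msg_type:msg_sub_type:log_level, got {option!r}")
    msg, sub, level = parts
    if msg not in MSG_TYPES + ("all",):
        raise ValueError(f"unknown msg_type {msg!r}")
    if sub not in SUB_TYPES + ("all",):
        raise ValueError(f"unknown msg_sub_type {sub!r}")
    if level not in LOG_LEVELS:
        raise ValueError(f"unknown log_level {level!r}")
    return msg, sub, level


def resolve_log_levels(options):
    """Start from the documented default ('default' for every class) and apply each
    -ll in command-line order; a later option overriding an earlier one is an assumption."""
    levels = {(m, s): "default" for m in MSG_TYPES for s in SUB_TYPES}
    for option in options:
        msg, sub, level = parse_ll(option)
        for m in (MSG_TYPES if msg == "all" else (msg,)):
            for s in (SUB_TYPES if sub == "all" else (sub,)):
                levels[(m, s)] = level
    return levels


def suppressed_classes(levels):
    """Message classes that will write nothing to the log; review before starting a server."""
    return sorted(f"{m}:{s}" for (m, s), level in levels.items() if level == "suppress")


def radiusd_ll_args(options):
    """Validated argv fragment to splice into a radiusd command line or rc script."""
    args = []
    for option in options:
        parse_ll(option)
        args += ["-ll", option]
    return args
```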

NOTE: The radiusd daemon determines what action must be taken when receiving requests based upon an FSM that it loads into memory when the server is started. The FSM can be configured, but it is static after server startup. The server uses the algorithm shown in Figure 4-3 to determine which FSM must be loaded into memory:

Figure 4-3 Algorithm for Determining Which FSM to Load

IMPORTANT: When started by the inetd service, radiusd times out if it does not receive a message in 15 minutes. With the -t Timeout option, you can override this value. If the value is set to 0, it waits indefinitely without timing out.

Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot
You can configure the HP-UX AAA Server (radiusd) and RMI objects to start automatically after a system reboot.

• Set the RADIUSD variable in /etc/rc.config.d/radiusd.conf to 1. The default setting is 0.

CAUTION: Modifying the content in the /sbin/init.d/radiusd.rc file other than radiusd options can disallow booting of the system.

NOTE: You can also start the Server Manager interface after reboot. In the /etc/rc.config.d/hpws22_tomcatconf file, set HPWS22_TOMCAT_START to 1, and set JAVA_HOME to /opt/java1.5.

Stopping or Restarting HP-UX AAA Servers
You must stop or restart AAA servers to update configuration changes. To avoid entering the configuration values every time an instance must be started or stopped, the HP-UX AAA Server Admin Tool is provided. The HP-UX AAA Server Admin Tool simplifies the start and stop tasks. Therefore, it is recommended that you use the HP-UX AAA Server Admin Tool to start or stop an instance using the CLI.

CAUTION: Do not stop a live server in production as it interrupts services to users.

Using Server Manager
1. From the navigation tree, click Administration.
2. Select the servers you want to stop in the Server Status frame.

NOTE: Server commands will only be executed on servers selected in the Server Status frame.

3. Click Stop.
A message prompt enables you to confirm whether you wish to stop the server. If the server cannot be stopped, the administrator is notified of the problem in the message frame.

From the Command Line
To stop radiusd, enter the following command at the HP-UX prompt:
# kill -9 `cat /var/opt/aaa/run/radiusd.pid | awk '{print $1}'`

To restart radiusd, enter the following command at the prompt:
# kill -9 `cat /var/opt/aaa/run/radiusd.pid | awk '{print $1}'`; /opt/aaa/bin/radiusd


Adding an HP-UX AAA Server to Your Network
Multiple servers can be configured and run using the AAA Server Manager graphic interface. You must establish at least one connection before you begin configuration. Only one connection can be local to the Server Manager program. You can install a server to any machine that meets the system requirements and that can establish a UDP connection to the machine hosting the Server Manager.
To add an HP-UX AAA Server to your network, complete the following steps:
1. From the navigation tree, click the Server Connections link and then click the Connect to Server link.
2. On the Create New Server Connection screen that appears, enter values as shown in Table 4-3.

Table 4-3 New Server Connection Screen Fields

Name: An identifying string for a server running the AAA software.
Domain or IP Address: Full DNS name or IP address (traditional IPv4 or IPv6 address) of an HP-UX AAA server. Examples: IPv4 address 192.0.2.0; IPv6 address fedc:ba98:7654:3210; Domain name example.org.

3. Click Create. If the client program successfully connects to the server, the name you specified must appear in the Status Frame displayed in the lower left corner of the program’s interface.


Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 5: “The HP-UX AAA Server Manager Interface” (page 88)
• Chapter 6: “Managing HP-UX AAA Servers” (page 90)
• Chapter 7: “Configuring RADIUS Clients Using the Access Devices Screen” (page 100)
• Chapter 8: “Configuring Realms” (page 105)
• Chapter 9: “Configuring Proxies” (page 117)
• Chapter 10: “Configuring Users” (page 127)
• Chapter 11: “Modifying Server Properties” (page 133)
• Chapter 12: “Logging and Monitoring” (page 142)


Table of Contents
5 The HP-UX AAA Server Manager Interface ..... 88
    Commonly Used Icons in the GUI ..... 89
6 Managing HP-UX AAA Servers ..... 90
    Using the Server Connections Screen ..... 90
    Adding a New Server Connection ..... 91
    Modifying Connection Attributes ..... 92
    Deleting a Server Connection ..... 93
    Managing Multiple Servers ..... 93
    Loading and Saving Your Configuration ..... 94
        Loading and Saving Your Configuration Using RMI Server ..... 95
        Enhancing Loading and Saving Performance Using Secure Copy Protocol ..... 96
        Setting up Key-Based Authentication ..... 97
            Creating a Public-Private key set with ssh-keygen ..... 97
            Sharing the Public key with Remote Hosts ..... 98
        Verifying Key-Based Authentication ..... 99
7 Configuring RADIUS Clients Using the Access Devices Screen ..... 100
    Navigating the Access Devices Screen ..... 100
    Adding a RADIUS Client ..... 100
    Modifying a RADIUS Client’s Properties ..... 103
    Deleting a RADIUS Client ..... 104
8 Configuring Realms ..... 105
    Using the Local Realms Screen ..... 105
    Adding a Realm ..... 105
    Modifying Realms ..... 108
    Special Entries ..... 109
    Deleting a Realm ..... 110
    Configuring Realms for Authentication using an External Server ..... 111
        Configuring Realms for Database Access via SQL ..... 111
        Configuring Realms for LDAP ..... 112
            Modifying a Directory Configuration ..... 115
            Deleting a Directory Configuration ..... 115
            Tuning the AAA Server to LDAP Server Connection ..... 116
9 Configuring Proxies ..... 117
    Navigating the Proxy Screen ..... 117
    Changing the Default localhost Proxy Settings ..... 118
    Creating or Modifying a Proxy ..... 118
        Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server ..... 121
        Forwarding Authentication Requests to a Remote Server ..... 122
    Changing RADIUS Port Numbers ..... 123
        Forwarding Requests to Alternate RADIUS Ports ..... 123
    Forwarding Accounting Requests ..... 124
    Proxying Authentication and Accounting Messages to the Same Server ..... 124
    Proxying Accounting Requests to a Central Server ..... 125
    Deleting a Proxy ..... 125
10 Configuring Users ..... 127
    Navigating the Users Screen ..... 127
    Changing the Default test_user Settings ..... 127
    Adding a User Profile ..... 128
        Tabs on the Add Users Screen ..... 130
            Specifying Attributes Using the Free Attributes Pane ..... 130
    Modifying User Profiles ..... 131
    Deleting a User Profile ..... 131
        To Delete a User Profile From the Default users File ..... 132
        To Delete a User Profile in a Local Realms File ..... 132
11 Modifying Server Properties ..... 133
    Navigating the Server Properties Screen ..... 133
    DHCP Relay Properties ..... 133
    DNS Updates Properties ..... 134
    Message Handling Properties ..... 135
    SNMP Properties ..... 136
        Enable SNMP Support ..... 136
    Tunneling Properties ..... 136
        Tunneling Reply Items (Optional) ..... 137
    Certificate Properties ..... 137
    File Size Properties ..... 138
        Maximum Logfile Size ..... 138
    Miscellaneous Properties ..... 138
        Permit Microsoft Client Authenticate As Computer ..... 138
    Local Users File Properties ..... 139
    ProLDAP Properties ..... 139
    AAA Server As A Client Properties ..... 140
    Client Action Properties ..... 140
12 Logging and Monitoring ..... 142
    Overview ..... 142
    Server Log Files ..... 142
        Using Server Manager to Retrieve Logfile Information ..... 142
            Search Parameters ..... 143
            Message Types ..... 144
        Using Server Manager to Retrieve Statistics ..... 144
    Accounting Log Files ..... 145
        Using Server Manager to Retrieve Accounting Logfiles ..... 146
        Format of Accounting Records in the Default Merit Style ..... 147
            Time-Based Values ..... 147
            Client A-V Pairs ..... 148
            User Entry A-V Pairs ..... 148
            Session Tracking ..... 148
        Writing Livingston CDR Accounting Records ..... 149
            Livingston CDR Session Record Format ..... 150
        Changing the Accounting Log Filename ..... 150
        Changing the Accounting Log Rollover Interval ..... 151
        Rolling Over the Log File and Accounting Stream and Setting the Log Level ..... 151


5 The HP-UX AAA Server Manager Interface
HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. The Server Manager is used to start, stop, configure, and modify the servers. In addition, Server Manager can retrieve information about logged server sessions and accounting information for an administrator.
Figure 5-1 shows the various parts of the Server Manager interface. The Server Manager user interface consists of the following three sections:
• The navigation tree: Click on links in the navigation tree to open the corresponding section in the Main Screen.
• The Main Screen: Configure the HP-UX AAA Server on this screen.
• HP-UX AAA Server Status Frame: View the status of your servers on this screen.


NOTE: The Default (Server Connections) group, including a server called localhost, is present by default. This group is compatible with the Server Connections present in releases earlier than HP-UX AAA Server A.08.01. All Server Connections managed by the HP-UX AAA Server Manager in the earlier versions of HP-UX AAA Server are moved to the Default (Server Connections) group during migration.

Figure 5-1 The HP-UX AAA Server Manager User Interface

Commonly Used Icons in the GUI

• Click to add new servers, realms, or users.

• Click to delete the corresponding entry.

• Click to display a context-sensitive Help screen.

• Click to edit the corresponding entry.

• Indicates that the configuration file cannot be modified using the Server Manager. Edit the configuration file manually using a command line editor.


6 Managing HP-UX AAA Servers

Your server configuration can be synchronized and controlled across one or more server installations. These server installations can be on the same machine as the Server Manager program, or on different machines. Server Manager identifies each AAA installation as a server connection and maps a hostname to the IP address (both traditional IPv4 and IPv6 address formats are supported) or DNS name of a remote machine where a AAA server is installed.

Starting with the HP-UX AAA Server A.08.00 release, HP-UX AAA Server Manager supports administering multiple HP-UX AAA Servers on the same host for scalability. HP-UX AAA Servers can also be distributed on different hosts for high availability. For more information, see Chapter 18 (page 273).

NOTE: Before defining a connection, ensure that the HP-UX Tomcat-based Servlet Engine is running on the machine.

You cannot configure servers until a server connection is established. All configuration modifications are saved locally and are not associated with any server. A connection named localhost is configured as a server connection by default during installation.

This section addresses the following topics:
• "Using the Server Connections Screen" (page 90)
• "Adding a New Server Connection" (page 91)
• "Modifying Connection Attributes" (page 92)
• "Deleting a Server Connection" (page 93)
• "Managing Multiple Servers" (page 93)
• "Loading and Saving Your Configuration" (page 94)

Using the Server Connections Screen

The Server Connections screen shown in Figure 6-1 allows you to add a new server or group, and modify or delete an existing server or group.


Figure 6-1 Server Manager’s Connected Server Screen

Adding a New Server Connection

To add a new server connection, complete the following steps:

1. Click the add icon to display the Add Connection screen. The Add Connection screen appears as shown in Figure 6-2.

Figure 6-2 The Add Connection Screen

2. In the Connection Attributes form, enter your connection attributes according to the format shown in Table 6-1.

Table 6-1 Fields in the Connection Attributes Form

Field Name: Name
Attributes: The identifying string of a remote server.

Field Name: Domain Name or IP Address
Attributes: The client IP address or DNS name. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA server can resolve DNS name entries to both IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 literal format notation. For example:
    IPv4 address: 192.0.2.0
    IPv6 address: fedc:ba98:7654:3210


3. Click Create to create the server connection. Click Cancel to return to the Managed Servers screen without creating a new server connection.

IMPORTANT: When adding a connection to a new remote server, you must start the RMI objects on that host to allow Server Manager to administer the server. Before starting and stopping the RMI server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java 6, export JAVA_HOME as /opt/java6. If the JAVA_HOME environment variable is not set or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server. You can start the RMI objects from the command line with the following command:

$ /opt/aaa/remotecontrol/rmistart.sh

Modifying Connection Attributes

In the Server Connections screen, select the edit icon corresponding to the server whose attributes you wish to modify. The Modify Connection screen appears as shown in Figure 6-3.

Figure 6-3 The Modify Connection Screen


The HP-UX AAA Server Properties section of the form includes a list of pathnames that cannot be modified. These pathnames must match the installation directories of the remote server.

IMPORTANT: When setting an option to a given directory, the directory must exist and be editable on the machine. You must specify the logfile directory to access session logs through the maintenance functions listed in the navigation tree menu.

Deleting a Server Connection

To delete a server connection, complete the following steps:

1. In the Server Connections screen, click the delete icon corresponding to the server connection that you want to delete. The Delete Server Connections screen appears as shown in Figure 6-4. This screen allows you to preview the properties of the server connection before you confirm deletion.

Figure 6-4 The Delete Server Connections Screen

2. Click Delete to remove the server connection. Click Cancel to return to the Server Connections screen without removing the server connection.

Managing Multiple Servers

The Server Status frame, located in the lower left corner of the Server Manager's interface, provides a list of server connections belonging to a group, as shown in Figure 6-5.


Figure 6-5 Server Manager’s Server Status Frame

When your network includes multiple HP-UX AAA Servers, click the check box that precedes each listed connection to specify whether a command applies to the corresponding server. When a server command, such as Start, is submitted, it is only sent to checked servers. When you retrieve server logging, statistics, active sessions, or account information, only information from the checked servers is displayed.

Table 6-2 displays the icons that can appear in Server Manager's Server Status frame and describes them briefly.

Table 6-2 Icons in Server Manager's Server Status Frame

Icon: Running. Indicates the server is connected and running.
Icon: Stopped. Indicates that the server is connected but is not currently running.
Icon: Failure. Indicates a communication error between the Server Manager and the AAA server.

Loading and Saving Your Configuration

This section describes the following:
• "Loading and Saving Your Configuration Using RMI Server" (page 95)
• "Enhancing Loading and Saving Performance Using Secure Copy Protocol" (page 96)
• "Setting up Key-Based Authentication" (page 97)
• "Verifying Key-Based Authentication" (page 99)

Loading and Saving Your Configuration Using RMI Server

AAA configuration files consist of one or more entries. While accessing these files through the Server Manager interface, the initial screen lists each existing entry and provides controls to open HTML forms. You can add or modify the AAA server's configuration files by entering values in these forms. You must then submit these values to the program. The fields in the HTML forms include text boxes, drop-down lists, and other form controls. Fields with bold labels require values for a complete configuration.

Server Manager stores changes you make to the server configuration, but does not immediately save them on a remote server. When you select the Load Configuration link from the navigation tree, the interface (shown in Figure 6-6) displays a prompt. You can edit the server configuration settings using this prompt. Information for the access device, proxies, local realms, users, and server properties in the loaded configuration replaces the existing information for all server configuration items.

Figure 6-6 Server Manager’s Load Configuration Screen

After you have made changes to the server configuration items, you can save the modified configuration on any server that has an active connection with the Server Manager program. When you click Save Configuration, the Server Manager interface displays a prompt (shown in Figure 6-7). Using this prompt, you can select the servers on which the settings must be saved.

CAUTION: Clicking Save saves the entire server configuration (access device, proxies, local realms, users, and server properties) on the specified servers.

Figure 6-7 Server Manager’s Save Configuration Screen

NOTE: If you do not wish to save changes that have been made, you can revert to the previous settings by loading the original configuration.

A running server does not pick up configuration modifications. After the changes have been saved on a server, you must restart that server for them to take effect.

NOTE: More than one administrator cannot edit the same functional area (access device, proxies, local realms, users, server properties) of a server configuration at the same time. After you access the configuration screens for a functional area, the Server Manager does not allow others to access that functional area until you have moved to a different item.

NOTE: Selecting Save Server Attributes Only saves the group and server attributes from the host running Tomcat (HP-UX AAA Server Manager) to the host running the HP-UX AAA Servers. The configuration files of the individual HP-UX AAA Servers are not saved.

Enhancing Loading and Saving Performance Using Secure Copy Protocol

You can load and save configuration files using the RMI Server or the Secure Copy Protocol (SCP). SCP reduces the time required to load and save configuration files. To use SCP when saving or loading the configuration, you must enable key-based authentication, which does not require a password, between the user account configured to start Tomcat (HP-UX AAA Server Manager) on the local host and the user account configured to start the RMI Server on the remote host. The user account configured to start the RMI Server on the remote host is aaa by default; modify the rmiserver.aaa.user property in the rmiserver.properties file to change the default aaa value.

NOTE: If you do not choose to use SCP, RMI Server is used by default.

Setting up Key-Based Authentication

This section describes how to set up key-based authentication between the user account configured to start Tomcat (HP-UX AAA Server Manager) on the local host and the user account configured to start the RMI Server on the remote host. Setting up key-based authentication involves creating a public-private RSA key pair with ssh-keygen and sharing the public key with the user account configured to start the RMI Server on the remote host.

This section describes the following procedures:
• "Creating a Public-Private key set with ssh-keygen" (page 97)
• "Sharing the Public key with Remote Hosts" (page 98)

Creating a Public-Private key set with ssh-keygen

To create a public-private key set with ssh-keygen on the local host, complete the following steps:

1. Log in using the name used to start Tomcat.

2. To create the ssh directory, enter the following command at the HP-UX prompt:
# mkdir ~/.ssh

3. Change the permissions of the directory as follows:
# chmod 700 ~/.ssh

4. Change to the ssh directory as follows:
# cd ~/.ssh


5. To create the SSH key pair, complete the following steps:
   1. Enter the following command at the HP-UX prompt:
      # ssh-keygen -t rsa
      The SSH key pair is created.
   2. Enter the file in which you want to save the key. Press Enter to select the default path (<your_local_home>/.ssh/id_rsa).
   3. Enter the passphrase. If you do not want a passphrase, press Enter.

   The identification is saved in <your_local_home>/.ssh/id_rsa if the default path is selected. The public key is saved in <your_local_home>/.ssh/id_rsa.pub if the default path is selected.

Sharing the Public key with Remote Hosts

To share the public key with the user account configured to start the RMI Server on the remote host from the local host where the HP-UX Server Manager GUI is running, complete the following steps:

1. To transfer the public key to the remote system, enter the following command at the HP-UX prompt:
# scp <public key path> <user>@<remoteserver>:/<desired path>

NOTE: Replace public key path with the file path where the public key is saved. Replace user with the name of the user who starts the RMI server on the corresponding host. Replace remoteserver with the name of the remote server where the RMI server is running. Replace desired path with the path on the remote server where you want to copy the public key.

2. To log in to the remote system, enter the following command at the HP-UX prompt:
# ssh <user>@<remote server>

3. Create a new directory as follows:
# mkdir .ssh

4. Change the permissions of the directory as follows:
# chmod 700 .ssh

5. To append the public key to the authorized_keys file, enter the following command at the HP-UX prompt:
# cat <desired path>/<public key file> >> .ssh/authorized_keys


6. Change the permissions of the authorized_keys file as follows:
# chmod 644 .ssh/authorized_keys

7. Log out of the system.

NOTE: You must repeat this procedure for all the user accounts on all the remote RMI servers with which you want to share the public key.

Verifying Key-Based Authentication

To verify key-based authentication, log in to the remote system from the local host where the HP-UX Server Manager GUI is running, as follows:
# ssh <user>@<remoteserver>

If a password is not required to log in, key-based authentication is configured successfully.
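The key-setup and verification procedure above, written as shell functions. This is an added example and not part of the HP-UX AAA Server guide; it assumes a POSIX sh with the OpenSSH tools (ssh-keygen, scp, ssh), and the host and user names in the usage note are placeholders. It adds two things the step list leaves to the operator: the public key is appended to authorized_keys exactly once, so the script can be re-run on every RMI host without growing the file, and the verification runs ssh with BatchMode=yes so a missing or wrong key fails the check instead of silently falling back to a password prompt. Because the key has no passphrase, anyone who can read the Tomcat account's id_rsa can log in as the RMI user on every host where it is installed; keep the 700/600 modes the guide prescribes, and consider prefixing the key line in authorized_keys with from="<tomcat-host>" so the key is only accepted from the Server Manager host.

```shell
#!/bin/sh
# Added example (not from the HP-UX AAA Server guide): scripted form of the
# key-based authentication setup. Host names, user names and paths are
# placeholders to be replaced with your own.

# Local side: create ~/.ssh with mode 700 and an RSA key pair if none exists.
# Run this as the account that starts Tomcat (HP-UX AAA Server Manager).
# Prints the path of the public key to copy to the RMI hosts.
make_local_key() {
    keydir="${1:-$HOME/.ssh}"
    mkdir -p "$keydir" && chmod 700 "$keydir"
    if [ ! -f "$keydir/id_rsa" ]; then
        # -N "" gives an empty passphrase, which unattended SCP from Tomcat needs;
        # the private key is then protected only by the 700/600 file modes.
        ssh-keygen -t rsa -N "" -f "$keydir/id_rsa" >/dev/null
    fi
    chmod 600 "$keydir/id_rsa"
    printf '%s\n' "$keydir/id_rsa.pub"
}

# Remote side: append one public key line to authorized_keys exactly once,
# creating .ssh (700) and authorized_keys (644) as the guide requires.
# $1 = public key file, $2 = home directory of the RMI user (default $HOME).
# Prints the number of lines in authorized_keys carrying this key (1 when done).
install_pubkey() {
    pub="$1"
    home="${2:-$HOME}"
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    [ -f "$ak" ] || : > "$ak"
    chmod 644 "$ak"
    # Compare on the key material (type + base64) and ignore the trailing
    # comment, so re-running never appends a duplicate line.
    keyid=$(awk '{print $1, $2}' "$pub")
    if ! awk '{print $1, $2}' "$ak" | grep -qxF "$keyid"; then
        cat "$pub" >> "$ak"
    fi
    awk '{print $1, $2}' "$ak" | grep -cxF "$keyid"
}

# Verification from the Tomcat host: BatchMode=yes makes ssh exit non-zero
# instead of prompting for a password, so the check is scriptable and cannot
# "succeed" by falling back to password login. Returns ssh's exit status.
verify_key_auth() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$1@$2" true
}
```

Typical use, with aaa and rmihost standing in for the RMI user and host: on the Tomcat host run `pub=$(make_local_key)` and `scp "$pub" aaa@rmihost:/tmp/tomcat_id_rsa.pub`; on rmihost, as user aaa, run `install_pubkey /tmp/tomcat_id_rsa.pub`; back on the Tomcat host, `verify_key_auth aaa rmihost && echo ok` confirms that the SCP path will work without a prompt.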


7 Configuring RADIUS Clients Using the Access Devices Screen

The server configuration must include all the clients (NASs, access points and other network devices) that can communicate with the HP-UX AAA Server. If an access device is not included in the configuration, the server does not handle requests from, or send requests to, the client. The Access Devices screen allows you to add a new client, and modify or delete an existing client in the server configuration.

Navigating the Access Devices Screen

The Access Devices screen shown in Figure 7-1 allows you to configure a new RADIUS client, or modify or delete an existing RADIUS client.

Figure 7-1 Server Manager’s Access Device Screen

Adding a RADIUS Client

To add a RADIUS client through the Access Devices screen, complete the following steps:


1. In the Access Devices screen, click the add icon corresponding to the New Access Device list. The Add Access Device screen appears as shown in Figure 7-2.

Figure 7-2 Server Manager’s Access Device Attributes Screen

2. In the Access Device Attributes form, enter information according to Table 7-1.


Table 7-1 Add Access Device Configuration Form Options

Option: Name
Function: Enter the network location of the network device. This may be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), or a valid DNS host name. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Notes:
• Ensure that your DNS is configured correctly (with both forward and reverse entries) for your AAA server. The AAA server determines the name of the machine that it is running on. If this name does not match your local DNS server's database, you cannot configure the access device correctly.
• You can use wildcards to provide access for all traditional IP (IPv4) clients in a particular subnet. Examples of valid IPv4 wildcard patterns are:
    *
    192.*
    192.0.*
    192.0.2.*
• You can use wildcards to provide access for all IPv6 clients in a particular subnet. The allowed IPv6 wildcard patterns are constructed by appending a '*' to a partial IPv6 address or by specifying a single '*'. Examples of valid IPv6 wildcard patterns are:
    *
    fedc:ba98:7654:3210:fe*
    fedc:ba98:7654:3210*
  The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. For example, 'fedc::ba98:fe*' is not allowed.

Option: Shared Secret
Function: Enter the shared secret, or the encryption key between the client and the server. The shared secret must be less than 255 characters. A request from a client for which the server does not have a shared secret is silently discarded.

Option: Confirm Shared Secret
Function: Confirm the secret by typing it again.

Option: Dynamic Authorization Relay Port
Function: Enter the UDP port number of the dynamic authorization server to which the HP-UX AAA Server must send the dynamic authorization requests. The default value is 3799.

Option: Retry Count
Function: Enter the number of client retry requests the HP-UX AAA Server must send to perform a client function, such as Disconnect or Change of Authorization. The default value is 2.

Option: Retry Interval
Function: Specifies the time interval between two successive client requests. The HP-UX AAA Server sends a client retry request at the end of the specified retry interval if the initial request does not receive a response from the respective server. The default value is 3.


Table 7-1 Add Access Device Configuration Form Options (continued)

Option: Vendor
Function: Enter the vendor-specific attributes that must be returned to the access device in a reply. In most applications, you can select the hardware vendor of the device, or Generic if the device is not listed. You can make multiple selections by holding down the control key as you select vendor names. The server prunes vendor-specific attributes for a given vendor if that vendor's name is not properly defined in the vendors file and its attributes are not properly defined in the dictionary file.

NOTE: The Generic vendor prunes all vendor-specific attributes before a message is returned to a NAS. This attribute can be used to help prevent problems that occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file.

IMPORTANT: To define a wireless access point using the MS-CHAP protocol, you must select Microsoft as one of the vendor selections.

Option: Options
Function: Select any of the check boxes to specify additional message-handling options. The options are:
RAD_RFC: Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.
ACCT_RFC: Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.
Debug: Dumps packets into the server's debug output file.
No Check: Helps enhance server performance. When this option is checked, the HP-UX AAA Server does not check all attributes to determine if the request is a duplicate. Check this option only if you know that the client sends standard messages that can easily be detected as duplicates.
No Encaps: Does not encapsulate the vendor response (if the client requires unencapsulated A-V pairs).
Old Chap: For clients that perform pre-RFC CHAP.

NOTE: Dynamic Authorization Relay Port, Retry Count and Retry Interval are used only if the HP-UX AAA Server is configured to perform client functionalities.

3. Click Create to submit the new RADIUS client to the Server Manager. Click Cancel to return to the Access Devices screen without making any changes to your server configuration.
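How the wildcard rules of Table 7-1 resolve a client address, as an added example that is not from the HP-UX AAA Server guide and uses no HP-UX AAA command or file format: the client list, its labels and the addresses are constructed for illustration, and the "first matching entry wins" lookup is an assumption about ordering that the table does not state. It shows that a pattern is a plain string prefix (a shell glob does the matching, which is why the pattern is left unquoted in the case statement), so 192.0.* covers 192.0.0.0 through 192.0.255.255 and is not a subnet mask, and that a pattern containing "::" is rejected rather than matched. One consequence worth keeping in mind: every device matched by a wildcard entry presents the same shared secret, so a secret extracted from one NAS in 192.0.2.* is valid from any other address in that range.

```shell
#!/bin/sh
# Added example (not from the HP-UX AAA Server guide): a matcher for the
# access-device wildcard patterns described in Table 7-1. The entries and
# labels below are constructed; "match_client" is not an HP-UX AAA command.

# Reject patterns the guide disallows: an IPv6 pattern must not use the "::"
# zero-compression syntax, and "*" may appear only once, at the end.
valid_pattern() {
    case "$1" in
        *::*) return 1 ;;          # "fedc::ba98:fe*" is not allowed
        '*') return 0 ;;           # a bare "*" matches every client
        *'*'*'*'*) return 1 ;;     # more than one "*"
        *'*') return 0 ;;          # partial address with a trailing "*"
        *'*'*) return 1 ;;         # "*" in the middle of the address
        *) return 0 ;;             # plain address or host name (exact match)
    esac
}

# Does client address $2 match pattern $1?  Returns 0 on match, 1 on no
# match, 2 when the pattern itself is invalid.
match_client() {
    pattern="$1"; addr="$2"
    valid_pattern "$pattern" || return 2
    case "$addr" in
        $pattern) return 0 ;;   # unquoted on purpose: "*" acts as the wildcard
        *) return 1 ;;
    esac
}

# Constructed client list, one "<pattern> <label>" per line. The label stands
# in for the shared secret that entry carries. The specific address is listed
# before the wildcard that covers its subnet, and the catch-all comes last.
CLIENTS='192.0.2.10 nas-core
192.0.2.* branch-subnet
fedc:ba98:7654:3210:fe* lab-v6
* catch-all'

# Print the label of the first entry that matches address $1 (assumed
# first-match ordering; prints nothing if no entry matches).
lookup_client() {
    addr="$1"
    printf '%s\n' "$CLIENTS" | while read -r pattern label; do
        if match_client "$pattern" "$addr"; then
            printf '%s\n' "$label"
            break
        fi
    done
}
```

Run `lookup_client 192.0.2.10` to see nas-core win over branch-subnet; swapping the first two lines of CLIENTS makes the wildcard shadow the specific entry, which is the ordering mistake the matcher is meant to make visible.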

Modifying a RADIUS Client's Properties

To modify the properties of an existing RADIUS client, complete the following steps:


1. In the Access Device screen, click the edit icon corresponding to the client whose properties you want to edit. The Modify Access Device screen appears, similar to the one shown in Figure 7-2.

2. Edit the fields in the Access Device Attributes form. See Table 7-1 for more information on how to fill in the form.

3. Click Modify to save changes. Click Cancel to return to the Access Devices screen without saving any changes.

Deleting a RADIUS Client

To delete a RADIUS client, complete the following steps:

1. In the Access Device screen, click the delete icon corresponding to the RADIUS client you want to delete. The Delete Access Device screen appears as shown in Figure 7-3. This screen allows you to preview the access device entry before you confirm deletion.

Figure 7-3 The Delete Access Device Screen

2. Click Delete to delete the RADIUS client. Click Cancel to return to the Access Devices screen without deleting the RADIUS client.


8 Configuring Realms

A realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled in the same way, either proxied to a remote server or locally authenticated using a specified method, according to the authentication type assigned to the realm.

Using the Local Realms Screen

The Local Realms screen (shown in Figure 8-1) allows you to configure realms for the HP-UX AAA RADIUS server by adding a new realm, or modifying or deleting an existing realm in the server's authfile.

Figure 8-1 Server Manager’s Local Realms Screen

Adding a Realm

To add a realm entry, complete the following steps:

1. From the navigation tree, click Local Realms. The Local Realms screen appears as shown in Figure 8-1.

2. To add a new realm, click the add icon. The Add Local Realm screen appears as shown in Figure 8-2.


Figure 8-2 Server Manager’s Local Realm Attributes Screen

3. Complete the form on the Local Realm Attributes screen according to the information given in Table 8-1.

Table 8-1 Fields in the Local Realm Attributes Form

Option: Name
Function: Name of the realm that must be mapped. This name does not have to be a DNS host name. However, HP recommends that the realm name match a domain name. The user will then be able to recognize the user@realm syntax, which resembles their email address.


Table 8-1 Fields in the Local Realm Attributes Form (continued)

Option: User Authentication
Function: Identifies the authentication method used for the realm:
• Enable EAP: Select this option if user authentication by an EAP challenge is required. Select one or more EAP types. At least one authentication method must be selected. For PEAP (EAP-GTC), you must configure the NULL realm. The PEAP version '0' only checkbox is displayed if you select PEAP(EAP-GTC), PEAP(EAP-MSCHAP), or PEAP(EAP-MD5). Select this checkbox if your supplicant uses the PEAP version 0 protocol.
• Enable RADIUS Standard: Default. Select this option if user authentication via password checking is required.
If both Enable EAP and Enable RADIUS Standard are selected, authentication is carried out based on the Authentication-Type configuration attribute set in the RADIUS request.

Option: User Profile Storage
Function: Indicates the location from which the AAA server must retrieve user profiles:
• users: Choose this option to store user information locally in AAA Server flat files. Choosing this option allows you to administer user information with Server Manager. Server Manager can administer user information stored locally in the AAA Server flat files only.
• Database Access via SQL or LDAP Server: Choose this option if the user profile information is stored in an external database. See the individual chapters for more information.
• OS Security Database: HP-UX operating systems use a number of repositories or "databases" to store information about hosts, users, passwords, and so on. User password lookup is performed through the name-service switch configured in /etc/nsswitch.conf. See the nsswitch.conf man page for more information.
• No Store: EAP-TLS Certificates: Choose this option if you are using TLS and do not want to store user information. If you are using TLS, you are not required to store user information because the TLS certificates provide the user information needed for authentication.
• No Store: Allow All Users: Choose this option to allow all requests from a realm.
• No Store: Deny All Users: Choose this option to deny all requests from a realm.

Option: User Storage Parameters
Function: Identifies the location, access, and policy parameters for the selected User Profile Storage.

Option: Alias
Function: Optional. A parenthesized list of one or more aliases, delimited by commas. Each realm alias is equivalent to the realm name. An alias is provided for user convenience or other purposes, such as to save typing when logging on to your network. Aliases are allowed on wildcard entries and are interpreted as meaning *.alias.


Table 8-1 Fields in the Local Realm Attributes Form (continued)

Option: Filter ID
Function: Optional. Allows the specification of a packet filter name to be associated with authentication through this realm name. It overrides any explicit filter name specified in a user profile.

Option: Session Tracking
Function: Optional. Determines if session tracking is enabled for a realm. When you enable session tracking, accounting records are generated for the realm and active sessions can be searched using the Session option on the navigation tree.

NOTE: The EAP-LEAP authentication method is obsolete in this release of the HP-UX AAA Server. The EAP-LEAP authentication method is replaced by the EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted tunnel to transmit the user's credentials.

The SecurID authentication is obsolete in this release of the HP-UX AAA Server. The SecurID authentication can be replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors. For more information on the OATH standards-based OTP authentication solution, see Chapter 16 (page 179).

The Oracle authentication module is obsolete in this release of the HP-UX AAA Server. Oracle authentication is supported using SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature. For more details on implementing SQL Access, see Chapter 22 (page 338).

4. To add the new realm, click Create to submit it to the Server Manager. To return to the Realms screen without making any changes to your server configuration, click Cancel.

Modifying Realms

To modify the properties of an existing realm, complete the following steps:

1. From the navigation tree, click Local Realms. The Local Realms screen appears as shown in Figure 8-1.


2. Click the edit icon corresponding to the realm whose properties you want to modify. The Modify Local Realm screen appears, similar to the screen shown in Figure 8-2.

3. Modify the properties on the Local Realm Attributes screen according to the information given in Table 8-1.

4. To submit changes to the realm entry to the Server Manager, click Modify. To return to the Realms screen without making any changes to your server configuration, click Cancel.

NOTE: The lock icon indicates that the configuration file cannot be modified using the Server Manager. Edit the file manually using a command line editor.

Special Entries

There are a few special entries that you can use while configuring realms. Table 8-2 shows the special entries you can use.


Table 8-2 Special Entries

Special Entry: When to Use

Wildcard Entries
When specifying the primary realm for an entry, you can use a wildcard syntax such as *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches, eastern.company.com, western.company.com, and central.company.com. The wildcard entry for that company would define *.company.com as the realm. This notation would include all three realms. HP recommends that any such wildcard entry be listed after more specific entries. This order allows the preceding, specific entries to override the wildcard entry.

DEFAULT Realm
The DEFAULT realm acts as a matching realm entry for all realms. By default, the DEFAULT realm is configured to authenticate against the default set of users. Disable the DEFAULT realm by choosing the No Store - Deny All Users option in the User Profile Storage drop-down list.

NULL Realm
The NULL realm authenticates users that do not identify their realm when requesting access (for example, the AAA server receives an access request from user, instead of [email protected]). By default, the NULL realm is disabled with the No Store: Deny All Users setting.
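The precedence rules in Table 8-2 (a specific entry overrides a wildcard only when it is listed first, a request without "@" goes to the NULL realm, and DEFAULT catches everything else) are easy to misconfigure, so the following added example walks a constructed realm list the way the table describes. It is not HP-UX AAA Server code and does not reproduce the server's configuration syntax; the Realm records and the case-insensitive comparison of realm names are assumptions.

```python
"""Realm lookup following the precedence rules of Table 8-2.

Added example, not HP-UX AAA Server code: the Realm records are constructed and do
not reproduce the server's own configuration syntax. Assumptions: realm names
compare case-insensitively (as DNS names do), and a request that carries no realm is
handled by the NULL realm only.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

DENY_ALL = "No Store - Deny All Users"   # User Profile Storage option that disables a realm


@dataclass(frozen=True)
class Realm:
    name: str      # exact name, a wildcard such as "*.company.com", "DEFAULT" or "NULL"
    storage: str   # User Profile Storage setting, e.g. "User File", "LDAP", DENY_ALL


# Constructed configuration: the specific realm is listed before the wildcard, as HP
# recommends, the NULL realm is left disabled, and DEFAULT still authenticates.
EXAMPLE_REALMS = [
    Realm("eastern.company.com", "LDAP"),
    Realm("*.company.com", "User File"),
    Realm("NULL", DENY_ALL),
    Realm("DEFAULT", "User File"),
]


def split_user(nai: str) -> Tuple[str, Optional[str]]:
    """Split "user@realm"; a bare user name carries no realm (the NULL realm case)."""
    user, sep, realm = nai.rpartition("@")
    if not sep:
        return nai, None
    return user, realm.lower()


def match_realm(nai: str, realms: List[Realm]) -> Optional[Realm]:
    """Return the configured entry that handles nai, or None if nothing matches.

    Exact and wildcard entries are tried in configured order, so a specific entry
    listed before "*.company.com" wins while one listed after it is shadowed.
    A request without "@" goes to the NULL realm; DEFAULT matches any realm.
    """
    special = {r.name.upper(): r for r in realms if r.name.upper() in ("DEFAULT", "NULL")}
    _, realm = split_user(nai)
    if realm is None:
        return special.get("NULL")
    for entry in realms:
        if entry.name.upper() in ("DEFAULT", "NULL"):
            continue
        pattern = entry.name.lower()
        if pattern.startswith("*."):
            # "*.company.com" matches any label before ".company.com", not the bare domain
            if fnmatchcase(realm, pattern):
                return entry
        elif pattern == realm:
            return entry
    return special.get("DEFAULT")


def is_denied(entry: Optional[Realm]) -> bool:
    """No matching entry, or a No Store - Deny All Users entry, rejects the request."""
    return entry is None or entry.storage == DENY_ALL
```

Reordering EXAMPLE_REALMS so that the wildcard precedes eastern.company.com makes every company realm fall through to the User File entry, which is the shadowing the table warns about.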

Deleting a Realm

Complete the following steps to delete a realm:


1. In the Local Realms screen, click the icon corresponding to the realm you want to delete. The Delete Local Realm screen appears as shown in Figure 8-3. This screen allows you to preview the realm attributes before you confirm deletion.

Figure 8-3 The Delete Local Realm Screen

2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen without deleting the realm.

Configuring Realms for Authentication using an External Server

This section discusses how to configure realms for authentication using the Database via SQL Access and Lightweight Directory Access Protocol (LDAP) modules.

Configuring Realms for Database Access via SQL

A realm can be configured for Database Access via SQL only after setting up the HP-UX AAA Server to connect to the database and configuring the connection parameters and SQL actions in sqlaccess.config. See Chapter 22: “SQL Access” (page 338) for details on setting up the HP-UX AAA Server for SQL Access.

Perform the following steps to configure the realm for Database Access via SQL.

1. From the navigation tree, click Local Realms.

2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.


3. In the Name field, enter the name of the realm for which the user profiles are stored in a database and accessed using the SQL Access feature. The name does not have to be a DNS host name. However, HP recommends that you set the realm name to correspond with the domain name. This enables the user@realm syntax to resemble the e-mail address for all the users in the domain.

4. In the User Profile Storage field, select Database Access via SQL. The user storage parameters for Database Access via SQL are displayed as shown in Figure 8-4.

Figure 8-4 User Storage Parameters for Database Access via SQL

5. In the User Storage Parameters field, select one of the following options:

• RADIUS Attribute: Specify the RADIUS attribute in the <vendorID>:<attribute> format. This RADIUS attribute must contain the SQL action used for authentication. If vendorID is not specified, 0, which corresponds to a standard RADIUS attribute, will be used.

NOTE: The <vendorID> component must be a value that is defined in the vendors file, and the <attribute> component must be a value that is defined in the dictionary file.

• SQL Action Id: Select the SQL action from the drop-down list.

IMPORTANT: Ensure that the appropriate SQL action is selected from the drop-down list. Selecting an incorrect SQL action can result in an authentication failure or unintentional changes to the database records.

6. Complete any remaining optional fields as necessary for your configuration.

7. Click Create. If the realm is successfully created, the Local Realms screen will list the new realm.

8. From the navigation tree, click Save Configuration.

If you have multiple remote servers, you will be prompted to select and confirm the servers where the realm configuration will be applied.

Configuring Realms for LDAP

This section discusses how to configure realms for Lightweight Directory Access Protocol (LDAP). These realms can be configured only after setting up the LDAP server. See Chapter 21: “LDAP Authentication” (page 335) for information on setting up an LDAP server.

To configure each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm.

Complete the following steps to configure realms for LDAP:

1. From the navigation tree, click Local Realms.

2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.

3. In the Name field, enter the name of the realm to map to the defined LDAP location.

This name does not have to be a DNS host name. However, HP recommends that the realm name correspond with the domain name. This way, the user recognizes the user@realm syntax, which resembles their e-mail address.

4. In the User Authentication field, select the authentication methods to authenticate users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, select Enable RADIUS Standard. For all other methods, select Enable EAP and choose at least one EAP method from the drop-down list.

5. In the User Profile Storage field, select LDAP. The user storage parameters for LDAP appear when you select LDAP from the User Profile Storage drop-down list. These parameters identify a section of the directory tree on one or more LDAP servers where the HP-UX AAA software will attempt to retrieve user profiles.

6. In the User Storage Parameters field, select New LDAP Directory or the name of an existing LDAP Directory.

7. In the LDAP screen that appears, configure the LDAP directory using the information described in Table 8-3.

Table 8-3 Values for Configuring Realms for LDAP

Value: Description

Directory Name
Start of a directory configuration. Give a name to the directory, which can be an arbitrary string. If the name contains spaces or tabs, the string must be enclosed in single or double quotes.

Host
Name of the host on which the LDAP directory server runs. The value must be a fully qualified DNS name, although an IP address also works. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA Server can resolve DNS name format entries to IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 literal format notation. For example:
IPv4 address: 192.0.2.0
IPv6 address: fedc:ba98:7654:3210

Port (Optional)
Port number on which the directory server is running. Default value is 389.

Use SSL
Enables or disables SSL connections between the HP-UX AAA Server and the LDAP directory. If you are enabling SSL, you must specify the server's CA certificate path or fully qualified file name in the Server Properties -> ProLDAP Properties window.

Administrator
Special user ID used when an authenticated search is allowed on the LDAP directory server. This administrator does not need to be a real administrator of the LDAP directory server, but must have read access to all the users (and their passwords). Intended to be authenticated by the AAA server.

Password
Password for Administrator to bind (authenticate) itself to the LDAP directory server.

Search Base
Pointer into the directory where the search for users in a realm starts. Specifying a search base improves server performance by limiting the scope of search operations on user information for a particular realm. A search base contains a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. For example, a search base of o=hp, c=US represents a search for one of the users on the following tree:

    c=US
     |
    o=hp
     |
     +--- uid=Joe
     +--- uid=Bob
     +--- uid=Dawn
     +--- uid=Maria

The A-V pairs used depend on the schema of your particular directory server.

NOTE: It is more efficient to start your search lower in the directory structure rather than higher. HP recommends that you eliminate spaces between Search Base components (i.e., instead of ou=abc,o=cde, c=us, use ou=abc,o=cde,c=us).

Filter
The Filter flag allows authentication to be based either on the LDAP uid attribute, which normally is CIS, or on the AAA Server User-Id attribute, which is normally BIN. User-Id is an AAA Server-specific RADIUS attribute. This optional flag defaults to uid.

IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.

Authentication Type
• AUTO performs a search as the configured Administrator (searches anonymously if no administrator is configured), anticipating that the password is in the result. It binds as the user if the password is not available. This mode makes the AAA server flexible in accommodating LDAP directories. If directories are configured to return passwords with search, AUTO is equivalent to SEARCH.
• BIND binds as the user for authentication.
• SEARCH performs a search as the configured Administrator and expects the user's password in the search result.

8. In the LDAP screen, click Save.

9. Repeat steps 6 and 7 for each redundant directory you wish to use for failover.

10. Complete any remaining optional fields as necessary for your configuration.

11. Click Create.

12. From the navigation tree, click Save Configuration.

If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the entry to.

Modifying a Directory Configuration

Complete the following steps to modify a directory configuration:

1. On the Local Realms screen, select the name of the directory definition you wish to modify.

2. Change the values if needed.

3. Click Modify.

Deleting a Directory Configuration

Complete the following steps to delete a directory configuration:


1. On the Local Realms screen, select the name of the directory definition you wish to delete.

2. Click Delete.

Tuning the AAA Server to LDAP Server Connection

The AAA server to LDAP server connection can be modified by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server:

    aatv.ProLDAP {
        Retry-Interval 60
        Retry-Wait 1
        Timeout 60
        TCP-Timeout 3
        Debug 0
    }

• Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to an LDAP directory server when a realm has failover directory servers configured. Default value is 60 seconds.

• Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server. When all failover directory servers configured for a realm are down, the AAA server will try to reconnect to one every time an access request is received. In that situation, this parameter guarantees that the software does not spend too much time trying to reconnect to those directory servers. Default value is 1 second.

• Timeout sets the number of seconds that an LDAP connection will remain open when the AAA server has not been able to perform any successful LDAP operation on it. This parameter allows better handling of the situation where the LDAP directory times out client connections.

• TCP-Timeout sets the number of seconds that the AAA server will wait for an LDAP server when trying to establish the Transmission Control Protocol (TCP) connection.

• Debug determines whether OpenLDAP debug messages should be written to the AAA server radius.debug file. A value of 0 disables writing these messages; a value of -1 enables writing these messages. The syntax of this property follows a block syntax that is different from the other aaa.config variables.


9 Configuring Proxies

A AAA proxy is an entity that acts as both a client and a server. When a request is received from a client, the proxy acts as a AAA server. When the same request needs to be forwarded to another AAA entity, the proxy acts as a AAA client.

Figure 9-1 illustrates both ends of a proxy configuration relative to the local host. When the local host receives a request that it will authenticate, the server that forwarded the request is called the proxy server. When the local host forwards a request for another server to authenticate, the other server is called the remote (or home) server. A request can be forwarded through several networks before it reaches the home server.

Figure 9-1 Proxy Configuration

Navigating the Proxy Screen

The server configuration must include all the servers that forward messages to or receive forwarded messages from the AAA server. If a remote server is not included in the configuration, the server does not handle or forward its requests. The Proxies screen shown in Figure 9-2 allows you to add, modify, or delete a proxy in the server configuration.


Figure 9-2 Server Manager’s Proxy Screen

Changing the Default localhost Proxy Settings

The HP-UX AAA Server includes a preconfigured proxy entry named localhost for use in loop-back testing. You must change the default shared secret value for the localhost proxy, or delete it if you do not plan to use loop-back testing.

To change the shared secret for the default localhost proxy, complete the following steps:

1. From the navigation tree, click Proxies.

2. On the Proxies screen, click the localhost link.

3. Change the default shared secret and confirm it by entering it again.

4. Click Modify.

IMPORTANT: Changing the default shared secret increases the security of your HP-UX AAA Server. HP recommends that all customers change the default values.

Creating or Modifying a Proxy

When adding a proxy entry to the server configuration or modifying an existing entry, you must supply values for the proxy attributes through the Server Manager’s Proxy Attributes screen.

To add a new proxy, or modify an existing proxy, complete the following steps:


1. From the navigation tree, click Proxies, and then click New Proxy if you are creating a new proxy. If you are modifying an existing proxy, select the proxy you want to modify. The Proxy Attributes screen appears as shown in Figure 9-3.

Figure 9-3 Server Manager’s Proxy Attributes Screen

2. Fill in the form on the Proxy Attributes screen according to the information given in Table 9-1.


Table 9-1 Proxy Configuration Options

Option: Function

Name
Enter the network location of the proxy server. The name can be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), a valid fully qualified DNS name, or an IP (IPv4 or IPv6) address that contains a wildcard pattern. When specifying Name as a DNS host name, you must use the name returned by the hostname command.

Notes:
• To accept forwarded requests from any IPv4 address or from any IPv4 address of a particular subnet, specify a wildcard pattern. Examples of valid IPv4 wildcard patterns are:
  *
  192.*
  192.0.*
  192.0.2.*
• To allow access from any IPv6 address or from a group of IPv6 addresses, specify an IPv6 wildcard pattern. The allowed IPv6 wildcard patterns are constructed by appending a ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Examples of valid IPv6 wildcard patterns are:
  *
  fedc:ba98:7654:3210:fe*
  fedc:ba98:7654:3210*
  The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. For example, ‘fedc::ba98:fe*’ is not allowed.

Shared Secret
Enter the shared secret held between the two authentication servers. The shared secret must be less than 255 characters. A request from a forwarding server for which the remote server does not have a shared secret will not be authenticated.

Confirm Shared Secret
Enter the shared secret once more to confirm it.

Vendor
Enter the vendor-specific attributes to be returned to the proxy server in a reply. Select Generic (the default) if you do not want any vendor-specific attributes to be returned. You can make multiple selections by holding down the control key as you select vendor names.

Response Options
Select any of the check boxes to specify additional message-handling options. The following options are valid:

RAD_RFC: Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.

ACCT_RFC: Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.

CHECK_ALL: Checks all attributes to determine if the request is a duplicate (for messages from a proxy server). This is needed if the remote server sends nonstandard messages that are not easily detected as duplicates.

PRUNE: Forces pruning as if the response were being returned to an access device. When this option is checked, the Generic vendor prunes all vendor-specific attributes before a message is returned to the proxy server. This can be used to help prevent problems that might occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file.

The server prunes vendor-specific attributes for a given vendor if that vendor is not properly defined in the vendors file, and its attributes are not properly defined in the dictionary file.

IMPORTANT: If you have specified the Prune response option for the proxy server and the HP-UX AAA server is using the MS-CHAP protocol for authentication, you must select Microsoft as one of the vendors.
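A wildcard in the Name field widens which peers the shared secret is accepted from, so it is worth checking what a pattern actually admits before saving it. The following added example (not HP-UX AAA Server code) validates Name values against the rules in Table 9-1 and tests sample sources against them; it assumes that an IPv6 wildcard prefix is compared against the fully expanded address text and that host names compare case-insensitively, and the sample names and addresses are constructed.

```python
"""Validate and match a proxy Name value (Table 9-1): an exact IPv4/IPv6 address, a
DNS host name, or a wildcard pattern ending in "*".

Added example, not HP-UX AAA Server code. Assumptions: an IPv6 wildcard prefix is
compared against the address in fully expanded (exploded) form, and host names
compare case-insensitively. All sample values are constructed.
"""
import ipaddress
import re

# "192.*", "192.0.*", "192.0.2.*": one to three whole leading octets, then "*"
_IPV4_WILDCARD = re.compile(r"^(?:\d{1,3}\.){1,3}\*$")
# "fedc:ba98:7654:3210:fe*", "fedc:ba98:7654:3210*": a partial address, then "*"
_IPV6_WILDCARD = re.compile(r"^(?:[0-9a-fA-F]{1,4}:)+[0-9a-fA-F]{0,4}\*$")


def classify_name(name: str) -> str:
    """Return "any", "ipv4-wildcard", "ipv6-wildcard", "address" or "host".

    Raises ValueError for patterns the manual disallows: "::" zero compression
    inside an IPv6 wildcard, or a "*" anywhere but at the end.
    """
    if name == "*":
        return "any"
    if name.endswith("*"):
        if "::" in name:
            raise ValueError("'::' is not allowed in an IPv6 wildcard pattern: " + name)
        if _IPV4_WILDCARD.match(name):
            return "ipv4-wildcard"
        if _IPV6_WILDCARD.match(name):
            return "ipv6-wildcard"
        raise ValueError("invalid wildcard pattern: " + name)
    if "*" in name:
        raise ValueError("'*' may only end a pattern: " + name)
    try:
        ipaddress.ip_address(name)
        return "address"
    except ValueError:
        return "host"   # anything else is taken as the peer's hostname output


def is_valid_name(name: str) -> bool:
    """True if classify_name accepts the value."""
    try:
        classify_name(name)
        return True
    except ValueError:
        return False


def name_matches(name: str, source: str) -> bool:
    """True if a request from source (an IP literal, or the peer's host name) is
    accepted by the proxy entry whose Name is name."""
    kind = classify_name(name)
    if kind == "any":
        return True
    if kind == "host":
        return name.lower() == source.lower()
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False   # an address or wildcard entry never matches a host name
    if kind == "address":
        return addr == ipaddress.ip_address(name)
    prefix = name[:-1].lower()
    if kind == "ipv4-wildcard":
        # the prefix ends with ".", so "192.0.*" cannot match 192.10.x.x by accident
        return addr.version == 4 and str(addr).startswith(prefix)
    # IPv6: compare against the 8-group expanded form so "fe*" does not match "00fe"
    return addr.version == 6 and addr.exploded.startswith(prefix)
```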

3. If you are adding a new proxy entry, click Create to submit the new proxy to the Server Manager. If you are modifying an existing entry, click Modify to submit changes made to the proxy entry to the Server Manager. Click Cancel to return to the Proxy screen without making any changes to your server configuration.

4. From the navigation tree, click Save Configuration.

5. On the Save Configuration screen that appears, click Save.

NOTE: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server

To forward authentication requests from a proxy server, complete the following steps:

1. Follow the steps listed in “Creating or Modifying a Proxy” (page 118).

2. In the Proxy Configuration Form, configure the options described in Table 9-2.


Table 9-2 Options for Forwarding Requests

Option: Description

Realms to forward
All requests originating from the realms listed in this drop-down list will be forwarded to the remote server. To add a realm to the list, select Add Realm from the list. To modify or delete a listed realm, select the realm name from the drop-down list. When you add or modify a realm, you specify the realm name and whether its accounting messages should be forwarded to the remote server. By default, accounting messages are forwarded to the proxy server.

Authentication relay port
This port number value overrides the server's startup switches that specify the UDP port used to relay authentication requests. The default (when no value is entered in this field and no startup switch is specified) is 1812.

Accounting relay port
This port number value overrides the server's startup switches that specify the UDP port used to relay accounting requests. The default (when no value is entered in this field and no startup switch is specified) is 1813.

Dynamic Authorization Relay Port
Enter the UDP port number of the dynamic authorization server to which the HP-UX AAA Server must send the dynamic authorization requests. The default value is 3799.

Retry Count
Enter the number of client retry requests the HP-UX AAA Server must send to perform a client function, such as Disconnect or Change of Authorization. The default value is 2.

Retry Interval
Specifies the time interval between two successive client requests. The HP-UX AAA Server sends a client retry request at the end of the specified retry interval if the initial request does not receive a response from the respective server. The default value is 3.

Append Attributes
When receiving a response from a remote server, Yes will instruct the server to append all the forwarded A-V pairs to the new A-V pairs included in the response. This setting is useful when a remote server does not return all of the A-V pairs that it received.

3. Click Create.

4. From the Navigation pane, click Save Configuration.

5. On the Save Configuration screen that appears, click Save.

CAUTION: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

NOTE: By default, accounting requests originating from the realm are also forwarded to the remote server.

Forwarding Authentication Requests to a Remote Server

To forward authentication requests to a remote server, complete the following steps:


1. Follow the steps listed in “Creating or Modifying a Proxy” (page 118).

2. In the Realms to Forward field, select the Add Realms option.

3. Complete the Proxy Realm screen that appears by entering the name of the realm.

4. Select Yes if accounting requests are not to be forwarded to the proxy server.

5. On the Proxy Realm screen, click Save.

6. Repeat steps 2 to 4 for each realm that must be forwarded to the remote server. To remove a realm that has been added, select the realm name from the Realms to forward drop-down list and click Delete.

7. Complete the remaining fields if necessary.

8. Click Create.

9. From the navigation tree, click Save Configuration.

10. On the Save Configuration screen that appears, click Save.

CAUTION: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

NOTE: By default, accounting requests originating from the realm are also forwarded to the remote server.

Changing RADIUS Port Numbers

If a remote server is listening for authentication or accounting requests on ports that are not the RADIUS defaults, you must configure the local server to forward messages to the correct port. The current RADIUS default ports are 1812 and 1813. For Dynamic Authorization, the default port is 3799. Many older RADIUS servers listen for requests on ports 1645 and 1646.

Forwarding Requests to Alternate RADIUS Ports

Complete the following steps to forward requests to alternate RADIUS ports:

1. If you have not already configured the remote server, complete the steps listed in “Creating or Modifying a Proxy” (page 118). If the proxy configuration already exists, access it from the proxy screen.

2. In the Authentication relay port and Accounting relay port fields of the Proxy Attributes screen, specify the alternate ports.

3. Click Create.


4. From the navigation tree, click Save Configuration.

CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Forwarding Accounting Requests

The HP-UX AAA Server forwards accounting start and stop messages to the remote proxy server. The server can be configured to suppress forwarding of accounting start and stop messages by using local session logging instead. Table 9-3 lists the accounting message logging combinations that are possible.

Table 9-3 Accounting Logging Options

Configuration: Logging Location

Account forwarding set to Yes for a proxy configuration; no account forwarding to a central server:
• Local
• Proxy accounting forwarded to remote server

Account forwarding set to No for a proxy configuration; no account forwarding to a central server:
• Local only

Account forwarding set to Yes for a proxy configuration; account forwarding to a central server:
• No local logging
• Proxy accounting forwarded to remote server
• All accounting forwarded to central server

Account forwarding set to No for a proxy configuration; account forwarding to a central server:
• No local or proxy accounting
• All accounting forwarded to central server

Follow the steps in “Proxying Authentication and Accounting Messages to the Same Server” (page 124) to set account forwarding to Yes for a proxy configuration. Follow the steps in “Proxying Accounting Requests to a Central Server” (page 125) to forward accounting requests to a central server.

Proxying Authentication and Accounting Messages to the Same Server

1. If you have not already configured the remote server, follow the procedure to create or modify proxies (see “Creating or Modifying a Proxy” (page 118)). If the proxy configuration already exists, access it from the proxy screen.

2. From the Realms to forward drop-down list, select the name of the realm whose accounting messages you want to forward. If the realm is not already in the drop-down list, select Add Realm and follow the instructions in the Proxy Realm dialog box that appears.

3. In the Proxy Realm window that appears, enter the realm name.


4. In the Proxy Realm window, click Save.

5. Click Create.

6. From the navigation tree, click Save Configuration.

CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

NOTE: By default, accounting messages are forwarded to the remote proxy server. Select Yes for Use Local Session Tracking to Suppress Forwarding of Accounting Requests to record accounting start and stop messages locally.

Proxying Accounting Requests to a Central Server

You can forward all received accounting messages to a central server by modifying the finite state table. This configuration disables all local accounting.

1. Copy the file /opt/aaa/examples/config/proxyacct.fsm to the radius.fsm file.

2. Open radius.fsm in a text editor and locate the following lines:

    Acctwait:
        *.*.ACK       RAD2RAD  REPLYHold  Xstring="default.accounting.proxy.server"
        *.*.ACCT_DUP  RAD2RAD  REPLYHold  Xstring="default.accounting.proxy.server"

3. Replace the two instances of default.accounting.proxy.server with the DNS name or IP address of the server that you want to forward the accounting messages to. To forward the accounting to a different port, use the following syntax: Acct:Port.

IMPORTANT: The server you specify must be added to your proxy configuration.

4. Save radius.fsm.

5. Restart the server if it is already running.

Deleting a Proxy

Complete the following steps to delete a proxy:


1. In the Proxies screen, click the icon corresponding to the proxy you want to delete. The Delete Proxy screen appears as shown in Figure 9-4. This screen allows you to preview the proxy attributes before you confirm deletion.

Figure 9-4 The Delete Proxy Screen

2. Click Delete to delete the displayed proxy entry. Click Cancel to return to the Proxy screen without deleting the entry.


10 Configuring Users

User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server will reject the user's access request.

Profiles are stored in flat text files or in an external source. This section covers user profiles stored in a text file.

IMPORTANT: You must enter the user’s fully qualified name when adding a user to the default users file (using the Users link in the navigation tree). For example, enter [email protected] instead of only entering user1.

Navigating the Users Screen

The Users screen allows you to add, modify, or delete a user stored in a text file. You can access this screen by selecting the Users link from the graphical interface's navigation tree, or through the Realms screen by selecting the Users icon for a realm that is configured for the User File. When you create, modify, or delete a user, the corresponding screen displays.

Figure 10-1 Server Manager’s Users Screen

Changing the Default test_user Settings

The HP-UX AAA Server includes a preconfigured user entry named test_user for use in loop-back testing. You must change the default password for test_user, or delete it if you do not plan to use loop-back testing. To change the password for the default test_user settings, complete the following steps:


1. From the navigation tree, click Users to access the Users screen shown in Figure 10-1.

2. Select test_user by clicking the Edit icon corresponding to it. The Modify Users pane appears, similar in appearance to the Add Users pane shown in Figure 10-2.

3. Change the default password and confirm it by entering it again.

4. Click Modify.

Adding a User Profile

When adding a new user profile to the server configuration, or modifying an existing entry, you supply values for the user profile attributes through the form in the Add / Modify Users screen. This form is tabbed according to groups of attribute-value pairs. Initially, the General tab is active. Use the other tabs to specify A-V pairs. For more information, see "Tabs on the Add Users Screen" (page 130).

To add or modify a user's profile, complete the following steps:

1. From the navigation tree, click Users.

The Users screen appears as shown in Figure 10-1.

2. To add a new user, click the icon corresponding to the New user link. The Add Users screen appears as shown in Figure 10-2.

Figure 10-2 The Add Users Screen

3. Enter values in the form as per the instructions in Table 10-1.


Table 10-1 General Attributes in the Add User Screen

User Name
    Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. The characters &, ", ~, \, /, %, $, ', and space cannot be used.

Authentication Type
    Use this field to supersede the Authentication type specified in the user's realm. Selecting Local will use the authentication method specified by the user's realm.

Password and Confirm Password
    Enter the password in the Password field. Enter the same password in the Confirm Password field to confirm it.

Password Hashing Mechanism
    Choose how you want to store user passwords by selecting a hashing method. Select Plain Text to be compatible with most client password hashing methods. If you prefer not to use Plain Text, be sure the password storing mechanism you choose is compatible with the client password hashing method.


Table 10-1 General Attributes in the Add User Screen (continued)

Service Type: Check/Reply
    Indicates a type of provided service. When used as a reply item, the server returns the value to the access device as an instruction to determine the service to provide. When used as a check item, the server will reject an Access-Request that does not include a hint for the specified service type.

Session Timeout (optional)
    Sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt.

Idle Timeout (optional)
    Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter ID (optional)
    This attribute indicates the name of the filter list for this user. Different attribute values can be used to add more than one Filter-ID reply item to an entry. Identifying a filter list by name allows the filter to be used on different NASs without regard to filter-list implementation details.

Callback Number (optional)
    This attribute indicates a dialing string to be used for callback.

Callback ID (optional)
    This attribute indicates the name of a place to be called, to be interpreted by the NAS.

4. Click Create in the User Attributes screen.

5. Repeat steps 2 to 4 for each user profile you wish to add to the realm.

6. From the navigation tree, click Save Configuration.

CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Tabs on the Add Users Screen

Each of the four tabs (General, NAS/Login, Framed, and Others) corresponds to an attribute that can be used in a user profile as a check or reply item. When specifying attribute values through these tabs, all A-V pairs that ordinarily can be used as either check or reply items in a server configuration are automatically added as a reply item, unless the Free tab is used.

Specifying Attributes Using the Free Attributes Pane

To specify attributes using the Free Attributes pane, complete the following steps:

1. To access the Free Attributes pane, click the Free tab.

2. List A-V pairs one per line in the syntax shown below:

Attribute=Value


3. Click Create if you are adding a new user profile. Click Modify if you are modifying an existing user profile. Click Cancel to return to the Users screen without making any changes. If each field contains a valid value, the profile will be created or modified; otherwise, an error message is displayed.
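The validation that Table 10-1 and the Free Attributes pane describe can be checked before the form is submitted: the User Name check item must be fewer than 64 characters and must not contain any of the forbidden characters, and Free-tab input must be one Attribute=Value pair per line. The following is an added example written for this guide, not HP-UX AAA Server code; the function names, the sample user name and the sample Free-tab text are the author's own constructions.

```python
"""Validate user-profile input the way Table 10-1 and the Free Attributes
pane describe it.  Added example; not HP-UX AAA Server code.  Function
names and sample data are the author's own."""
from __future__ import annotations

# Characters Table 10-1 forbids in a User Name: & " ~ \ / % $ ' and space.
FORBIDDEN_USER_NAME_CHARS = frozenset('&"~\\/%$\' ')
USER_NAME_LIMIT = 64            # the name must be *less than* 64 characters


def check_user_name(name: str) -> list[str]:
    """Return the list of problems with a User Name; an empty list means it is acceptable."""
    problems = []
    if not name:
        problems.append("user name is empty")
    if len(name) >= USER_NAME_LIMIT:
        problems.append(
            f"user name is {len(name)} characters; it must be fewer than {USER_NAME_LIMIT}")
    bad = sorted(set(name) & FORBIDDEN_USER_NAME_CHARS)
    if bad:
        problems.append("user name contains forbidden character(s): "
                        + " ".join(repr(c) for c in bad))
    return problems


def parse_free_attributes(text: str) -> list[tuple[str, str]]:
    """Parse Free-tab input: one Attribute=Value pair per line.

    Blank lines are ignored.  A line without '=' or with an empty side is
    reported with its line number so the operator can correct the form."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        attr, sep, value = line.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"line {lineno}: expected Attribute=Value, got {line!r}")
        pairs.append((attr, value))
    return pairs


def validate_profile(user_name: str, free_text: str) -> dict:
    """Combine both checks into one result a form handler could act on."""
    problems = check_user_name(user_name)
    pairs = []
    try:
        pairs = parse_free_attributes(free_text)
    except ValueError as exc:
        problems.append(str(exc))
    return {"user": user_name, "ok": not problems,
            "problems": problems, "pairs": pairs}


# Constructed sample input: a fully-qualified user name (see the IMPORTANT
# note at the start of this chapter) and two reply items typed on the Free tab.
SAMPLE_USER = "user1@example.com"
SAMPLE_FREE_TEXT = """
Session-Timeout=3600
Filter-Id=guest-acl
"""

if __name__ == "__main__":
    print(validate_profile(SAMPLE_USER, SAMPLE_FREE_TEXT))
    print(check_user_name("bad name/with$chars"))
```

Rejecting a malformed name or pair line up front, with the offending line number, gives the same outcome as the server's own "error message is displayed" path but lets an operator batch-check a users file outside the GUI.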

Modifying User Profiles

Complete the following steps to modify a user's properties:

1. From the navigation tree, click Users.

The Users screen appears as shown in Figure 10-1.

2. Click the icon corresponding to the user whose profile you want to modify. The Modify Users screen appears as shown in Figure 10-3.

Figure 10-3 The Modify Users Screen

3. Fill in the fields in the form according to the information given in Table 10-1.

4. Click Modify to save changes. Click Cancel to exit without saving changes.

Deleting a User Profile

You can delete a user profile in the default users file or in a realm file, which is the file created for a realm that uses file type authentication.


To Delete a User Profile From the Default users File

To delete a user profile in the default users file, complete the following steps:

1. In the Users screen, click the icon corresponding to the user profile you want to delete. The Delete User screen appears as shown in Figure 10-4. This screen allows you to preview the user attributes before you confirm deletion.

Figure 10-4 The Delete Users Screen

2. Click Delete to delete the displayed user profile. Click Cancel to return to the Users screen without deleting the user profile.

To Delete a User Profile in a Local Realms File

Complete the following steps to delete a user profile in a local realms file:

1. In the Local Realms screen, select the icon for a listed realm that is configured for file type authentication. The Users screen appears, displaying a list of users in that realm.

2. Click the icon corresponding to the user profile you want to delete. The Delete User screen appears as shown in Figure 10-4. This screen allows you to preview the user attributes before you confirm deletion.

3. Click Delete to delete the displayed user profile. Click Cancel to return to the Users screen without deleting the user profile.


11 Modifying Server Properties

You can modify server variables to override built-in defaults. Server startup options override a corresponding server property setting. You can modify server variables using the Server Properties screen. Enter values for the given parameters to modify a server variable.

Navigating the Server Properties Screen

The Server Properties screen can be accessed by selecting the Server Properties link in the Server Manager navigation tree. In the Server Properties screen shown in Figure 11-1, you can modify the HP-UX AAA Server's properties. Clicking any of the Server Properties links in the Server Properties screen takes you to the corresponding screen.

Figure 11-1 Server Manager’s Server Properties Screen

DHCP Relay Properties

Clicking the DHCP Relay Properties link takes you to the DHCP Relay Properties screen where you can modify the properties described in Table 11-1.

NOTE: IPv6 support is not available for DHCP Relay.

Table 11-1 DHCP Relay Properties

DHCP Server Port (optional)
    The UDP port to send DHCP requests to. If no value is specified, 67 is used.

DHCP Relay Port (optional)
    The UDP port to receive DHCP responses on. If no value is specified, 67 is used.


Table 11-1 DHCP Relay Properties (continued)

Send User Class
    Determines which attribute in the DHCP message will carry the IP address pool name. If set to Yes, the pool name is sent in the User-Class option. If set to No, the pool name is sent in the Vendor-Class-Identifier option.

Initial Retransmission Interval (optional)
    The time in seconds before the initial retransmission of a request to the DHCP server. If no value is specified, 4 is used.

Maximum Retransmission Interval (optional)
    The maximum value in seconds for the DHCP request retransmission interval. If no value is specified, 60 is used.

Client Hardware Type (optional)
    This value is passed to the DHCP server. The valid values are 0 (NONE) and 1 (ETHER). If no value is specified, or any other value is entered, 1 is used.

Send Maximum DHCP Message Size
    If Yes, always select the Maximum DHCP Message Length as the message size sent to the DHCP server. This is required by some DHCP servers. If No, use the minimum possible message size. The preselected value is No.

DHCP Server Name (optional)
    DNS name of the DHCP server. This value is only used if the DHCP Server IP Address value is not specified.

DHCP Server IP Address (optional)
    The IP address of the DHCP server. This parameter takes precedence over the DHCP Server Name parameter.

Maximum Discover Retransmissions (optional)
    The maximum number of DHCPDISCOVER retransmissions. If unspecified, there is no limit to the number of retransmissions.

Maximum Request Retransmissions (optional)
    The maximum number of DHCPREQUEST retransmissions. If unspecified, there is no limit to the number of retransmissions.

Maximum DHCP Message Length
    The maximum size of the message that can be received from the DHCP server.

DNS Updates Properties

Clicking the DNS Update Properties link takes you to the DNS Update Properties screen where you can modify the properties described in Table 11-2.

Table 11-2 DNS Update Properties

DNS Refresh Interval (optional)
    Time (in seconds) used to periodically refresh the IP addresses for clients and proxies that are configured by host. If no value is specified, 3600 (one hour) is used.

DNS Refresh Time Frame (optional)
    When the DNS Refresh Interval for a host name has expired, all other host names that will be refreshed within the specified number of seconds are refreshed immediately. If no value is specified, 60 is used.


Message Handling Properties

Clicking the Message Handling Properties link takes you to the Message Handling Properties screen where you can modify the properties described in Table 11-3.

Table 11-3 Message Handling Properties

Hold Replies (optional)
    The time in seconds to store requests (and the associated replies) in the retransmission queues. The Hold Replies time is calculated from the time when the replies were initially sent. If no value is specified, 6 will be used.
    Notes:
    • Requests that are forwarded (proxied) to another server are not held in the retransmission queues.
    • A value of zero causes the replies to be held for 30 seconds.

Global Retry Limit (optional)
    Specifies the maximum number of retransmissions received before a RETRY event occurs. Processing RETRY events requires customization of the Finite State Machine (FSM). Refer to Chapter 26: "Customizing the HP-UX AAA Server Using the Finite State Machine" (page 396) for more information on the FSM.

Special Duplicate Limit (optional)
    Specifies the limit for processing requests that appear to be duplicates (created by early implementations of MS-CHAP on some older PPP clients). If no value is specified, 0 is used.

Max. Accounting Requests (optional)
    Sets the maximum number of simultaneous accounting requests to be handled by the system. When this limit is exceeded, the requests are dropped with a message in the logfile.

Hold Accounting Requests (optional)
    The time in seconds each accounting request should be held after the Hold Replies time. This option is used for debugging purposes only. If no value is specified, 0 will be used.


Table 11-3 Message Handling Properties (continued)

Max. Authentication Requests
    The maximum number of simultaneous authentication requests to be stored in a retransmission queue. When this limit is exceeded, all new authentication requests are discarded. HP recommends that this value matches the value used for Max. Accounting Requests. If no value is specified, 1000 will be used.
    NOTE: When this authentication queue limit is exceeded, the server stops responding to the Status command.

Hold Authentication Requests (optional)
    The time in seconds each authentication request should be held after the Hold Replies time. This option is used for debugging purposes only. If no value is specified, 0 is used.

Max. Send Message Size (optional)
    Serves as a debugging function for certain custom HP-UX AAA Servers that might transmit very large packets, and helps to debug code written to prevent an excessively large packet from corrupting the server.

Max. Receive Message Size
    Serves as a debugging function for certain custom HP-UX AAA Servers that might transmit very large packets, and helps to debug code written to prevent an excessively large packet from corrupting the server.
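The interaction between Hold Replies and Max. Authentication Requests in Table 11-3 is easier to reason about as a small model: a reply stays in the retransmission queue for the hold time, counted from when it was first sent; a retransmitted request that arrives inside that window gets the held reply back instead of being processed a second time; and once the queue holds the configured maximum, new requests are discarded. The following is an added example written for this guide, not HP-UX AAA Server code. The class, its method names, the request key layout and the constructed scenario are the author's own; the defaults (6 seconds, 0 meaning 30 seconds, 1000 entries) are the values the table states.

```python
"""Model of the retransmission-queue behaviour in Table 11-3.  Added
example; not HP-UX AAA Server code.  Class, method names and the request
key layout are the author's own."""
from __future__ import annotations
import time
from typing import Callable, Hashable

DEFAULT_HOLD_REPLIES = 6          # seconds (Table 11-3)
ZERO_HOLD_MEANS = 30              # a Hold Replies value of 0 holds replies for 30 s
DEFAULT_MAX_AUTH_REQUESTS = 1000


class FakeClock:
    """Deterministic clock so the hold window can be exercised without sleeping."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ReplyHoldQueue:
    def __init__(self, hold_replies: int = DEFAULT_HOLD_REPLIES,
                 max_requests: int = DEFAULT_MAX_AUTH_REQUESTS,
                 clock: Callable[[], float] = time.monotonic):
        self.hold_seconds = ZERO_HOLD_MEANS if hold_replies == 0 else hold_replies
        self.max_requests = max_requests
        self.clock = clock
        self._held = {}   # key -> (reply, time the reply was first sent)

    @staticmethod
    def request_key(src_ip: str, src_port: int, identifier: int) -> tuple:
        """RFC 2865 duplicate detection: same source address, source UDP port
        and Identifier within a short time means the same request."""
        return (src_ip, src_port, identifier)

    def expire(self) -> int:
        """Drop entries whose hold time, counted from first send, has elapsed."""
        now = self.clock()
        stale = [k for k, (_, sent_at) in self._held.items()
                 if now - sent_at >= self.hold_seconds]
        for k in stale:
            del self._held[k]
        return len(stale)

    def handle(self, key: Hashable, process: Callable[[], object]):
        """Return (reply, outcome).  outcome is 'processed', 'retransmitted'
        (held reply resent, request not re-processed) or 'discarded' (queue full)."""
        self.expire()
        if key in self._held:
            return self._held[key][0], "retransmitted"
        if len(self._held) >= self.max_requests:
            return None, "discarded"
        reply = process()
        self._held[key] = (reply, self.clock())
        return reply, "processed"

    def __len__(self) -> int:
        return len(self._held)


def demo() -> list[str]:
    """Constructed scenario: Hold Replies = 0 (so 30 s) and a queue limit of 2."""
    clock = FakeClock()
    q = ReplyHoldQueue(hold_replies=0, max_requests=2, clock=clock)
    k1 = q.request_key("192.0.2.10", 49152, 1)
    k2 = q.request_key("192.0.2.10", 49152, 2)
    k3 = q.request_key("192.0.2.11", 49152, 1)
    outcomes = []
    outcomes.append(q.handle(k1, lambda: "Access-Accept")[1])  # processed
    outcomes.append(q.handle(k1, lambda: "Access-Reject")[1])  # retransmitted: the held Accept is reused
    outcomes.append(q.handle(k2, lambda: "Access-Accept")[1])  # processed; queue now full
    outcomes.append(q.handle(k3, lambda: "Access-Accept")[1])  # discarded
    clock.advance(30)                                           # hold window elapses
    outcomes.append(q.handle(k3, lambda: "Access-Accept")[1])  # processed
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The model shows why the table pairs the two settings: a longer hold time keeps more entries resident, so a queue limit sized for the real request rate is what keeps a burst of retransmissions from turning into the "all new authentication requests are discarded" condition.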

SNMP Properties

Clicking the SNMP Properties link takes you to the SNMP Properties screen where you can modify the Enable SNMP Support property.

Enable SNMP Support

When this option is set to Yes, the HP-UX AAA Server automatically checks the localhost (and not the network) for an SNMP master agent to communicate with, and the server can be monitored by an SNMP workstation. When this option is set to No, the server does not communicate with an SNMP master agent and cannot be monitored by an SNMP workstation. The default value is No.

Tunneling Properties

Clicking the Tunneling Properties link takes you to the Tunneling Properties screen where you can modify Tunneling Reply Items.


Tunneling Reply Items (Optional)

Use the drop-down menu to specify the behavior when the HP-UX AAA Server receives an Access-Request that does not contain any Tunnel Hint attributes (like Tunnel-Type). The options are as follows:

• Return-Configured-Tunnel-Attributes: Allows the return of tunnel attributes in the authentication reply.
• Return-No-Tunnel-Attributes: Does not return any tunnel attributes in the authentication reply.
• Reject-Access-Request: Fails the authentication by silently discarding the Access-Request.

If no value is selected, Return-Configured-Tunnel-Attributes is used.

Certificate Properties

Clicking Certificate Properties takes you to the Certificate Properties screen where you can modify the properties described in Table 11-4.

Table 11-4 Certificate Path Properties

Server Certificate Path
    For TLS, TTLS, and PEAP. Fully-qualified file name to the AAA server certificate in .pem or .cer format.

Server Private Key Path
    Fully-qualified file name to a file in .pem or .cer format that contains the private key used to generate the AAA server certificate. This file cannot be encrypted.

Client Certificate Authority Path
    For TLS only. Fully-qualified file name to the Certificate Authority (CA) certificate for the client certificate. Used by the AAA server to authenticate client certificates. The CA certificate for the client certificate must be in .pem format.

Random Seed Path
    For TLS, TTLS, and PEAP. Fully-qualified file name to the random seed used to generate keys.


Table 11-4 Certificate Path Properties (continued)

Client User Name Attribute
    For TLS only. Identifies the attribute in the user digital certificate from which to retrieve the user's name. This attribute must match the user name configured on the supplicant (client) software. The AAA server will check the user name in the certificate against the user name supplied in the EAP-TLS authentication request. Select one of the options listed below:
    • Subject Common name (default): Use the CommonName (CN) in the Subject attribute.
    • Subject EmailAddress: Use the Email Address (E) in the Subject attribute.
    • SubjectAltName RFC822Name: Use the RFC822Name in the SubjectAltName attribute.
    • Check all attributes: Search all of the above three fields for a matching name.
    • Disable: Ignore comparing User name with Certificate name.

Certificate Revocation List Path
    For TLS. Fully-qualified file name to a list of prohibited client certificates. File must be in .pem or .cer format.
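The Client User Name Attribute options in Table 11-4 define which certificate field (or fields) the EAP-TLS user name is compared against. The following is an added example written for this guide, not HP-UX AAA Server code: it applies each of the five modes to already-parsed certificate name fields. The CertNames container, the function names and the sample certificate values are the author's own constructions, and the exact, case-sensitive comparison is an assumption, since the page does not say how the server compares the two names.

```python
"""Client User Name Attribute check from Table 11-4, over parsed certificate
fields.  Added example; not HP-UX AAA Server code.  CertNames, the function
names and the sample values are the author's own; exact (case-sensitive)
comparison is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Optional

SUBJECT_CN = "Subject Common name"          # the default mode
SUBJECT_EMAIL = "Subject EmailAddress"
SAN_RFC822 = "SubjectAltName RFC822Name"
CHECK_ALL = "Check all attributes"
DISABLE = "Disable"
MODES = (SUBJECT_CN, SUBJECT_EMAIL, SAN_RFC822, CHECK_ALL, DISABLE)


@dataclass
class CertNames:
    """Name fields extracted from a client certificate.  Constructed here; a
    real implementation would fill these from the parsed X.509 object."""
    subject_cn: Optional[str] = None
    subject_email: Optional[str] = None
    san_rfc822: List[str] = field(default_factory=list)


def candidate_names(cert: CertNames, mode: str) -> List[str]:
    """Names that the selected mode allows the supplied user name to match."""
    if mode not in MODES:
        raise ValueError(f"unknown Client User Name Attribute mode: {mode!r}")
    names: List[str] = []
    if mode in (SUBJECT_CN, CHECK_ALL) and cert.subject_cn:
        names.append(cert.subject_cn)
    if mode in (SUBJECT_EMAIL, CHECK_ALL) and cert.subject_email:
        names.append(cert.subject_email)
    if mode in (SAN_RFC822, CHECK_ALL):
        names.extend(cert.san_rfc822)
    return names


def user_name_matches(cert: CertNames, supplied: str, mode: str = SUBJECT_CN) -> bool:
    """True when the EAP-TLS user name agrees with the certificate under the mode.

    'Disable' skips the comparison entirely, so any certificate the CA path
    validates is accepted for whatever user name the supplicant sends; every
    other mode requires an exact match against at least one candidate name."""
    if mode == DISABLE:
        return True
    return supplied in candidate_names(cert, mode)


# Constructed sample certificate fields.
SAMPLE_CERT = CertNames(
    subject_cn="alice",
    subject_email="alice@example.com",
    san_rfc822=["alice@example.com", "alice.smith@example.com"],
)

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:26s} alice -> {user_name_matches(SAMPLE_CERT, 'alice', mode)}")
```

The practical consequence for a deployment is visible in the Disable branch: with that mode the only binding between the presented identity and the certificate is the CA path check and the revocation list, so the per-user authorization in the profile applies to whichever name the supplicant chose to send.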

File Size Properties

Clicking File Size Properties takes you to the File Size Properties screen where you can modify the Maximum Logfile Size property.

Maximum Logfile Size

This property refers to the maximum size (in bytes) of the server's logfiles and accounting logfiles. The minimum value for this parameter is 65,536 and the maximum is 2,147,483,647. Once the configured size is reached, the file is closed and a new log file is created. If no value is specified, 2,147,483,647 is used.

Miscellaneous Properties

Clicking Miscellaneous Properties takes you to the Miscellaneous Properties screen where you can modify the Permit Microsoft Client Authenticate As Computer property.

Permit Microsoft Client Authenticate As Computer

Enable (Yes) to support the Microsoft client authenticate as computer feature. The Microsoft supplicants must also be configured to authenticate as computers. If this parameter is enabled (Yes), the AAA Server ignores any "host/" prefix in the user name passed from the client request. The default setting is Yes (enable). If this parameter is enabled, the HP-UX AAA Server can still authenticate supplicants that do not have "authenticate as a computer" configured.


Local Users File Properties

Enable (Yes) to enable case-insensitive searching in the default users file. The default setting is No (searching is case-sensitive by default).

ProLDAP Properties

Clicking ProLDAP Properties takes you to the ProLDAP Properties screen where you can modify the properties described in Table 11-5.

Table 11-5 ProLDAP Properties

Debug
    Determines whether OpenLDAP debug messages must be logged in the HP-UX AAA Server radius.debug file. To disable logging OpenLDAP messages, enter a value of 0. To enable logging, enter a value of -1. By default, logging is disabled.

Connection Timeout (milliseconds)
    Number of milliseconds that the HP-UX AAA Server waits for an LDAP server while trying to establish the TCP connection. The default value is 300 milliseconds.

Timeout
    Number of seconds that an LDAP connection remains open if the HP-UX AAA Server is unable to successfully perform any LDAP operation. The default value is 60 seconds.

Retry Wait
    Number of seconds that the HP-UX AAA Server waits before attempting to reconnect to an LDAP server, if there are no active connections. The default value is 1 second.

Retry Wait for Alternate Servers
    Used if any realm is configured with two or more LDAP Servers and at least one of them is connected. Specifies the number of seconds the HP-UX AAA Server waits before attempting to reconnect to the LDAP servers that are not connected. The default value is 60 seconds.

Certificate Authority File
    Used if any of the LDAP directories are configured to use SSL. Specifies the path of the file that contains one or more CA certificates used to authenticate LDAP directory server certificates. There is no default value.

Certificate Authority Directory
    Used if any of the LDAP directories are configured to use SSL. Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. If the Certificate Authority File is specified, the Certificate Authority File is always used before the Certificate Authority Directory. There is no default value.


AAA Server As A Client Properties

Clicking AAA Server As A Client Properties takes you to the AAA Server As A Client Properties screen where you can modify the properties described in Table 11-6.

Table 11-6 AAA Server As A Client Properties

Max Client Requests
    Specifies the maximum number of client requests that can be stored in the client queue. Client requests exceeding the specified limit are discarded. The default value is 25000.

Global Client Retry Limit
    Specifies the maximum number of retries that the Client AATV sends. The default value is 2.

Global Client Retry Interval
    The time (in seconds) after which the client initiates the retry request and the associated replies if it does not receive a response from the server. The default value is 3.

Client Reply Hold Table Size
    Specifies the size of the hash table that stores the client requests present in the retransmission queues. The default value is 32.
    NOTE: Configuring the hash table size requires a customized value.

Global Client Event Timestamp Window
    Specifies the time window (in seconds) within which the Event-Timestamp value is valid. Any packet whose Event-Timestamp value exceeds the specified limit is dropped. The default value is 9.
    NOTE: This value is applicable to all incoming requests.

Enable Reverse Path Forwarding Check
    Enables you to perform the Reverse Path Forwarding Check for proxied dynamic authorization requests. The default value is No (disabled).

Client Action Properties
    Lists the options to create, modify, and delete the client actions.

Client Action Properties

Clicking Client Action Properties takes you to the Server Properties: Modify Property screen. If you select New Action or an existing client action in the Client Actions menu, the Client Action Properties window is displayed, where you can modify the properties described in Table 11-7.


Table 11-7 Client Action Properties

Action Name
    Specifies a string used to identify a client action.

Timer Value
    Specifies the frequency (in seconds) at which requests are created for a client action. The default value is 1 second.

Maximum Requests
    Specifies the maximum number of requests that will be created each time the client action is invoked. By default, an unlimited number of requests is generated.


12 Logging and Monitoring

This chapter covers the server's diagnostic functions that allow you to search and display information related to the server's operation and usage.

Overview

You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and manually terminate a session if necessary. These functions can be accessed by selecting the Maintenance menu items from the Server Manager navigation tree. When you use any of these functions, you will retrieve information from all servers selected in the Server Manager's Server Status pane.

Server Log Files

The log file of the AAA server contains all the information concerning the functioning of the server, such as start/stop of the server, all of the RADIUS requests, and some internal events. The data is automatically stored each day in a different file. They are available as long as the corresponding files are still on the disk.

• /var/opt/aaa/logs/logfile: the server log file
• /var/opt/aaa/logs/logfile_part<01-09>.yyyymmdd: compressed daily log file

NOTE: If the logfile exceeds its size limit (as configured in the File Size Property in the Server Properties link), a new logfile for that day will be created and identified by the part<01-09> portion of the logfile file name string.

Using Server Manager to Retrieve Logfile Information

Selecting the Server Logfile link in Server Manager's navigation tree allows you to retrieve information from log files.


Figure 12-1 Server Manager’s Logfile Screen

Search Parameters

You can filter what dates and times to retrieve from the logfile.

Table 12-1 Filter Parameters for Searching Logfiles

Begin (server time)
    The date and time of the first record in the range of data to retrieve.

End (server time)
    The date and time of the last record in the range of data to retrieve.

User
    Limits the result of the search command to messages related to a specific user. For example, you can choose to find out why a user is not able to authenticate.

Number of Messages
    Limits the result of the search command to the specified number of messages.


Message Types

You can filter what data to retrieve according to the type of messages. For each message type, you indicate whether the message type should or should not be retrieved by selecting the Yes or No radio buttons. The different message types are:

• Server Failure: This type of message indicates a server internal error or a problem with the configuration files.

• Warning: This type of message indicates a problem with the server, but the server is still able to process RADIUS requests.

• Information Messages: All the messages that do not fall into any other category. By default, they are not displayed.

• Server start / re-start: This message is generated during each server startup or restart.

• Server stop: This message is generated when the administrator shuts down the server.

• Authentication request: This icon represents an Access-Request message.

• Authentication Failure: This icon represents an Access-Reject message.

• Authentication Success: This icon represents an Access-Accept message.

• Accounting Request: This icon represents an Accounting-Request message.

Using Server Manager to Retrieve Statistics

From the Server Manager's navigation tree, click Statistics to retrieve a count of events that occurred on the AAA server within a time range. The statistics are displayed using a bar graph.


Figure 12-2 Server Manager’s Statistics Screen

Table 12-2 Statistic Search Parameters

Begin (server time)
    The date and time of the first record in the range of data to retrieve.

End (server time)
    The date and time of the last record in the range of data to retrieve.

The AAA server statistics are displayed in a bar graph similar to the example in Figure 12-3.

Figure 12-3 AAA Server Statistics Example

Accounting Log Files

The Local Authorization Server (LAS) generates accounting log files when the LAS_ACCT module is called by the Finite State Machine. Those files have names in the format session.yyyy-mm-dd.log, where yyyy is the year, mm the month, and dd the day when the file was generated.


NOTE: If the logfile exceeds its size limit (as configured in the File Size Property in the Server Properties link), a new logfile for that day will be created and identified by a part<01-09> portion of the logfile file name string. For example, /var/opt/aaa/acct/session.yyyy-mm-dd_part<01-09>.log

By default, the radius.fsm (logall.fsm) state table calls the LAS_ACCT modulewhen the server receives an Accounting-Request to start or stop the session.

Using Server Manager to Retrieve Accounting Logfiles

From the navigation tree, click Accounting to retrieve information from the AAA server accounting logfiles.

Figure 12-4 Accounting Logfile Search Screen in Server Manager

Table 12-3 Accounting Logfile Search Parameters

Begin
    The date and time of the first record in the range of data to retrieve.

End
    The date and time of the last record in the range of data to retrieve.

User
    Only searches for sessions that used the specified ID.

An accounting search returns a list of users. When you select a user to retrieve information for, Server Manager parses the corresponding accounting records and displays the information in the Accounting: Detailed Records screen, similar to the example shown in Figure 12-5.


Figure 12-5 Detailed Accounting Record for a Selected User

Format of Accounting Records in the Default Merit Style

RADIUS accounting records store both the user's account information and the user's historical session information. Each record begins with a tab-delimited line of values that represent the default AAA server session information. This information includes time-based values, as well as HP-UX-specific and standard RADIUS A-V pairs. If a value does not exist, N/A will appear in the value's placeholder. The first line of a record appears as:

    Started-at Reason Log-time resrvd Connect-time Access-ID resrvd Session Token Time-limit From Service-class Filter Service-type

After the first line of a session record, each A-V pair in the accounting message that triggered the logging activity is listed.

NOTE: The default session format (Merit) corresponds to the log_v2_0 setting for the aatv parameter in the log.config file; refer to "The log.config File" (page 539). Alternate formats, Livingston for example, may be specified.

Time-Based Values

Started-at: This is the time when the session first arrived at the RADIUS server. It is the number of seconds since 00:00:00 GMT, Jan. 1, 1970.


Log-time: This is the difference between the time at which this log record was written (on the machine where it was written) and the start time. This field is used to compress the data.

Connect-time: How long (in seconds) the session was known to the local AAA Server host.

Client A-V Pairs

Represent attribute values that describe the client used for authentication and authorization.

User Entry A-V Pairs

The Access-ID, Time-limit, Service-class, and Filter values correspond to A-V pairs (User-Name, Inner-Identity, Session-Timeout, Service-Class, and Filter-Id) that exist in the user profile that corresponds to the session record.

Session Tracking

These non-configurable attributes are used by the server to track sessions.

Reason: Why the record was generated. This is an integer that may be any one of the following:

Table 12-4 Reasons Why The Record Was Generated

Reason         Integer  Billed/Info  Description
AC_NORMAL      0        Billed       Normal disconnect: Modem-Stop record was received for this session.
AC_REJECT      1        Info         Rejected by this LAS: Access rejected by this LAS.
AC_CANCEL      2        Info         Access rejected by someone: Access was rejected after session was authorized. Modem-Cancel record was received for this session.
AC_OVERTIME    4        Billed       Session over maximum time allowed: Session was on for longer than was authorized.
AC_UNKNOWN     5        Billed       Session ended for unknown reason: Stop (instead of Modem-Stop) record was received for this session.
AC_NOTOKEN     6        Info         Rejected by LAS: no token was available for this session.
AC_NOTLOCAL    7        Billed       Session not local: This session was not local to this LAS, but Modem-Stop was received.
AC_SUSPEND     8        Billed       Session suspended: No checkpoint was received for this session for SESSIONIDLETIME seconds.
AC_FAILED      9        Info         Authentication failed.
AC_AUTHORIZED  10       Info         Session authorized: This record is intended for statistics only.
AC_NASREBOOT   11       Info         The session is released due to NAS reboot.
AC_REMOTE      12       Info         The session is for a remote server, failed to forward.
AC_DUPLICATE   13       Info         Duplicate accounting record received: This record is intended for statistics only.
AC_COLLISION   14       Billed       The session is released due to a NAS and port collision.

Session: Session identifier, an arbitrary string with a maximum length of eight. The algorithm used to generate a session identifier is as follows: the first four characters are the least significant four hexadecimal digits of the time when the session first arrived at the access server; the last four characters represent an internal counter in the access server, displayed in hexadecimal notation.

NOTE: The session identifier is stored in the RADIUS Class attribute and used internally by the AAA server.
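The Merit-style record layout, the Started-at and Log-time fields, the Reason codes of Table 12-4 and the session-identifier rule above are enough to write a small offline reader for session.yyyy-mm-dd.log files. The following is an added example, not code shipped with the HP-UX AAA Server: it parses constructed sample records, decodes each Reason into its symbolic name and billed/info class, converts Started-at to a UTC timestamp, and checks that the first four hex digits of the Session field agree with the low 16 bits of Started-at. Two layout details are assumptions (A-V pair lines indented with a tab, records separated by a blank line); the sample log and its users are constructed.

```python
"""Parse Merit-style (log_v2_0) accounting records and tally billed sessions.

Added example, not code from the HP-UX AAA Server. Follows the layout the
guide describes: a tab-delimited header line, then one A-V pair per line.
Assumptions: A-V pair lines are indented with a tab; records are separated
by a blank line.
"""
from datetime import datetime, timezone

# Column order of the first line of every session record (from the guide).
HEADER_FIELDS = [
    "Started-at", "Reason", "Log-time", "resrvd1", "Connect-time", "Access-ID",
    "resrvd2", "Session", "Token", "Time-limit", "From", "Service-class",
    "Filter", "Service-type",
]

# Reason codes from Table 12-4: integer -> (symbolic name, billed?).
# Code 3 is not listed in the guide, so it is deliberately absent here.
REASONS = {
    0: ("AC_NORMAL", True), 1: ("AC_REJECT", False), 2: ("AC_CANCEL", False),
    4: ("AC_OVERTIME", True), 5: ("AC_UNKNOWN", True), 6: ("AC_NOTOKEN", False),
    7: ("AC_NOTLOCAL", True), 8: ("AC_SUSPEND", True), 9: ("AC_FAILED", False),
    10: ("AC_AUTHORIZED", False), 11: ("AC_NASREBOOT", False),
    12: ("AC_REMOTE", False), 13: ("AC_DUPLICATE", False),
    14: ("AC_COLLISION", True),
}


def _int_or_none(value):
    """Numeric columns carry N/A when the value does not exist."""
    return None if value == "N/A" else int(value)


def parse_records(text):
    """Return a list of dicts, one per session record in the log text."""
    records, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            current = None          # blank line closes the record (assumption)
            continue
        if raw[0] in " \t":         # indented line: an A-V pair of the current record
            if current is None:
                raise ValueError("A-V pair line with no preceding header line")
            name, _, value = raw.strip().partition("=")
            current["avpairs"][name.strip()] = value.strip().strip('"')
            continue
        cols = raw.split("\t")
        if len(cols) != len(HEADER_FIELDS):
            raise ValueError(f"expected {len(HEADER_FIELDS)} columns, got {len(cols)}")
        f = dict(zip(HEADER_FIELDS, cols))
        started = int(f["Started-at"])            # seconds since 00:00:00 GMT, Jan. 1, 1970
        log_time = int(f["Log-time"])             # offset from Started-at to the write time
        reason_name, billed = REASONS.get(int(f["Reason"]), ("AC_UNLISTED", False))
        session = f["Session"]
        current = {
            "user": f["Access-ID"],
            "session": session,
            "started_at": datetime.fromtimestamp(started, tz=timezone.utc),
            "logged_at": datetime.fromtimestamp(started + log_time, tz=timezone.utc),
            "connect_time": _int_or_none(f["Connect-time"]),
            "time_limit": _int_or_none(f["Time-limit"]),
            "reason": reason_name,
            "billed": billed,
            # First four hex digits of the session ID are the low 16 bits of
            # Started-at; a mismatch flags a record worth a second look.
            "session_id_consistent": session[:4].lower() == format(started & 0xFFFF, "04x"),
            "avpairs": {},
        }
        records.append(current)
    return records


def summarize(records):
    """Tally billed versus informational records and flag oddities."""
    billed = [r for r in records if r["billed"]]
    return {
        "records": len(records),
        "billed": len(billed),
        "info": len(records) - len(billed),
        "billed_connect_seconds": sum(r["connect_time"] or 0 for r in billed),
        "over_limit": [r["user"] for r in billed
                       if r["time_limit"] is not None and r["connect_time"] is not None
                       and r["connect_time"] > r["time_limit"]],
        "inconsistent_session_ids": [r["session"] for r in records
                                     if not r["session_id_consistent"]],
    }


# Constructed sample log with three sessions on 2010-05-10 (not a real capture).
SAMPLE_LOG = (
    "1273500212\t0\t180\tN/A\t175\talice\tN/A\t12340001\tN/A\t3600\t10.0.0.5\tN/A\tN/A\tFramed-User\n"
    "\tUser-Name = \"alice\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Session-Time = 175\n"
    "\n"
    "1273500300\t9\t0\tN/A\tN/A\tbob\tN/A\t128c0002\tN/A\tN/A\t10.0.0.5\tN/A\tN/A\tN/A\n"
    "\tUser-Name = \"bob\"\n"
    "\n"
    "1273500400\t4\t3700\tN/A\t3700\tcarol\tN/A\tdeadbeef\tN/A\t3600\t10.0.0.6\tN/A\tN/A\tFramed-User\n"
    "\tUser-Name = \"carol\"\n"
    "\tAcct-Status-Type = Stop\n"
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_LOG):
        print(rec["user"], rec["reason"], rec["started_at"].isoformat())
    print(summarize(parse_records(SAMPLE_LOG)))
```

Reading the summary: the AC_OVERTIME record for carol is billed but exceeds her Time-limit, and its session identifier does not match its Started-at, which is the kind of inconsistency to reconcile against the NAS before the record is trusted for billing or an investigation.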

Writing Livingston CDR Accounting Records

It is not possible to make these changes through the Server Manager graphic interface; you must modify configuration files with a text editor.

1. Open the log.config configuration file (found in /etc/opt/aaa by default).
2. Locate the following lines, which should be found at the beginning of the file:

    # Default logging configuration if there is no log.config file.
    #
    stream *default* {
        aatv log_v2_0
        buffer 1
        close on
        filename session.%Y-%m-%d.log
        update 900
        wrap 3
    }
    end

3. Change aatv log_v2_0 to aatv log_acct.
4. Save and close the file.
5. Restart the server if it is currently running.


Livingston CDR Session Record Format

Each record of a user's session begins with Date and Time and a list of Attribute-Value pairs, one below the other. This information includes time-based values as well as specific and standard RADIUS A-V pairs.

    Date and time
        User-Name = <>
        NAS-IP-Address = <>
        NAS-Port = <>
        Class = <>
        Acct-Status-Type = <>
        User-Identifier = <>
        NAS-Identifier = <>
        Date-Time = <>
        Time-Of-Day = <>
        Day-Of-Week = <>
        User-Realm = <>
        LAS-Start-Time = <>
        LAS-Code = <>
        LAS-Duration = <>

The above session record will also include any additional A-V pairs that were included in an Accounting-Request message. The attribute-value pairs displayed above may differ depending on the server configuration.

NOTE: Merit is the default logging format.

Changing the Accounting Log Filename

1. Open the log.config configuration file (found in /etc/opt/aaa by default).
2. Locate the following lines, which should be found at the beginning of the file:

    # Default logging configuration if there is no log.config file.
    #
    stream *default* {
        aatv log_v2_0
        buffer 1
        close on
        filename session.%Y-%m-%d.log
        update 900
        wrap 3
    }
    end

3. Change session.%Y-%m-%d.log to the filename syntax you wish to use.
4. Save and close the file.
5. Restart the server if it is currently running.


Changing the Accounting Log Rollover Interval

The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval, follow the steps in "Changing the Accounting Log Filename" (page 150). The logging interval will change to the smallest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H will change the rollover interval to hourly.
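The rollover rule just stated, together with the _part<01-09> continuation files described in the note under "Accounting Log Files", determines which files an accounting search for a Begin/End window has to read. The following added example (not part of the HP-UX AAA Server) works that out: it derives the rollover interval from a filename pattern, enumerates the file names a time window spans, and picks the matching files and their _partNN continuations out of a directory listing. /var/opt/aaa/acct is the path from the guide's example; the directory listing and the window are constructed, and the step-based walk over the window is this example's own approach.

```python
"""Which accounting log files cover a time window?

Added example, not HP-UX AAA Server code. It applies two rules from the
guide: the rollover interval is the smallest time unit in the strftime part
of the stream filename, and an oversized day file continues in
session.yyyy-mm-dd_partNN.log (NN from 01 to 09).
"""
import os
import re
from datetime import datetime, timedelta

ACCT_DIR = "/var/opt/aaa/acct"   # example path from the guide

# strftime units from coarsest to finest, each with the step used to walk a
# window. Years and months are walked a day at a time and de-duplicated.
_UNITS = [
    ("%Y", "yearly", timedelta(days=1)),
    ("%m", "monthly", timedelta(days=1)),
    ("%d", "daily", timedelta(days=1)),
    ("%H", "hourly", timedelta(hours=1)),
    ("%M", "per-minute", timedelta(minutes=1)),
]


def rollover_interval(pattern):
    """Name of the rollover interval implied by the filename pattern."""
    finest = None
    for directive, name, _step in _UNITS:
        if directive in pattern:        # the last hit is the finest unit present
            finest = name
    if finest is None:
        raise ValueError("pattern has no timestamp directive; it would never roll over")
    return finest


def log_files_for_window(pattern, begin, end):
    """File names, in order, that can hold records between begin and end."""
    if end < begin:
        raise ValueError("end precedes begin")
    step = {name: s for _, name, s in _UNITS}[rollover_interval(pattern)]
    names, t = [], begin
    while True:
        name = t.strftime(pattern)
        if name not in names:
            names.append(name)
        if t >= end:
            break
        t = min(t + step, end)         # never step past the end of the window
    return names


def continuation_pattern(name):
    """Regex matching name itself and its _part01.._part09 continuations."""
    stem, ext = os.path.splitext(name)  # "session.2010-05-10", ".log"
    return re.compile(re.escape(stem) + r"(_part0[1-9])?" + re.escape(ext) + r"$")


def select_files(names, listing):
    """Pick, from a directory listing, the files for the given names
    including any size-limit continuation files."""
    out = []
    for name in names:
        rx = continuation_pattern(name)
        out.extend(sorted(f for f in listing if rx.match(f)))
    return out


def paths_for_window(pattern, begin, end, listing):
    """Full paths under ACCT_DIR to read for an accounting search."""
    return [os.path.join(ACCT_DIR, f)
            for f in select_files(log_files_for_window(pattern, begin, end), listing)]


# Constructed directory listing: May 10 hit the size limit twice.
SAMPLE_LISTING = [
    "session.2010-05-09.log",
    "session.2010-05-10.log",
    "session.2010-05-10_part01.log",
    "session.2010-05-10_part02.log",
    "session.2010-05-11.log",
    "session.2010-05-12.log",
]

if __name__ == "__main__":
    begin, end = datetime(2010, 5, 10, 22, 0), datetime(2010, 5, 11, 2, 0)
    print(rollover_interval("session.%Y-%m-%d.log"))
    print(paths_for_window("session.%Y-%m-%d.log", begin, end, SAMPLE_LISTING))
    print(log_files_for_window("session.%Y-%m-%d-%H.log", begin, end))
```

Note that a search window of four hours spanning midnight touches two daily files (four once the continuation files are included) but five hourly ones; finer rollover keeps individual files small at the cost of more files to collect for a given window.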

Rolling Over the Log File and Accounting Stream and Setting the Log Level

You can roll over the server log file and accounting stream and set the log level using the radsignal command as follows:

    radsignal [-h] [-v] [[-di ipcdir] pid level] [[-di ipcdir] pid roll logfile]
              [[-di ipcdir] pid roll stream [stream-name]]
              [[-di ipcdir] log level msg_type msg_sub_type log_level]

Where:

pid        The process ID of radiusd. This can be determined with the command:
           % ps -eaf | grep radiusd

level      One of the following debug levels to set:
           0  Debug logging disabled.
           1  Minimal information.
           2  Level 1 information, high-level FSM output and some function tracing.
           3  Level 2 information and complete function tracing.
           4  Level 3 information along with low-level FSM and configuration file output.

roll       Immediately roll the log file or an accounting stream. This should be used along with the keywords logfile or stream.

logfile    The AAA Server log file.

stream stream-name
           The AAA server accounting stream. If stream-name is not specified then the default stream (*default*) will be used. This should be used along with the keyword roll.

radsignal has the following options:

-h         Displays a help message.

-v         Displays version information.

-di ipcdir The directory where the radiusd shared memory files are located. If omitted, the default is /var/opt/aaa/ipc.

log level msg_type msg_sub_type log_level
           Sets the log level for the specified RADIUS message type. msg_type specifies the RADIUS message type for which the log level should be set. msg_type should be one of the following:
           • auth: Authentication messages.
           • acct: Accounting messages.
           • disconn: Disconnect messages.
           • coa: Change-Of-Authorization messages.
           • all: All the above messages.
           msg_sub_type specifies the sub type of msg_type for which the log level should be set. msg_sub_type should be one of the following:
           • req: Request messages.
           • resp: Response messages.
           • ack: Ack response messages.
           • nak: Nak response messages.
           • all: All the above messages.
           log_level specifies the log level to be set for msg_type and msg_sub_type. log_level should be one of the following:
           • suppress: Suppresses all the log messages for msg_type and msg_sub_type.
           • low: Provides minimal information in the log messages for msg_type and msg_sub_type.
           • default: Provides detailed information in the log messages for msg_type and msg_sub_type. This is the default value.

See the radsignal man page for more information.


Part III Advanced Configuration Information

This part of the HP-UX AAA Server Administrator's Guide contains the following chapters:

• Chapter 13: "Securing LAN Access With EAP" (page 159)
• Chapter 14: "Managing Sessions" (page 169)
• Chapter 15: "Assigning IP Addresses" (page 174)
• Chapter 16: "OATH Standards-Based OTP Authentication" (page 179)
• Chapter 17: "Configuring EAP-SIM and EAP-AKA Authentication Methods" (page 224)
• Chapter 18: "Configuring HP-UX AAA Server for Scalability and High-Availability" (page 273)
• Chapter 19: "Configuring the HP-UX AAA Server for Client Functionality" (page 291)
• Chapter 20: "Configuring the HP-UX AAA Server for Dynamic Authorization" (page 297)


Table of Contents

13 Securing LAN Access With EAP ... 159
  Overview ... 159
    The Secure LAN Advisor ... 159
  Preparing Your LAN ... 160
  Determining the EAP Authentication Method to Use ... 161
  Securing WLANs with the HP-UX AAA Server ... 164
  Digital Certificate Administration ... 164
    Using the "Self-Signed" Digital Certificates ... 165
    Installing Your Own Digital Certificates and Keys ... 166
      Installing Server Certificates and Keys ... 166
      Installing Client Certificates and Keys ... 167
      Defining Certificate Locations on the HP-UX AAA Server ... 167

14 Managing Sessions ... 169
  Session Logs ... 169
    Displaying Session Attributes ... 169
    Stopping a Session ... 170
  Session Limits ... 170
    Setting Limits on a User-by-User Basis ... 171
      Setting Timeout Values ... 171
      Establishing a Filter ... 171
      Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others) ... 171
      Denying Access (Called-Station-ID and others) ... 172
      Limiting Simultaneous Sessions ... 172
    Setting Limits for Users on a Global Basis ... 173
      Setting Limits for All User Profiles Grouped by Realms ... 173

15 Assigning IP Addresses ... 174
  Assigning Static IP Addresses ... 174
    To Assign a Static IP (IPv4) Address to a Profile in Flat Files ... 174
    To Assign a Static IPv6 Address to a Profile in Flat Files ... 175
    To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File ... 177
    To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File ... 178
  Assigning Dynamic IP Addresses Using DHCP ... 178

16 OATH Standards-Based OTP Authentication ... 179
  OTP and OATH Overview ... 179
  HP-UX AAA Server and OATH Support ... 180
  Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2 ... 182
  Components Required to Configure OTP Authentication ... 182
  Configuring OTP Authentication on the HP-UX AAA Server ... 183
    OTP Authentication Configuration Flowchart ... 183
    Basic or Typical Configuration ... 186
    Advanced Configuration ... 187
      Advanced OTP Authentication Configuration Concepts ... 187
        Attributes for Configuring OTP Authentication ... 192
      Advanced Deployment Scenarios ... 199
        Validating OTP Alone ... 200
        Configuring Two-Factor Authentication ... 202
        OTP or Password Validation at External RADIUS Server ... 210
    Predefined Mapping and Conversion Functions ... 217
    Sample Configuration Files ... 217
      The sqlaccess.config Sample File ... 217
      Sample Policy Files ... 220
        The oath-request-ingress.grp Sample File ... 221
        The oath-reply-egress.grp Sample File ... 221
        The oath-proxy-egress.grp Sample File ... 222

17 Configuring EAP-SIM and EAP-AKA Authentication Methods ... 224
  EAP-SIM ... 224
    Overview ... 224
    EAP-SIM Authentication Using HP-UX AAA Server ... 225
    Features ... 227
    Benefits ... 228
    Configuring EAP SIM ... 228
      EAP-SIM Client Configuration ... 228
      EAP-SIM User Credential Lookup Configuration ... 228
      EAP-SIM Realm-Based Configurations ... 229
        Realm-Based EAP-SIM Configuration Information in authfile ... 229
        Realm-Based EAP-SIM Configuration Information in EAP.authfile ... 232
      Global EAP-SIM Configuration in aaa.config ... 235
  EAP-AKA ... 236
    Overview ... 236
    EAP-AKA Authentication Using HP-UX AAA Server ... 236
    Features ... 237
    Benefits ... 238
    Configuring EAP-AKA ... 239
      EAP-AKA Client Configuration ... 239
      EAP-AKA User Credential Lookup Configuration ... 239
      EAP-AKA Realm-Based Configurations ... 240
        Realm-Based EAP-AKA Configuration Information in authfile ... 240
        Realm-Based EAP-AKA Configuration Information in EAP.authfile ... 242
      Global EAP-AKA Configuration in aaa.config ... 247
  Fast Re-Authentication ... 248
    Configuring for Fast Re-Authentication ... 248
      Configuring for Fast Re-Authentication in EAP.authfile ... 248
        Sample EAP.authfile Configuration for Fast Re-authentication ... 250
      Configuring for Fast Re-Authentication in aaa.config File ... 251
        Sample aaa.config Configuration for Fast Re-authentication ... 251
    Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs ... 252
      Fast Re-Authentication Database Update AATV ... 253
        Update AATV Inputs ... 253
        Update AATV Outputs ... 254
        AATV Functionality and Return Events ... 254
      Fast Re-Authentication Database Lookup AATV ... 254
        Lookup AATV Inputs ... 254
        Lookup AATV Outputs ... 255
        Lookup AATV Functionality and Return Events ... 256
  Pseudonym Identities ... 256
    Random Pseudonyms ... 256
    Algorithm-Based Pseudonyms ... 257
    Configuring for Pseudonym Identity Support ... 258
      Sample EAP.authfile Configuration for Random Pseudonym Identity Support ... 260
      Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support ... 261
      Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support ... 262
    Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs ... 262
      Pseudonym Database Update AATV ... 264
        Update AATV Inputs ... 264
        Update AATV Outputs ... 265
        AATV Functionality and Return Events ... 265
      Pseudonym Database Lookup AATV ... 265
        Lookup AATV Inputs ... 265
        Lookup AATV Outputs ... 266
        Lookup AATV Functionality and Return Events ... 268
  Generating Authentication Vectors Using A3, A8, and AKA Algorithms ... 268
    3GPP Milenage A3, A8, and AKA Algorithm ... 269

18 Configuring HP-UX AAA Server for Scalability and High-Availability ... 273
  Overview ... 273
  Scalability and High-Availability Concepts ... 274
    Grouping HP-UX AAA Servers ... 274
    HP-UX AAA Server Attributes ... 274
  HP-UX AAA Server Deployment for Scalability and High-Availability ... 274
  Managing Multiple HP-UX AAA Servers For Scalability and High-Availability ... 276
    Administering HP-UX AAA Servers Using HP-UX AAA Server Manager ... 276
      Logging In ... 277
      Adding a Group ... 278
      Modifying a Group ... 279
      Deleting a Group ... 279
      Adding a Server ... 280
      Modifying a Server ... 284
      Deleting a Server ... 284
      Cloning a Server ... 284
    Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line) ... 287
      rad_admin Syntax ... 287
      Examples of Administering Multiple HP-UX AAA Servers ... 288
      Administering HP-UX AAA Servers Using Interactive User Interface ... 288
  Disaster Recovery of the HP-UX AAA Server Manager ... 289

19 Configuring the HP-UX AAA Server for Client Functionality ... 291
  Overview ... 291
  CLIENT AATV ... 292
    Configuring CLIENT AATV ... 292
    Working of the CLIENT AATV ... 292
  Supported APIs ... 294
  Internal Attributes and Mapping Functions ... 295

20 Configuring the HP-UX AAA Server for Dynamic Authorization ... 297
  Dynamic Authorization Overview ... 297
  HP-UX AAA Server and Dynamic Authorization ... 297
  Processing of Dynamic Authorization Requests ... 298
  Configuring for Dynamic Authorization ... 300
    Basic Configuration ... 301
    Advanced Configuration ... 302
      Migrating Existing SQL Access Deployments for Dynamic Authorization ... 302
      Configuring Multiple HP-UX AAA Servers as a Group ... 304
        Configuring for Disconnect and CoA Request Processing ... 306
        Dedicated HP-UX AAA Servers for Dynamic Authorization ... 311
      Dynamic Authorization in Authorize Only Mode ... 316
        Configuring for Dynamic Authorization in Authorize Only Mode ... 317
      Configuring for Proxy Functionality ... 319
        Configuring for Dynamic Authorization Proxy Functionality ... 320
      Configuring for Failover ... 321
      Security Consideration in Dynamic Authorization ... 321
        Replay Protection ... 321
        Message-Authenticator ... 324
        Reverse Path Forwarding Check for Proxies ... 324
  Sample Configuration Files ... 326
    The client-request-init.grp.dynauth Sample File ... 327
    The client-reply-ingress.grp.dynauth Sample File ... 327
    The sqlaccess.config.dynauth Sample File ... 327
    The sqlaccess.config.dynauth_server_group Sample File ... 329
    The dbsetup.sql.dynauth_server_group Sample File ... 331


13 Securing LAN Access With EAP

IMPORTANT: The EAP-LEAP authentication method is obsolete in this release of the HP-UX AAA Server. The EAP-LEAP authentication method is replaced by the EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted tunnel to transmit the user's credentials.

This chapter provides information about securing LANs with EAP using the HP-UX AAA Server. Refer to the Secure LAN Advisor in the Server Manager interface for step-by-step instructions.

Overview

The HP-UX AAA Server provides a security framework to support EAP authentication mechanisms for LAN users. The HP-UX AAA Server allows authentication of wireless users with password or non-password based mechanisms and supports dynamic key generation for data encryption between the access point and wireless stations.

The Secure LAN Advisor

The Secure LAN Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server. The Secure LAN Advisor provides information only—it does not edit configuration files. Follow the Secure LAN Advisor and use Server Manager to create and deploy basic AAA configurations for securing WLANs. For information on EAP-SIM and EAP-AKA, see Chapter 17 (page 224). The following graphic shows the Secure LAN Advisor used to quickly secure WLANs with the HP-UX AAA Server:


Figure 13-1 The Secure LAN Advisor For Securing WLANs

Preparing Your LAN

A LAN requires you to synchronize items on the supplicant, access point, and AAA server. The following table lists the items you need to synchronize on each node and provides notes on configuring each item.


Table 13-1 LAN Configuration Items

Item: Shared Secret
Nodes: Access Device; AAA Server
Notes: The shared secret configured on the access device and AAA server must match for the two to communicate. Use the Access Devices link to configure this item on AAA servers.

Item: EAP Support
Nodes: Access Device
Notes: Most access devices require you to enable EAP. You do not need to specify an EAP method, but you must enable support for EAP.

Item: EAP Method
Nodes: Client Supplicant; AAA Server
Notes: Verify the supplicants support the EAP methods the AAA server supports. Enable EAP on the supplicants. Configure the same EAP method on the supplicant and the AAA server. Use the Local Realms link to configure this item on AAA servers.

Item: EAP Tunnel Realm
Nodes: Client Supplicant; AAA Server
Notes: Required for TTLS. Verify the supplicant has an anonymous user configured on it, and configure a tunnel realm for that anonymous user on the AAA server. For example, if the supplicant's anonymous user is [email protected], you should configure a realm for tunnel.com. You must configure tunnel realms for TTLS. Configuring tunnel realms for PEAP is optional. Use the Local Realms link to configure this item on AAA servers.

Item: Users
Nodes: AAA Server
Notes: The AAA server must have access to a repository with information for each user. Use the Local Realms link and select the users icon to administer a specific set of Users associated with a realm.

Item: Client Certificate
Nodes: Client Supplicant
Notes: For TLS only. The digital certificate identifying the client.

Item: Client CA Certificate
Nodes: AAA Server
Notes: For TLS only. Used by the AAA server to authenticate client certificates. Use the Server Properties link and select Certificate Path Properties. In the Certificate Authority Path field, configure the location of the client CA certificate on the AAA server.

Item: Server Certificate
Nodes: AAA Server
Notes: For TLS, TTLS, and PEAP only. The digital certificate identifying the AAA server. Use the Server Properties link and select Certificate Path Properties. In the Certificate Path field, configure the location of the client CA certificate on the AAA server.

Item: Server CA Certificate
Nodes: Client Supplicant
Notes: For TLS, TTLS, and PEAP only. Used by clients to authenticate the AAA server certificate.

Determining the EAP Authentication Method to Use

Choose EAP methods based on your security requirements and the clients you support. First, create an inventory of the clients you support. Clients need specific supplicant software for each EAP method (LAN access devices must only support EAP). For wireless clients, you must use supplicants that support the hardware platforms, operating systems, and WLAN cards in your environment. Ideally, you should try to use client hardware and software that allows you to use one EAP method for all your clients. This may mean avoiding solutions that are proprietary or support only a small variety of clients.

Next, determine which of the following features are important to you:
1. Dynamic Key Exchange—Distributes a user-specific encryption key to the client and access device during the authentication process. Without this feature, all clients must share the same static encryption key.
2. Mutual Authentication—Protects against unauthorized (rogue) access devices by allowing clients to authenticate the network they are connecting to.
3. Password-based Authentication—Clients provide a password to authenticate to the network. Typically the password is sent to the server in a hashed (one-way encrypted) form. If you are integrating with an existing password storage format, be sure the EAP method you choose is compatible with the password storage format. For the most flexibility, choose an EAP method that allows the AAA server to access the password in clear text (for example, the PAP password format). Storing passwords in clear text requires you to use EAP methods that encrypt the channel between the client and the access point (like TTLS or PEAP).
4. Digital Certificate/Token Card-based Authentication—Uses a token card, smart card, or digital certificate assigned to each user for authentication. This feature must be deployed in an environment with supporting infrastructure—for example, an organization with a PKI and user-specific certificates.
5. Encrypted Tunnel—Establishes an encrypted channel to securely deliver authentication messages and encryption keys. The encrypted tunnel encapsulates another EAP method that provides the actual user authentication. Encrypted tunnels are good for securing authentication methods that are vulnerable when not encapsulated in an encrypted tunnel.
6. OATH standards-based OTP and two-factor authentication—Uses the OATH standards-based HOTP algorithm to provide OTP authentication. Typically, OTP can be used to provide two-factor authentication, thus providing a higher level of security than using passwords alone.


NOTE: The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
• PEAP (EAP-GTC)
• TTLS (PAP and MS-CHAP v2)
The HP-UX AAA Server also supports EAP-SIM and EAP-AKA for mobile communication networks. For information on EAP-SIM and EAP-AKA, see Chapter 17 (page 224).

The following table lists the EAP methods the HP-UX AAA Server supports and which of the above features each method offers. Use the table and your inventory information to help decide which EAP method to use.

Table 13-2 Supported EAP Methods and Their Features

EAP Method: TTLS
Features: 1, 2, 3, 5, 6
Description: Tunneled TLS: Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Supplicants are available for a large number of clients.

EAP Method: PEAP
Features: 1, 2, 5, 6
Description: Protected EAP: Functionally very similar to TTLS, but does not encapsulate legacy authentication methods.

EAP Method: TLS
Features: 1, 2, 4, 5
Description: Transport Layer Security: Uses TLS (also known as SSL) to authenticate the client using its digital certificate. NOTE: Some supplicants require specific extensions to support certificates for EAP.

EAP Method: MD5
Features: 3
Description: Message Digest 5: Passwords are hashed using the MD5 algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above).

EAP Method: MS-CHAP
Features: 2, 3
Description: Microsoft Challenge Handshake Authentication Protocol: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above).

EAP Method: GTC
Features: 4, 6
Description: Generic Token Card: Carries user-specific token cards for authentication.


NOTE: If you are using TLS, TTLS, or PEAP, be sure you configure the required digital certificates after you configure all your realms.

Securing WLANs with the HP-UX AAA Server

The following is the list of the steps for securing WLANs with the HP-UX AAA Server. Use the Secure LAN Advisor and refer to each specific section in this guide for more information on each step.
1. Access Server Manager. See “Accessing the Server Manager” (page 71) for more information.
2. Open the Secure LAN Advisor for online reference by selecting Secure LAN Advisor in the navigation tree. See “The Secure LAN Advisor” (page 159) for more information.
3. Load a AAA server configuration to Server Manager by selecting Load in the navigation tree. See “Loading and Saving Your Configuration” (page 94) for more information.
4. Identify the RADIUS clients that will send access requests to the AAA server by selecting Access Devices in the navigation tree. See “Navigating the Access Devices Screen” (page 100) for more information.
5. Configure realms for the encrypted tunnels if you are using TTLS, or optionally for PEAP. See “Adding a Realm” (page 105) for more information.
6. Configure your realms to set the authentication methods the AAA server will use to authenticate your users, and to indicate where the AAA server should look for user information. See “Adding a Realm” (page 105) for more information.
7. Configure digital certificates if you are using TLS, TTLS, or PEAP. See “Digital Certificate Administration” (page 164) for more information.
8. Configure user profiles to identify each user accessing services through the AAA server.
9. Deploy the AAA configuration to secure your LAN by:
   a. saving the configuration to one or more AAA servers
   b. stopping and starting the AAA servers in the configuration

Digital Certificate Administration

Some security methods (like TLS, TTLS, or PEAP) use digital certificates assigned to each user for authentication. If your organization has a Public Key Infrastructure (PKI), you can deploy digital certificates for user authentication. The following is a list of the certificates involved:
• Server certificate—digital certificate identifying the server.
• Server CA certificate—a copy of the certificate for the authority that issued the server certificate.
• Client certificate—if clients will be authenticated by digital certificates (EAP-TLS), install a certificate on each client and add the client CA to the AAA server’s CA list.
• Client CA certificate—a copy of the certificate for the authority that issued the client certificate.

NOTE: If you are supporting multiple realms, configure digital certificates after you add all of your realms.

Using the “Self-Signed” Digital Certificates

The HP-UX AAA Server creates a unique set of “self-signed” digital certificates during installation that are based on its DNS name. Server Manager uses these certificates by default. You can use the self-signed certificates in production environments for TTLS and PEAP, and in testing environments for TLS. The self-signed server certificates are in /etc/opt/aaa/security/.

The following is a list of the self-signed certificates located in /etc/opt/aaa/security/:
• rsa_cert.pem — AAA server certificate
• rsa_key.pem — AAA server key
• ca_list.pem — list of client CA certificates
• demouser.p12 — sample client certificate
• root.cer — CA for AAA server certificate

For TTLS and PEAP

If you are using TTLS or PEAP, the default certificates are safe to deploy in your production environment. The AAA server is its own Certificate Authority. If you are managing multiple AAA servers, you must have the same set of digital certificates on each server in your configuration. Pick one of your AAA servers and copy the set of self-signed digital certificates to every AAA server in the configuration. You should save each AAA server's original self-signed certificates for future use.

Copy /etc/opt/aaa/security/root.cer to the CA storage on supplicants that enable server certificate checking.

For TLS

If you are using TLS, use the default certificates to familiarize yourself with TLS certificate administration before you deploy your own enterprise certificates.
1. Copy /etc/opt/aaa/security/root.cer to the CA storage on the supplicant.
2. Copy /etc/opt/aaa/security/demouser.p12 to the user certificate storage on the supplicant:
   • the pass phrase for demouser.p12 is: 1234
   • the user name for demouser.p12 is: [email protected]
3. Configure a TLS realm for eap.realm on the AAA server.

Installing Your Own Digital Certificates and Keys

You can use your own certificates if your organization has a PKI and you don’t want to use the self-signed certificates included with the HP-UX AAA Server. Refer to the supplicant documentation to determine each supplicant’s specific certificate requirements.

NOTE: HP recommends using the self-signed certificates included with the HP-UX AAA Server to simulate your certificate administration before deploying your own personal certificates in a production environment.

The HP-UX AAA Server has the following digital certificate requirements:
• all certificate files stored on the HP-UX AAA Server must be in .pem or .cer format
• the server’s certificate must be generated with a key file that is not encrypted with a pass-phrase
• for TLS only, the Common Name (CN) on the client certificate will be used as the user name and therefore must be fewer than 128 ASCII characters and cannot include the < > ( ) [ ] \ / . , ; : or space characters

NOTE: Refer to the supplicant documentation to determine each supplicant’s specific certificate requirements. For example, some supplicants require the client and server certificate to have the Enhanced Key Usage (EKU) field. For the client certificate, the Enhanced Key Usage (EKU) field must contain the Client Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.2"); and, for the server certificate, the EKU field must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").

Installing Server Certificates and Keys

Copy the server certificate and key file to the HP-UX AAA Server in the /etc/opt/aaa/security/ directory.
• If you are using TLS, copy the client CA certificate to the /etc/opt/aaa/security/ directory. You can combine multiple CA files into one file.
• For TLS users whose certificates have been revoked, copy or append their certificates to the Certificate Revocation List (CRL) file.


Installing Client Certificates and Keys
1. Copy the server CA certificate to the client.
2. Copy the client certificate to the client (for TLS only).
3. Use your supplicant’s utility to install and configure the certificates.

Defining Certificate Locations on the HP-UX AAA Server

The HP-UX AAA Server uses its self-signed certificates by default. If you want to use your own certificates, you must define where the required certificates reside on the AAA server. The following steps illustrate how to define certificate locations:
1. In the navigation tree, click Server Properties.
2. Click Certificate Properties.

The Certificate Properties pane opens as shown in Figure 13-2.

Figure 13-2 Server Manager’s Certificate Properties Screen


3. Define the locations to certificates by entering the path, and clicking Create. The following list explains how to enter the path names in these fields:
• Server Certificate Path: For TLS, TTLS, and PEAP. Enter the fully-qualified file name to the AAA server certificate in .pem or .cer format.
• Server Private Key Path: Enter the fully-qualified file name to a file in .pem or .cer format that contains the private key used to generate the AAA server certificate. This file cannot be encrypted.
• Client Certificate Authority Path: For TLS only. Enter the fully-qualified file name to the CA certificate for the client certificate. Used by the AAA server to authenticate client certificates. The CA certificate for the client certificate must be in .pem format.
• Random Seed Path: For TLS, TTLS, and PEAP. Enter the fully-qualified file name containing any random data used to seed the random engine for TLS based EAP mechanisms. This file can contain any random data.
• Certificate Revocation List Path: For TLS. Enter the fully-qualified file name to a list of prohibited client certificates. File must be in .pem or .cer format.
• Client User Name Attribute: Used for EAP-TLS based authentication. Identifies the attribute in the user digital certificate to retrieve the user’s name. This must match the user name configured on the supplicant (client) software. The HP-UX AAA Server then checks the user name in the certificate against the user name supplied in the EAP-TLS authentication request. Select “Disable” to disable this check. You can select any one of the following attribute values:
   — Subject:CommonName (default) - Use the CommonName (CN) in the Subject attribute
   — Subject:EmailAddress - Use the Email Address (E) in the Subject attribute
   — SubjectAltName:RFC822Name - Use the RFC822Name in the SubjectAltName attribute
   — Check All Attributes - Search all the above three fields for a matching name
   — Disabled - Ignore comparing the user name with the certificate name
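The following is an added example, not code from the HP-UX AAA Server or from HP, that models the EAP-TLS client certificate checks described in this chapter: the EKU purpose OIDs from the note above, the Common Name rules listed under the certificate requirements, and the Client User Name Attribute modes from the list just given. It operates on a dictionary of fields as a certificate parser would extract them; the field names, the sample certificate contents and the exact, case-sensitive comparison are this example's assumptions.

```python
"""Added example (not HP-UX AAA Server code): EAP-TLS client certificate
checks applied to already-extracted certificate fields (constructed data)."""

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU purpose (from this guide)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU purpose (from this guide)

# Characters this guide says a TLS client CN may not contain, plus the space.
FORBIDDEN_CN_CHARS = set('<>()[]\\/.,;: ')


def validate_client_cn(cn: str) -> list:
    """Problems with a client CN that will be used as the EAP-TLS user name.
    An empty list means the CN meets the guide's stated requirements."""
    problems = []
    if not cn:
        problems.append("CN is empty")
    if len(cn) >= 128:
        problems.append("CN must be fewer than 128 characters")
    if not cn.isascii():
        problems.append("CN must contain only ASCII characters")
    bad = sorted(FORBIDDEN_CN_CHARS.intersection(cn))
    if bad:
        problems.append("CN contains forbidden characters: " + " ".join(repr(c) for c in bad))
    return problems


def has_eku(cert: dict, purpose_oid: str) -> bool:
    """True when the certificate's Enhanced Key Usage extension lists purpose_oid."""
    return purpose_oid in cert.get("eku", [])


def certificate_names(cert: dict, mode: str) -> list:
    """Names the server would read from the certificate under one
    Client User Name Attribute mode (field names are this example's assumption)."""
    by_mode = {
        "Subject:CommonName": [cert.get("subject_cn")],
        "Subject:EmailAddress": [cert.get("subject_email")],
        "SubjectAltName:RFC822Name": list(cert.get("san_rfc822", [])),
    }
    if mode == "Check All Attributes":
        names = [n for group in by_mode.values() for n in group]
    elif mode in by_mode:
        names = by_mode[mode]
    else:
        raise ValueError("unknown Client User Name Attribute mode: %r" % mode)
    return [n for n in names if n]


def user_name_matches(cert: dict, request_user_name: str, mode: str = "Subject:CommonName") -> bool:
    """The server's user-name check: the EAP-TLS request's user name must equal a
    name found in the selected certificate field(s). 'Disabled' skips the check.
    Assumption: an exact, case-sensitive comparison."""
    if mode == "Disabled":
        return True
    return request_user_name in certificate_names(cert, mode)


def check_client_certificate(cert: dict, request_user_name: str, mode: str = "Subject:CommonName"):
    """Combine the three checks; returns (accepted, list_of_reasons)."""
    reasons = []
    if not has_eku(cert, OID_CLIENT_AUTH):
        reasons.append("client certificate lacks the Client Authentication EKU purpose")
    reasons += validate_client_cn(cert.get("subject_cn", ""))
    if not user_name_matches(cert, request_user_name, mode):
        reasons.append("user name %r not found in certificate via %s" % (request_user_name, mode))
    return (not reasons, reasons)


# Constructed sample: the fields a parser would extract from a client certificate.
SAMPLE_CLIENT_CERT = {
    "subject_cn": "jdoe",
    "subject_email": "jdoe@example.test",
    "san_rfc822": ["jdoe@example.test"],
    "eku": [OID_CLIENT_AUTH],
}

if __name__ == "__main__":
    print(check_client_certificate(SAMPLE_CLIENT_CERT, "jdoe"))
    print(check_client_certificate(SAMPLE_CLIENT_CERT, "jdoe@example.test", "Check All Attributes"))
```

A certificate whose CN is a host name (it contains a dot) fails the CN rule even though it is otherwise valid, which is the practical consequence of the guide's requirement that the CN double as the user name.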


14 Managing Sessions

NOTE: This chapter does not apply to session management using the SQL Access feature. See Chapter 22: “SQL Access” (page 338) for more information on session management using the SQL Access feature.

This chapter covers two procedures: reading records of active sessions, and manually stopping sessions.

Session Logs

After a user is successfully authenticated and the AAA server sends an Access-Accept, the access device will send an Accounting-Request message to start the session. The AAA server stores information about the session in an active session record. When the user's session is terminated, the client sends an Accounting-Request message to stop the session. When a AAA server receives the stop message, it clears its active record for the session and writes the session information to a file.

NOTE: HP recommends that you do not enable local session tracking for realms that are configured for session management via the SQL Access feature.

Displaying Session Attributes
1. From the navigation tree, click Sessions.
2. Enter search parameters in the Session Filter screen that appears. Retrieved sessions will be restricted to the specified search parameters.

Figure 14-1 Sessions Search Filter Screen

3. Click Display. The AAA server manager will display a list of active sessions as shown in Figure 14-2.


Figure 14-2 Example Return for a Sessions Search

4. Select a session. The AAA server manager will display the attributes for the selected session similar to the example shown in Figure 14-3.

Figure 14-3 Example of a Session’s Attributes

5. Click OK when you are done reading the session.

Stopping a Session

This procedure is intended for sessions that were terminated on the access device but are maintained as active by the AAA server.
1. Follow the procedure described in “Displaying Session Attributes” (page 169).
2. On the Session Attributes screen, click Stop. The AAA server will clear its record of the active session, but no action is taken by the access device.

Session Limits

You can set session limits to control how long the user has access to the network, what services the user has access to, and how many active sessions the user may maintain on the network. Session limits are defined through A-V pairs. These limits can be enforced on a user-by-user or global basis.

Setting Limits on a User-by-User Basis

If the user profile does not currently exist, follow the appropriate procedure to create a new profile. If the user profile does exist, access the user profile from the text file or database that stores the profile.

Setting Timeout Values

If the user profile is stored in a AAA server flat file:
1. Select the General tab from the User Attributes screen.
2. Assign a Session Timeout value to limit how many seconds the user can access the service.
3. Assign an Idle Timeout value to limit how many consecutive seconds of idle connection time can pass before the session is terminated.

If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:

aaaReply: Session-Timeout = Number-seconds
aaaReply: Idle-Timeout = Number-seconds

Establishing a Filter
1. Define the filter on your network device according to the hardware instructions. The filter definition should include a filter ID.
2. Associate the user profile with the filter ID.
• If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the General tab from the User Attributes screen and specify the ID in the Filter ID field.
• If the user profile is stored in an LDAP LDIF file, add the following line to the user profile:

aaaReply: Filter-ID = value

Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others)

You can control what connection point a user must use to access your network by restricting access to specific NASs or phone numbers.


If the user profile is stored in a AAA server users file (grouped by realm or the default file), assign values to the User Attributes fields that can limit access:
• Assign a NAS Port value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by port.
• Assign a NAS ID value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by NAS.
• Assign a Calling-Station-ID value (under the Others tab) if the user must always access service from a single location (defined by a phone number).

If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:

aaaCheck: NAS-Port = Port-number
aaaCheck: NAS-ID = value
aaaCheck: Calling-Station-ID = Phone-number

Denying Access (Called-Station-ID and others)

You can deny users access through a connection point by adding deny items to the user profile.
• If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set:

NAS-Port != Port-number
NAS-ID != value
Calling-Station-ID != Phone-number

• If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:

aaaCheck: NAS-Port = Port-number
aaaCheck: NAS-ID = value
aaaCheck: Calling-Station-ID = Phone-number

Limiting Simultaneous Sessions

You can limit the number of concurrent sessions a user can maintain when accessing your network. Before you can configure the simultaneous sessions limit for a user profile, you must identify the user's realm in the server's configuration even if the user is not grouped by realm.
1. From the navigation tree, click Local Realms.
2. If the user's realm is not already identified, follow the appropriate procedure to add a realm to the server configuration. If the realm is already configured, select the realm name from the Realms screen.
3. In addition to completing the other required fields in the Realm Attributes screen, select the Yes radio button for Session Tracking.
4. Save the realm.
5. Access the user profile and set the simultaneous session limit.
• If the user profile is stored in a AAA server users file, select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set:

Simultaneous-Sessions = Max-number-sessions

• If the user profile is stored in an LDAP LDIF file, add the following line to the user profile:

aaaCheck: Simultaneous-Sessions = Max-number-sessions
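The following is an added example, not HP-UX AAA Server code, that models how the aaaCheck and aaaReply lines shown in this chapter would be applied to an Access-Request, and how the Simultaneous-Sessions check depends on the active session records described under "Session Logs" (created on an Accounting-Request start and cleared on the stop). The LDIF profile and the requests are constructed sample data; the meaning given to "=" (the request attribute must match) and "!=" (the request attribute must not match), and the rule that a check item naming an attribute absent from the request fails, are this example's assumptions about the server's semantics.

```python
"""Added example (not HP-UX AAA Server code): a model of aaaCheck / aaaReply
evaluation with Simultaneous-Sessions enforced against active session records.
All profile, request and session data below is constructed."""
import re

# Constructed user profile in the LDIF style used in this chapter.
SAMPLE_PROFILE = """\
dn: uid=jdoe,ou=users,dc=example,dc=test
uid: jdoe
aaaCheck: NAS-ID = nas-hq-1
aaaCheck: Calling-Station-ID != 5551212
aaaCheck: Simultaneous-Sessions = 2
aaaReply: Session-Timeout = 3600
aaaReply: Idle-Timeout = 600
aaaReply: Filter-ID = staff-acl
"""

ITEM_RE = re.compile(r"^(aaaCheck|aaaReply):\s*([\w-]+)\s*(!=|=)\s*(.+?)\s*$")


def parse_profile(ldif_text):
    """Split a profile into check items [(attr, op, value)] and reply items {attr: value}."""
    checks, replies = [], {}
    for line in ldif_text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue                      # dn:, uid: and other plain LDAP attributes
        kind, attr, op, value = m.groups()
        if kind == "aaaCheck":
            checks.append((attr, op, value))
        else:
            replies[attr] = value
    return checks, replies


class SessionTable:
    """Active session records keyed by Acct-Session-Id: created on an
    Accounting-Request Start, cleared on Stop (assumed record layout)."""
    def __init__(self):
        self.active = {}

    def accounting(self, status, session_id, user):
        if status == "Start":
            self.active[session_id] = user
        elif status == "Stop":
            self.active.pop(session_id, None)
        else:
            raise ValueError("unexpected Acct-Status-Type: " + status)

    def count(self, user):
        return sum(1 for u in self.active.values() if u == user)


def evaluate(request, checks, replies, sessions):
    """Return (accepted, reason, reply_items) for one Access-Request dict.
    A check item whose attribute is absent from the request fails, so a NAS
    that omits NAS-ID cannot satisfy a NAS-ID restriction by silence."""
    for attr, op, value in checks:
        if attr == "Simultaneous-Sessions":
            if sessions.count(request["User-Name"]) >= int(value):
                return False, "Simultaneous-Sessions limit of %s reached" % value, {}
            continue
        actual = request.get(attr)
        if op == "=" and actual != value:
            return False, "%s must be %s" % (attr, value), {}
        if op == "!=" and actual == value:
            return False, "%s %s is denied" % (attr, value), {}
    return True, "accepted", dict(replies)


def demo():
    """One user: two sessions accepted, the third refused, one stop frees a slot,
    and a request from the denied calling station is rejected."""
    checks, replies = parse_profile(SAMPLE_PROFILE)
    sessions = SessionTable()
    req = {"User-Name": "jdoe", "NAS-ID": "nas-hq-1", "Calling-Station-ID": "5550100"}
    results = []
    reply = {}
    for sid in ("s1", "s2", "s3"):
        ok, reason, reply = evaluate(req, checks, replies, sessions)
        results.append((sid, ok, reason))
        if ok:
            sessions.accounting("Start", sid, "jdoe")   # NAS reports the session start
    sessions.accounting("Stop", "s1", "jdoe")           # first session ends
    ok, reason, reply = evaluate(req, checks, replies, sessions)
    results.append(("s4", ok, reason))
    denied = dict(req, **{"Calling-Station-ID": "5551212"})
    ok, reason, _ = evaluate(denied, checks, replies, sessions)
    results.append(("deny", ok, reason))
    return results, reply


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Because the limit is checked against records that only a Stop message clears, a session the access device dropped without sending a stop keeps counting against the user until it is cleared, which is exactly the situation the "Stopping a Session" procedure above exists for.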

Setting Limits for Users on a Global Basis

Setting Limits for All User Profiles Grouped by Realms

You can set limits for all users by modifying the DEFAULT profile in the default users file. The limits specified for the DEFAULT user profile are appended to all requests for all users that are grouped by realm.
1. Access the Server Manager (see “Accessing the Server Manager” (page 71)).
2. From the navigation tree, click Local Realms.
3. Click the icon to access the Users screen.
4. Assign values for session limits by following the same procedures for setting limits for individual users stored in the users file.


15 Assigning IP Addresses

The following information explains how the HP-UX AAA Server can be used to assign static or dynamic IP addresses to users.

IMPORTANT: Currently, only static IPv6 addresses and prefixes can be assigned using the HP-UX AAA Server. Dynamic assignment of IPv6 addresses is not supported.

Assigning Static IP Addresses

The procedure for assigning the static IP (IPv4 and IPv6) addresses depends on where the user profile is stored.

To Assign a Static IP (IPv4) Address to a Profile in Flat Files

To assign a static traditional IP (IPv4) address to a user profile stored in AAA server flat files, complete the following steps:
1. From the navigation tree, click Local Realms.
2. Choose the users icon for the realm the user is in.

The Users screen appears as shown in Figure 15-1.

Figure 15-1 The Users Screen

3. Click the Edit icon next to the user whose static IP address you want to modify. The Modify Users screen appears.

4. Click the Framed tab. The Framed User Attributes form is displayed on the screen as shown in Figure 15-2.


Figure 15-2 The Framed User Attributes Form

5. Enter the static IP for the user in the Framed IP Address field.
6. Click Modify.

To Assign a Static IPv6 Address to a Profile in Flat Files

To assign a static IPv6 address to a user profile stored in AAA server flat files, complete the following steps:
1. From the navigation tree, click Local Realms.
2. Choose the users icon for the realm the user is in.

The Users screen appears as shown in Figure 15-3.


Figure 15-3 The Users Screen

3. Click the Edit icon next to the user whose static IP address you want to modify. The Modify Users screen appears.

4. Click the Framed tab. The Framed User Attributes form is displayed on the screen as shown in Figure 15-4.


Figure 15-4 The Framed User Attributes Form

5. Enter the static IPv6 Interface Id for the user in the Framed Interface ID field.
6. Enter the static value for the prefix that needs to be assigned to the user in the Framed IPv6 Prefix field.

NOTE: See “Syntax of IPv6 Attributes” (page 528) for more information on IPv6 attributes.

7. Click Modify.

To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File

To assign static IP addresses (only IPv4 addresses) to a user profile stored in an LDAP LDIF file, complete the following steps:
1. From the command line, open the LDIF file the user profile is stored in.
2. Add the following line to the user profile:

aaaReply: Framed-IP-Address = <value>

3. Save the file.


To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File

To assign static IPv6 addresses to a user profile stored in an LDAP LDIF file, complete the following steps:
1. From the command line, open the LDIF file the user profile is stored in.
2. Add the following lines to the user profile:

aaaReply: Framed-IPv6-Prefix = <value>
aaaReply: Framed-Interface-Id = <value>

3. Save the file.

Assigning Dynamic IP Addresses Using DHCP

You can assign dynamic IP (traditional IPv4) addresses using DHCP.

NOTE: The following steps do not apply to session management using the SQL Access feature. See Chapter 22: “SQL Access” (page 338) for more information on session management using the SQL Access feature.

To assign dynamic IP addresses using DHCP, complete the following steps:
1. Define the DHCP address pools. See “Defining DHCP Address Pools for Specific Users” (page 390).
2. Configure the AAA Server’s DHCP Server Properties. See “DHCP Relay Properties” (page 133).
3. Configure the DHCP Server to synchronize with the AAA server’s DHCP properties. See “DHCP Relay Properties” (page 133).
4. Stop and start the AAA server. See “Accessing the Server Manager” (page 71).

NOTE: Be sure the following properties on the DHCP server do not conflict with the HP-UX AAA Server’s DHCP properties:
• The DHCP server’s DHCP Lease value must be greater than the Session-Clear values.
• The DHCP server must be configured to match the DHCP Send User Class setting configured on the AAA server.


16 OATH Standards-Based OTP Authentication

IMPORTANT: The SecurID authentication is obsolete in this release of the HP-UX AAA Server. The SecurID authentication can be replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop open-reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors.

This chapter introduces the Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. It also describes how to enable the HP-UX AAA Server to provide OTP, and OTP and password (two-factor) authentication in different deployment scenarios. The term OTP authentication is used throughout this document to refer to the functionality that enables OTP authentication. The term two-factor authentication is used for password and OTP authentication.

This chapter addresses the following topics:
• “OTP and OATH Overview”
• “HP-UX AAA Server and OATH Support” (page 180)
• “Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2” (page 182)
• “Components Required to Configure OTP Authentication” (page 182)
• “Configuring OTP Authentication on the HP-UX AAA Server” (page 183)
  — “OTP Authentication Configuration Flowchart” (page 183)
  — “Basic or Typical Configuration” (page 186)
  — “Advanced Configuration” (page 187)
    ◦ “Advanced OTP Authentication Configuration Concepts” (page 187)
    ◦ “Advanced Deployment Scenarios” (page 199)
  — “Predefined Mapping and Conversion Functions” (page 217)
  — “Sample Configuration Files” (page 217)

OTP and OATH Overview

Like a password, OTP can be used to authenticate the user to obtain access to a network. OTP can be used alone or along with a password for authentication. Typically, OTP is used for two-factor authentication. For example, in large organizations, VPN access often requires the use of user-name, password, and OTP for remote user two-factor authentication. Added security is provided when an OTP is used for authentication, because a user must enter a different OTP each time to authenticate to a validation server.


OATH is an industry-wide collaboration to develop open-reference architecture for strong authentication. The OATH consortium has developed a set of open royalty-free algorithms for one-time passwords. The OATH standards-based OTP authentication solution uses the HMAC-based One-Time Password (HOTP) algorithm to generate an OTP using a shared secret and sequence counter. The HOTP algorithm is a sequence-based algorithm. Any OATH-compliant client device can interoperate with an HOTP algorithm-enabled OTP validation server. For more information on OATH and the HOTP algorithm, see the following web addresses:
• http://www.openauthentication.org/
• ftp://ftp.rfc-editor.org/in-notes/rfc4226.txt

HP-UX AAA Server and OATH Support

The HP-UX AAA Server supports the OATH standards sequence-based OTP authentication, which enables the HP-UX AAA Server to interoperate with other OATH compliant clients. Normally, the authentication process used by the HP-UX AAA Server is confined to validating the user password against the password stored in the database. However, with OTP support, the HP-UX AAA Server can now perform the following additional functions:
• Validate the OTP
• Proxy the OTP or password to an external RADIUS server for OTP or password validation

The OATH standards-based OTP authentication feature enables the HP-UX AAA Server to offer the following benefits:
• Secures the applications by providing an additional factor (OTP)
• Provides a low-cost solution for implementing OATH standards-based authentication
• Provides compatibility with different types of client devices
• Offers flexibility to configure OATH standards-based OTP authentication for various deployment scenarios

Figure 16-1 illustrates the role of the HP-UX AAA Server and its components in handling OTP, or OTP and password authentication requests.


Figure 16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server.

Following is the OTP authentication process flow:
1. The user requests access to a protected resource by sending the user credentials (password or OTP, or password and OTP), which are encrypted with the shared secret, to the authenticator. The OTP can contain either six, seven, or eight digits.
2. The authenticator forwards the request to the HP-UX AAA Server.
3. The HP-UX AAA Server validates the OTP and password locally.

NOTE:
a. If RADIUS standard Password Authentication Protocol (PAP) is used, the HP-UX AAA Server can split the user password into password and OTP and perform one of the following actions:
• Validate the OTP, or password, or password and OTP.
• Proxy the OTP or password to an external RADIUS server for validation.
Splitting of the user password into password and OTP is not supported for the MS-CHAP v2 authentication protocol because the user password is a hash. Therefore, partial validation of either OTP or password locally and the remaining part at an external RADIUS server is not possible. The complete validation must be performed at the local HP-UX AAA Server or at an external RADIUS server.
b. The HP-UX AAA Server can be configured to generate OTPs that can be delivered to customers through the secondary channel using SMS, e-mail, FTP, and so on. Contact your HP Support representative for assistance while configuring the HP-UX AAA Server to use the secondary channel for OTP delivery.

If the validation is performed locally, the HP-UX AAA Server updates the database with the incremented sequence counter after successful OTP authentication. If the validation is performed by an external RADIUS server, the external RADIUS server updates the database with the incremented sequence counter after successful OTP authentication.


4. Based on the success or failure of authentication, the HP-UX AAA Server sends an Access-Accept or Access-Reject message to the user.

Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2

OTP support for MS-CHAP v2 is compatible with RFC 4226. Table 16-1 describes the supported functions for PAP and MS-CHAP v2.

Table 16-1 Supported OTP Functions for PAP and MS-CHAP v2

Functions | RADIUS Standard Password (PAP) | MS-CHAP v2
Validate OTP | Yes | Yes
Validate Password | Yes | Yes
Store OTP | Yes | Yes
Validate OTP and Password | Yes | Yes
Proxy the OTP and password to another RADIUS server for OTP and password validation | Yes | Yes
Splitting the OTP and password, and proxying the OTP or password to another RADIUS server for OTP or password validation | Yes | No

For information on supported action ids, see Table 16-3 (page 190).

Components Required to Configure OTP Authentication

The following components, which are required to configure OTP authentication, are provided with the HP-UX AAA Server:
• Modified Finite State Machine (FSM)
• Database schema files
• The following sample configuration files:
  — sqlaccess.config
  — Policy configuration files:
    ◦ oath-proxy-egress.grp
    ◦ oath-request-ingress.grp
    ◦ oath-reply-egress.grp
  — User Database Administration Manager (This web-based interface enables you to administer user profiles and token information in the SQL database effectively.) For more information, see “Administering Users and Tokens Stored in an SQL Database” (page 374).


The following components required to configure OTP authentication are not provided with the HP-UX AAA Server:
• SQL database
• OTP generators (typically, token devices or software that generates OTP) with their inventory files (files that contain the shared secret and other token information)

Configuring OTP Authentication on the HP-UX AAA Server

The HP-UX AAA Server uses SQL Access, the FSM, and policy actions to support OTP authentication. This feature offers the flexibility to customize OTP authentication depending on the deployment scenarios. Sample policy files are provided to simplify the process of configuring the HP-UX AAA Server to provide password and OTP authentication.

If you are not using the basic or typical configuration (“Basic or Typical Configuration”), append the contents of the sample OTP reference implementation files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
# cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp

In addition, you must complete the necessary configuration to use SQL Access. For more information, see Chapter 22 (page 338).

NOTE: The oath-proxy-egress.grp file is required only if you are proxying the OTP or password to another RADIUS server.

OTP Authentication Configuration Flowchart

The OTP authentication configuration flowchart (Figure 16-2) included in this section documents some common deployment scenarios. Read the scenarios discussed in the flowchart against your deployment requirements and click the relevant links for more information about the procedure to be followed. To customize your deployment further, additional configuration attributes and items are provided that can be configured on a per-user, per-realm, or on a system-wide level. For more information on these attributes, see “Attributes for Configuring OTP Authentication” (page 192). For information on actions and customizing actions, see “Advanced OTP Authentication Configuration Concepts” (page 187).


Notes:
1. The HP-UX AAA Server supports only the token information that is stored in the SQL database.
2. The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
• PEAP (EAP-GTC)
• TTLS (PAP and MS-CHAP v2)

IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.
• If the shared secret provided by the token vendor is in ASCII format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action:

DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

to

DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

and reload the configuration changes. If you are using the RetrieveToken SQL action, then the following entry must be modified as follows:

DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

to

DBC(shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

and reload the configuration changes.


Figure 16-2 OTP Authentication Configuration Flowchart for RADIUS Standard Password


Figure 16-3 OTP Authentication Configuration Flowchart for MS-CHAP v2

Basic or Typical Configuration

A basic or typical scenario involves configuring the HP-UX AAA Server to provide two-factor authentication when user and token information is stored in different tables in the same SQL database. For more information on configuring two-factor authentication in this scenario, follow the instructions in the README file at:
• /opt/aaa/example/sqlaccess/oracle-1/README - if you are using an Oracle database
• /opt/aaa/example/sqlaccess/mysql-1/README - if you are using a MySQL database


Advanced Configuration

Advanced configuration typically requires some extra customization of the feature to suit your needs. This section also discusses various deployment scenarios. For more information, see “Advanced Deployment Scenarios” (page 199). Use the following information to understand how to configure the HP-UX AAA Server and the attributes you can use to customize actions on varying levels.
• “Advanced OTP Authentication Configuration Concepts” (page 187)
  — “Attributes for Configuring OTP Authentication” (page 192)
    ◦ “System-Wide OTP Configuration Items” (page 195)
    ◦ “Realm Level OTP Attributes” (page 196)
    ◦ “User Level OTP Attributes” (page 198)

Advanced OTP Authentication Configuration Concepts

The HP-UX AAA Server processes all OTP authentication requests depending on the bit mask set in the OTP-ActionId attribute in the request-ingress.grp file. You can configure the HP-UX AAA Server to perform various OTP authentication tasks by setting the bit masks in the OTP-ActionId attribute and by configuring other configuration files. For more information on the OTP-ActionId attribute, see “Attributes for Configuring OTP Authentication” (page 192). Table 16-2 lists the bit masks that can be used to configure the HP-UX AAA Server to perform various tasks.

Table 16-2 Bit Masks to Configure OTP Authentication Tasks

Bit Mask | Task | Action | Support for RADIUS Standard Password | Support for MS-CHAP v2
7 | Splits the incoming password into password and OTP. | On receiving the incoming request, the HP-UX AAA Server splits the request into password and OTP based on the number of digits specified in the OTP token length, as follows: if the number of digits specified in the OTP token length is 7, the last 7 characters are identified as the OTP. | Yes | No
6 | Validates the password. | The HP-UX AAA Server validates the password from the User-Password attribute. | Yes | Yes
5 | Validates the OTP. | The HP-UX AAA Server validates the incoming OTP. | Yes | Yes
4 | Stores the generated OTP in the Generated-OTP attribute. | The HP-UX AAA Server generates and stores the OTP in the Generated-OTP attribute. | Yes | Yes
3 | Removes the password. | The HP-UX AAA Server removes the password from the incoming password and replaces the User-Password attribute with the OTP. This bit mask must be used if the User-Password attribute contains the password and OTP. | Yes | No
2 | Removes the OTP. | The HP-UX AAA Server removes the OTP from the incoming password and replaces the User-Password attribute with the password. This bit mask must be used if the User-Password attribute contains the password and OTP. | Yes | No
1 | Sets the proxy event code. | The HP-UX AAA Server returns a proxy event to the FSM. Proxy files can be configured to proxy the request to the proxy target server. | Yes | No

NOTE: The HP-UX AAA Server executes the actions listed in Table 16-2 in the predefined descending order of bit masks (from bit mask 7 to bit mask 1).

You can use the bit masks listed in Table 16-2 in various combinations to configure OTP authentication, two-factor authentication, and other operations depending on your deployment scenario. For example, to validate the password and the OTP (two-factor authentication) using RADIUS standard password, the HP-UX AAA Server must perform the following actions:
• Split the password and the OTP (bit mask 7)
• Validate the password (bit mask 6)
• Validate the OTP (bit mask 5)
Figure 16-4 illustrates how you can set the bit mask to validate both password and OTP (two-factor authentication).


Figure 16-4 Usage of Bit Masks to set OTP Authentication Actions

The OTP-ActionId attribute is set to 112 by converting the binary value 01110000 into decimal. Table 16-3 lists some common actions along with the bit masks that must be used for configuration.

Table 16-3 Common OTP Authentication Actions

Action | RADIUS Standard Password OTP-ActionId Value | MS-CHAP v2 OTP-ActionId Value | Bit Mask Set
Validates the password and OTP (two-factor authentication) if the incoming request contains password and OTP. | 112 | 48 | 01110000 (for OTP-ActionId value 112); 00011000 (for OTP-ActionId value 48)
Validates only the password and stores the generated OTP in the Otp-In-Attribute attribute if the incoming request contains password and OTP. | 104 | Not applicable | 01101000
Validates only the password, replaces User-Password with the incoming OTP and sets the proxy event to proxy the request to the configured proxy target server in the proxy-egress.grp policy file, for OTP validation, if the incoming request contains password and OTP. | 101 | Not applicable | 01100101
Validates only the OTP, replaces User-Password with the incoming password and sets the proxy event to proxy the request to the configured proxy target server in the proxy-egress.grp policy file, for password validation, if the incoming request contains password and OTP. | 83 | Not applicable | 01010011
Validates only the OTP if the OTP is sent with the password. | 80 | Not applicable | 01010000
Forwards only the OTP to the configured proxy target server in the proxy-egress.grp policy file if the incoming request contains password and OTP. | 69 | Not applicable | 01000101
Removes the password and stores only the OTP in the User-Password attribute. | 68 | Not applicable | 01000100
Forwards only the password to the configured proxy target server in the proxy-egress.grp policy file if the incoming request contains password and OTP. | 67 | Not applicable | 01000011
Removes the OTP and stores only the password in the User-Password A-V pair. | 66 | Not applicable | 01000010
Validates only the password and stores the generated OTP in the Otp-In-Attribute attribute if the incoming request contains only the password. | 40 | 40 | 00101000
Validates only the password when the incoming request contains only the password. This action is equivalent to the configuration for password authentication. HP recommends using the default configuration for better performance. | 32 | 32 | 00100000
Validates the OTP if the incoming request contains only the OTP. | 16 | 16 | 00010000
Stores the generated OTP in the Otp-In-Attribute attribute. | 8 | 8 | 00001000
Returns the proxy event to proxy the request to the configured proxy target server in the proxy-egress.grp policy file. This is equivalent to the default proxy configuration. HP recommends using the default configuration for better performance. | 1 | Not applicable | 00000001
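The bit-mask scheme of Table 16-2 and the OTP-ActionId values of Table 16-3, worked as an added Python example; this is not code from the HP-UX AAA Server. The task names and the MS-CHAP v2 support flags are transcribed from Table 16-2, and the password split assumes the OTP is the trailing Otp-Token-Length characters of User-Password, as the bit mask 7 row states.

```python
# Added example, not HP-UX AAA Server code: a model of the OTP-ActionId bit masks
# in Table 16-2 and of the password/OTP split that bit mask 7 performs.
from typing import Dict, List, Tuple

# Bit mask n in the table is bit n-1 of the integer OTP-ActionId value.
ACTION_TASKS: Dict[int, str] = {
    7: "split the incoming password into password and OTP",
    6: "validate the password",
    5: "validate the OTP",
    4: "store the generated OTP in the Generated-OTP attribute",
    3: "remove the password (User-Password keeps the OTP)",
    2: "remove the OTP (User-Password keeps the password)",
    1: "set the proxy event code",
}
# Bit masks Table 16-2 marks as unsupported for MS-CHAP v2 (the password is a hash).
UNSUPPORTED_FOR_MSCHAPV2 = {7, 3, 2, 1}


def action_id_from_masks(masks) -> int:
    """Compose an OTP-ActionId value, e.g. {7, 6, 5} -> 0b01110000 == 112."""
    bad = [m for m in masks if m not in ACTION_TASKS]
    if bad:
        raise ValueError(f"unknown bit masks: {bad}")
    return sum(1 << (m - 1) for m in set(masks))


def masks_from_action_id(action_id: int) -> List[int]:
    """Return the set bit masks in the descending order the server executes them."""
    if not 0 <= action_id < 128:
        raise ValueError("OTP-ActionId only uses bit masks 1 to 7")
    return [m for m in range(7, 0, -1) if action_id & (1 << (m - 1))]


def supported_for(action_id: int, protocol: str) -> bool:
    """True if every bit mask set in action_id is supported for the protocol."""
    masks = set(masks_from_action_id(action_id))
    if protocol == "PAP":
        return True
    if protocol == "MS-CHAPv2":
        return not (masks & UNSUPPORTED_FOR_MSCHAPV2)
    raise ValueError(f"unknown protocol: {protocol}")


def describe(action_id: int) -> List[str]:
    """List the tasks an OTP-ActionId value performs, in execution order."""
    return [ACTION_TASKS[m] for m in masks_from_action_id(action_id)]


def split_password(user_password: str, token_length: int) -> Tuple[str, str]:
    """Bit mask 7: the last token_length characters of User-Password are the OTP."""
    if token_length not in (6, 7, 8):
        raise ValueError("Otp-Token-Length must be 6, 7 or 8")
    if len(user_password) <= token_length:
        raise ValueError("User-Password must hold a password followed by the OTP")
    return user_password[:-token_length], user_password[-token_length:]
```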

Attributes for Configuring OTP Authentication

Table 16-4 lists attributes that provide additional options for customizing your configuration. These attributes can be configured on a user, realm, or system-wide level.

Table 16-4 Attributes for Configuring OTP Authentication

Attribute Name | Configuration Type | Description
Otp-Lookup-Window | User, realm, or system-wide level | Specifies the size of the look-ahead window. This enables the HP-UX AAA Server to recalculate the next OTP values and check them against the received OTP to synchronize the sequence counter. If this attribute is not specified, the value of the system-wide configuration entry otp_lookup_window is used as the default value. Default Value 10. Value Type integer.
HOtp-Seq-Counter | User level configuration only | Specifies an eight-byte counter value. The HMAC algorithm requires this counter value to generate an OTP. This counter value must be synchronized between the OTP generator and the HP-UX AAA Server. This attribute is mandatory for each user. Value Type unsigned char.
Otp-Shared-Secret | User level configuration only | Specifies the unique shared secret between the OTP generator and the HP-UX AAA Server that generates the OTP. The HMAC algorithm requires this value to generate an OTP. The length of the shared secret must be at least 128 bits (RFC 4226 recommends 160 bits). This attribute is mandatory for each user. Value Type binary string.
Otp-Token-Serial-Number | User level configuration only | A unique serial number for OTP generators (token devices or software that generates OTP).
Otp-Token-Lock-Counter | User, realm, or system-wide level configuration | Specifies the lock counter. If the number of consecutive failed authentication attempts is greater than the configured Otp-Token-Lock-Counter value, where the time interval between two consecutive failed authentication attempts is less than 60 seconds, the HP-UX AAA Server updates the token status to LOCKED. If this attribute is not specified, the value of the system-wide configuration item otp_token_lock_counter is used as the default value. Default Value 6.
Otp-Token-Length | User, realm, or system-wide level configuration | Specifies the OTP length. Tokens can generate OTPs having six, seven, or eight digits. If this attribute is not specified, the value of the system-wide configuration item otp_token_length is used as the default value. Default Value 6. Value Type integer.
Otp-ActionId | Realm level configuration only | Specifies the OTP actions to be processed. Value Type integer.
Otp-Add-Checksum | User, realm, or system-wide level configuration | Specifies the action to add the checksum while validating the OTP. If this attribute value is yes, the HP-UX AAA Server calculates the checksum for the generated OTP. While validating the OTP, if the calculated checksum is identical, the HP-UX AAA Server continues with the OTP validation. If the calculated checksum is not identical, the HP-UX AAA Server attempts to resynchronize. Default Value no.
Otp-Retrieve-TokenInfo-ActionId | Realm level configuration only | Specifies the SQL action for retrieving the token information from the database.
Reply-Egress-ActionId | Realm level configuration only | Sets the SQL action to be processed after applying the reply-egress policy (for example, updating the success or failed authentication counter).

NOTE: The attributes listed in Table 16-4 are defined in the dictionary file.

The HP-UX AAA Server uses the following precedence rules while executing OTP authentication requests:
• Attributes configured at the user level are given highest precedence
• Attributes configured at the realm level are given second highest precedence
• If the attributes are not configured on a user or realm level, the system-wide attributes are given precedence

System-Wide OTP Configuration Items

To configure OTP attributes on a system-wide level, add the system-wide configurable items listed in Table 16-5 to the /etc/opt/aaa/aaa.config file using the following syntax:

otp_lookup_window <10>
otp_token_length <6>
otp_token_lock_counter <6>
otp_add_checksum <no>


Table 16-5 System-Wide OTP Configuration Items

Configuration Item | Description
otp_lookup_window | Specifies the size of the look-ahead window. This enables the HP-UX AAA Server to recalculate the next OTP values and check them against the received OTP to synchronize the sequence counter. Default Value 10.
otp_token_length | Specifies the OTP length. Tokens can generate OTPs having six, seven, or eight digits. Default Value 6.
otp_token_lock_counter | Specifies the lock counter. If the number of consecutive failed authentication attempts is greater than the configured value, where the time interval between two consecutive failed authentication attempts is less than 60 seconds, the HP-UX AAA Server updates the token status to LOCKED. Default Value 6.
otp_add_checksum | Specifies the action to add the checksum while validating the OTP. If this attribute value is yes, the HP-UX AAA Server calculates the checksum for the generated OTP. While validating the OTP, if the calculated checksum is identical, the HP-UX AAA Server continues with the OTP validation. If the calculated checksum is not identical, the HP-UX AAA Server attempts to resynchronize. Default Value no.

Realm Level OTP Attributes

To configure OTP attributes on a realm level, you must modify the sample entry in the request-ingress.grp file using the following syntax:

if ((count (User-Name) > 0) && (substr (User-Name after "@" ) = "<realm>")) {
    # Add Otp-ActionId attribute, if it is not present in the user request.
    #
    if (count (Otp-ActionId) = 0) {
        insert Otp-ActionId = <OTP-ActionId>
        insert Otp-Retrieve-TokenInfo-ActionId = "<SQL action>"
    }
    exit "ACK"
}

In this example, the OTP-ActionId and Otp-Retrieve-TokenInfo-ActionId attributes are configured on a realm basis. Other realm-level OTP attributes can be added depending on your configuration.


Configuring OTP Authentication for Tunneled EAP Mechanisms

If you have created EAP tunneled realms using the Server Manager for PEAP (EAP-GTC) or TTLS (PAP or MS-CHAP v2), refer to the following rules for specifying the realms when configuring OTP authentication:

If you have configured the same inner and outer realms

• If you are using PEAP (EAP-GTC) as the authentication mechanism, replace the variable <realm> with the configured inner realm name, using the following syntax in the request-ingress.grp and reply-egress.grp files:

if ( (count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))

If you are proxying the OTP to an external RADIUS server for validation, you must modify the reply-egress.grp file as follows, and replace the variable <proxyrealm> with the configured inner realm:

if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) || ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>/peap") ) )

• If you are using TTLS (PAP or MS-CHAP v2) as the authentication mechanism, replace the variable <realm> with the configured inner realm name, using the following syntax in the request-ingress.grp and reply-egress.grp files:

if ( (count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))

If you are proxying the OTP to an external RADIUS server for validation, you must modify the reply-egress.grp file as follows, and replace the variable <proxyrealm> with the configured inner realm name:

if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) || ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>/ttls") ) )

NOTE: When a response from the proxy is returned, the HP-UX AAA Server implements the reply-egress policy, and does not increment the sequence counter and the success or failed authentication counters (since they are incremented by the external RADIUS server).

If you have configured different inner and outer realms

If you have configured different inner and outer realms, you must specify the inner realm name when configuring OTP authentication. For example, if you have configured an inner realm called otprealm that uses TTLS (PAP or MS-CHAP v2) as the authentication mechanism, specify the realm name in the request-ingress.grp file as follows:

if ( (count (User-Name) > 0) && (substr (User-Name after "@" ) = "otprealm" ) )

Specify the realm name in the reply-egress.grp file as follows:

if ( (count (User-Realm) > 0) && (User-Realm = "otprealm"))

NOTE: Creating different inner and outer realms for OTP authentication is supported only for TTLS (PAP and MS-CHAP v2). For information on creating tunneled EAP realms, see “Adding a Realm” (page 105).

If you are proxying the OTP to a remote server for validation, you must modify the reply-egress.grp file as follows:

if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) || ( (count (User-Realm) > 0) && (User-Realm = "otprealm" ) ) )

NOTE: When a response from the proxy is returned, the HP-UX AAA Server implements the reply-egress policy, and does not increment the sequence counter and the success or failed authentication counters (since they are incremented by the external RADIUS server).

User Level OTP Attributes

To configure OTP attributes on a user level, you must modify the RetrieveToken SQLAction in the sqlaccess.config file. You can choose to include the user-specific OTP attributes, listed in Table 16-4 (page 192), using the following syntax:


SQLAction RetrieveToken
{
    {
        input  RAD(User-Id, REPLY) DBP(userid, 253, CHAR)

        output DBR(100:*) RET(RETRIEVE_ERROR)
               DBR(-1:*) RET(ERROR)
               DBC(serial_number, 128, CHAR) RAD(Otp-Token-Serial-Number, REPLY)
               DBC(token_status, 128, CHAR) FUNC(AAATokenStatusCheck)
               DBC(seq_counter, 38, CHAR) RAD(HOtp-Seq-Counter, REPLY)
               DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)
               DBR(0:0) RET(RETRIEVE_SUCCESS)
               DBR(*:*) RET(RETRIEVE_ERROR)

        SQLStatement db_oci
        {
            SELECT serial_number, token_status, seq_counter, shared_secret
            FROM RAD_TOKENS_TABLE WHERE user_name=:userid
        }
    }
}

In this example, the Otp-Token-Length attribute has been added in the last row. If you are using the RetrieveUserAndToken SQL action, similar changes will be required there to configure OTP attributes at a user level.

NOTE: The corresponding values for the attributes configured in the sqlaccess.config file must be stored in the user profile and in RAD_TOKENS_TABLE in the database.
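The following is an added example, not code from the guide or from the HP-UX AAA Server, showing what happens with the columns RetrieveToken returns: token_status is checked, the hex shared_secret is converted to bytes, the OTP is verified against the HOTP sequence counter (RFC 4226), and the row is then updated the way the stored procedures update_seq_and_success_count and update_failedcount_tokenstatus would. The look-ahead window, the status strings, the failure limit and the sample token row are this example's own assumptions; the secret is the RFC 4226 test secret, hex-encoded as the database stores it.

```python
"""HOTP validation over the RetrieveToken columns (added example, not from the guide)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

LOOK_AHEAD = 5            # assumption: resynchronisation window past seq_counter
MAX_FAILURES = 3          # assumption: consecutive failures before the token is disabled
STATUS_ACTIVE = "ACTIVE"      # constructed status values; the guide does not list them
STATUS_DISABLED = "DISABLED"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


@dataclass
class TokenRow:
    """One RAD_TOKENS_TABLE row as RetrieveToken returns it, plus the two counters
    the stored procedures maintain."""
    serial_number: str
    token_status: str
    seq_counter: int
    shared_secret: str      # hex string, as stored in the database
    token_length: int = 6   # Otp-Token-Length (user-level attribute)
    success_count: int = 0
    failed_count: int = 0


def validate_otp(row: TokenRow, otp: str) -> bool:
    """Validate one HOTP value against the row and update the row in place.

    Success: seq_counter moves past the matched counter (so the same OTP is
    rejected if replayed), success_count increments, failed_count resets.
    Failure: failed_count increments; at MAX_FAILURES the token is disabled.
    """
    if row.token_status != STATUS_ACTIVE:          # AAATokenStatusCheck
        return False
    secret = bytes.fromhex(row.shared_secret)      # AAASetConvertedHexToBinaryString
    for counter in range(row.seq_counter, row.seq_counter + LOOK_AHEAD + 1):
        expected = hotp(secret, counter, row.token_length)
        if hmac.compare_digest(expected, otp):     # constant-time comparison
            # update_seq_and_success_count
            row.seq_counter = counter + 1
            row.success_count += 1
            row.failed_count = 0
            return True
    # update_failedcount_tokenstatus
    row.failed_count += 1
    if row.failed_count >= MAX_FAILURES:
        row.token_status = STATUS_DISABLED
    return False


# Constructed row using the RFC 4226 test secret "12345678901234567890", hex-encoded.
RFC4226_SECRET_HEX = "3132333435363738393031323334353637383930"


def sample_row() -> TokenRow:
    return TokenRow("TOKEN-0001", STATUS_ACTIVE, 0, RFC4226_SECRET_HEX)


if __name__ == "__main__":
    row = sample_row()
    print(validate_otp(row, "755224"), row.seq_counter)   # True 1 (RFC 4226 counter 0)
    print(validate_otp(row, "755224"), row.failed_count)  # False 1 (replay rejected)
```

The two behaviours worth noticing are that a successful match advances seq_counter past the matched value, so an OTP captured from the wire cannot be replayed, and that a run of failures disables the token through token_status, which is exactly the column AAATokenStatusCheck inspects before any HMAC is computed.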

Advanced Deployment Scenarios

This section documents the procedures for configuring OTP and two-factor authentication in the following deployment scenarios:
• “Validating OTP Alone” (page 200)
• “Configuring Two-Factor Authentication” (page 202)
  — “If User and Token Information is in Different SQL Database Tables” (page 202)
  — “If User and Token Information is in the Same SQL Database Table” (page 204)
  — “If User and Token Information is in Different Databases” (page 207)
• “OTP or Password Validation at External RADIUS Server” (page 210)
  — “Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server” (page 210)
  — “Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server” (page 214)
  — “Forwarding OTP and Password to Another RADIUS Server for Validation” (page 217)

Notes:
• The scenarios described in this section are applicable whether you are using RADIUS standard password authentication or EAP authentication.
• The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
  — PEAP (EAP-GTC)
  — TTLS (PAP and MS-CHAP v2)
• Creating different inner and outer realms for OTP authentication is supported only for TTLS (PAP and MS-CHAP v2). For information on creating tunneled EAP realms, see “Adding a Realm” (page 105).

Validating OTP Alone

To configure the HP-UX AAA Server to validate OTP alone, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 111). In the User Storage Parameters field, ensure that the RetrieveToken SQL action is selected and the configuration is saved. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. If not appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

3. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:

   • If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication: replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 16
         exit "ACK"
     }

   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 16
         exit "ACK"
     }

   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

     1. Delete the following (default) condition in the request-ingress.grp file:

        if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
        {
            insert Otp-ActionId = 112
            exit "ACK"
        }

     2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

        — If you have configured the realm for PEAP (EAP-GTC), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
          {
              insert Otp-ActionId = 16
              exit "ACK"
          }

        — If you have configured the realm for TTLS (PAP) or TTLS (MS-CHAP v2), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 16
              exit "ACK"
          }

4. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 as follows:

   if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules while replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication: replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1, using one of the following forms:
     — PEAP (EAP-GTC): <realm>/peap
     — TTLS (PAP) or TTLS (MS-CHAP v2): <realm>/ttls

5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.

The HP-UX AAA Server is now configured to validate OTP alone.
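To make the realm-matching conditions in the procedure above and in the proxied-TTLS reply-egress condition earlier in this chapter concrete, here is an added example in Python, not code from the guide or from the HP-UX AAA Server. It models the two request-ingress rule forms (User-Name realm suffix and User-Realm with a /peap or /ttls suffix) with first-match "exit ACK" semantics, plus the reply-egress condition with Interlink-Proxy-Action. The sample identities are constructed, and the reading that the outer (tunnel) request of a TTLS realm carries the bare realm name in User-Realm while the inner request carries "<realm>/ttls" is this example's assumption, offered as one explanation of why the default User-Name condition is deleted when inner and outer realms are the same.

```python
"""Model of the OATH policy conditions (added example; not code from the guide).

Request-ingress rule forms from the procedure:
  if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
  if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))   (or "/ttls")
each followed by { insert Otp-ActionId = N  exit "ACK" }.
Reply-egress condition for a proxied TTLS inner realm:
  if ((count(Interlink-Proxy-Action) > 0) && ((... = "ACCT") || (... = "LAS_ACCT")))
     || ((count (User-Realm) > 0) && (User-Realm = "<proxyrealm>/ttls"))
Requests and replies are modelled as dicts of attribute name -> value.
"""


def realm_suffix(user_name: str) -> str:
    """substr(User-Name after "@"): text after the first "@", or "" if there is none."""
    _, sep, realm = user_name.partition("@")
    return realm if sep else ""


def user_name_rule(realm: str, action_id: int):
    """The default condition shipped in oath-request-ingress.grp."""
    def cond(req):
        return "User-Name" in req and realm_suffix(req["User-Name"]) == realm
    return (f'substr(User-Name after "@") = "{realm}"', cond, action_id)


def user_realm_rule(realm: str, method: str, action_id: int):
    """The condition that replaces the default one when inner and outer realms
    are the same; method is "peap" or "ttls"."""
    target = f"{realm}/{method}"
    def cond(req):
        return "User-Realm" in req and req["User-Realm"] == target
    return (f'User-Realm = "{target}"', cond, action_id)


def apply_ingress(rules, request):
    """Evaluate rules in file order. The first match inserts Otp-ActionId and
    exits with "ACK"; returns the matching rule text, or None if nothing fired."""
    for text, cond, action_id in rules:
        if cond(request):
            request["Otp-ActionId"] = action_id
            return text
    return None


def otp_reply_egress_applies(reply, proxyrealm: str) -> bool:
    """The reply-egress.grp condition for a TTLS inner realm whose OTP is proxied."""
    action = reply.get("Interlink-Proxy-Action")
    proxied = action in ("ACCT", "LAS_ACCT") if action is not None else False
    tunneled = reply.get("User-Realm") == f"{proxyrealm}/ttls"
    return proxied or tunneled


def compare_rule_sets(realm: str = "otprealm"):
    """Return {rule text: [requests that received Otp-ActionId]} for the default
    rule and its replacement, over a constructed outer and inner TTLS request
    (assumption: the outer request carries the bare realm in User-Realm)."""
    outer = {"User-Name": f"anonymous@{realm}", "User-Realm": realm}
    inner = {"User-Name": f"alice@{realm}", "User-Realm": f"{realm}/ttls"}
    result = {}
    for rule in (user_name_rule(realm, 16), user_realm_rule(realm, "ttls", 16)):
        hits = []
        for name, req in (("outer", dict(outer)), ("inner", dict(inner))):
            if apply_ingress([rule], req) is not None:
                hits.append(name)
        result[rule[0]] = hits
    return result


if __name__ == "__main__":
    for text, hits in compare_rule_sets().items():
        print(f"{text}: fires for {hits}")
```

Under that assumption the default User-Name condition fires for both the outer and the inner request when the realms share a name, whereas the User-Realm condition fires only for the inner request, which is where the OTP is actually present; with different inner and outer realms the outer identity's suffix never equals the inner realm, so the default condition already selects only the inner request.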

Configuring Two-Factor Authentication

This section describes how to configure two-factor authentication in the following deployment scenarios:
• “If User and Token Information is in Different SQL Database Tables” (page 202)
• “If User and Token Information is in the Same SQL Database Table” (page 204)
• “If User and Token Information is in Different Databases” (page 207)

If User and Token Information is in Different SQL Database Tables

This is the default configuration.

To configure two-factor authentication if user and token information is in different tables in the same SQL database, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 111). In the User Storage Parameters field, ensure that the RetrieveUserAndToken SQL action is selected and the configuration is saved. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. If not appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

3. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:

   • If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication:

     For RADIUS standard password, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 112
         exit "ACK"
     }

     For MS-CHAP v2, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 48
         exit "ACK"
     }

   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 112
         exit "ACK"
     }

   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

     1. Delete the following (default) condition in the request-ingress.grp file:

        if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
        {
            insert Otp-ActionId = 112
            exit "ACK"
        }

     2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

        — If you have configured the realm for PEAP (EAP-GTC), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
          {
              insert Otp-ActionId = 112
              exit "ACK"
          }

        — If you have configured the realm for TTLS (PAP), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 112
              exit "ACK"
          }

        — If you have configured the realm for TTLS (MS-CHAP v2), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 48
              exit "ACK"
          }


4. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 as follows:

   if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules while replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication: replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1, using one of the following forms:
     — PEAP (EAP-GTC): <realm>/peap
     — TTLS (PAP) or TTLS (MS-CHAP v2): <realm>/ttls

5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.

The HP-UX AAA Server is now configured for two-factor authentication.

If User and Token Information is in the Same SQL Database Table

The default configuration enables you to store user and token information in different database tables. To store user and token information in a single table, you must merge the two tables (RAD_USERS_TABLE and RAD_TOKENS_TABLE) into a single table.

To configure two-factor authentication if user profile and token information is stored in the same table in the SQL database, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 111). In the User Storage Parameters field, ensure that the RetrieveUserAndToken SQL action is selected and the configuration is saved. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. Modify the RetrieveUserAndToken SQL action in the /etc/opt/aaa/sqlaccess.config file to retrieve user and token information from the combined table.


3. Modify the following stored procedures in the SQL database for the combined table:
   • update_seq_and_success_count
   • update_failedcount_tokenstatus

4. If not appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

5. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:

   • If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication:

     For RADIUS standard password, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 112
         exit "ACK"
     }

     For MS-CHAP v2, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 48
         exit "ACK"
     }

   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 112
         exit "ACK"
     }

   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

     1. Delete the following (default) condition in the request-ingress.grp file:

        if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
        {
            insert Otp-ActionId = 112
            exit "ACK"
        }

     2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

        — If you have configured the realm for PEAP (EAP-GTC), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
          {
              insert Otp-ActionId = 112
              exit "ACK"
          }

        — If you have configured the realm for TTLS (PAP), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 112
              exit "ACK"
          }

        — If you have configured the realm for TTLS (MS-CHAP v2), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 48
              exit "ACK"
          }

6. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 as follows:

   if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules while replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication: replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1, using one of the following forms:
     — PEAP (EAP-GTC): <realm>/peap
     — TTLS (PAP) or TTLS (MS-CHAP v2): <realm>/ttls

7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.

The HP-UX AAA Server is now configured for two-factor authentication.

If User and Token Information is in Different Databases

To configure two-factor authentication if user profile and token information is stored in different databases, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. Based on the user profile, configure the realm for the local users file, LDAP, Oracle or MySQL database using SQL Access and save the configuration. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. If not appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

3. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:

   • If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication:

     For RADIUS standard password, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 112
         insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
         exit "ACK"
     }

     For MS-CHAP v2, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 48
         insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
         exit "ACK"
     }

   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 112
         insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
         exit "ACK"
     }

   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

     1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

        if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
        {
            insert Otp-ActionId = 112
            exit "ACK"
        }

     2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

        — If you have configured the realm for PEAP (EAP-GTC), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
          {
              insert Otp-ActionId = 112
              insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
              exit "ACK"
          }

        — If you have configured the realm for TTLS (PAP), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 112
              insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
              exit "ACK"
          }

        — If you have configured the realm for TTLS (MS-CHAP v2), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 48
              insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
              exit "ACK"
          }

   NOTE: In this example, the Otp-Retrieve-TokenInfo-ActionId attribute is configured to retrieve token information from the SQL database.

4. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 as follows:

   if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )


   Use the following rules while replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication: replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1, using one of the following forms:
     — PEAP (EAP-GTC): <realm>/peap
     — TTLS (PAP) and TTLS (MS-CHAP v2): <realm>/ttls

5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.

The HP-UX AAA Server is now configured for two-factor authentication.

OTP or Password Validation at External RADIUS Server

This section discusses different deployment scenarios where the OTP or password must be validated by an external RADIUS server. This section discusses the following deployment scenarios:
• “Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server” (page 210)
• “Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server” (page 214)
• “Forwarding OTP and Password to Another RADIUS Server for Validation” (page 217)

NOTE: For the MS-CHAP v2 authentication protocol, partial validation of either OTP or password locally and the remaining part at an external RADIUS server is not possible. The complete validation must be performed at the local HP-UX AAA Server or at an external RADIUS server.

Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server

To configure the HP-UX AAA Server to validate the password and forward the OTP to another RADIUS server for validation, complete the following steps:


1. Configure the realm using the Realms Screen of the Server Manager. Based on the user profile, configure the realm for the local users file, LDAP, Oracle or MySQL database using SQL Access. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. Configure the proxy target server using the Server Manager and save the configuration. For more information on configuring proxies, see “Configuring Proxies” (page 117).

3. If not appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
   # cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp

4. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:

   • If you have configured the realm for RADIUS standard password authentication: replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 101
         exit "ACK"
     }

   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 101
         exit "ACK"
     }

   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

     1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

        if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
        {
            insert Otp-ActionId = 112
            exit "ACK"
        }

     2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

        — If you have configured the realm for PEAP (EAP-GTC), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
          {
              insert Otp-ActionId = 101
              exit "ACK"
          }

        — If you have configured the realm for TTLS (PAP), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 101
              exit "ACK"
          }

5. In the proxy-egress.grp file, replace the <proxyrealm> variable with the realm name, and the <Proxy Target Server or IP Address> variable with the proxy target server host name (FQDN) or the IP address that is configured in Step 2, as follows:

   if ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>") )
   {
       modify Interlink-Proxy-Target = "<Proxy Target Server or IP Address>"
       exit "ACK"
   }

   Use the following rules while replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication: replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in Step 1, using one of the following forms:
     — PEAP (EAP-GTC): <realm>/peap
     — TTLS (PAP): <realm>/ttls

6. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration.

7. Configure the proxy target server for OTP validation as follows:

   • If the target proxy server is an HP-UX AAA Server:

     1. Configure the proxy server as a client using the same shared secret of the proxy server. For more information, see “Configuring RADIUS Clients Using the Access Devices Screen” (page 100).

     2. Configure the proxy target server to validate OTP. For more information, see “Validating OTP Alone” (page 200).

        IMPORTANT: While specifying the realm in the remote server’s request-ingress.grp file, always use the following syntax:

        if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
        {
            insert Otp-ActionId = 16
            exit "ACK"
        }

        If you have configured tunneled realms with different inner and outer realms for EAP authentication, then replace the <realm> variable with the inner realm name.

   • If the target proxy server is not an HP-UX AAA Server, see the documentation of the target RADIUS server to configure OTP authentication.

   NOTE: While configuring the proxy target server, you must configure it using the realm name that you have configured in Step 1.

The HP-UX AAA Server is now configured for validating password on the local serverand forwarding the OTP to another RADIUS server for validation.


Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server

To configure the HP-UX AAA Server to validate the OTP and forward the password to another RADIUS server for validation, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 111). In the User Storage Parameters field, ensure that the RetrieveToken SQL action is selected and the configuration is saved. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. Configure the proxy target server using the Server Manager and save the configuration. For more information on configuring proxies, see “Configuring Proxies” (page 117).

3. If not appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
   # cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp

4. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:

   • If you have configured the realm for RADIUS standard password authentication: replace the <realm> variable in the following syntax with the realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 83
         exit "ACK"
     }

   • If you have configured tunneled realms with different inner and outer realms for EAP authentication: replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

     if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
     {
         insert Otp-ActionId = 83
         exit "ACK"
     }

   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

     1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

        if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
        {
            insert Otp-ActionId = 112
            exit "ACK"
        }

     2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

        — If you have configured the realm for PEAP (EAP-GTC), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
          {
              insert Otp-ActionId = 83
              exit "ACK"
          }

        — If you have configured the realm for TTLS (PAP), add the following condition:

          if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
          {
              insert Otp-ActionId = 83
              exit "ACK"
          }

5. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 in the following condition:

       if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules while replacing the <realm> variable with the realm name:

   If you have configured: The realm for RADIUS standard password authentication
   Then: Replace <realm> with the realm name configured in Step 1.

   If you have configured: Tunneled realms with different inner and outer realms for EAP authentication
   Then: Replace <realm> with the inner realm name configured in Step 1.

   If you have configured: Tunneled realms with the same inner and outer realms for EAP authentication
   Then: Replace <realm> with the inner realm name configured in Step 1 using the following syntax:
      • PEAP (EAP-GTC): <realm>/peap
      or
      • TTLS (PAP): <realm>/ttls

6. In the proxy-egress.grp file, replace the <proxyrealm> variable with the realm name, and the <Proxy Target Server or IP Address> variable with the proxy target server host name (FQDN) or the IP address that is configured in Step 2, as follows:

       if ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>") )
       {
           modify Interlink-Proxy-Target = "<Proxy Target Server or IP Address>"
           exit "ACK"
       }

   NOTE: While specifying the realm, ensure the following:
   • The realm name used is identical with the name used while configuring the realm (Step 1).
   • The realm is specified using the realm specification rules listed in Step 5.

7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration.

8. Configure the proxy target server for password validation as follows:
   • If the target proxy server is an HP-UX AAA Server:
     1. Configure the proxy server as a client using the same shared secret as the proxy server. For more information, see “Configuring RADIUS Clients Using the Access Devices Screen” (page 100).
     2. Configure the proxy target server to validate the password. For more information, see “Adding a Realm” (page 105).
   • If the target proxy server is not an HP-UX AAA Server, see the documentation of the target RADIUS server to configure OTP authentication.

   NOTE: While configuring the proxy target server, you must configure it using the realm name that you have configured in Step 1.

The HP-UX AAA Server is now configured for OTP validation on the local server and password validation on the external server.


Forwarding OTP and Password to Another RADIUS Server for Validation

To forward the OTP and password (complete request) to another RADIUS server, HP recommends that you use the Server Manager to forward the complete request to the RADIUS server. For more information on forwarding requests, see “Configuring Proxies” (page 117).

Predefined Mapping and Conversion Functions

HP provides the following additional predefined mapping functions to configure OTP authentication:
• The AAASetConvertedHexToBinaryString Conversion Function: This conversion function is used when the shared secrets for the token generators are provided as hexadecimal strings. The HMAC algorithm (on which HOTP is based) requires shared secrets only in binary format. In such scenarios, you can use the AAASetConvertedHexToBinaryString function to convert a hexadecimal shared secret to binary format.
• The AAATokenStatusCheck Function: This mapping function is used to verify whether the status of the token is ACTIVE. If the status is ACTIVE, then the HP-UX AAA Server allows the user to continue with the OTP authentication process. If the status is ASSIGN, the user has to activate the token using the User Database Administration Manager. For any other token status, the HP-UX AAA Server rejects the request and prompts the user to contact the administrator. For more information about token status, see “Valid Token Status Values” (page 383).

Sample Configuration Files

This section discusses the syntax of the sample configuration files that are used to configure OTP authentication in the HP-UX AAA Server. This section addresses the following topics:
• “The sqlaccess.config Sample File” (page 217)
• “Sample Policy Files”

The sqlaccess.config Sample File

To support OTP authentication, the dbsetup.sql sample file creates an additional database table, RAD_TOKENS_TABLE, with the following columns:


RAD_TOKENS_TABLE
    serial_number
    user_name
    manufacturer
    token_status
    seq_counter
    shared_secret
    otp_length
    lookup_window
    checksum
    activation_code
    success_auth_count
    failed_auth_count
    failed_lock_count
    locktime

The SQL actions and stored procedures listed in Table 16-6 are added in the sqlaccess.config file to support OTP authentication.

Table 16-6 SQL Actions and Stored Procedures that Support OTP Authentication

SQL action: RetrieveToken
Table operated on: RAD_TOKENS_TABLE
Operation: Retrieves token information. Uses SQL result mapping to ensure that at least one row is returned. It also sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

SQL action: RetrieveUserAndToken
Table operated on: RAD_TOKENS_TABLE and RAD_USERS_TABLE
Operation: Retrieves user and token information. Uses SQL result mapping to ensure that at least one row is returned. It also sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

SQL action: UpdateSequenceCounterAndSuccessAuthCount
Table operated on: RAD_TOKENS_TABLE
Operation: A stored procedure that is created using dbsetup.sql. This procedure updates the sequence counter that is passed as an argument. This action is called after successful OTP authentication. This stored procedure also increments the success authentication count.

SQL action: UpdateFailedAuthCountAndTokenStatus
Table operated on: RAD_TOKENS_TABLE
Operation: A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. This stored procedure also increments the lock counter for each failed authentication. If the number of consecutive failed authentication attempts is greater than the configured token lock counter value (default 6), where the time interval between two consecutive failed authentication attempts is less than 60 seconds, it updates the token status to LOCKED. Based on your requirements, you can modify this stored procedure to configure the time interval. You can also modify this stored procedure to lock the user account using a different method.


IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.
• If the shared secret provided by the token vendor is in ASCII format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action:

      DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

  to

      DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

  and reload the configuration changes.
  If you are using the RetrieveToken SQL action, then the following entry must be modified as follows:

      DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

  to

      DBC(shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

  and reload the configuration changes.

In addition, the RAD_USERS_TABLE is extended with the following columns:

RAD_USERS_TABLE
    security_question
    security_answer
    mailing_address
    mailing_city
    mailing_state
    mailing_pin
    mailing_country
    email_id
    work_phone
    mobile_phone

Sample Policy Files

This section describes the sample policy files that are used for configuring OTP authentication. This section addresses the following topics:
• “The oath-request-ingress.grp Sample File”
• “The oath-reply-egress.grp Sample File” (page 221)
• “The oath-proxy-egress.grp Sample File” (page 222)


The oath-request-ingress.grp Sample File

The oath-request-ingress.grp file is the primary sample reference implementation file for configuring OTP authentication. You can configure OTP authentication-related actions by setting the bitmask in the Otp-ActionId attribute, and configuring the OTP-specific attributes listed in “Attributes for Configuring OTP Authentication” (page 192). To configure OTP authentication on a realm level, insert the Otp-ActionId value and the realm name as follows:

if (( count (User-Name) > 0 ) && (substr (User-Name after "@") = "<realm>"))
{
    #
    # Add Otp-ActionId attribute if it is not present in the authreq
    #
    if (count (Otp-ActionId) = 0)
    {
        insert Otp-ActionId = <decimal representation of bit mask value>
    }
    exit "ACK"
}

For more information on the OTP authentication actions and the bit masks to be set, see “Advanced OTP Authentication Configuration Concepts” (page 187).

The oath-reply-egress.grp Sample File

The oath-reply-egress.grp sample file is the reference implementation policy file that enables you to increment the sequence counter that is required to complete OATH standards-based One Time Password (OTP) authentication. It also helps to update the user authentication count and the token status. The following condition checks the value of the Interlink-Proxy-Action attribute, and does not update the counters and token status if the value is anything other than ACK or NAK. For example, in the case of ACCT_START, ACCT_STOP, and ACC_CHAL events, the sequence counter is not updated:

if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) )
{
    exit "ACK"
}

If authentication is successful for the OTP configured realm, the following sample sets the SQL action to update the sequence counter and success authentication count. If authentication fails, it sets the SQL action to update the failed authentication count and failed lock counter to update the token status. Replace <realm> with the realm name that is configured in the request-ingress.grp.oath file as follows:


if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )
{

In the case of successful authentication, the following sample inserts the Reply-Egress-ActionId attribute with the SQL action UpdateSequenceCounterAndSuccessAuthCount and returns the POST_REPLY_EGRESS event to update the sequence counter and success authentication count using SQL Access.

    if (Interlink-Reply-Status = "ACK")
    {
        if (count (Reply-Egress-ActionId) = 0)
        {
            insert Reply-Egress-ActionId = "UpdateSequenceCounterAndSuccessAuthCount"
        }
        exit "POST_REPLY_EGRESS"
    }
}

In the case of failed authentication, the following sample inserts the Reply-Egress-ActionId attribute with the SQL action UpdateFailedAuthCountAndTokenStatus and returns the POST_REPLY_EGRESS event to update the failed authentication count and failed lock counter using SQL Access.

    if (Interlink-Reply-Status = "NAK")
    {
        if (count (Reply-Egress-ActionId) = 0)
        {
            insert Reply-Egress-ActionId = "UpdateFailedAuthCountAndTokenStatus"
        }
        exit "POST_REPLY_EGRESS"
    }

If the number of consecutive failed authentication attempts is greater than the configured token lock counter value (default 6), where the time interval between two consecutive failed authentication attempts is less than 60 seconds, the HP-UX AAA Server updates the token status to LOCKED.
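As an added illustration that is not part of the guide or of the HP-UX AAA Server code, the following Python model walks through the checks described above and in Table 16-6: the AAATokenStatusCheck gate, the hex-to-binary secret conversion, an HOTP check over seq_counter and lookup_window, and the counter and lock updates the two stored procedures perform on RAD_TOKENS_TABLE. The function names, the handling of a failure more than 60 seconds after the previous one, and the reset of the consecutive-failure counter on a success are assumptions.

```python
"""In-memory model of the OTP checks this chapter configures. Field names
follow the RAD_TOKENS_TABLE columns; function names are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

LOCK_COUNTER = 6       # default token lock counter value (Table 16-6)
LOCK_INTERVAL = 60.0   # seconds between two consecutive failures for them to count


@dataclass
class TokenRow:
    """One row of RAD_TOKENS_TABLE (only the columns the checks use)."""
    serial_number: str
    user_name: str
    token_status: str       # ACTIVE, ASSIGN, LOCKED, ...
    seq_counter: int        # HOTP moving factor expected next
    shared_secret: str      # hex string, as supplied by the token vendor
    otp_length: int
    lookup_window: int
    success_auth_count: int = 0
    failed_auth_count: int = 0
    failed_lock_count: int = 0
    locktime: float = 0.0   # epoch seconds of the last failed attempt


def hex_to_binary_secret(hex_secret: str) -> bytes:
    """Role of AAASetConvertedHexToBinaryString: HMAC needs the raw key octets."""
    return bytes.fromhex(hex_secret)


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_status_check(row: TokenRow) -> str:
    """Role of AAATokenStatusCheck: only ACTIVE tokens may authenticate."""
    if row.token_status == "ACTIVE":
        return "CONTINUE"
    if row.token_status == "ASSIGN":
        return "ACTIVATE_TOKEN"   # user must activate the token first
    return "REJECT"               # any other status: contact the administrator


def find_counter(row: TokenRow, otp: str):
    """Look for the OTP at seq_counter .. seq_counter + lookup_window.
    Returns the matching counter, or None when nothing in the window fits."""
    secret = hex_to_binary_secret(row.shared_secret)
    for counter in range(row.seq_counter, row.seq_counter + row.lookup_window + 1):
        if hmac.compare_digest(hotp(secret, counter, row.otp_length), otp):
            return counter
    return None


def update_sequence_counter_and_success_auth_count(row: TokenRow, used: int) -> None:
    """Role of UpdateSequenceCounterAndSuccessAuthCount: advance past the used
    counter so the same OTP cannot be replayed, and count the success."""
    row.seq_counter = used + 1
    row.success_auth_count += 1
    row.failed_lock_count = 0   # assumption: a success ends the run of failures


def update_failed_auth_count_and_token_status(row: TokenRow, now: float) -> None:
    """Role of UpdateFailedAuthCountAndTokenStatus: count the failure, extend the
    run of consecutive failures only when the previous one was < 60 s ago, and
    lock the token once the run exceeds the lock counter."""
    row.failed_auth_count += 1
    if now - row.locktime < LOCK_INTERVAL:
        row.failed_lock_count += 1
    else:
        row.failed_lock_count = 1   # assumption: a longer gap starts a new run
    row.locktime = now
    if row.failed_lock_count > LOCK_COUNTER:
        row.token_status = "LOCKED"


def authenticate(row: TokenRow, otp: str, now: float) -> str:
    """ACK / NAK as the reply-egress policy sees it, or the status-gate result."""
    gate = token_status_check(row)
    if gate != "CONTINUE":
        return gate
    used = find_counter(row, otp)
    if used is None:
        update_failed_auth_count_and_token_status(row, now)
        return "NAK"
    update_sequence_counter_and_success_auth_count(row, used)
    return "ACK"


# Constructed sample row: the RFC 4226 test secret ("12345678901234567890" as hex).
SAMPLE_TOKEN = TokenRow("SN-0001", "alice", "ACTIVE", 0,
                        "3132333435363738393031323334353637383930", 6, 3)
```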

The oath-proxy-egress.grp Sample File

The oath-proxy-egress.grp sample reference implementation file can be used to proxy the OTP, or the password, or both to the remote server for validation. To proxy the request to the proxy target server, replace the variable <proxyrealm> with the realm name that is configured in the request-ingress.grp file. You must also replace the variable <Proxy Target Server or IP Address> with the proxy target server host name (FQDN) or the IP address.

if ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>") )
{
    modify Interlink-Proxy-Target = "<Proxy Target Server or IP Address>"
    exit "ACK"
}


17 Configuring EAP-SIM and EAP-AKA Authentication Methods

This chapter introduces you to Extensible Authentication Protocol (EAP) for Global System for Communications (GSM) Subscriber Identity Module (SIM) and EAP for Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA) authentication methods. The chapter discusses the following topics:
• “EAP-SIM” (page 224)
• “EAP-AKA” (page 236)
• “Fast Re-Authentication” (page 248)
• “Pseudonym Identities” (page 256)
• “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268)

EAP-SIM

This section discusses the EAP-SIM authentication method and its configurations. This section addresses the following topics:
• “Overview” (page 224)
• “EAP-SIM Authentication Using HP-UX AAA Server” (page 225)
• “Features” (page 227)
• “Benefits” (page 228)
• “Configuring EAP SIM” (page 228)

Overview

EAP-SIM is an authentication method capable of operating in wireless networks. EAP-SIM is used for authentication and session key distribution using the GSM SIM. GSM mobile network standard authentication builds on the challenge-response mechanism. Based on the algorithms specified by the operators, the SIM uses the 128-bit challenge and the secret key (subscriber key), Ki, to generate a 32-bit response and a 64-bit long cipher key, Kc, as output. Kc is used to derive the keying material. The Ki, which is also known as the authentication key, is a 128-bit value used to authenticate SIMs in the network. Each SIM is associated with a unique Ki, which is assigned by the operator. Therefore, the security of the protocol depends on Kc. However, for data networks that require stronger and longer keys, Kc is not very secure. To enhance security, the EAP-SIM mechanism combines multiple challenges to generate several 64-bit Kc long cipher keys. Collectively, these keys form stronger keying material. The security of EAP-SIM builds on the GSM mechanism. If the SIM credentials are used only for EAP-SIM, and are not re-used from GSM/GPRS, EAP-SIM is a more secure method than the underlying GSM mechanisms.


EAP-SIM Authentication Using HP-UX AAA Server

Each mobile device that is authorized to use the network has a unique identifier, called International Mobile Subscriber Identity (IMSI), which identifies the subscriber contained in the SIM. The SIM is also embedded or burnt with a unique secret (subscriber) key, Ki, which is pre-shared with the HP-UX AAA Server user storage (also referred to as Authentication Center, AuC). This forms the basis for securing the access to the network. The authentication software on the user’s mobile device for EAP/802.1x authentication is referred to as the supplicant. The supplicant accessing the SIM card information communicates with the HP-UX AAA Server via the authenticator (access point) to gain access to the network. The supplicant sends its messages via EAP over LAN to the access point. The access point encapsulates the EAP message and uses the RADIUS protocol to communicate with the HP-UX AAA Server. The following is the process for a successful EAP-SIM authentication. Figure 17-1 shows the EAP-SIM authentication using the HP-UX AAA Server.

Figure 17-1 EAP-SIM Authentication Using HP-UX AAA Server

1. The supplicant communicates with the access point.
2. The access point responds with an EAP request message asking for its identity.
3. The supplicant sends an EAP response message with the IMSI information stored in the SIM. The EAP response message is encapsulated in the RADIUS Access-Request message and forwarded to the HP-UX AAA Server.
4. The HP-UX AAA Server responds to the supplicant via the access point, with the list of supported versions for the EAP-SIM key calculating algorithm.
5. The supplicant responds with the selected key algorithm version and a random number (NONCE_MT). The NONCE_MT is used to derive the key for the HP-UX AAA Server and the supplicant during subsequent requests, and to prevent replay attacks.
6. The HP-UX AAA Server does a lookup of the IMSI’s pre-shared Ki in the user’s profile storage and calculates the triplets (RAND, Signed RESponse (SRES), Kc) or directly gets the triplets from the user profile storage. The HP-UX AAA Server can use the LDAP directory server or the SQL Compliant SQL Access to retrieve the Ki and calculate ‘n’ GSM triplets (RAND, SRES, Kc). Typically, n=2 or n=3. The HP-UX AAA Server also allows adding a customized plug-in using the Software Development Kit (SDK) to contact any AuC in the network, to directly retrieve the ‘n’ triplets. After calculating the triplets, the HP-UX AAA Server responds with an EAP request challenge containing each of the random numbers (RAND), and their respective message authentication codes (AT_MAC).
7. The supplicant first verifies the message authentication code received from the HP-UX AAA Server for each of the RAND. After successfully validating the message authentication code for the received SRES, it generates the encryption key (Kc) used for deriving keying material and the signed response (SRES) values for each of the RAND values it received. The supplicant and the HP-UX AAA Server generate multiple RAND, to generate multiple encryption keys (Kc) to derive stronger keying material. Subsequently, it sends only the message authentication code for each of the SRES values in the EAP request challenge message.
8. The HP-UX AAA Server on receiving the challenge compares the received message authentication code by calculating its own message authentication code for the SRES values it already has. After the validation is successful, the HP-UX AAA Server derives the keying material for session encryption and sends it with an Access-Accept message to the access point. The Access-Accept message also has an encapsulated EAP Success message.
9. The access point forwards the EAP Success message to the supplicant, and keeps the keying material for encrypting the subscriber’s session. The supplicant also derives the same encryption key and therefore, the access point does not forward it to the supplicant.
10. With the common session key, the network traffic between the access point and the supplicant can now be encrypted and the supplicant can securely access the network.

EAP-SIM includes an optional identity privacy support, wherein the supplicant can send a temporary (pseudonym) identity instead of using the clear text permanent identity (IMSI) to prevent eavesdroppers. In such cases, the HP-UX AAA Server has to do a lookup of the real user name (permanent identity) on receiving the pseudonym identity. The mapping of the permanent identity with the pseudonym and vice-versa can be done using algorithms built inside the HP-UX AAA Server or using an external storage like an SQL-compliant database with the mapping information. EAP-SIM also includes an optional fast re-authentication support, wherein the master session key previously generated during the full authentication process will be used to generate a fresh master session key. Therefore, a new set of triplets is not required. A supplicant requesting the fast re-authentication will send the fast re-authentication identity received during the previous full authentication. The HP-UX AAA Server internally maps the fast re-authentication identity to the permanent identity either using an optional internal cache or using an external storage like an SQL-compliant database with the mapping information.

Features

The EAP-SIM authentication method is fully compliant with RFC 4186. It offers the following features:
• International Mobile Subscriber Identity (IMSI) permanent identities on a per realm basis.
• Non-IMSI permanent identities on a per realm basis.
• Protected success indications on a per realm basis.
• Fast re-authentication on a per realm basis.
• Pseudonyms generated using algorithms or randomly, on a per realm basis.
• To ensure that permanent user names, pseudonyms, and fast re-authentication user names are distinct, and can be easily distinguished, the server generates pseudonyms whose leading character is 2 and fast re-authentication user names whose leading character is 3. In accordance with the RFC, permanent user names derived from the IMSI are prefixed with the leading character 1.
• A user's Subscriber key, Ki, along with the names of the appropriate A3 and A8 algorithms, can be stored in an external database or a local file. The A3 and A8 algorithms are standard algorithms. If Ki is stored in one of these locations, the server automatically generates GSM authentication triplets using this information.
• A set of GSM authentication triplets can be stored in a local file. This is intended for use in a lab environment, and requires no additional user-written plug-ins.
• If the customer implements an AATV, the user credentials can be retrieved from an Authentication Center (AuC) that the AATV communicates with. The AuC function authenticates SIM cards that attempt to connect to the GSM network by generating data known as triplets.
• A3 or A8 3rd Generation Partnership Project (3GPP) Milenage algorithms are provided with parameters that can be configured.
• The Milenage A3 or A8 algorithm can be customized with a simple plug-in.
• Additional customer-supplied A3 or A8 algorithms can be plugged into the server.
• Occurrences and values of received SIM attributes are validated.
• Support for pseudonym and fast re-authentication identity mapping is built-in without the need for an external database. Support is also provided using SQL Access and built-in AATVs.


Benefits

EAP-SIM offers the following benefits:
• Offers more reliable security than the GSM mechanisms.
• Supports protection of the subscriber identity based on pseudonyms or temporary identifiers.
• Supports a fast re-authentication procedure.

Configuring EAP SIM

The configuration files must be edited manually, because EAP-SIM cannot be configured using the HP-UX AAA Server Manager. This section addresses the following topics:
• “EAP-SIM Client Configuration” (page 228)
• “EAP-SIM User Credential Lookup Configuration” (page 228)
• “EAP-SIM Realm-Based Configurations” (page 229)
• “Global EAP-SIM Configuration in aaa.config” (page 235)

NOTE: Subsequently, you must restart the RADIUS Server for the configurations to take effect.

EAP-SIM Client Configuration

You can configure the access point or the access device for the HP-UX AAA Server to use EAP-SIM, using the HP-UX AAA Server Manager. For more information on how to configure it, see Chapter 7 (page 100).

EAP-SIM User Credential Lookup Configuration

The HP-UX AAA Server on receiving a SIM request does a lookup of the unique identifier's (real username) credentials. The credentials can be the pre-shared subscriber key or the triplets from an external storage (like AuC). The following information must be provided for the EAP-SIM module to continue processing of the user request:
• User's Subscriber's key, Ki. For more information on these Attribute Value Pairs (AVPs), see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268). The server uses the following AVPs as input to generate authentication vectors:
  — Subscriber's key is a string attribute that contains the binary encoded 128-bit user secret key, Ki. The encoding must be in the network byte order (big-endian).
  — A3 algorithm is a string attribute that indicates the name of the A3 algorithm to be applied in GSM triplet generation. The value is case-sensitive.
  — A8 algorithm is a string attribute that indicates the name of the A8 algorithm to be applied in GSM triplet generation. Most lines in the configuration files are limited to 1023 characters. This value is case-sensitive.
• GSM triplets. A GSM triplet is a fixed length binary string (octets) attribute, which holds an EAP-SIM authentication vector. The attribute value is a 224-bit (28 bytes) binary string. It is partitioned as follows:
  RAND = The first 128 bits (16 bytes) of the value.
  Kc = The next 64 bits (8 bytes) of the value.
  SRES = The last 32 bits (4 bytes) of the value.

The user credentials (Ki) can be stored in any of the following supported data repositories:
• local realm users file
• LDAP database
• SQL-compliant database using SQL Access

The following is an example of a local realm users file:

    # IMSI configured with 128 bit Subscriber-Key
    801448005551000 Subscriber-Key ="\x6d\x37\x71\x8a\xcc\xec\x37\x01\x4e\xdb\xf0\xf0\x3b\xe5\x77\xda",

NOTE: Subscriber's key is a binary string, and is configured as a quoted string of hex-escaped octets.
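Added example, not code from the guide or from HP: small Python helpers that parse the hex-escaped Subscriber-Key entries of a realm users file, check that Ki is exactly 128 bits, split and pack the 224-bit GSM triplet attribute described above, and classify an identity by the 1/2/3 leading-character convention from the Features list. The function names and the second IMSI in the embedded sample file are assumptions.

```python
"""Helpers for the EAP-SIM credential encodings in this chapter.
Function names are assumptions; the sample users file is constructed."""
import re
from typing import NamedTuple

KI_BYTES = 16                                  # 128-bit subscriber key
RAND_BYTES, KC_BYTES, SRES_BYTES = 16, 8, 4    # 224-bit triplet layout

# One users-file entry: <IMSI> Subscriber-Key = "<\xNN octets>" with an optional trailing comma.
_ENTRY = re.compile(r'\s*(\d{1,15})\s+Subscriber-Key\s*=\s*"((?:\\x[0-9a-fA-F]{2})*)"\s*,?\s*$')


class GsmTriplet(NamedTuple):
    rand: bytes
    kc: bytes
    sres: bytes


def decode_hex_escaped(body: str) -> bytes:
    """Turn the quoted-string contents \\x6d\\x37... into raw octets."""
    if not re.fullmatch(r'(?:\\x[0-9a-fA-F]{2})*', body):
        raise ValueError("only \\xNN escapes are accepted in a Subscriber-Key")
    return bytes.fromhex(body.replace("\\x", ""))


def parse_users_line(line: str):
    """Parse one IMSI entry; a key that is not exactly 128 bits is rejected."""
    m = _ENTRY.fullmatch(line)
    if m is None:
        raise ValueError(f"not a Subscriber-Key entry: {line!r}")
    imsi, key = m.group(1), decode_hex_escaped(m.group(2))
    if len(key) != KI_BYTES:
        raise ValueError(f"IMSI {imsi}: Ki is {len(key) * 8} bits, expected 128")
    return imsi, key


def parse_users_file(text: str) -> dict:
    """Map IMSI -> Ki for every non-comment, non-blank line of a users file."""
    keys = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        imsi, key = parse_users_line(line)
        keys[imsi] = key
    return keys


def split_triplet(value: bytes) -> GsmTriplet:
    """Partition a 28-byte triplet attribute into RAND (16), Kc (8), SRES (4)."""
    if len(value) != RAND_BYTES + KC_BYTES + SRES_BYTES:
        raise ValueError(f"triplet must be 28 bytes, got {len(value)}")
    return GsmTriplet(value[:RAND_BYTES], value[RAND_BYTES:RAND_BYTES + KC_BYTES],
                      value[RAND_BYTES + KC_BYTES:])


def pack_triplet(t: GsmTriplet) -> bytes:
    """Inverse of split_triplet, refusing parts of the wrong size."""
    if (len(t.rand), len(t.kc), len(t.sres)) != (RAND_BYTES, KC_BYTES, SRES_BYTES):
        raise ValueError("RAND/Kc/SRES have the wrong lengths")
    return t.rand + t.kc + t.sres


def identity_kind(identity: str) -> str:
    """Classify a received EAP identity by its leading character (realm part ignored)."""
    user = identity.split("@", 1)[0]
    return {"1": "permanent", "2": "pseudonym", "3": "fast-reauth"}.get(user[:1], "unknown")


# Constructed sample users file: the guide's 801448005551000 entry plus a made-up second IMSI.
SAMPLE_USERS_FILE = r'''
# file: /etc/opt/aaa/isp.users (constructed sample)
801448005551000 Subscriber-Key ="\x6d\x37\x71\x8a\xcc\xec\x37\x01\x4e\xdb\xf0\xf0\x3b\xe5\x77\xda",
123456789000001 Subscriber-Key = "\x01\x47\x17\x49\x11\xe3\x96\xc9\x63\x1a\xc1\xb9\x22\x86\xf0\x1f"
'''
```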

EAP-SIM Realm-Based Configurations

Many EAP-SIM parameters can be configured on a per realm basis. These parameters are configured in realm entries stored in the authfile and EAP.authfile files.

Realm-Based EAP-SIM Configuration Information in authfile

The user's SIM credentials lookup information is configured in the authfile on a per realm basis. The EAP-SIM realm must be configured with the -SIM switch. The following syntax is used to configure the user credential storage:

    eapsimrealm.com -SIM <AATV name> <xstring, if any>


If a user-specific plug-in is added for user lookup, the AATV name is replaced with the plug-in name. The following sections describe the configuration of the HP-UX AAA Server user flat file, LDAP directory server, and SQL-compliant database for credential lookup (subscriber key). The HP-UX AAA Server receives GSM triplets directly when the external storage (typically an AuC) generates the triplets. An AATV must be written for this. For information on how to write an AATV, see Chapter 28 (page 446).

NOTE: The xstring field in the realm configuration must not have spaces.

iaaaFile Authentication Type

If the user credentials are available in the flat file, the iaaaFile AATV is used for lookup. The configuration of a realm, which employs iaaaFile, is followed by a required {} block. The {} block enables you to configure the following parameters:
• Request-Attribute-For-Search
• Policy-Pointer

The iaaaFile authfile configuration parameters are described in Table 17-1.

Table 17-1 The iaaaFile authfile Configuration Parameters

Parameter: Request-Attribute-For-Search
Description: Indicates the search attribute to use for a user lookup. The attribute must be a string-type, such as string, tag-str, or octets. When iaaaFile is used for EAP-SIM, the value of the Request-Attribute-For-Search parameter must be Real-Username. The default value is User-Id.

Parameter: Policy-Pointer
Description: For information on Policy-Pointer, see “Authorization to Control Sessions and Access to Services” (page 44).
NOTE: This parameter is optional.

The following is an example of an iaaaFile configuration for credentials lookup:

    eapsimrealm.com -SIM iaaaFile isp
    {
        Request-Attribute-For-Search Real-Username
    }

The following is the sample content of the isp.users file:

    #######################################################################
    # file: /etc/opt/aaa/isp.users
    #######################################################################
    123456789000000 Subscriber-Key = "\x01\x47\x17\x49\x11\xe3\x96\xc9\x63\x1a\xc1\xb9\x22\x86\xf0\x1f"
    123456789000000 Subscriber-Key = "\x11\x1a\xf1\xc7\x11\x20\x26\x08\x4a\x58\xc7\xd8\x22\xe7\xca\x55"
    123456789000000 Subscriber-Key = "\x11\x48\xf2\xd4\x68\x71\x59\x11\x3c\x81\x27\xe6\x14\xfb\x64\x66"

PROLDAP Authentication Type

The PROLDAP AATV is enhanced to support the Request-Attribute-For-Search attribute. The Request-Attribute-For-Search attribute indicates the search attribute to use for a user lookup. The attribute must be a string type, such as string, tag-str, or octets. The default value is User-Id. When PROLDAP is used for EAP-SIM, the value of the Request-Attribute-For-Search parameter must be Real-Username. The LDAP directory server must return the Subscriber-Key (Ki) on successful lookup.

The following is an example of PROLDAP authfile configuration for credentials lookup:

# This realm uses an LDAP database
eapsimrealm.com -SIM PROLDAP "LDAP_lookup"
{
    Request-Attribute-For-Search Real-Username
    Directory "Directory 1"
    {
        Host ldap1.ispx.com
        Port 389
        Administrator "cn=...,ou=...,ou=...,o=radius"
        Password password
        SearchBase "...,ou=...,o=radius"
        Authenticate Search
    }
}

In this example the directory is reached on port 389 and the bind password is stored in clear text in the authfile; because the directory returns the subscriber key Ki, protect the path between the server and the directory and restrict read access to the authfile.

NOTE: The comment field (xstring) in the realm configuration (in the above example, "LDAP_lookup") must not have spaces.

SQL Access Authentication Type

To use the SQL Access authentication type, you must include the following entry in the authfile:

eapsimrealm.com -SIM SQLAccess ActionId=RetrieveSimUser

Also, you must include the RetrieveSimUser SQL action in the sqlaccess.config file. The following SQL action, RetrieveSimUser, is configured to return the subscriber key. After successfully retrieving it from a SQL-compliant database (db_oci) the SQL action returns RETRIEVE_SUCCESS; otherwise it returns RETRIEVE_ERROR.

SQLAction RetrieveSimUser {
    {
        input   RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
        output  DBR(100:0) RET(RETRIEVE_ERROR)
                DBR(-1:*) RET(ERROR)
                DBC(subscriber_key, 64, CHAR) FUNC(StoreInSubscriberKey) AAAHexToBinaryString
                DBR(0:0) RET(RETRIEVE_SUCCESS)
                DBR(*:*) RET(RETRIEVE_ERROR)
        SQLStatement db_oci {
            SELECT subscriber_key FROM RAD_USERS_TABLE WHERE user_name=:runame
        }
    }
}

NOTE: The subscriber_key column must be added to RAD_USERS_TABLE. StoreInSubscriberKey is the pre-defined mapping function that stores the binary string into the Subscriber-Key attribute and inserts this AV pair into AUTHREQ_REPLY_QUEUE.

For more information on SQL Access, see Chapter 22 (page 338).

Realm-Based EAP-SIM Configuration Information in EAP.authfile

The EAP.authfile entry for a realm that supports EAP-SIM can contain an optional {} configuration block following the EAP-Type SIM specification. This block contains realm-specific EAP-SIM configuration information, such as the algorithm to use for the realm users and the Fast-Reauth and Pseudonym parameters discussed later in the chapter. For more information on Fast-Reauth and Pseudonym, see "Pseudonym Identities" (page 256).

If certain parameters are not specified in the EAP-Type SIM {} configuration block, default values are assigned. For those parameters that do not have a default value, you must specify the values to ensure that the capability is supported. The following rules apply to the EAP-Type SIM {} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed within single or double quotes.

The EAP-Type SIM {} configuration block can contain any subset of these parameters, including the empty subset. The EAP.authfile configuration parameters are described in Table 17-2.


Table 17-2 EAP.authfile Configuration Parameters

Parameter: A3-Algorithm
    Specifies the default A3 algorithm for the realm. If an A3 algorithm is needed to produce the GSM triplets for this user's authentication, then the A3 algorithm specified in this field is used. There is no default value. For information on available algorithms, see "Generating Authentication Vectors Using A3, A8, and AKA Algorithms" (page 268).

Parameter: A8-Algorithm
    Specifies the default A8 algorithm for the realm. If an A8 algorithm is needed to produce the GSM triplets for this user's authentication, then the A8 algorithm specified in this field is used. There is no default value. For information on available algorithms, see "Generating Authentication Vectors Using A3, A8, and AKA Algorithms" (page 268).

Parameter: Prefixed-IMSI-Permanent-IDs
    Indicates whether the server must accept permanent identities of the form 1 + IMSI for this realm. EAP-SIM RFC 4186 indicates that the permanent identity must be derived from the IMSI. However, an implementation may choose a permanent identity that is not based on the IMSI. The server supports both options. The valid values are Enabled and Disabled. The default value is Enabled.

Parameter: Generic-Permanent-IDs
    Indicates whether the server must accept generic permanent identities that are not based on an IMSI (for example, fred) for this realm. EAP-SIM RFC 4186 indicates that the permanent identity must be derived from the IMSI. However, an implementation may choose a permanent identity that is not based on the IMSI. The server supports both options. The valid values are Enabled and Disabled. The default value is Disabled.

Parameter: Minimum-Length-IMSI and Maximum-Length-IMSI
    Specify the minimum and maximum length of IMSIs that the server accepts. The server performs sanity checks on a permanent identity that is offered as an IMSI to ensure that the identity is neither too short nor too long to be an IMSI. EAP-SIM RFC 4186 explicitly states that 15 is the maximum length. The minimum length is six, based on a three-digit MCC, a two-digit MNC, and a one-digit MSIN; this is the theoretical absolute minimum length of an IMSI. Therefore, the check made is as follows:
        6 <= Minimum-Length-IMSI <= Maximum-Length-IMSI <= 15
    The default values are 6 and 15.

Parameter: Number-Of-Triplets-For-Authentication
    Indicates how many GSM triplets are needed for authentication. EAP-SIM RFC 4186 indicates that this value must be 2 or 3. The default value is 2.

Parameter: Protected-Success-Indications
    Protected success indications are an optional EAP-SIM feature. The Protected-Success-Indications parameter indicates whether the server offers protected success indications to the peer. The valid values are Enabled and Disabled. The default value is Enabled.

The following is an example of an EAP.authfile file that configures the EAP-SIM protocol for a SIM realm:

#######################################################################
# Append the following to /etc/opt/aaa/EAP.authfile
#######################################################################
eapsimrealm.com -EAP EAP "comment"
{
    EAP-Type SIM
    {
        # The following parameters specify the names of the A3 and A8 algorithms used
        # to generate triplets. You need not configure these values if triplets are
        # retrieved from an external AuC.
        A3-Algorithm "3GPP-Milenage"
        A8-Algorithm "3GPP-Milenage"

        ############################################################
        # The following are optional parameters
        ############################################################
        Prefixed-IMSI-Permanent-IDs "Enabled"
        Generic-Permanent-IDs "Enabled"
        Minimum-Length-IMSI 6
        Maximum-Length-IMSI 15
        Number-Of-Triplets-For-Authentication 2
        Protected-Success-Indications "Enabled"
    }
}

NOTE: The comment field in realm configuration must not have spaces.

Global EAP-SIM Configuration in aaa.config

The aatv.EAP-SIM{} configuration block, located within the aaa.config file, contains global EAP-SIM configuration information. These parameters represent global default values, which do not correspond to any realm-based parameter. The following rules apply to the aatv.EAP-SIM{} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed in single or double quotes.

The aatv.EAP-SIM{} configuration block in the aaa.config file can contain any subset of these parameters, including the empty subset. These parameters are global. Table 17-3 lists the configuration block parameters.

Table 17-3 The aaa.config Configuration Block Parameters

Parameter: Statistics
    Directs the output of EAP-SIM statistics to the logfile when the server shuts down. The valid values are Enabled and Disabled. If not explicitly configured, the default value is Enabled.

The following is an example of an aaa.config configuration file:

aatv.EAP-SIM
{
    # =====================================
    # The following parameters are global.
    # =====================================
    Statistics "Enabled"    # Enabled or Disabled
}


EAP-AKA

This section discusses the EAP-AKA authentication method and its configuration. This section addresses the following topics:
• "Overview" (page 236)
• "EAP-AKA Authentication Using HP-UX AAA Server" (page 236)
• "Features" (page 237)
• "Benefits" (page 238)
• "Configuring EAP-AKA" (page 239)

Overview

EAP-AKA is an authentication and session key distribution mechanism used in the third generation mobile networks UMTS and CDMA2000. AKA is based on a challenge-response mechanism and symmetric cryptography.

EAP-AKA Authentication Using HP-UX AAA Server

The HP-UX AAA Server authenticates the EAP-AKA supplicant to the IP network using Wireless LAN (WLAN) access. The authentication process is as follows:
1. The supplicant associates with the access point.
2. The access point responds first with an EAP Request message asking for the supplicant's identity.
3. The supplicant sends an EAP Response message with the subscriber's International Mobile Subscriber Identity (IMSI) contained in the UMTS Subscriber Identity Module (USIM) or CDMA2000 User Identity Module. The EAP Response message is encapsulated in the RADIUS Access-Request message and forwarded to the AAA Server.
4. On receiving the EAP Response message, the HP-UX AAA Server looks up the user's identity to retrieve the pre-shared key and the per-user sequence number (SQN), and generates an authentication vector. The SQN is incremented for every authentication of the user to the network. The authentication vector is a security quintet consisting of five values: RAND (a 128-bit random number), XRES (the expected response to RAND, which the supplicant's RES must match; 64 bits in the server's AKA vector format, see Table 17-4), CK (a 128-bit session encryption key), IK (a 128-bit integrity key), and AUTN (a 128-bit network authentication token). The AAA Server can also be configured to connect to an external store, such as an Authentication Centre (AuC), to provide the authentication vector.
5. The AAA Server then sends an EAP Request Challenge message with the random number RAND, the network authentication token AUTN, and the message authentication code for the EAP packet.
6. The supplicant runs the AKA algorithm and compares the AUTN it generates with the received AUTN. If they match, it has successfully authenticated the AAA Server. The supplicant then sends an EAP Response Challenge via the access point containing the result parameter (RES) generated from RAND and the pre-shared secret key. It also includes a message authentication code for integrity protection.
7. On receiving the EAP Response message, the AAA Server compares the result parameter with the XRES parameter in the corresponding authentication vector. On successful comparison and validation of the message authentication code, the AAA Server sends an EAP Success message, encapsulated inside an Access-Accept message, to the access point together with the session key.
8. The access point forwards the EAP Success message to the supplicant and keeps the keying material for encrypting the user's session. The supplicant has derived the same key itself, so the access point does not forward the keying material to the supplicant.
9. With the common session key, the network traffic between the access point and the supplicant can now be encrypted and the supplicant can securely access the network.

EAP-AKA uses an example algorithm for key generation that can be customized or replaced with an operator-specific key generation algorithm.

EAP-AKA includes optional identity privacy support, wherein the supplicant can send a temporary (pseudonym) identity instead of the clear-text permanent identity, to defeat eavesdroppers. In such cases the HP-UX AAA Server has to look up the real user name (the permanent identity) on receiving the pseudonym identity. The mapping of the permanent identity to the pseudonym, and vice versa, can be done using algorithms built into the server or using an external store such as a SQL-compliant database holding the mapping information.

EAP-AKA also includes optional fast re-authentication support, wherein the Master Session Key generated during the previous full authentication is used to generate a fresh Master Session Key. A supplicant requesting fast re-authentication sends the fast re-authentication identity it received during the previous full authentication. The HP-UX AAA Server internally maps the fast re-authentication identity to the permanent identity, either using an optional internal cache or using an external store such as a SQL-compliant database holding the mapping information.

NOTE: The HP-UX AAA Server can also generate the authentication vector (AV) itself.

Features

The EAP-AKA authentication method is fully compliant with RFC 4187. It supports the following features:
• IMSI permanent identities are supported on a per realm basis.
• Non-IMSI permanent identities are supported on a per realm basis.
• Protected success indications are supported on a per realm basis.
• Fast re-authentication is supported on a per realm basis.
• Protected identity exchanges using AT_CHECKCODE are supported on a per realm basis.
• The Authentication Management Field (AMF) is supported on a per realm basis.
• Algorithmically or randomly generated pseudonyms are supported on a per realm basis.
• To ensure that permanent user names, pseudonyms, and fast re-authentication user names are distinct and can be easily distinguished from one another, the server generates pseudonyms with the leading character 4 and fast re-authentication user names with the leading character 5. In accordance with the RFC, permanent user names derived from the IMSI are prefixed with the leading character 0.
• A user's subscriber key (Ki), sequence number, mode, and the name of the appropriate AKA algorithm can be stored in an external database or a local file. The server automatically generates the authentication vector from this information.
• An authentication vector can be stored in a local file. This is intended for use in a lab environment and requires no additional user-written plug-ins.
• The user credentials can be retrieved from an AuC if the customer implements an AATV that communicates with the AuC.
• AKA 3GPP Milenage algorithms are provided with configurable parameters.
• The Milenage AKA algorithm can be customized with a simple plug-in.
• Additional AKA algorithms provided by the customer can be plugged into the server.
• Occurrences and values of received AKA attributes are validated.
• Support for pseudonym and fast re-authentication identity mapping is built in, without the need for an external database.

Benefits

EAP-AKA offers the following benefits:
• In devices that already contain an identity module, AKA can be used as a secure Point-to-Point Protocol (PPP) authentication method.
• Enables the use of the third generation mobile network authentication infrastructure in wireless LANs.
• Supports the co-existence of the existing infrastructure with any other EAP technology.
• Supports identity privacy.
• Supports result indications.
• Supports fast re-authentication.

Configuring EAP-AKA

The configuration files must be edited manually, because EAP-AKA cannot be configured using the HP-UX AAA Server Manager. This section addresses the following topics:
• "EAP-AKA Client Configuration" (page 239)
• "EAP-AKA User Credential Lookup Configuration" (page 239)
• "EAP-AKA Realm-Based Configurations" (page 240)
• "Global EAP-AKA Configuration in aaa.config" (page 247)

NOTE: After editing the configuration files, you must restart the RADIUS server for the changes to take effect.

EAP-AKA Client Configuration

You can configure the access point or the access device for the HP-UX AAA Server to use EAP-AKA using the HP-UX AAA Server Manager. For more information on how to configure it, see Chapter 7 (page 100).

EAP-AKA User Credential Lookup Configuration

On receiving an AKA request, the HP-UX AAA Server looks up the credentials of the unique identifier (real username). The credentials can be the user's pre-shared Subscriber-Key (Ki), AKA-Sequence-Number (SQN), AKA-Mode (AMF), and AKA-Algorithm. The HP-UX AAA Server supports configuration of EAP-AKA user credentials as Reply Items in two forms. One of the following must be provided for the EAP-AKA module to continue processing the user request:
• The first form is the configuration of the user's Subscriber-Key (Ki), AKA-Sequence-Number (SQN), AKA-Mode (AMF), and AKA-Algorithm. For a description of the algorithm, see "Generating Authentication Vectors Using A3, A8, and AKA Algorithms" (page 268). The server uses these AVPs as input to generate an authentication vector.
    — Subscriber-Key is a string attribute containing the binary encoded 128-bit user secret key, often referred to as Ki. The encoding must be in network byte order (big-endian).
    — AKA-Sequence-Number is a string attribute containing the binary encoded 48-bit user sequence number, often referred to as SQN. The encoding must be in network byte order (big-endian).
    — AKA-Mode is a string attribute containing the binary encoded 16-bit user authentication management field, often referred to as AMF. The encoding must be in network byte order (big-endian).
    — AKA-Algorithm is a string attribute indicating the name of the AKA algorithm to be applied in AKA vector generation. Most lines in the configuration files are limited to 1023 characters, which places a limit on the length of this string. The value is case-sensitive.
• The second form is the configuration of an AKA vector. An AKA vector is a fixed-length binary string (octets) attribute that holds an EAP-AKA authentication vector. The attribute value is a 576-bit binary string (72 bytes) partitioned as described in Table 17-4.

Table 17-4 AKA Vector Parameters

Parameter   Description
RAND        The first 128 bits (16 bytes) of the value
XRES        The next 64 bits (8 bytes) of the value
CK          The next 128 bits (16 bytes) of the value
IK          The next 128 bits (16 bytes) of the value
AUTN        The last 128 bits (16 bytes) of the value

The user credentials can be stored in any supported data repository, such as a localrealm users file, an LDAP database, SQL-compliant database using SQL Access, or acustomer-supplied database.

NOTE: The SQL Access feature can be used to retrieve user credentials as well as to manage the SQN. For a SQL Access sample configuration, see "Realm-Based EAP-AKA Configuration Information in authfile" (page 240). Configuring user credentials in the realm users file or an LDAP database requires Finite State Machine (FSM) modifications and a module that manages the SQN.

EAP-AKA Realm-Based Configurations

Many EAP-AKA parameters can be configured on a per realm basis. These parameters are configured in realm entries stored in the authfile and EAP.authfile files.

Realm-Based EAP-AKA Configuration Information in authfile

The user's AKA credentials lookup information is configured in the authfile on a per realm basis. The EAP-AKA realm must be configured with the -AKA switch. The following syntax is used to configure the user credential storage:

eapakarealm.com -AKA <AATV name> <xstring, if any>

If a user-specific plug-in is added for user lookup, the AATV name is replaced with the plug-in name. The following section describes configuration of the HP-UX AAA Server and a SQL-compliant database for credential lookup (subscriber key).

The HP-UX AAA Server receives the AKA vector directly when the external storage (typically an AuC) generates the vector. An AATV must be written for this. For information on how to write an AATV, see Chapter 28 (page 446).

NOTE: The xstring field in the realm configuration must not have spaces.

SQL Access Authentication Type

To use the SQL Access authentication type, you must include the following entry in the authfile:

eapakarealm.com -AKA SQLAccess ActionId=RetrieveAkaUser

Also, you must include the RetrieveAkaUser SQL action in the sqlaccess.config file. The following SQL action, RetrieveAkaUser, is configured to return the subscriber key, AKA mode, and SQN. After successfully retrieving them from a SQL-compliant database (db_oci) the SQL action returns RETRIEVE_SUCCESS; otherwise it returns RETRIEVE_ERROR.

SQLAction RetrieveAkaUser {
    {
        input   RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
        output  DBR(100:0) RET(RETRIEVE_ERROR)
                DBR(-1:*) RET(ERROR)
                DBC(subscriber_key, 64, CHAR) FUNC(StoreInSubscriberKey) AAAHexToBinaryString
                DBC(aka_mode, 16, CHAR) FUNC(StoreInAkaMode) AAAHexToBinaryString
                DBC(aka_sequence_num, 32, CHAR) FUNC(StoreInAkaSeqNum) AAAHexToBinaryString
                DBR(0:0) RET(RETRIEVE_SUCCESS)
                DBR(*:*) RET(RETRIEVE_ERROR)
        SQLStatement db_oci {
            SELECT subscriber_key, aka_mode, aka_sequence_num FROM RAD_USERS_TABLE WHERE user_name=:runame
        }
    }
}

NOTE: The subscriber_key, aka_mode, and aka_sequence_num columns must be added to RAD_USERS_TABLE. StoreInSubscriberKey, StoreInAkaMode, and StoreInAkaSeqNum are the pre-defined mapping functions that store the binary strings into the Subscriber-Key, AKA-Mode, and AKA-Sequence-Number attributes respectively and insert these AV pairs into AUTHREQ_REPLY_QUEUE.

For more information on SQL Access, see Chapter 22 (page 338).


Realm-Based EAP-AKA Configuration Information in EAP.authfile

The EAP.authfile entry for a realm that supports EAP-AKA can contain an optional {} configuration block following the EAP-Type AKA specification. This block contains realm-specific EAP-AKA configuration information, such as the algorithm to use for the realm users and the Fast-Reauth and Pseudonym parameters discussed later in the chapter. For more information on Fast-Reauth and Pseudonym, see "Pseudonym Identities" (page 256).

If certain parameters are not specified in the EAP-Type AKA {} configuration block, default values are assigned. For those parameters that do not have a default value, you must specify the values to ensure that the capability is supported. The following rules apply to the EAP-Type AKA {} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed within single or double quotes.

The EAP-Type AKA {} configuration block can contain any subset of these parameters, including the empty subset. The EAP.authfile configuration parameters are described in Table 17-5.

Table 17-5 EAP.authfile Configuration Parameters

Parameter: AKA-Algorithm
    Specifies the default AKA algorithm for the realm. If the profile for a user in this realm does not specify an AKA algorithm, and if an AKA algorithm is needed to produce the AKA vector for this user's authentication, the AKA algorithm specified by this parameter is used. For information on available algorithms, see "Generating Authentication Vectors Using A3, A8, and AKA Algorithms" (page 268). There is no default value.

Parameter: Prefixed-IMSI-Permanent-IDs
    Indicates whether the server must accept permanent identities of the form 0 + IMSI for this realm. EAP-AKA RFC 4187 indicates that the permanent identity must be derived from the IMSI. However, an implementation may choose a permanent identity that is not based on the IMSI. The server supports both options. The valid values are Enabled and Disabled. The default value is Enabled.

Parameter: Generic-Permanent-IDs
    Indicates whether the server must accept generic permanent identities that are not based on an IMSI (for example, fred) for this realm. EAP-AKA RFC 4187 indicates that the permanent identity must be derived from the IMSI. However, an implementation may choose a permanent identity that is not based on the IMSI. The server supports both options. The valid values are Enabled and Disabled. The default value is Disabled.

Parameter: Minimum-Length-IMSI and Maximum-Length-IMSI
    Specify the minimum and maximum length of IMSIs that the server accepts. The server performs sanity checks on a permanent identity that is offered as an IMSI to ensure that the identity is neither too short nor too long to be an IMSI. EAP-AKA RFC 4187 explicitly states that 15 is the maximum length. The minimum length is six, based on a three-digit MCC, a two-digit MNC, and a one-digit MSIN; this is the theoretical absolute minimum length of an IMSI. Therefore, the check made is as follows:
        6 <= Minimum-Length-IMSI <= Maximum-Length-IMSI <= 15
    The default values are 6 and 15.

Parameter: Protected-Success-Indications
    Protected success indications are an optional EAP-AKA feature. The Protected-Success-Indications parameter indicates whether the server offers protected success indications to the peer. The valid values are Enabled and Disabled. The default value is Enabled.

Parameter: Protected-Identity-Exchanges
    Determines whether the server must use the AT_CHECKCODE attribute. The use of the AT_CHECKCODE attribute is an optional feature in EAP-AKA. The attribute allows protection of the EAP-AKA identity messages and any future extensions to them. The implementation of AT_CHECKCODE is recommended. The valid values are Yes and No.

Parameter: AKA-Mode
    AKA mode is the user authentication management field, often referred to as AMF. It is an input to the functions f1 and f1*. For more information, see the 3GPP documents. The value of the AKA-Mode parameter is a 16-bit binary string entered as 0x followed by two 2-digit hex values. The dots are optional and are used to improve readability. The encoding must be in network byte order (big-endian). For more information, see the example following Table 17-9.

Parameter: Resync-Update
    The EAP-AKA protocol requires support for two features related to the management of sequence numbers (SQN). The Resync-Update parameter specifies an AATV that provides one of these features, and an Xstring parameter for this AATV. This AATV is invoked to notify the AuC about synchronization failures. The reception of an EAP-Response/AKA-Synchronization-Failure message from the client triggers the call to this AATV. This feature is optional; the need to configure this parameter depends on whether you require the feature. There is no default value.

Parameter: Auth-Result-Update
    The EAP-AKA protocol requires support for two features related to the management of sequence numbers (SQN). The Auth-Result-Update parameter specifies an AATV that provides one of these features, and an Xstring parameter for this AATV. This AATV is invoked to notify the AuC about the results of an authentication attempt. The completion of an EAP-AKA authentication sequence triggers the call to this AATV. This feature is optional; the need to configure this parameter depends on whether you require the feature. There is no default value.

The following is an example of the EAP.authfile file that configures the EAP-AKA protocol for an AKA realm:

#######################################################################
# Append the following to /etc/opt/aaa/EAP.authfile
#######################################################################
eapakarealm.com -EAP EAP "comment"
{
    EAP-Type AKA
    {
        # The following parameter specifies the name of the AKA algorithm used to
        # generate the vector. You need not configure it if the vector is retrieved
        # from an external AuC.
        AKA-Algorithm "3GPP-Milenage"
        Resync-Update SQLAccess ActionId=ResyncSQN
        Auth-Result-Update SQLAccess ActionId=UpdateSQN

        ############################################################
        # The following are optional parameters
        ############################################################
        Prefixed-IMSI-Permanent-IDs "Enabled"
        Generic-Permanent-IDs "Enabled"
        Minimum-Length-IMSI 6
        Maximum-Length-IMSI 15
        AKA-Mode 0x12ab
        Protected-Identity-Exchanges No
        Protected-Success-Indications "Enabled"
    }
}

NOTE: The comment field in realm configuration must not have spaces.
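The following Python code is an added example (not part of this guide or of the HP-UX AAA Server) that applies the realm identity rules stated in Table 17-5 and under "Features" to identities presented to an AKA realm: the 0 + IMSI permanent form gated by Prefixed-IMSI-Permanent-IDs and the 6 <= Minimum-Length-IMSI <= Maximum-Length-IMSI <= 15 bounds, generic identities gated by Generic-Permanent-IDs, and the server's leading characters 4 (pseudonym) and 5 (fast re-authentication). The RealmPolicy class, the classify() function, and the choice to reject rather than fall through when a form is disabled are this example's own assumptions about how the server behaves.

```python
"""Identity acceptance checks for an EAP-AKA realm, modelled on the realm
parameters in Table 17-5 and the leading-character convention in "Features".

Added example, not HP-UX AAA Server code.  RealmPolicy and classify() are this
example's own names; the rules they encode are the ones the guide states.
"""
from dataclasses import dataclass

TRUE_WORDS = {"enabled", "yes", "on", "true"}      # synonyms the guide lists
FALSE_WORDS = {"disabled", "no", "off", "false"}

PERMANENT_PREFIX = "0"      # RFC 4187 permanent identity is 0 + IMSI
PSEUDONYM_PREFIX = "4"      # server-generated pseudonyms
FAST_REAUTH_PREFIX = "5"    # server-generated fast re-authentication identities


def parse_flag(value: str) -> bool:
    """Apply the on/off synonym rule; values are case-insensitive and may be quoted."""
    v = value.strip().strip('"\'').lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a binary value: {value!r}")


@dataclass
class RealmPolicy:
    prefixed_imsi_permanent_ids: bool = True    # default Enabled
    generic_permanent_ids: bool = False         # default Disabled
    minimum_length_imsi: int = 6
    maximum_length_imsi: int = 15

    def __post_init__(self):
        # The check the table states: 6 <= min <= max <= 15
        if not (6 <= self.minimum_length_imsi <= self.maximum_length_imsi <= 15):
            raise ValueError("IMSI length bounds must satisfy 6 <= min <= max <= 15")


def split_nai(identity: str) -> tuple:
    """Return (username, realm) for a user@realm NAI; realm is '' if absent."""
    user, _, realm = identity.partition("@")
    return user, realm


def classify(identity: str, policy: RealmPolicy) -> str:
    """Return 'permanent-imsi', 'permanent-generic', 'pseudonym', 'fast-reauth'
    or 'reject' for the username part of an identity offered to an AKA realm."""
    user, _ = split_nai(identity)
    if not user:
        return "reject"
    lead, rest = user[0], user[1:]
    if lead == PERMANENT_PREFIX:
        if not policy.prefixed_imsi_permanent_ids:
            return "reject"   # assumption: a disabled form is refused, not reinterpreted
        # Sanity check on an identity offered as an IMSI: digits only, within bounds.
        if not rest.isdigit():
            return "reject"
        if not (policy.minimum_length_imsi <= len(rest) <= policy.maximum_length_imsi):
            return "reject"
        return "permanent-imsi"
    if lead == PSEUDONYM_PREFIX:
        return "pseudonym"
    if lead == FAST_REAUTH_PREFIX:
        return "fast-reauth"
    # Anything else is a generic (non-IMSI) permanent identity such as "fred".
    return "permanent-generic" if policy.generic_permanent_ids else "reject"


if __name__ == "__main__":
    policy = RealmPolicy(generic_permanent_ids=parse_flag('"Enabled"'))
    for ident in ("0123456789000000@eapakarealm.com", "0123@eapakarealm.com",
                  "fred@eapakarealm.com", "4abc@eapakarealm.com"):
        print(ident, "->", classify(ident, policy))
```

With the defaults (Generic-Permanent-IDs disabled) an identity such as fred is refused, which is the behaviour to expect from a freshly configured realm until that parameter is enabled; an IMSI of fewer than six digits is refused regardless of the flags.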

Auth-Result-Update and Resync-Update

The management of the SQN required for EAP-AKA can be done using the SQL Access feature provided by the HP-UX AAA Server. In this case the user credentials must be stored in an Oracle or SQL-compliant database. The EAP.authfile example above configures these parameters.

UpdateSQN and ResyncSQN are the SQL action names that must be configured in the sqlaccess.config file. The following are sample entries for them.

UpdateSQN: This SQL action increments the SQN in the database for each successful authentication. Two mappings are used. The first retrieves the sequence number for the corresponding real identity and adds the incremented SQN to the REPLY queue. The second retrieves it from the REPLY queue and writes it back to the database. A predefined sample mapping function, IncAkaSeqNum, increments the SQN if the authentication succeeded, converts it back to hex string format, and inserts the AKA-Sequence-Number AVP into the REPLY queue.

You can use the vendor-specific attribute AKA-Authentication-Result to check the result of authentication. It can take the following values:
NO-AUTH 0
SUCCESS 1
REAUTH 2
CLIENT_REJECT 3
BAD_MAC 4
BAD_XRES 5
BAD_CHECKCODE 6
BAD_PROTOCOL 7
BAD_INTERNAL 8

    SQLAction UpdateSQN {
        {
            input  RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(100:*) RET(NAK)
                   DBR(-1:*)  RET(ERROR)
                   DBC(aka_sequence_number, 64, CHAR) FUNC(IncAkaSeqNum) AAAHexToBinaryString
                   DBR(0:0)   RET(ACK)
                   DBR(*:*)   RET(ERROR)
            SQLStatement db_oci {
                SELECT aka_sequence_number FROM RAD_USERS_TABLE WHERE user_name=:runame
            }
        }
        {
            input  RAD(AKA-Sequence-Number, REPLY) DBP(seqnum, 253, CHAR)
                   RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(-1:*) RET(ERROR)
                   DBR(0:0)  RET(ACK)
                   DBR(*:*)  RET(NAK)
            SQLStatement db_oci {
                UPDATE RAD_USERS_TABLE set aka_sequence_number=:seqnum where user_name=:runame
            }
        }
    }

The DBP parameter name in each input mapping (runame) must match the bind variable used in the corresponding SQLStatement (:runame).

ResyncSQN: This SQL action derives the SQN from the vendor-specific attribute AKA-Synchronization-Token (the AUTS value) in the REPLY queue, which the client sends when a synchronization failure occurs. The first mapping retrieves the subscriber key for the corresponding real identity and the second mapping writes the derived SQN back to the database. A predefined sample mapping function, GetReSyncAkaSeqNum, extracts the SQN from AUTS and inserts it into the REPLY queue after converting it to hex string format.

    SQLAction ResyncSQN {
        {
            input  RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(100:*) RET(NAK)
                   DBR(-1:*)  RET(ERROR)
                   DBC(subscriber_key, 64, CHAR) FUNC(GetReSyncAkaSeqNum) AAAHexToBinaryString
                   DBR(0:0)   RET(ACK)
                   DBR(*:*)   RET(ERROR)
            SQLStatement db_oci {
                SELECT subscriber_key FROM RAD_USERS_TABLE WHERE user_name=:runame
            }
        }
        {
            input  RAD(AKA-Sequence-Number, REPLY) DBP(seqnum, 253, CHAR)
                   RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(-1:*) RET(ERROR)
                   DBR(0:0)  RET(ACK)
                   DBR(*:*)  RET(NAK)
            SQLStatement db_oci {
                UPDATE RAD_USERS_TABLE set aka_sequence_number=:seqnum where user_name=:runame
            }
        }
    }

NOTE: The above SQL actions require the subscriber_key and theaka_sequence_number columns to be added in the RAD_USERS_TABLE as stringtype. The mapping functions mentioned in the above example are for demonstrationpurposes only. You must customize the mapping functions based on the requirements.For more information on SQL Access Mapping functions, see Chapter 22 “SQL Access”.For information on how to write AATVs, see Chapter 28 “Customizing the HP-UXAAA Server Using the SDK”.
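As an added illustration (not part of the HP-UX AAA Server or this guide), the following Python models the contract of the two UpdateSQN mappings above so the increment logic can be exercised on constructed data before a custom mapping function is written in C with the SDK. The result codes are the AKA-Authentication-Result values listed above; the 48-bit SQN width, the hex-string column format, the NAK-on-missing-row interpretation of the DBR(100:*) rule, and the in-memory stand-in for RAD_USERS_TABLE are assumptions of the example.

```python
"""Model of the two-step UpdateSQN flow: SELECT -> mapping function ->
REPLY queue -> UPDATE. Added example, not HP code."""
from enum import IntEnum


class AkaAuthResult(IntEnum):
    """AKA-Authentication-Result values as listed in the guide."""
    NO_AUTH = 0
    SUCCESS = 1
    REAUTH = 2
    CLIENT_REJECT = 3
    BAD_MAC = 4
    BAD_XRES = 5
    BAD_CHECKCODE = 6
    BAD_PROTOCOL = 7
    BAD_INTERNAL = 8


SQN_BITS = 48                      # assumption: 3GPP AKA SQN is 48 bits wide
SQN_HEX_DIGITS = SQN_BITS // 4     # fixed-width hex string in the column
SQN_MASK = (1 << SQN_BITS) - 1


def inc_aka_seq_num(db_value, reply_queue):
    """Stand-in for the IncAkaSeqNum mapping function.

    db_value:    aka_sequence_number column (hex string) from the SELECT.
    reply_queue: dict of AVPs in the REPLY queue; must carry
                 AKA-Authentication-Result.
    Returns (avp_name, hex_value) to push into the REPLY queue, or None when
    the SQN must not change because the authentication did not succeed.
    """
    result = reply_queue.get("AKA-Authentication-Result", AkaAuthResult.NO_AUTH)
    if result != AkaAuthResult.SUCCESS:
        return None                # never advance the SQN on a failed auth
    if not db_value:
        raise ValueError("empty aka_sequence_number column")
    sqn = int(db_value, 16)        # raises ValueError on a non-hex column
    if sqn > SQN_MASK:
        raise ValueError("stored SQN wider than %d bits" % SQN_BITS)
    sqn = (sqn + 1) & SQN_MASK     # wrap instead of overflowing the width
    return "AKA-Sequence-Number", "%0*X" % (SQN_HEX_DIGITS, sqn)


def run_update_sqn(db, reply_queue):
    """Drive both mappings of UpdateSQN against an in-memory stand-in for
    RAD_USERS_TABLE ({user_name: {column: value}}).
    Returns the SQL Access return event: ACK, NAK or ERROR."""
    row = db.get(reply_queue.get("Real-Username"))
    if row is None:
        return "NAK"               # mirrors DBR(100:*) RET(NAK): no row found
    try:
        avp = inc_aka_seq_num(row.get("aka_sequence_number"), reply_queue)
    except ValueError:
        return "ERROR"             # bad column contents: do not touch the row
    if avp is None:
        return "ACK"               # failed auth: nothing to write back
    reply_queue[avp[0]] = avp[1]   # first mapping: AVP into the REPLY queue
    # second mapping: UPDATE ... set aka_sequence_number=:seqnum where user_name=:runame
    row["aka_sequence_number"] = reply_queue["AKA-Sequence-Number"]
    return "ACK"


# Constructed sample row (not real subscriber data).
SAMPLE_DB = {"310150123456789": {"aka_sequence_number": "000000000FFF"}}

if __name__ == "__main__":
    queue = {"Real-Username": "310150123456789", "AKA-Authentication-Result": 1}
    print(run_update_sqn(SAMPLE_DB, queue), SAMPLE_DB["310150123456789"])
```

The point of the model is the ordering: the increment is computed from the value the SELECT returned, placed on the REPLY queue, and only then written back, which is exactly the two-mapping split in the sqlaccess.config sample.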

Global EAP-AKA Configuration in aaa.config

The aatv.EAP-AKA{} configuration block, located within the aaa.config file, contains global EAP-AKA configuration information. These parameters represent global default values, which do not correspond to any realm-based parameter. The following rules apply to the aatv.EAP-AKA{} configuration block parameters:

• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed in single or double quotes.

The aatv.EAP-AKA{} configuration block in the aaa.config file can contain any subset of these parameters, including the empty subset. These parameters are global. Table 17-6 lists the configuration block parameters.

Table 17-6 The aaa.config Configuration Block Parameters

Statistics
    Directs the output of EAP-AKA statistics to the logfile when the server shuts down. The valid values are Enabled and Disabled. If not explicitly configured, the default value is Enabled.

The following is an example of an aaa.config configuration file:

    aatv.EAP-AKA{
        # =====================================
        # The following parameters are global.
        # =====================================
        Statistics "Enabled"        # Enabled or Disabled
    }

Fast Re-Authentication

Fast re-authentication is an optional EAP-SIM and EAP-AKA feature. It is used to refresh the previous authentication periodically. A fast re-authentication, if applicable, occurs shortly after a full authentication or an earlier fast re-authentication. The Fast-Reauth-Id-Lifetime parameter specifies a lifetime for a fast re-authentication identity, in seconds. If a fast re-authentication identity is assigned but is not used within this period of time, the fast re-authentication identity and the associated full authentication context expire.

The HP-UX AAA Server generates a fast re-authentication identity that is 10 characters long: the fast re-authentication identity prefix, 3, followed by nine random characters from a 31-character set made up of the 21 upper-case consonants (no vowels) and the 10 digits 0-9, that is {BCDFGHJKLMNPQRSTVWXYZ0123456789}. As there are 31 choices for each of the nine random characters, there are 31^9 different identities, that is, more than 26 trillion fast re-authentication identities for all permanent identities. Selecting only upper-case characters for the server-generated re-authentication identities allows case-insensitive database lookups.

The server sends a fast re-authentication identity to the client, which includes a realm. Before generating a fast re-authentication identity, the server checks whether the total length of the name@realm string exceeds 253 characters, the maximum length of a User-Name attribute value. If it exceeds the maximum length, the server does not generate a reauth identity. As the name portion of the fast re-authentication identity is 10 characters, this problem occurs only if the realm is longer than 242 characters. The realm is either the configured fast reauth realm or the realm from the permanent identity. A fast reauth realm can be configured to target a fast reauth authentication request at the specific server that generated the fast re-authentication identity.

Configuring for Fast Re-Authentication

This section addresses the following topics:

• "Configuring for Fast Re-Authentication in EAP.authfile" (page 248)
• "Configuring for Fast Re-Authentication in aaa.config File" (page 251)

Configuring for Fast Re-Authentication in EAP.authfile

To use fast re-authentication, the realm configuration in the EAP-Type SIM{} or EAP-Type AKA{} block in EAP.authfile must specify the parameters described in Table 17-7.


Table 17-7 EAP.authfile Configuration Parameters

Fast-Reauth-Lookup
    Specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to map a fast re-authentication identity to the user's real identity and full authentication context. If this parameter is not configured, fast re-authentication support is disabled for the realm. The HP-UX AAA Server provides the SIMAKA-ReauthCacheLookup AATV for this function. There is no default value.

Fast-Reauth-Update
    Specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to update the mapping of a fast re-authentication identity to a user's real identity. If this parameter is not configured, fast re-authentication support is disabled for the realm. The HP-UX AAA Server provides the SIMAKA-ReauthCacheUpdate AATV for this function. There is no default value.

Max-Number-Of-Reauths-Before-Full-Auth-Is-Required
    Specifies an upper limit for the number of consecutive fast re-authentications allowed before a full authentication must be performed. The valid range is 1 to 65,535.

Fast-Reauth-Realm
    Specifies the realm that the server appends to a fast re-authentication identity when it issues one. The realm helps ensure that the subsequent fast re-authentication is targeted at the server that holds the full authentication context, which matters when internal caching, rather than an external database, is used to save the fast re-authentication context. As a fast re-auth NAI cannot exceed 253 characters and the fast re-auth user name is 10 characters, the Fast-Reauth-Realm value must not exceed 242 characters. If the fast re-authentication identity must be generated with no realm name, configure NULL. The empty string, entered as just two quotes, indicates that the server must generate a fast re-authentication identity with the same realm name as the permanent identity.

Fast-Reauth-Id-Lifetime
    Specifies a lifetime for a fast re-authentication identity, in seconds. If a fast re-authentication identity is assigned but is not used within this period of time, the fast re-authentication identity and the associated full authentication context are purged. The valid range is 1 to 14400 (1 second to 4 hours). The default value is 3600 seconds.

Sample EAP.authfile Configuration for Fast Re-authentication

    ################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-SIM
    ################################################################
    eapsim.com -EAP EAP "comment"
    {
        EAP-Type SIM {
            # Configure other realm-specific parameters, if required
            .
            .
            # Following are the mandatory parameters:
            Fast-Reauth-Lookup SIMAKA-ReauthCacheLookup ""
            Fast-Reauth-Update SIMAKA-ReauthCacheUpdate ""

            # Following are the optional parameters:
            Fast-Reauth-Realm ""
            Max-Number-Of-Reauths-Before-Full-Auth-Is-Required 5
            Fast-Reauth-Id-Lifetime 1800
        }
    }

    ################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-AKA
    ################################################################
    eapaka.com -EAP EAP "comment"
    {
        EAP-Type AKA {
            # Configure other realm-specific parameters, if required
            .
            .
            # Following are the mandatory parameters:
            Fast-Reauth-Lookup SIMAKA-ReauthCacheLookup ""
            Fast-Reauth-Update SIMAKA-ReauthCacheUpdate ""

            # Following are the optional parameters:
            Fast-Reauth-Realm ""
            Max-Number-Of-Reauths-Before-Full-Auth-Is-Required 5
            Fast-Reauth-Id-Lifetime 1800
        }
    }

Use plain ASCII double quotes ("") for the empty Xstring and realm values; typographic quotes copied from a formatted document are not valid in the configuration file.

Configuring for Fast Re-Authentication in aaa.config File

If you use the built-in AATVs (SIMAKA-ReauthCacheLookup and SIMAKA-ReauthCacheUpdate) for caching the mapping of fast reauth identity to the user's real identity, you can configure the parameters described in Table 17-8 in the aatv.SIMAKA{} block of the aaa.config file.

Table 17-8 The aaa.config Configuration Block Parameters for Fast Re-authentication

Maximum-Fast-Reauth-Cache-Size
    Specifies the maximum size of the in-memory fast re-authentication table, in number of entries. For a given user, the server needs to save the full authentication context for subsequent fast re-authentications. A boundary must be assigned to the number of entries in this table to protect the server's memory. The valid range is 0 to 1,000,000. If the value is zero, no new fast reauth identities are added to the cache, but the existing non-expired entries are used; this value is intended to phase out fast reauth support following a HUP. If not explicitly configured, the default value is 500,000.

Sample aaa.config Configuration for Fast Re-authentication

    ################################################################
    # Add the following in /etc/opt/aaa/aaa.config
    ################################################################
    aatv.SIMAKA{
        # Configure other global parameters, if required
        .
        .
        Maximum-Fast-Reauth-Cache-Size 4096
    }

Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs

This section describes the EAP-SIM and EAP-AKA requirements that the Fast Re-authentication Database AATVs must meet in addition to the basic AATV requirements. For information on AATV writing, compiling, installing, and debugging, see Chapter 28 (page 446).

You can configure EAP-SIM and EAP-AKA to support the fast re-authentication procedure by saving the last full authentication, including attributes such as the Master Key and the Counter. The saved full authentication is used for the subsequent fast re-authentication. You can save the full authentication attributes in the internal tables included in the HP-UX AAA Server, or in an external database using SQL Access, and retrieve them when required. If you save the attributes in an external database, the database record must include the following attributes:

• Real-Username
• Real-Realm
• Fast-Reauth-Username
• FullAuth-Master-Key
• Fast-Reauth-Counter
• Fast-Reauth-Expiration-Time

These attributes are described in Table 17-9 and Table 17-11 later in this section. Note that FullAuth-Master-Key is the key material from which the re-authentication session keys are derived, so an external database holding these records, and the connection to it, must be protected accordingly.

The AATV that retrieves the mapping information can check whether the retrieved information has expired. If the mapping retrieval AATV checks for expiration, the retrieved Fast-Reauth-Expiration-Time attribute need not be placed on the authreq. If it does not check for expiration, the Fast-Reauth-Expiration-Time attribute must be placed on the authreq, in which case the EAP-SIM or EAP-AKA AATV that handles the result of the lookup checks for expiration.

Two AATVs are involved in fast re-authentication handling: one performs the update and the other performs the lookup. This section describes the following AATVs:

• "Fast Re-Authentication Database Update AATV" (page 253)
• "Fast Re-Authentication Database Lookup AATV" (page 254)


Fast Re-Authentication Database Update AATV

As a result of a full authentication, the database may require a new record for the fast re-authentication information. If the database includes an existing set of fast re-authentication information, the information needs to be updated or invalidated with each full authentication or fast re-authentication. If the realm is configured for fast re-authentication support, the update AATV is invoked with every authentication, full or re-authentication, successful or unsuccessful, and whether or not a new fast re-authentication user name is assigned.

Update AATV Inputs

The input to the Update AATV is the set of Vendor-Specific Attributes (VSAs) on the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-9 describes the Fast Re-Authentication Database Update AATV attributes.

Table 17-9 Vendor-Specific Attributes for Fast Re-Authentication Database Update AATV

Real-Username
    A string attribute that contains the user's real identity. This identity contains neither a prefix nor a realm. The identity can be an International Mobile Subscriber Identity (IMSI) of up to 15 decimal digits. If the realm is configured to support non-IMSI real identities, the identity can be a non-IMSI real user name of up to 253 characters.

Real-Realm
    A string attribute that contains the user's real realm, which is the realm portion of the AT_IDENTITY attribute of the last full authentication. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute of the last full authentication does not specify a realm, the Real-Realm attribute contains an empty string value.

Fast-Reauth-Username
    A string attribute that contains the value sent by the HP-UX AAA Server during this authentication, that is, the user's next fast re-authentication user name. This identity carries the Fast Reauth ID prefix, 3, but no realm. The length of the identity, including the prefix, is 10 characters. If the attribute contains no value, the database's existing Fast-Reauth-Username and the associated full authentication details must be invalidated.

FullAuth-Master-Key
    A fixed-length binary string (octets) attribute that contains the Master Key (MK) value of the last full authentication. The value is a 160-bit binary string (20 bytes), in network byte order. If the Fast-Reauth-Username is an empty string, this attribute is not present.

Fast-Reauth-Counter
    An attribute that contains the updated value of the fast re-authentication counter. During an update following a full authentication, this value is zero. Otherwise, the value is the number of fast re-authentications performed after the last full authentication. If the Fast-Reauth-Username is an empty string, this attribute is not present.

Fast-Reauth-Expiration-Time
    A Unix epoch date attribute that contains the UTC time at which this fast re-authentication information expires. If the fast re-authentication information in the database is invalidated instead of being updated, this attribute has no significance. If the Fast-Reauth-Username is an empty string, this attribute is not present.

Update AATV Outputs

The Update AATV must not return any attributes.

AATV Functionality and Return Events

The fast re-authentication update AATV updates its database with the fastre-authentication information available in the AUTHREQ_REPLY_QUEUE list of theauthreq. The Update AATV must not modify the AUTHREQ_REPLY_QUEUE list ofthe authreq. The result of the update can be either ACK or NAK. If the result of theupdate is NAK, the update has failed, which may affect a subsequent fastre-authentication. However, it does not affect the success or failure of the currentauthentication.

Fast Re-Authentication Database Lookup AATV

The fast re-authentication lookup AATV retrieves the information associated with the Fast-Reauth-Username attribute in the database. This AATV is invoked during a fast re-authentication only.

Lookup AATV Inputs

The input to the lookup AATV is a set of VSAs in the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-10 describes the Fast Re-Authentication Database Lookup AATV attributes.

Table 17-10 Vendor-Specific Attributes for Fast Re-Authentication Database Lookup AATV

Fast-Reauth-Username
    A string attribute that contains the user's fast reauth identity. This identity carries the Fast Reauth ID prefix, 3, but no realm. The length of the identity, including the prefix, is 10 characters.

Fast-Reauth-Realm
    A string attribute that contains the realm portion of the received fast reauth identity. This realm can be the Real-Realm or the configured Fast-Reauth-Realm. It can also be a realm that the NAS created to facilitate routing of the fast reauth request to the HP-UX AAA Server that performed the last full authentication. The realm is used for the database lookup and is otherwise used by the HP-UX AAA Server only to invoke EAP-SIM or EAP-AKA.

Lookup AATV Outputs

The AUTHREQ_REPLY_QUEUE list of the authreq is updated to additionally contain the full authentication details. Table 17-11 describes the Lookup AATV output attributes.

Table 17-11 Lookup AATV Output Attributes

Real-Username
    A string attribute that contains the user's real identity. This identity contains no prefix or realm. An IMSI can be up to 15 decimal digits. If the HP-UX AAA Server is configured to support non-IMSI real identities, the identity can be a non-IMSI real user name of up to 253 characters.

Real-Realm
    A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute of the user's last full authentication specified only a user name with no realm, the Real-Realm attribute contains an empty string value.

FullAuth-Master-Key
    A fixed-length binary string (octets) attribute that contains the Master Key (MK) from the last full authentication. The value is a 160-bit binary string (20 bytes), in network byte order.

Fast-Reauth-Counter
    An integer attribute that contains the value of the last fast re-authentication counter, that is, the number of fast re-authentications performed after the last full authentication.

Fast-Reauth-Expiration-Time
    A Unix epoch date attribute that contains the UTC time at which this fast re-authentication information expires. If the lookup AATV has already checked for an expired Fast-Reauth-Username, the attribute is not returned. If the attribute is returned, the HP-UX AAA Server checks whether the Fast-Reauth-Username has expired.


Lookup AATV Functionality and Return Events

The fast re-authentication lookup AATV attempts to retrieve the full authentication details of the Fast-Reauth-Username attribute from its database.

• If the information is available, the lookup AATV updates the AUTHREQ_REPLY_QUEUE list of the authreq with the output described above and returns a RETRIEVE_SUCCESS event.
• If the information is not available, a RETRIEVE_ERROR event is returned.
• The lookup AATV can check whether the fast re-authentication information has expired, based on the Fast-Reauth-Expiration-Time value. If it has expired, a RETRIEVE_ERROR event is returned and the cur_request list of the authreq is not updated. If the AATV does not check for an expired entry, the Fast-Reauth-Expiration-Time value is returned and the HP-UX AAA Server subsequently checks for the expiration.
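The following Python is an added example, not the SIMAKA-ReauthCacheUpdate and SIMAKA-ReauthCacheLookup code shipped with the server: an in-memory cache that implements the Update and Lookup AATV contracts described above (Tables 17-9 to 17-11), including invalidation on an empty Fast-Reauth-Username, the Maximum-Fast-Reauth-Cache-Size zero case, and expiry checked by the lookup so that Fast-Reauth-Expiration-Time is not returned. The REPLY queue is modelled as a dict and the clock is an injectable function; both are assumptions of the example.

```python
"""In-memory fast re-authentication cache implementing the Update and
Lookup AATV contracts. Added example; not HP code."""
import time

RETRIEVE_SUCCESS = "RETRIEVE_SUCCESS"
RETRIEVE_ERROR = "RETRIEVE_ERROR"
REAUTH_PREFIX = "3"             # fast re-authentication identity prefix
REAUTH_ID_LEN = 10              # prefix plus nine random characters
MK_LEN = 20                     # 160-bit Master Key


class ReauthCache:
    def __init__(self, max_size=500000, clock=time.time):
        # Maximum-Fast-Reauth-Cache-Size semantics: 0 keeps serving existing
        # entries but refuses new ones (phase-out after a HUP).
        self.max_size = max_size
        self.clock = clock
        self.by_reauth_id = {}  # Fast-Reauth-Username -> saved context
        self.by_real_id = {}    # (Real-Username, Real-Realm) -> Fast-Reauth-Username

    def _drop(self, reauth_id):
        rec = self.by_reauth_id.pop(reauth_id, None)
        if rec is not None:
            self.by_real_id.pop((rec["Real-Username"], rec["Real-Realm"]), None)

    def update(self, reply):
        """Update AATV: called after every authentication in a fast-reauth
        realm. Returns ACK or NAK and leaves the REPLY queue untouched."""
        real = (reply["Real-Username"], reply.get("Real-Realm", ""))
        new_id = reply.get("Fast-Reauth-Username", "")
        # A reauth identity is single-use: whatever this user held before is
        # gone, whether this auth succeeded, failed, or assigned nothing new.
        old_id = self.by_real_id.get(real)
        if old_id is not None:
            self._drop(old_id)
        if new_id == "":
            return "ACK"        # invalidation only
        if len(new_id) != REAUTH_ID_LEN or new_id[0] != REAUTH_PREFIX:
            return "NAK"        # not a server-generated reauth identity
        if len(reply.get("FullAuth-Master-Key", b"")) != MK_LEN:
            return "NAK"        # refuse to cache a malformed Master Key
        if len(self.by_reauth_id) >= self.max_size:
            return "NAK"        # table full, or size 0 during phase-out
        self.by_reauth_id[new_id] = {
            "Real-Username": real[0],
            "Real-Realm": real[1],
            "FullAuth-Master-Key": reply["FullAuth-Master-Key"],
            "Fast-Reauth-Counter": reply["Fast-Reauth-Counter"],
            "Fast-Reauth-Expiration-Time": reply["Fast-Reauth-Expiration-Time"],
        }
        self.by_real_id[real] = new_id
        return "ACK"

    def lookup(self, reply):
        """Lookup AATV: called only for a fast re-authentication. On success
        the saved full-auth details are added to the REPLY queue. Expiry is
        checked here, so Fast-Reauth-Expiration-Time is not returned."""
        reauth_id = reply["Fast-Reauth-Username"]
        rec = self.by_reauth_id.get(reauth_id)
        if rec is None:
            return RETRIEVE_ERROR
        if rec["Fast-Reauth-Expiration-Time"] <= self.clock():
            self._drop(reauth_id)   # purge so a stale identity cannot be replayed
            return RETRIEVE_ERROR
        for key in ("Real-Username", "Real-Realm",
                    "FullAuth-Master-Key", "Fast-Reauth-Counter"):
            reply[key] = rec[key]
        return RETRIEVE_SUCCESS
```

The update path deliberately drops the user's previous identity before deciding whether to store a new one: a failed authentication or a full table must never leave a reusable fast re-authentication identity behind.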

Pseudonym Identities

Pseudonym identity support is an optional EAP-SIM and EAP-AKA feature that provides identity protection by hiding the permanent identity on the second and all subsequent authentications. The HP-UX AAA Server can generate pseudonyms as an encrypted form of the permanent identity, which can subsequently be decrypted to reproduce the permanent identity. Alternatively, the server can generate pseudonyms as a string of random characters, similar to the fast re-authentication identity. In the latter case, an external database is required to store the pseudonym to permanent identity mappings. For many users, algorithm-based pseudonyms are the easiest and most efficient option. Random pseudonyms are required if the algorithm does not provide adequate protection of the permanent identity.

Random Pseudonyms

The server, while operating in an environment where a central database is used for saving the pseudonym to permanent identity mappings, can be configured to generate a pseudonym as a string of random characters. The server can also store the last used and last assigned pseudonyms in this central database. RFC 4186 (EAP-SIM) recommends saving at least two pseudonyms, the last used and the last assigned. For random pseudonyms to work, the realm configuration in the EAP-Type SIM{} block within the EAP.authfile file must specify the Pseudonym-Lookup and Pseudonym-Update parameters with an AATV that maps the pseudonym to the permanent identity and that stores the random pseudonym in the database. In this case no encryption algorithm is involved; the pseudonym resembles a fast re-authentication identity with a different prefix. The random pseudonym identity is 10 characters long, consisting of the pseudonym prefix 2, followed by nine random characters from the character set {BCDFGHJKLMNPQRSTVWXYZ0123456789}. The random pseudonym has the advantage that the permanent identity cannot be recovered from it by computation, only through the database. The cost is that a database to store and retrieve the pseudonym to permanent identity mapping is required.
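The identity format shared by fast re-authentication identities (see "Fast Re-Authentication" above) and random pseudonyms is simple enough to show in full. The following Python is an added example, not the server's own generator: it draws the nine random characters from the 31-character set with a cryptographic source, applies the Fast-Reauth-Realm rules (NULL, empty string, or a configured realm), enforces the 253-character NAI limit before a realm is appended, and offers a syntactic check a lookup AATV can apply before touching storage. The argument-based interface is an assumption of the example.

```python
"""Server-generated identities: prefix '3' (fast reauth) or '2' (random
pseudonym) plus nine characters from a 31-character set. Added example."""
import secrets

CHARSET = "BCDFGHJKLMNPQRSTVWXYZ0123456789"   # 21 upper-case consonants + 10 digits
FAST_REAUTH_PREFIX = "3"
PSEUDONYM_PREFIX = "2"
RANDOM_LEN = 9                                 # characters after the prefix
MAX_NAI_LEN = 253                              # User-Name attribute limit

assert len(CHARSET) == 31


def _random_name(prefix):
    # secrets.choice is a CSPRNG; random.choice would make identities guessable.
    return prefix + "".join(secrets.choice(CHARSET) for _ in range(RANDOM_LEN))


def identity_space():
    """Number of distinct identities per prefix: 31**9, over 26 trillion."""
    return len(CHARSET) ** RANDOM_LEN


def choose_realm(permanent_realm, configured_realm):
    """Fast-Reauth-Realm semantics from Table 17-7:
    None (NULL)  -> issue the identity with no realm,
    ""           -> reuse the permanent identity's realm,
    anything else -> use the configured realm."""
    if configured_realm is None:
        return None
    if configured_realm == "":
        return permanent_realm
    return configured_realm


def generate_identity(prefix, permanent_realm, configured_realm):
    """Return 'name' or 'name@realm', or None when the NAI would exceed 253
    octets; in that case the server issues no identity at all."""
    realm = choose_realm(permanent_realm, configured_realm)
    name = _random_name(prefix)
    if not realm:
        return name
    nai = name + "@" + realm
    if len(nai.encode("utf-8")) > MAX_NAI_LEN:
        return None
    return nai


def is_server_generated(name, prefix):
    """Cheap syntactic check: right length, right prefix, only charset members.
    Lets a lookup AATV reject junk without a database round trip."""
    return (len(name) == 1 + RANDOM_LEN and name[0] == prefix
            and all(ch in CHARSET for ch in name[1:]))


if __name__ == "__main__":
    print(generate_identity(FAST_REAUTH_PREFIX, "eapsim.com", ""))
    print(generate_identity(PSEUDONYM_PREFIX, "eapsim.com", None))
```

The 242-character realm bound in the text follows directly from the arithmetic in generate_identity: 10 characters of name plus the "@" leaves 242 for the realm.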

Algorithm-Based Pseudonyms

The HP-UX AAA Server generates a pseudonym by encrypting the real user name with an algorithm, and the SIMAKA-PseudonymDecrypt AATV decrypts a pseudonym to reproduce the real user name. Following are the features and benefits of the algorithmic approach as specified by Ericsson and submitted to the 3GPP TSG SA WG3 working group:

• No external database is required to store all the assigned pseudonyms.
• A pseudonym generated on one RADIUS server can be processed by a second RADIUS server.
• No user state is kept in the RADIUS server between WLAN sessions.
• Pseudonyms are not stored in the Home Subscriber Server (HSS) or Home Location Register (HLR).
• Any secret keys used in the RADIUS server for the generation of pseudonyms cannot be recovered even if a number of matching permanent identities and pseudonyms are available.
• For any given pseudonym or a number of correlated pseudonyms, it is impossible to recover the corresponding permanent identity.
• It is impossible to determine whether two pseudonyms correspond to the same permanent identity.
• It is impossible to generate a valid pseudonym irrespective of the underlying permanent identity, thereby avoiding random forgery.
• It is impossible to generate a valid pseudonym corresponding to a given permanent identity, thereby avoiding targeted forgery.

All of these properties depend on the Pseudonym-Algorithm-Key-n values remaining secret: anyone holding a key can decrypt every pseudonym generated with it, so the aaa.config file containing the keys must be protected like any other key store.

To use algorithm-based pseudonyms, the global configuration in the aatv.SIMAKA{} block must specify one or more Pseudonym-Algorithm-Key-n parameters. The key number specified in the Pseudonym-Algorithm-Current-Key field is used to encrypt new pseudonyms. The other keys are used for decryption of pseudonyms generated earlier with them, but not for generation of new pseudonyms. With algorithm-based pseudonyms, no lifetime is applied to the pseudonym. A lifetime can be approximated by defining a new key and making it current; after the desired lifetime, the old key can be removed, and the pseudonyms generated with it are then disabled.

While generating a pseudonym based on a permanent identity that is an IMSI, the server uses a minor modification of an algorithm developed by Ericsson and submitted to the 3GPP TSG SA WG3 working group. In this case, the pseudonym user name is 24 characters long.

While generating a pseudonym based on a permanent identity that is a generic user name, for example fred, the server uses an algorithm derived from the same Ericsson algorithm. In this case, the length of the pseudonym varies with the length of the permanent identity, as follows:

• 24 characters, if the permanent user name is 1-8 characters.
• 45 characters, if the permanent user name is 9-24 characters.
• 66 characters, if the permanent user name is 25-40 characters.
• 88 characters, if the permanent user name is 41-56 characters.
• 109 characters, if the permanent user name is 57-72 characters.
• 130 characters, if the permanent user name is 73-88 characters.
• 152 characters, if the permanent user name is 89-104 characters.
• 173 characters, if the permanent user name is 105-120 characters.
• 194 characters, if the permanent user name is 121-136 characters.
• 216 characters, if the permanent user name is 137-152 characters.
• 237 characters, if the permanent user name is 153-168 characters.

NOTE: The pseudonym is not generated if the permanent user name is greater than168 characters, as the pseudonym identity exceeds 253 characters.

The server generates a pseudonym identity only if the length of the pseudonym@realrealm string does not exceed 253 characters.

For a given IMSI permanent identity, 56 random bits are involved in the pseudonym generation, giving 2^56 (over 72 thousand trillion, about 7.2x10^16) different pseudonyms for a given IMSI. The probability of a random forgery involving a random IMSI is less than one in four million.

For a given non-IMSI permanent identity, 32 random bits are involved in the pseudonym generation, giving 2^32 (over 4 billion) different pseudonyms for a given user. The probability of a random forgery involving a generic user name is less than one in 50 million.

Configuring for Pseudonym Identity Support

To use pseudonym identity support, the realm configuration in the EAP-Type SIM{} or EAP-Type AKA{} block in EAP.authfile must specify the parameters described in Table 17-12.

Table 17-12 EAP.authfile Configuration Parameters

Pseudonym-Lookup
    Specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to map a pseudonym to the user's real identity. If this parameter is not configured, pseudonym support is disabled for the realm.
    The HP-UX AAA Server provides the SIMAKA-PseudonymDecrypt AATV for algorithm-based pseudonym identity support. The following conditions apply if this AATV is configured:
    • The server forces non-random pseudonym generation for this realm.
    • If no Pseudonym-Algorithm-Key-* parameters are defined in the aatv.SIMAKA{} block of the aaa.config file, pseudonym support is disabled.
    • If at least one of these keys is defined, and Pseudonym-Algorithm-Current-Key is not defined in the aatv.SIMAKA{} block of the aaa.config file, or does not refer to a defined key, generation of new pseudonyms is disabled, but existing pseudonyms can be looked up.
    There is no default value.

Pseudonym-Update
    Specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to update the mapping of a pseudonym to a user's real identity. Algorithm-based pseudonym support does not require a Pseudonym-Update AATV. There is no default value.

Pseudonym-Lifetime
    Specifies the lifetime of a generated random-character pseudonym. After the specified duration has elapsed from the time the pseudonym was first assigned, the pseudonym becomes invalid, independent of the number of times it was used. The valid range is 1 to 31,622,400 (1 second to 366 days). The default value is 1,209,600 seconds (14 days).

Generate-Random-Character-Pseudonyms
    Indicates whether the server generates pseudonyms by algorithm (No) or as random character strings (Yes). The valid values are Yes and No. The default value is No.


To use algorithm-based pseudonym identity support, the aatv.SIMAKA{} block in the aaa.config file must specify the parameters described in Table 17-13.

Table 17-13 The aaa.config Parameters for Algorithm-based Pseudonym Identity

Pseudonym-Algorithm-Key-n
  The HP-UX AAA Server can generate pseudonyms as an encrypted form of the permanent identity, which can be subsequently decrypted to reproduce the permanent identity. This set of parameters (n = 1 to 16) can be used to specify up to 16 encryption keys for encryption or decryption. The key value is a 128-bit binary string (16 bytes) entered as 0x followed by 16 two-digit hex values. The dots are optional and are used to improve readability. Pseudonym generation for a realm is disabled if no keys are defined and the generation of random-character pseudonyms is disabled, that is, the value of the Generate-Random-Character-Pseudonyms parameter is No. If not explicitly configured, there are no default values.

Pseudonym-Algorithm-Current-Key
  Specifies the Pseudonym-Algorithm-Key used to encrypt the permanent identity during the generation of a new pseudonym. The other keys are used for decryption of pseudonyms previously generated with those keys, but are not used for generation of new pseudonyms. The valid range is 1 to 16. If not explicitly configured, there is no default value.

Sample EAP.authfile Configuration for Random Pseudonym Identity Support

#################################################################
# Add the following in /etc/opt/aaa/EAP.authfile for EAP-SIM
#################################################################
eapsim.com -EAP EAP "comment"
{
  EAP-Type SIM
  {
    # Configure other realm-specific parameters, if required
    .
    .
    # Following are the mandatory parameters:
    Pseudonym-Lookup <pseudonym lookup aatv name> "<xstring if any>"
    Pseudonym-Update <pseudonym update aatv name> "<xstring if any>"
    Generate-Random-Character-Pseudonyms Yes

    # Following are the optional parameters:
    Pseudonym-Lifetime 604800
  }
}

#################################################################
# Add the following in /etc/opt/aaa/EAP.authfile for EAP-AKA
#################################################################
eapaka.com -EAP EAP "comment"
{
  EAP-Type AKA
  {
    # Configure other realm-specific parameters, if required
    .
    .
    # Following are the mandatory parameters:
    Pseudonym-Lookup <pseudonym lookup aatv name> "<xstring if any>"
    Pseudonym-Update <pseudonym update aatv name> "<xstring if any>"
    Generate-Random-Character-Pseudonyms Yes

    # Following are the optional parameters:
    Pseudonym-Lifetime 604800
  }
}

NOTE: No global configuration is required for random pseudonym identity support.

Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support

#################################################################
# Add the following in /etc/opt/aaa/EAP.authfile for EAP-SIM
#################################################################
eapsim.com -EAP EAP "comment"
{
  EAP-Type SIM
  {
    # Configure other realm-specific parameters, if required
    .
    .
    # Following are the mandatory parameters:
    Pseudonym-Lookup SIMAKA-PseudonymDecrypt ""
    Pseudonym-Update NULL ""
    Generate-Random-Character-Pseudonyms No

    # Following are the optional parameters:
    Pseudonym-Lifetime 604800
  }
}

#################################################################
# Add the following in /etc/opt/aaa/EAP.authfile for EAP-AKA
#################################################################
eapaka.com -EAP EAP "comment"
{
  EAP-Type AKA
  {
    # Configure other realm-specific parameters, if required
    .
    .
    # Following are the mandatory parameters:
    Pseudonym-Lookup SIMAKA-PseudonymDecrypt ""
    Pseudonym-Update NULL ""
    Generate-Random-Character-Pseudonyms No

    # Following are the optional parameters:
    Pseudonym-Lifetime 604800
  }
}

Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support

#################################################################
# Add the following in /etc/opt/aaa/aaa.config
#################################################################
aatv.SIMAKA
{
  # Configure other global parameters, if required
  .
  .
  # At least one Pseudonym-Algorithm-Key is mandatory
  Pseudonym-Algorithm-Key-1  0x00010203.04050607.08090a0b.0c0d0e0f
  Pseudonym-Algorithm-Key-11 0xa0a1a2a3.a4a5a6a7.a8a9aaab.acadaeaf
  Pseudonym-Algorithm-Key-16 0xf0f1f2f3.f4f5f6f7.f8f9fafb.fcfdfeff
  Pseudonym-Algorithm-Current-Key 11
}
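The following Go program is an added example, not code from the guide or from the HP-UX AAA Server, showing how a key ring configured like the aaa.config block above behaves: the 0x-with-optional-dots key syntax from Table 17-13 is parsed, the Current-Key encrypts new pseudonyms, any configured key can decrypt pseudonyms issued earlier, and a Current-Key that is missing or refers to an undefined key disables generation while lookup keeps working, as Table 17-12 describes. The pseudonym layout (a length-prefixed identity in one AES-128 block, hex-encoded behind the pseudonym prefix 2 and the key index), the printable-ASCII integrity check and the sample IMSI are this example's assumptions; the guide does not document the internal format used by the SIMAKA-PseudonymDecrypt AATV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// parseKey128 decodes the key syntax from Table 17-13: "0x" followed by 16
// two-digit hex values, with optional dots for readability.
func parseKey128(s string) ([]byte, error) {
	s = strings.TrimPrefix(strings.ToLower(s), "0x")
	b, err := hex.DecodeString(strings.ReplaceAll(s, ".", ""))
	if err != nil || len(b) != 16 {
		return nil, fmt.Errorf("key must be 128 bits of hex, got %q", s)
	}
	return b, nil
}

// KeyRing models the aatv.SIMAKA{} block: Pseudonym-Algorithm-Key-n for
// n = 1..16 and Pseudonym-Algorithm-Current-Key (0 = not configured).
type KeyRing struct {
	keys    map[int][]byte
	current int
}

// NewKeyRing parses the configured keys, rejecting bad indexes or values.
func NewKeyRing(keys map[int]string, current int) (*KeyRing, error) {
	r := &KeyRing{keys: map[int][]byte{}, current: current}
	for n, s := range keys {
		if n < 1 || n > 16 {
			return nil, fmt.Errorf("Pseudonym-Algorithm-Key-%d: index must be 1..16", n)
		}
		k, err := parseKey128(s)
		if err != nil {
			return nil, fmt.Errorf("Pseudonym-Algorithm-Key-%d: %v", n, err)
		}
		r.keys[n] = k
	}
	return r, nil
}

// CanGenerate applies the Table 17-12 rules: new pseudonyms are produced only
// when Current-Key names a defined key; lookup of existing ones works regardless.
func (r *KeyRing) CanGenerate() bool {
	_, ok := r.keys[r.current]
	return ok
}

// identityOK accepts 1..15 printable ASCII bytes (an IMSI is up to 15 digits).
// After decryption it doubles as an integrity check: a wrong key yields random
// bytes, which almost never pass. This check is this example's assumption.
func identityOK(b []byte) bool {
	if len(b) < 1 || len(b) > 15 {
		return false
	}
	for _, c := range b {
		if c < '!' || c > '~' {
			return false
		}
	}
	return true
}

// Generate encrypts a permanent identity into a pseudonym. Layout (this
// example's assumption, not HP's): one AES-128 block = length byte || identity
// || zero padding, encrypted under the current key; pseudonym = prefix "2" ||
// hex(key index || ciphertext). Output is deterministic, matching the guide's
// "non-random pseudonym generation" for this mode.
func (r *KeyRing) Generate(identity string) (string, error) {
	if !r.CanGenerate() {
		return "", errors.New("generation disabled: Current-Key missing or undefined")
	}
	if !identityOK([]byte(identity)) {
		return "", errors.New("identity must be 1..15 printable ASCII bytes")
	}
	block, _ := aes.NewCipher(r.keys[r.current]) // key length already validated
	var pt, ct [16]byte
	pt[0] = byte(len(identity))
	copy(pt[1:], identity)
	block.Encrypt(ct[:], pt[:])
	return "2" + hex.EncodeToString(append([]byte{byte(r.current)}, ct[:]...)), nil
}

// Lookup decrypts with whichever configured key the pseudonym names, so
// pseudonyms issued before a Current-Key rotation still resolve.
func (r *KeyRing) Lookup(pseudonym string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(pseudonym, "2"))
	if !strings.HasPrefix(pseudonym, "2") || err != nil || len(raw) != 17 {
		return "", errors.New("malformed pseudonym")
	}
	key, ok := r.keys[int(raw[0])]
	if !ok {
		return "", fmt.Errorf("pseudonym names undefined Pseudonym-Algorithm-Key-%d", raw[0])
	}
	block, _ := aes.NewCipher(key)
	var pt [16]byte
	block.Decrypt(pt[:], raw[1:])
	n := int(pt[0])
	if n > 15 || !identityOK(pt[1:1+n]) || bytes.Count(pt[1+n:], []byte{0}) != 15-n {
		return "", errors.New("no valid identity: wrong key or forged pseudonym")
	}
	return string(pt[1 : 1+n]), nil
}

func main() {
	ring, err := NewKeyRing(map[int]string{ // keys from the guide's sample aaa.config
		1:  "0x00010203.04050607.08090a0b.0c0d0e0f",
		11: "0xa0a1a2a3.a4a5a6a7.a8a9aaab.acadaeaf",
		16: "0xf0f1f2f3.f4f5f6f7.f8f9fafb.fcfdfeff",
	}, 11)
	if err != nil {
		panic(err)
	}
	p, _ := ring.Generate("310150123456789") // constructed sample IMSI
	id, _ := ring.Lookup(p)
	fmt.Println(p, "->", id)
}
```

Because the mapping is deterministic, the same permanent identity always yields the same pseudonym under a given Current-Key; that is the trade-off against random-character pseudonyms, which need a Pseudonym-Update AATV and a database but change on every assignment. Rotating Current-Key to a new index changes the pseudonyms issued from then on without breaking lookups of the old ones, as long as the old key stays in the block.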

Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs

This section describes the EAP-SIM and EAP-AKA requirements that the Pseudonym Database AATVs must meet in addition to the basic AATV requirements. For information on AATV writing, compiling, installing, and debugging, see Chapter 28 (page 446).

You can configure EAP-SIM and EAP-AKA to support pseudonyms. To perform a full authentication using a pseudonym, you must map an assigned pseudonym to the real identity. EAP-SIM and EAP-AKA can manage the pseudonym mapping internally. Alternatively, using customer-supplied plug-ins, they can store the mapping in an external database using SQL Access and retrieve it when required. In accordance with the RFCs, the HP-UX AAA Server must save at least two pseudonyms: the last one used by the peer and the last one assigned by the HP-UX AAA Server. If you save the attributes in an external database, the database record must include the following attributes:
• Real-Username
• Real-Realm
• Last-Used-Pseudonym-Username
• Last-Used-Pseudonym-Expiration-Time
• Last-Assigned-Pseudonym-Username
• Last-Assigned-Pseudonym-Expiration-Time

These attributes are described in Table 17-14 (page 264). The database can also include the authentication information and the reply items. The AATV that retrieves the mapping information must look for a match for the Last-Used-Pseudonym-Username attribute or the Last-Assigned-Pseudonym-Username attribute.

The AATV that retrieves the mapping information can check whether the matching field has expired. If the mapping retrieval AATV checks for expiration, the corresponding expiration time attribute need not be placed on the AUTHREQ_REPLY_QUEUE list of the authreq. If the mapping retrieval AATV is not configured to check for expiration, the expiration time attributes must be placed in the authreq. Consequently, the EAP-SIM or the EAP-AKA AATV, which handles the result of the lookup, checks for expiration.

If you write your own AATVs, which are necessary if an external database is employed, a set of input attributes in the AUTHREQ_REPLY_QUEUE list of the authreq can be used by the AATVs. Also, a set of returned attributes, which the lookup AATV adds to the AUTHREQ_REPLY_QUEUE list of the authreq to interface with the HP-UX AAA Server, can be used by the AATVs.

There are two AATVs involved in pseudonym handling. One AATV performs the lookup and the other performs the update. This section describes the following AATVs:
• “Pseudonym Database Update AATV” (page 264)
• “Pseudonym Database Lookup AATV” (page 265)


Pseudonym Database Update AATV

As a result of a full authentication, the database may require a new record for the pseudonym information. If the database includes an existing set of pseudonym information, the information needs to be updated or made invalid each time the HP-UX AAA Server assigns a new pseudonym.

Update AATV Inputs

The input to the Update AATV is the set of Vendor-Specific Attributes (VSAs) on the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-14 describes the Pseudonym Database Update AATV attributes.

Table 17-14 Vendor-Specific Attributes for Pseudonym Database Update AATV

Real-Username
  A string attribute that contains the user's real identity. This identity contains neither a prefix nor a realm. The identity can be an IMSI constituting up to 15 decimal digits. If the HP-UX AAA Server is configured to support non-IMSI real identities, the identity can be a non-IMSI real username constituting up to 253 characters.

Real-Realm
  A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute contains only a username, but no realm, the Real-Realm attribute contains an empty string value.

Last-Assigned-Pseudonym-Username
  A string attribute that contains the value sent by the HP-UX AAA Server during the current authentication. This value is also the value of the next pseudonym. This username contains a pseudonym prefix, 2. However, no realm is associated with it. The length of the identity, including the prefix, can be up to 253 characters. If no new pseudonym is assigned, the update AATV is not called.

Last-Assigned-Pseudonym-Expiration-Time
  A Unix epoch date attribute that contains the UTC time at which Last-Assigned-Pseudonym-Username expires. This attribute is present only if the Last-Assigned-Pseudonym-Username attribute is present.

Last-Used-Pseudonym-Username
  If the peer authenticated using a pseudonym, the Last-Used-Pseudonym-Username attribute contains the pseudonym value of the current authentication. This identity contains a pseudonym prefix, 2. However, no realm is associated with it. The length of the identity can be up to 253 characters. Otherwise, this attribute is not present.

Last-Used-Pseudonym-Expiration-Time
  A Unix epoch date attribute that contains the UTC time at which Last-Used-Pseudonym-Username expires. This attribute is present only if the Last-Used-Pseudonym-Username attribute is present and the database which maps the pseudonym to the Real-Username attribute returns a Pseudonym-Expiration-Time VSA.

Update AATV Outputs

None of the attributes are returned by Update AATV.

AATV Functionality and Return Events

The pseudonym update AATV updates its database with the pseudonym information available in the AUTHREQ_REPLY_QUEUE list of the authreq. The Update AATV must not modify the AUTHREQ_REPLY_QUEUE list of the authreq. The result of the update can be either ACK or NAK. The AATV returns ACK if the database is updated successfully. If the result of the update is NAK, the update has failed. However, it does not affect the outcome of the current authentication.

NOTE: If the Pseudonym-Expiration-Time is not present as a result of the Lookup AATV handling the expiration check, the Last-Used-Pseudonym-Expiration-Time of the database may need to be updated with the Last-Assigned-Pseudonym-Expiration-Time value by the Lookup AATV. For more information on Pseudonym-Expiration-Time, see Table 17-16 (page 266).

Pseudonym Database Lookup AATV

The Pseudonym Database Lookup AATV retrieves the information associated with the Pseudonym-Username attribute from the database.

Lookup AATV Inputs

The input to the Lookup AATV is a set of Vendor-Specific Attributes (VSA) in theAUTHREQ_REPLY_QUEUE list of the authreq. Table 17-15 describes the attributes.

Table 17-15 Vendor-Specific Attributes for Pseudonym Database Lookup AATV

Pseudonym-Username
  A string attribute that contains the pseudonym value to be found in the database. The identity contains a pseudonym prefix, 2. However, no realm is associated with it. The length of the identity can be up to 253 characters.

Real-Realm
  A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute contains only a username, but no realm, the Real-Realm attribute contains an empty string value.

Number-of-Triplets-Requested
  An integer attribute that contains the number of requested triplets, that is, RAND, Kc, and SRES. In accordance with RFC 4186, the number of triplets required for authentication is two or three. The number of triplets required for authentication is present to enable the lookup AATV to generate GSM Triplets, if required.

A3-Algorithm
  A string attribute that contains the name of the A3 algorithm to be used in the GSM Triplet generation. The value is case-sensitive. This attribute is present only if the realm is configured with a default A3 algorithm. The attribute is present to enable the lookup AATV to generate GSM Triplets, if required.

A8-Algorithm
  A string attribute that contains the name of the A8 algorithm to be used in the GSM Triplet generation. The value is case-sensitive. This attribute is present only if the realm is configured with a default A8 algorithm. The attribute is present to enable the lookup AATV to generate GSM Triplets, if required.

Lookup AATV Outputs

The AUTHREQ_REPLY_QUEUE list of the authreq is updated to additionally containthe following attributes, as described in Table 17-16.

Table 17-16 Lookup AATV Output Attributes

Real-Username
  A string attribute that contains the user's real identity. The identity contains neither a prefix nor a realm. The identity can be an IMSI constituting up to 15 decimal digits. If the realm is configured to support non-IMSI real identities, the identity can be a non-IMSI real username constituting up to 253 characters.

Pseudonym-Expiration-Time
  A Unix epoch date attribute that contains the UTC time at which the looked-up pseudonym expires. This attribute is optional if the lookup AATV has already checked for an expired Pseudonym-Username. If it is returned, the HP-UX AAA Server checks whether the Pseudonym-Username has expired. The lookup AATV may return this attribute even if the expiration check is performed. If this attribute is present, the Pseudonym Update AATV is called with the Last-Used-Pseudonym-Expiration-Time present, along with the Pseudonym-Expiration-Time value. If this attribute is not returned, the Last-Used-Pseudonym-Expiration-Time in the database must be updated by the Lookup AATV.

The Lookup AATV for EAP-SIM can also return credentials and other reply items while retrieving the user's Real-Username. Consequently, the AUTHREQ_REPLY_QUEUE list of the authreq is updated to contain additional attributes. Table 17-17 describes the Lookup AATV Attributes for EAP-SIM.


Table 17-17 Lookup AATV Attributes for EAP-SIM

GSM-Triplet(s)
  A fixed-length binary string (octets) attribute that can occur twice or thrice, and can contain an EAP-SIM authentication vector. The parameter value is a 224-bit binary string (28 bytes). The value constitutes the following:
  • RAND = The first 128 bits (16 bytes) of the value.
  • Kc = The next 64 bits (8 bytes) of the value.
  • SRES = The last 32 bits (4 bytes) of the value.

OR

Subscriber-Key
  A fixed-length binary string (octets) attribute that contains the 128-bit value of the Subscriber Key (Ki) used to authenticate the user.

A3-Algorithm
  An optional string attribute that contains the name of the A3 algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive.

A8-Algorithm
  An optional string attribute that contains the name of the A8 algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive.

AND

Other reply attributes
  Optional reply items, such as Session-Timeout and Idle-Timeout.

The Lookup AATV for EAP-AKA can also return credentials and other reply items while retrieving the user's Real-Username. Consequently, the AUTHREQ_REPLY_QUEUE list of the authreq is updated to contain additional attributes. Table 17-18 describes the Lookup AATV Attributes for EAP-AKA.

Table 17-18 Lookup AATV Attributes for EAP-AKA

AKA-Vector
  A fixed-length binary string (octets) attribute that can occur only once, and contains an EAP-AKA authentication vector. The value is a 576-bit binary string (72 bytes). The value constitutes the following:
  • RAND = The first 128 bits (16 bytes) of the value.
  • XRES = The next 64 bits (8 bytes) of the value.
  • CK = The next 128 bits (16 bytes) of the value.
  • IK = The next 128 bits (16 bytes) of the value.
  • AUTN = The last 128 bits (16 bytes) of the value.

OR

Subscriber-Key
  A fixed-length binary string (octets) attribute that contains the 128-bit value of the Subscriber Key (Ki) used to authenticate the user.

AKA-Algorithm
  An optional string attribute that contains the name of the AKA algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive.

AKA-Sequence-Number
  A fixed-length binary string (octets) attribute that contains the 48-bit sequence number, which is used to authenticate the user.

AKA-Mode
  An optional fixed-length binary string (octets) attribute that contains a 16-bit value. The value indicates whether the AKA-Sequence-Number is used for a Circuit Switched or Packet Switched authentication. This attribute is optional if a default value is configured for the realm.

AND

Other reply attributes
  Optional reply items, such as Session-Timeout and Idle-Timeout.
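The following Go code is an added example, not code from the guide or the HP-UX AAA Server, that decodes the two fixed-layout attributes described in Tables 17-17 and 17-18: the GSM-Triplet(s) value, split into exactly Number-of-Triplets-Requested 28-byte triplets (RFC 4186 allows two or three, as Table 17-15 notes), and the 72-byte AKA-Vector. The strict length checks are the point: a lookup AATV that hands the server a truncated or overlong vector fails in ways that are hard to diagnose from the protocol side. The sample bytes are constructed and carry no real keying material.

```go
package main

import (
	"bytes"
	"fmt"
)

// GSMTriplet is one EAP-SIM authentication vector laid out as in Table 17-17:
// 28 bytes = RAND (16) || Kc (8) || SRES (4).
type GSMTriplet struct {
	RAND [16]byte
	Kc   [8]byte
	SRES [4]byte
}

// AKAVector is the EAP-AKA vector from Table 17-18:
// 72 bytes = RAND (16) || XRES (8) || CK (16) || IK (16) || AUTN (16).
type AKAVector struct {
	RAND [16]byte
	XRES [8]byte
	CK   [16]byte
	IK   [16]byte
	AUTN [16]byte
}

const gsmTripletLen = 28
const akaVectorLen = 72

// ParseGSMTriplets splits a concatenated GSM-Triplet(s) value into exactly
// `requested` triplets. The count must be 2 or 3 and the length must be a
// whole number of triplets; anything else is rejected, never truncated.
func ParseGSMTriplets(b []byte, requested int) ([]GSMTriplet, error) {
	if requested < 2 || requested > 3 {
		return nil, fmt.Errorf("Number-of-Triplets-Requested must be 2 or 3, got %d", requested)
	}
	if len(b) != requested*gsmTripletLen {
		return nil, fmt.Errorf("GSM-Triplet(s): want %d bytes, got %d", requested*gsmTripletLen, len(b))
	}
	out := make([]GSMTriplet, requested)
	for i := range out {
		t := b[i*gsmTripletLen : (i+1)*gsmTripletLen]
		copy(out[i].RAND[:], t[0:16])
		copy(out[i].Kc[:], t[16:24])
		copy(out[i].SRES[:], t[24:28])
	}
	return out, nil
}

// ParseAKAVector decodes the single 72-byte AKA-Vector attribute.
func ParseAKAVector(b []byte) (AKAVector, error) {
	var v AKAVector
	if len(b) != akaVectorLen {
		return v, fmt.Errorf("AKA-Vector: want %d bytes, got %d", akaVectorLen, len(b))
	}
	copy(v.RAND[:], b[0:16])
	copy(v.XRES[:], b[16:24])
	copy(v.CK[:], b[24:40])
	copy(v.IK[:], b[40:56])
	copy(v.AUTN[:], b[56:72])
	return v, nil
}

// SampleTriplets builds n constructed triplets (not real GSM output) whose
// bytes identify the field (0x1_ RAND, 0x2_ Kc, 0x3_ SRES) and triplet index.
func SampleTriplets(n int) []byte {
	var raw []byte
	for i := 0; i < n; i++ {
		raw = append(raw, bytes.Repeat([]byte{byte(0x10 + i)}, 16)...)
		raw = append(raw, bytes.Repeat([]byte{byte(0x20 + i)}, 8)...)
		raw = append(raw, bytes.Repeat([]byte{byte(0x30 + i)}, 4)...)
	}
	return raw
}

func main() {
	ts, err := ParseGSMTriplets(SampleTriplets(2), 2)
	fmt.Printf("triplets=%d err=%v Kc[1]=%x\n", len(ts), err, ts[1].Kc)
	_, err = ParseGSMTriplets(SampleTriplets(2), 3) // count/length mismatch
	fmt.Println("mismatch:", err)
}
```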

Lookup AATV Functionality and Return Events

The Pseudonym Lookup AATV attempts to retrieve the Real-Username from its database.
• If the information is found, the Lookup AATV updates the cur_request list of the authreq with the specified output, and a RETRIEVE_SUCCESS message is returned.
• If the information is not available, a RETRIEVE_ERROR message is returned.
• The Lookup AATV can check if the Pseudonym-Username has expired based on the Pseudonym-Expiration-Time. If the Pseudonym-Username has expired, a RETRIEVE_ERROR message is returned, and the cur_request list of the authreq is not updated. If the AATV does not check for an expired entry, the Pseudonym-Expiration-Time is returned. Subsequently, the HP-UX AAA Server checks for the expiration. The Pseudonym-Expiration-Time values represent the following:
  — Last-Used-Pseudonym-Expiration-Time, if the Pseudonym-Username matches the Last-Used-Pseudonym-Username
  — Last-Assigned-Pseudonym-Expiration-Time, if the Pseudonym-Username matches the Last-Assigned-Pseudonym-Username
• A successful mapping can also return user credentials and general reply-items. If the user credentials are returned, these credentials are appended to the cur_request list of the authreq, as specified.
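As an added example (not the guide's own code), the following Go program models the database record and the lookup and update decisions described in this section: Pseudonym-Username is matched against Last-Used-Pseudonym-Username or Last-Assigned-Pseudonym-Username, expiry is either enforced in the AATV or handed back as Pseudonym-Expiration-Time for the server to check, and after a full authentication the pseudonym the peer used moves into the Last-Used slot while the new one becomes Last-Assigned. The in-memory slice standing in for the external database, the function signatures and the sample record values are this example's assumptions.

```go
package main

import "fmt"

// PseudonymRecord holds the six attributes the guide requires in an external
// pseudonym database. Expiration times are Unix epoch seconds (UTC); 0 = absent.
type PseudonymRecord struct {
	RealUsername           string
	RealRealm              string
	LastUsedPseudonym      string
	LastUsedExpiration     int64
	LastAssignedPseudonym  string
	LastAssignedExpiration int64
}

// LookupResult is what the lookup AATV returns: the event plus the attributes
// it would add to the AUTHREQ_REPLY_QUEUE list of the authreq.
type LookupResult struct {
	Event          string // RETRIEVE_SUCCESS or RETRIEVE_ERROR
	RealUsername   string
	RealRealm      string
	ExpirationTime int64 // Pseudonym-Expiration-Time; 0 when not returned
}

// DefaultPseudonymLifetime is the Pseudonym-Lifetime default (14 days).
const DefaultPseudonymLifetime int64 = 1209600

// Lookup matches Pseudonym-Username against Last-Used-Pseudonym-Username or
// Last-Assigned-Pseudonym-Username. With checkExpiry the AATV enforces expiry
// itself and omits Pseudonym-Expiration-Time; otherwise it returns the matching
// expiration time and the EAP-SIM/EAP-AKA AATV performs the check.
func Lookup(db []PseudonymRecord, pseudonym string, now int64, checkExpiry bool) LookupResult {
	fail := LookupResult{Event: "RETRIEVE_ERROR"}
	if len(pseudonym) < 2 || pseudonym[0] != '2' {
		return fail // not a pseudonym identity: prefix 2 missing
	}
	for _, rec := range db {
		var exp int64
		switch pseudonym {
		case rec.LastUsedPseudonym:
			exp = rec.LastUsedExpiration
		case rec.LastAssignedPseudonym:
			exp = rec.LastAssignedExpiration
		default:
			continue
		}
		if checkExpiry && exp != 0 && now >= exp {
			return fail // expired: cur_request is left untouched
		}
		res := LookupResult{Event: "RETRIEVE_SUCCESS", RealUsername: rec.RealUsername, RealRealm: rec.RealRealm}
		if !checkExpiry {
			res.ExpirationTime = exp // let the server decide
		}
		return res
	}
	return fail
}

// Update models the update AATV after a full authentication that assigned
// newPseudonym. The pseudonym the peer presented moves into the Last-Used slot
// (keeping the expiration it was issued with) and the new pseudonym becomes
// Last-Assigned, so the two most recent pseudonyms stay resolvable, as the RFCs
// require. Returns ACK, or NAK when no record exists for the real identity.
func Update(db []PseudonymRecord, realUsername, usedPseudonym, newPseudonym string, now, lifetime int64) string {
	for i := range db {
		rec := &db[i]
		if rec.RealUsername != realUsername {
			continue
		}
		if usedPseudonym != "" && usedPseudonym == rec.LastAssignedPseudonym {
			rec.LastUsedPseudonym = usedPseudonym
			rec.LastUsedExpiration = rec.LastAssignedExpiration
		}
		rec.LastAssignedPseudonym = newPseudonym
		rec.LastAssignedExpiration = now + lifetime
		return "ACK"
	}
	return "NAK"
}

func main() {
	// Constructed sample record; all values are illustrative.
	db := []PseudonymRecord{{
		RealUsername: "310150000000001", RealRealm: "eapsim.com",
		LastUsedPseudonym: "2older", LastUsedExpiration: 1700000000,
		LastAssignedPseudonym: "2newer", LastAssignedExpiration: 1701209600,
	}}
	fmt.Printf("%+v\n", Lookup(db, "2newer", 1700500000, true))
	fmt.Println(Update(db, "310150000000001", "2newer", "2newest", 1700500000, DefaultPseudonymLifetime))
	fmt.Printf("%+v\n", db[0])
}
```

The two modes of Lookup correspond to the two deployment choices the guide gives: an AATV that checks expiry can drop the expiration attributes from the authreq, while one that does not must return them so that the EAP-SIM or EAP-AKA AATV can refuse an expired pseudonym itself. Either way an expired or unknown pseudonym yields RETRIEVE_ERROR without touching cur_request, which forces the peer back to a full authentication with its permanent identity.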

Generating Authentication Vectors Using A3, A8, and AKA Algorithms

If authentication vectors are not retrieved from a datastore or supplied by an external AuC, they must be generated using the A3 and A8 algorithms for EAP-SIM or the AKA algorithm for EAP-AKA.


GSM A3 and A8 algorithms are used in EAP-SIM. GSM-03.20 specifies the general GSM authentication procedure and the external interface of the A3 and A8 algorithms. The operation of these functions is specific to each network operator. Therefore, the functions are not generalized, but are specified by each operator. The GSM-MILENAGE algorithm, specified publicly in 3GPP-TS-55.205, is an example algorithm set for the A3 and A8 algorithms. The AKA algorithm can also use the GSM functions that are used to implement the A3 and A8 algorithms.

The A3, A8, and AKA algorithm plug-ins are located in the /opt/aaa/aatv directory by default. The server can use multiple A3/A8/AKA algorithms. You can specify these algorithms in the aaa.config global configuration file, in realm-based configurations, or in a user's profile. For information on how to modify the examples or create your own A3, A8, or AKA algorithm plug-ins, see “Creating Plug-ins for AATVs” (page 454).

3GPP Milenage A3, A8, and AKA Algorithm

An implementation of the 3GPP Milenage A3 and A8 algorithm functions for EAP-SIM authentication and of the AKA algorithm for EAP-AKA is included in the server. The 3GPP Milenage A3, A8, and AKA algorithm plug-in module includes configuration parameters that allow it to be customized for a specific operator. The A3, A8, and AKA algorithm names in this plug-in are 3GPP-Milenage.

For more information on the 3GPP Milenage f1, f1*, f2, f3, f4, f5, and f5* algorithms, see the following 3GPP documents:
• 3GPP TS 35.205 v6.0.0 - General Information
• 3GPP TS 35.206 v6.0.0 - Algorithm Specification
• 3GPP TS 35.207 v6.0.0 - Implementors' Test Data
• 3GPP TS 35.208 v6.0.0 - Design Conformance Test Data
• 3GPP TS 35.909 v6.0.0 - Summary and results of design and evaluation
• 3GPP TS 55.205 v6.2.0 - Authentication and Key Generation functions for A3 and A8

The 3GPP Milenage A3/A8/AKA algorithms are based on the following 3GPP Milenage functions: f1(), f1*(), f2(), f3(), f4(), f5(), f5*(). A total of 12 parameters are required to fully specify the function set. Table 17-19 lists the 3GPP Milenage parameters.

Table 17-19 3GPP Milenage Parameters

Ek
  128-bit kernel function

OP
  128-bit operator-specific value

C1-C5
  128-bit values used to compute f1, f1*, f2, f3, f4, f5, f5*

R1-R5
  Integer rotation constants used to compute f1, f1*, f2, f3, f4, f5, f5*

The Ek kernel function specified by 3GPP Milenage is 128-bit AES (Rijndael). The 3GPP Milenage A3 algorithm has two variants, corresponding to recommended SRES derivation function #1 and recommended SRES derivation function #2. The A3 function is affected by the choice, while the A8 function is unaffected. The selection of A3 variant #1 or #2 constitutes another parameter, A3-Variant. The AKA algorithm is unaffected by this parameter. The selection of parameter values must match the characteristics of the client devices to be authenticated. Table 17-20 lists the configuration parameters available in the aatv.3GPP-Milenage{} block in the aaa.config file.

Table 17-20 Configuration Parameters of aatv.3GPP-Milenage{} Block

OP
  128-bit operator-specific constant. The OP value must be specified by each operator. Milenage specifies no default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000000. Use of this value generates a warning message in the logfile.

C1
  128-bit computation constant. C1 must have even parity. Use of a value with odd parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000000.

C2
  128-bit computation constant. C2 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000001.

C3
  128-bit computation constant. C3 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000002.

C4
  128-bit computation constant. C4 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000004.

C5
  128-bit computation constant. C5 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000008.

R1
  Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 64.

R2
  Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 0.

R3
  Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 32.

R4
  Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 64.

R5
  Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 96.

A3-Variant
  Plug-in module parameter that selects Milenage variant #1 or #2. A3-Variant must be 1 or 2. For information on whether an alternative SRES derivation function is required, see “Creating Plug-ins for AATVs” (page 454). The AKA algorithm is unaffected by this parameter. If not explicitly configured, the default value is 1.


NOTE: The (Ci, Ri) pairs must be unique. The condition Ci=Cj and Ri=Rj for i≠j is not allowed. For instance, C2=C4 and R2=R4 is not allowed.

The following is an example of the aatv.3GPP-Milenage block in the aaa.config file:

aatv.3GPP-Milenage
{
  # OP 128-bit operator-specific constant ==> CONFIGURATION RECOMMENDED.
  OP 0x00000000.00000000.00000000.00000000

  # C1 128-bit computation constant ==> CONFIGURATION OPTIONAL.
  C1 0x00000000.00000000.00000000.00000000

  # C2 128-bit computation constant ==> CONFIGURATION OPTIONAL.
  C2 0x00000000.00000000.00000000.00000001

  # C3 128-bit computation constant ==> CONFIGURATION OPTIONAL.
  C3 0x00000000.00000000.00000000.00000002

  # C4 128-bit computation constant ==> CONFIGURATION OPTIONAL.
  C4 0x00000000.00000000.00000000.00000004

  # C5 128-bit computation constant ==> CONFIGURATION OPTIONAL.
  C5 0x00000000.00000000.00000000.00000008

  # R1 rotation constant ==> CONFIGURATION OPTIONAL.
  R1 64

  # R2 rotation constant ==> CONFIGURATION OPTIONAL.
  R2 0

  # R3 rotation constant ==> CONFIGURATION OPTIONAL.
  R3 32

  # R4 rotation constant ==> CONFIGURATION OPTIONAL.
  R4 64

  # R5 rotation constant ==> CONFIGURATION OPTIONAL.
  R5 96

  # A3-Variant algorithm variant ==> CONFIGURATION OPTIONAL.
  A3-Variant 1
}
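The following Go program is an added example, not part of the guide or of the 3GPP-Milenage plug-in, that checks an aatv.3GPP-Milenage{} configuration such as the block above against the constraints stated in Table 17-20 and the preceding note: parity of C1 (even) and C2 through C5 (odd), the 0 to 127 range of R1 through R5, the permitted A3-Variant values, uniqueness of the (Ci, Ri) pairs, and a warning when OP is left at the all-zero default. Parity and OP problems are reported as warnings because the guide says the server logs them; range, variant and duplicate-pair problems are reported as errors. The struct layout and the non-zero OP value used in the test are this example's assumptions.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// MilenageConfig mirrors the aatv.3GPP-Milenage{} block: OP and C1..C5 in the
// 0x-with-optional-dots syntax, R1..R5 and A3-Variant as integers.
type MilenageConfig struct {
	OP        string
	C         [5]string
	R         [5]int
	A3Variant int
}

// DefaultMilenageConfig holds the defaults listed in Table 17-20.
var DefaultMilenageConfig = MilenageConfig{
	OP: "0x00000000.00000000.00000000.00000000",
	C: [5]string{
		"0x00000000.00000000.00000000.00000000",
		"0x00000000.00000000.00000000.00000001",
		"0x00000000.00000000.00000000.00000002",
		"0x00000000.00000000.00000000.00000004",
		"0x00000000.00000000.00000000.00000008",
	},
	R:         [5]int{64, 0, 32, 64, 96},
	A3Variant: 1,
}

// parse128 decodes a 128-bit constant written as 0x plus 32 hex digits with optional dots.
func parse128(s string) ([]byte, error) {
	s = strings.TrimPrefix(strings.ToLower(s), "0x")
	b, err := hex.DecodeString(strings.ReplaceAll(s, ".", ""))
	if err != nil || len(b) != 16 {
		return nil, fmt.Errorf("%q is not a 128-bit hex value", s)
	}
	return b, nil
}

// evenParity reports whether the value has an even number of 1 bits.
func evenParity(b []byte) bool {
	n := 0
	for _, x := range b {
		n += bits.OnesCount8(x)
	}
	return n%2 == 0
}

func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// Validate returns warnings (conditions the server would log) and errors
// (conditions a deployment should refuse to start with).
func Validate(cfg MilenageConfig) (warnings, errs []string) {
	if op, err := parse128(cfg.OP); err != nil {
		errs = append(errs, "OP: "+err.Error())
	} else if allZero(op) {
		warnings = append(warnings, "OP is all zero; configure the operator-specific value")
	}
	type pair struct {
		c string
		r int
	}
	seen := map[pair]int{} // (Ci, Ri) -> i, to detect the forbidden duplicates
	for i := 0; i < 5; i++ {
		name := fmt.Sprintf("C%d", i+1)
		c, err := parse128(cfg.C[i])
		if err != nil {
			errs = append(errs, name+": "+err.Error())
			continue
		}
		wantEven := i == 0 // C1 even, C2..C5 odd
		if evenParity(c) != wantEven {
			parity := "odd"
			if wantEven {
				parity = "even"
			}
			warnings = append(warnings, fmt.Sprintf("%s must have %s parity", name, parity))
		}
		if cfg.R[i] < 0 || cfg.R[i] > 127 {
			errs = append(errs, fmt.Sprintf("R%d=%d is outside 0..127", i+1, cfg.R[i]))
		}
		p := pair{hex.EncodeToString(c), cfg.R[i]}
		if j, dup := seen[p]; dup {
			errs = append(errs, fmt.Sprintf("C%d=C%d and R%d=R%d: (Ci, Ri) pairs must be unique", j, i+1, j, i+1))
		}
		seen[p] = i + 1
	}
	if cfg.A3Variant != 1 && cfg.A3Variant != 2 {
		errs = append(errs, fmt.Sprintf("A3-Variant=%d must be 1 or 2", cfg.A3Variant))
	}
	return warnings, errs
}

func main() {
	w, e := Validate(DefaultMilenageConfig)
	fmt.Println("warnings:", w)
	fmt.Println("errors:", e)
}
```

Run against the defaults, the only finding is the OP warning, which matches the guide's statement that the all-zero OP is accepted but logged; an operator value is what actually separates one network's Milenage instance from another's.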


18 Configuring HP-UX AAA Server for Scalability and High-Availability

This chapter describes how to configure the HP-UX AAA Server for scalability and high-availability. Starting with the HP-UX AAA Server A.08.01 release, HP-UX AAA Server supports configuring for scalability and high-availability. This chapter discusses the following topics:
• “Overview” (page 273)
• “Scalability and High-Availability Concepts” (page 274)
• “HP-UX AAA Server Deployment for Scalability and High-Availability” (page 274)
• “Managing Multiple HP-UX AAA Servers For Scalability and High-Availability” (page 276)
• “Disaster Recovery of the HP-UX AAA Server Manager” (page 289)

Overview

The HP-UX AAA Server is scalable and highly available to meet the current and future requirements of organizations. Scalability is achieved by supporting multiple HP-UX AAA Servers on the same host, and high availability is achieved by supporting cloned HP-UX AAA Servers on the same or different hosts.

In the case of a single HP-UX AAA Server, scaling up system resources may not be sufficient to accommodate the scalability requirements of the organization. HP-UX AAA Server supports running multiple HP-UX AAA Servers on a single host, ensuring optimum utilization of system resources and addressing the organizational scalability requirements. Organizations can deploy load balancers to distribute load across the HP-UX AAA Servers. This ensures scalability and enhances performance of the solution. In the event of downtime due to HP-UX AAA Server failure or maintenance, client requests can be processed by other HP-UX AAA Servers that are running on the host. This ensures high availability of the solution on a single host.

Although multiple HP-UX AAA Servers on a single host provide scalability, high availability, and enhanced performance, if the host crashes, all the HP-UX AAA Servers on the host fail and the AAA services are not available to the clients. Therefore, it is advantageous to clone the HP-UX AAA Servers on one or more hosts. If the primary HP-UX AAA Server fails, the cloned HP-UX AAA Servers serve as backup, thus providing a highly available solution. Organizations can deploy load balancers to distribute load across the HP-UX AAA Servers on a single host or on multiple hosts. This ensures a highly available AAA solution.

The HP-UX AAA Server supports disaster recovery of the HP-UX AAA Server Manager, which is used for configuration and administration. If the host running the HP-UX AAA Server Manager crashes, a set of configuration files needs to be restored, and the HP-UX AAA Server Manager can be started on the same or a different host.


Scalability and High-Availability Concepts
This section describes the Scalability and High-Availability concepts. It discusses the following topics:
• “Grouping HP-UX AAA Servers” (page 274)
• “HP-UX AAA Server Attributes” (page 274)

Grouping HP-UX AAA Servers
To manage multiple HP-UX AAA Servers on a single host or on multiple hosts with ease, the HP-UX AAA Server Manager supports configuring and administering groups of HP-UX AAA Servers. Using this functionality, you can logically group related HP-UX AAA Servers that are used for similar purposes and are present on a single host or on multiple hosts. Each group is associated with a group name, and each HP-UX AAA Server within a group is associated with a server name.

Typically, groups contain cloned HP-UX AAA Servers or administration-related HP-UX AAA Servers, although this is not a restriction. In a group with cloned HP-UX AAA Servers, each HP-UX AAA Server is a clone of the primary HP-UX AAA Server in the group. Groups with cloned HP-UX AAA Servers are created while deploying a scalable and highly available solution. In a group with administration-related servers, each HP-UX AAA Server performs functions such as authentication, accounting, and dynamic authorization. Therefore, administration tasks such as starting, stopping, and reloading the HP-UX AAA Servers in a group can be done with ease.

NOTE: At a given time, you can administer servers belonging to only a single group using the HP-UX AAA Server Manager.

HP-UX AAA Server Attributes
The HP-UX AAA Servers running on a host are independent of each other. Each server is identified by a server name and by the IP address or the name of the host on which the server is running. Each server must be assigned a set of server attributes, such as Listen IP Address, Authentication Port Number, Accounting Port Number, Dynamic Authorization Port Number, Configuration Directory Path, and Log File Directory Path. Every combination of the Listen IP Address and any of the port numbers (Authentication, Accounting, and Dynamic Authorization) must be unique across all the servers managed by the HP-UX AAA Server Manager.

HP-UX AAA Server Deployment for Scalability and High-Availability
Figure 18-1 illustrates multiple HP-UX AAA Servers on a host (Host 1) for greater scalability and clones of servers on the same and different hosts (Host 2 and Host 3) for high availability.


Figure 18-1 HP-UX AAA Server Deployment for Scalability and High-Availability

In Figure 18-1, the HP-UX AAA Server Manager manages multiple HP-UX AAA Servers on three remote hosts (Host 1, Host 2, and Host 3). Each remote host is running more than one HP-UX AAA Server. Running multiple HP-UX AAA Servers on the same host ensures better utilization of system resources, thus ensuring greater scalability. Running cloned HP-UX AAA Servers belonging to a single group on multiple hosts provides high availability of the AAA services.

For easier management of the HP-UX AAA Servers, each server is associated with a group. In the given example, the HP-UX AAA Server Manager manages three groups, called Group A, Group B, and Group C, denoted by red, blue, and green respectively. The servers in Group A and Group C are named S1, S2, and S3, and the servers in Group B are named S1, S2, S3, and S4.

Group A is a group with a set of three HP-UX AAA Servers, S1, S2, and S3, running on the same host, Host 1. These servers running on Host 1 utilize the system resources effectively, thus providing a scalable solution. By employing load balancers, if one of the HP-UX AAA Servers (for example, S2) on Host 1 is less loaded than the other HP-UX AAA Servers on Host 1, new client requests can be directed to HP-UX AAA Server S2 to ensure the load is evenly balanced. Therefore, client requests are processed faster, providing the desired optimum performance.

Group B is a group with a set of four HP-UX AAA Servers: S1 and S2 running on Host 2, and S3 and S4 running on Host 3. HP-UX AAA Servers S1 and S3 are cloned servers providing authentication services, and S2 and S4 are cloned servers providing accounting services. If an HP-UX AAA Server (S1/S2) crashes, the cloned server (S3/S4) can service the clients' requests, thereby ensuring high availability of the solution. If Host 2 crashes, the HP-UX AAA Servers S1 and S2 are not available to service the client requests, but the cloned servers S3 and S4 can service them, thereby ensuring high availability of the solution.

Group C is a group with a set of three HP-UX AAA Servers, S1, S2, and S3, running on Host 2 and Host 3. HP-UX AAA Server S1 provides authentication services and S2 provides accounting services on Host 3, while S3 provides both authentication and accounting services on Host 2. S1 and S2 are the primary servers running on Host 3, addressing scalability, and S3 is a hybrid of S1 and S2, providing a backup to address high availability.

NOTE: In the given example, only one port number is used per HP-UX AAA Server. However, multiple port numbers, such as the authentication, accounting, and dynamic authorization ports, can be used for each HP-UX AAA Server.

Managing Multiple HP-UX AAA Servers For Scalability and High-Availability
This section describes how to manage multiple HP-UX AAA Servers. It discusses the following topics:
• “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager” (page 276)
• “Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)” (page 287)

Administering HP-UX AAA Servers Using HP-UX AAA Server Manager
This section describes how to configure servers and groups using the HP-UX AAA Server Manager.

The Default (Server Connections) group, including a server called localhost, is present by default. This group is compatible with the Server Connections present in releases earlier than HP-UX AAA Server A.08.01. All Server Connections managed by the HP-UX AAA Server Manager in the earlier versions of HP-UX AAA Server are moved to the Default (Server Connections) group during migration. If you do not want to create new groups for scalability and high availability, you can continue to create HP-UX AAA Servers belonging to this group.


The section also describes how to administer the HP-UX AAA Servers using the HP-UX AAA Server Manager. The section discusses the following topics:
• “Logging In” (page 277)
• “Adding a Group” (page 278)
• “Modifying a Group” (page 279)
• “Deleting a Group” (page 279)
• “Adding a Server” (page 280)
• “Modifying a Server” (page 284)
• “Deleting a Server” (page 284)
• “Cloning a Server” (page 284)

NOTE: You can also perform other administration tasks, such as Start, Stop, and Reload of the HP-UX AAA Server, using the HP-UX AAA Server Manager. For more information on how to perform these tasks using the HP-UX AAA Server Manager, see Chapter 4 (page 71).

Logging In
To log in to the HP-UX AAA Server Manager, complete the following steps:


1. Enter the following URL:
   http://<system name>:<port number>/aaa

Replace system name and port number with appropriate values.

NOTE: For secured remote Server Manager administration, see “Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration” (page 64).

2. Enter the username and password.
   The HP-UX AAA Server Manager Administration page is displayed. Click Server Connections in the left panel. The Groups and Server Connections tables are displayed, as shown in Figure 18-2.

Figure 18-2 Server Connections

Adding a Group
To add a group using the HP-UX AAA Server Manager, complete the following steps:
1. Click Server Connections on the top left window.
2. Click New Group under Groups in the right window. The Add Group page is displayed, as shown in Figure 18-3.

Figure 18-3 Adding a Group


3. Enter the name of the group in the Name field and click Create.
   A new group is created. Figure 18-4 displays a sample group name, called group1.

Figure 18-4 Sample Group Created

Modifying a Group
To modify a group name, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group you want to modify in the drop-down menu, under Select a group for administration.

3. Click against the group. The Groups: Modify Group window is displayed, as shown in Figure 18-5.

Figure 18-5 Modify Group

4. Enter the new name and click Modify. The name of the group is modified.

Deleting a Group
To delete a group, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group you want to delete in the drop-down menu, under Select a group for administration.


3. Click against the group and confirm.
   The group is deleted.

Adding a Server
To add a server to a group, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which you want to add the server, under Select a group for administration.
3. Click New Server under Servers. The Servers: Add Server page is displayed, as shown in Figure 18-6.

Figure 18-6 Adding a Server

4. Enter the values of the server attributes. Table 18-1 describes the server-specific fields.


Table 18-1 Server Attributes

Option: Description

Authentication: Port number to listen to authentication requests. The default Authentication port number is 1812.
Accounting: Port number to listen to accounting requests. The default Accounting port number is 1813.
Dynamic Authorization: Specifies the UDP port number to listen for the Dynamic Authorization requests. The default port number is 3799.
Authentication Relay: Port number to relay authentication requests. This option is useful when proxying requests to an HP-UX AAA Server that is not listening on the default port.
Accounting Relay: Port number to relay accounting requests. This option is useful when proxying requests to an HP-UX AAA Server that is not listening on the default port.
Client: Specifies the local UDP port number to which the Client AATV binds to listen for the incoming client replies. This field is optional. If no value is entered, the HP-UX AAA Server uses any available port.
Debug Level: Specifies the debug level. Higher levels write more information to the radius.debug file. Increasing this value can cause performance to decline. The default value is 0.
Log Control: Specifies the level of information logged based on the RADIUS message type.
Reset Logfile: Empties the logfile and debug file when the server is started.
Reset Session Table: Empties the stored session table at server startup.
   IMPORTANT: This option is only intended for experimental use or testing and not for a live production server. If you reset a production server, the server loses track of the sessions that are still active.
Timeout: Specifies the timeout value in seconds. The default value is five seconds.
Number of Retries: Specifies the number of retries to retrieve the status of the server. The default value is three.
Bin Directory: Specifies the directory where the HP-UX AAA Server binaries are located. The default directory is /opt/aaa/bin.
Aatv Directory: Specifies the directory where the AATV libraries are located. The default directory is /opt/aaa/aatv.
Config Directory: Specifies the directory where the configuration files are located. The default directory is /etc/opt/aaa.
Log Directory: Specifies the directory where the log and debug files are located. The default directory is /var/opt/aaa/logs.
IPC Directory: Specifies the directory where the files generated for shared memory operation are located. The default directory is /var/opt/aaa/ipc.
Livingston Accounting Directory: Specifies the directory where the Livingston style accounting log files are located. The default directory is /var/opt/aaa/radacct.
Accounting Directory: Specifies the directory where Merit style accounting log files (session logs) are located. The default directory is /var/opt/aaa/acct.
Data Directory: Specifies the directory where the active session file (session.las) is located. The default directory is /var/opt/aaa/data.
Run Directory: Specifies the directory where the server's process id file (radiusd.pid) is located. The default directory is /var/opt/aaa/run.
Current Directory: Sets the current working directory. This option can be used to determine the location of the system generated files, such as core files.


NOTE: If the Listen IP address is not specified, all addresses configured on the host are considered.
Default Authentication, Accounting, and Dynamic Authorization port values are displayed. However, you can modify those values, if required.
The following conditions must be considered while configuring the server attributes:
• The combination of the Listen IP address and the Administration port values must be unique.
• The combination of the server name and the group name must be unique.
• The Name and Domain Name or IP Address fields are mandatory. Some server attributes are optional or set to take default values.
• If some of the optional server attributes are not configured, the corresponding global configuration values are considered.
• The following values cannot be shared between multiple servers on a single host:
  — Run directory path, which includes the radiusd.pid file. The radiusd.pid file contains the Process ID (PID) of the HP-UX AAA Server.
  — Logs directory path containing the log file that is used for maintenance and statistics.
  — Accounting directory path containing the accounting log files that are used for maintenance and statistics.
  — Data directory path containing the currently active sessions that are used for maintenance and statistics.
  — IPC directory path containing the shared memory files required for proper operation of the HP-UX AAA Server.
The HP-UX AAA Server Manager requires the RMI Server on the respective host to validate the server attributes. Therefore, the RMI Server on the respective host must be running to validate the configured server attributes.

5. Click Create.
   The server is created.


NOTE: Selecting Save the above Server Attributes to the configured server (specified in the 'Domain Name' field) on clicking the 'Create' button saves the server attributes to the server. You must perform this step to enable the HP-UX AAA Server Admin Tool for administration tasks. For more information on the HP-UX AAA Server Admin Tool, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)” (page 287).
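The conditions in the NOTE above are easy to violate when a second server is added to a host with the default ports and directories still filled in. The following is an added example in Python, not HP-UX AAA Server code, that checks a planned set of server definitions against those conditions before they are created; the dict keys, helper names and the host1.example sample are this example's own assumptions, and an unset Listen IP is treated as covering every address on its host.

```python
"""Check a set of HP-UX AAA Server definitions against the uniqueness
conditions listed in the NOTE for Table 18-1.  Added example, not part of
HP-UX AAA Server; the dict keys and function names are this example's own."""

# Listen IP address combined with any of these ports must be unique.
PORT_FIELDS = ("auth_port", "acct_port", "dynauth_port")
# Directory paths that cannot be shared between servers on a single host.
EXCLUSIVE_DIRS = ("run_dir", "log_dir", "acct_dir", "data_dir", "ipc_dir")


def _same_listener(ip_a, ip_b):
    """None stands for 'all addresses configured on the host', so it overlaps
    with every address; two explicit addresses overlap only when equal."""
    return ip_a is None or ip_b is None or ip_a == ip_b


def validate_servers(servers):
    """Return a list of violations (an empty list means the set is consistent).

    Each server is a dict with 'name', 'group', 'host' (Domain Name or IP
    Address) plus optional 'listen_ip', PORT_FIELDS and EXCLUSIVE_DIRS.
    """
    problems = []
    seen_names = set()
    endpoints = []   # (host, listen_ip, port, owner)
    seen_dirs = {}   # (host, field, path) -> owner

    for srv in servers:
        owner = f"{srv.get('group') or '?'}/{srv.get('name') or '?'}"

        # Name and Domain Name or IP Address are mandatory fields.
        for field in ("name", "host"):
            if not srv.get(field):
                problems.append(f"{owner}: '{field}' is mandatory")

        # Server name + group name must be unique.
        key = (srv.get("group"), srv.get("name"))
        if key in seen_names:
            problems.append(f"{owner}: duplicate server name within group")
        seen_names.add(key)

        host, listen_ip = srv.get("host"), srv.get("listen_ip")

        # Listen IP + port must be unique across the managed servers.
        for field in PORT_FIELDS:
            port = srv.get(field)
            if port is None:
                continue
            for h, ip, p, other in endpoints:
                if h == host and p == port and _same_listener(ip, listen_ip):
                    problems.append(
                        f"{owner}: {field} {port} on "
                        f"{listen_ip or 'all addresses'} clashes with {other}")
            endpoints.append((host, listen_ip, port, owner))

        # Run, Logs, Accounting, Data and IPC directories are per server.
        for field in EXCLUSIVE_DIRS:
            path = srv.get(field)
            if path is None:
                continue
            dkey = (host, field, path)
            if dkey in seen_dirs:
                problems.append(
                    f"{owner}: {field} {path} shared with {seen_dirs[dkey]}")
            else:
                seen_dirs[dkey] = owner
    return problems


def _server(name, port_base, suffix, listen_ip=None):
    """Constructed Group A server on host1 (cf. Figure 18-1)."""
    return {
        "name": name, "group": "GroupA", "host": "host1.example",
        "listen_ip": listen_ip,
        "auth_port": port_base, "acct_port": port_base + 1,
        "dynauth_port": port_base + 1987,   # 1812 -> 3799, the defaults
        "run_dir": f"/var/opt/aaa/run{suffix}",
        "log_dir": f"/var/opt/aaa/logs{suffix}",
        "acct_dir": f"/var/opt/aaa/acct{suffix}",
        "data_dir": f"/var/opt/aaa/data{suffix}",
        "ipc_dir": f"/var/opt/aaa/ipc{suffix}",
    }


# S1 keeps the defaults and S2 moves every port and directory, so the pair is
# consistent.  S3 is the misconfigured one: it reuses S1's accounting port
# (S1 listens on all addresses) and S1's run directory.
SAMPLE_OK = [_server("S1", 1812, ""), _server("S2", 1822, "_s2")]
BAD_S3 = dict(_server("S3", 1832, "_s3", listen_ip="10.0.0.5"),
              acct_port=1813, run_dir="/var/opt/aaa/run")
```

Running validate_servers(SAMPLE_OK + [BAD_S3]) reports exactly the two clashes S3 introduces, and running it on SAMPLE_OK alone reports none.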

Modifying a Server
To modify the attributes of a server, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which the server belongs, under Select a group for administration.
3. Click against the server you want to modify.
4. Modify the server attributes and click Modify.
   The server attributes are modified.

NOTE: Selecting Save Server Attributes to the configured server (specified in the 'Domain Name or IP Address' field) on clicking the 'Modify' button saves the server attributes to the server. You must perform this step to enable the HP-UX AAA Server Admin Tool for administration tasks. For more information on the HP-UX AAA Server Admin Tool, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)” (page 287).

Deleting a Server
To delete a server, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which the server belongs, under Select a group for administration.
3. Click against the server you want to delete.
   The server is deleted.

Cloning a Server
Cloning a server involves copying the configuration files of one server to another. The cloning operation helps multiple servers that share a common configuration to maintain backup servers for high availability. The following example illustrates how the configuration files of server2 are cloned to server1 within a group.


NOTE: To perform a cloning operation, the target server must already exist with configured values. After the successful completion of the cloning operation, the source and the target servers have the same configuration files.
You can reduce the time required to load a configuration from an HP-UX AAA Server, or to save a configuration to multiple HP-UX AAA Servers, by using the Secure Copy Protocol (scp). For more information on scp, see “Enhancing Loading and Saving Performance Using Secure Copy Protocol”.

To clone server2 on server1, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which the server belongs, under Select a group for administration.
3. Click Load Configuration on the left window. The Load Configuration page is displayed, as shown in Figure 18-7.

Figure 18-7 Selecting the Server for Loading

4. Select the HP-UX AAA Server whose configuration files you want to clone, and click Load. When the loading operation is completed, a message is displayed, as shown in Figure 18-8.

Figure 18-8 Loading Configuration Completed


5. Modify the configuration files using the options under Edit Configuration in the left window, if required.

6. Click Save Configuration in the left window. The list of servers in the group is displayed, as shown in Figure 18-9.

Figure 18-9 Cloning Server

7. Select the target server, and click Save. The configuration files and the server attributes are copied to the selected servers.

NOTE: Selecting server2 and server1 ensures that the modified configuration files are saved on both servers.
If you want to save only the server attributes and not the configuration files, select Save Server Attributes only.
Select Save Server Attributes only to enable administration using the HP-UX AAA Server Admin Tool.

When the files are saved, a message is displayed, as shown in Figure 18-10.

Figure 18-10 Saving Configuration

server1 is now a clone of server2.


NOTE: Although loading and saving configurations are required to clone HP-UX AAA Servers, you can perform those tasks independently, without associating them with cloning.
To perform any administration tasks, such as loading, saving, and maintenance, you must select the servers within the group that is administered.

Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)

You can administer the HP-UX AAA Servers running on a host using the HP-UX AAA Server Admin Tool (rad_admin). However, you must first save the server attributes using the HP-UX AAA Server Manager on the host where you want to manage the servers using the HP-UX AAA Server Admin Tool.

rad_admin Syntax
/opt/aaa/bin/rad_admin.sh [-config config_dir] [start|stop|reload|status|list server_list]

Table 18-2 describes all the rad_admin options.

Table 18-2 rad_admin Options

Option: Description

-config config_path: Directory path where the file rmiserver.properties is located. If omitted, the default is /opt/aaa/remotecontrol/rmiserver.properties.
start server_list: Starts the HP-UX AAA Servers specified in server_list.
stop server_list: Stops the HP-UX AAA Servers specified in server_list.
reload server_list: Reloads the HP-UX AAA Servers specified in server_list.
status server_list: Retrieves the status of the HP-UX AAA Servers specified in server_list.
list server_list: Lists the PIDs of the HP-UX AAA Servers specified in server_list.


NOTE: server_list all | groupname:all... | groupname:list...
server_list denotes the list of HP-UX AAA Servers to be administered. To select all the HP-UX AAA Servers on the local host, use the keyword "all".
To select all the HP-UX AAA Servers within a group, specify the group name followed by the keyword "all", as <groupname>:all. To select a specific set of HP-UX AAA Servers within a group, specify the group name followed by the names of the HP-UX AAA Servers separated by commas, as <groupname>:<list>, where list is a comma-separated list of HP-UX AAA Server names.
To select a specific set of HP-UX AAA Servers from multiple groups, repeat the group name followed by its comma-separated HP-UX AAA Server names once per group, separated by spaces, as <groupname1>:<list1> <groupname2>:<list2>, where list1 and list2 are comma-separated HP-UX AAA Server names.

Examples of Administering Multiple HP-UX AAA Servers
Following is an example to start all the HP-UX AAA Servers of all the groups on a host:
# /opt/aaa/bin/rad_admin.sh start all

Following is an example to stop server1 and server2 belonging to group1:
# /opt/aaa/bin/rad_admin.sh stop group1:server1,server2

Following is an example to restart server1 and server2 belonging to group1 and server3 and server4 belonging to group2:
# /opt/aaa/bin/rad_admin.sh reload group1:server1,server2 group2:server3,server4

Following is an example to retrieve the status of all the servers belonging to group1:
# /opt/aaa/bin/rad_admin.sh status group1:all

NOTE: You must save the HP-UX AAA Server attributes on the respective server to use the HP-UX AAA Server Admin Tool.
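A start, stop or reload issued with a mistyped server_list acts on the wrong servers, so it pays to validate the argument against the grammar in the NOTE above before invoking rad_admin.sh. The following is an added example in Python, not part of rad_admin; the function names and the set of characters accepted in group and server names are this example's own assumptions.

```python
"""Parse and validate the server_list argument of rad_admin.sh before running
it.  Added example, not part of rad_admin; the grammar is the one documented
for server_list (all | groupname:all ... | groupname:list ...), the function
names and the accepted name characters are this example's own."""

import re

OPERATIONS = ("start", "stop", "reload", "status", "list")
RAD_ADMIN = "/opt/aaa/bin/rad_admin.sh"
# Assumed: group and server names are plain identifiers (no ':', ',' or blanks).
_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_server_list(tokens):
    """Map the command-line words of a server_list to {group: 'all' | set}.

    tokens are the words as the shell would split them, e.g.
    ["group1:server1,server2", "group2:server3,server4"].  The bare keyword
    all yields {'*': 'all'}.  Malformed input raises ValueError instead of
    being passed on to a start/stop/reload of the wrong servers.
    """
    if not tokens:
        raise ValueError("server_list is empty")
    if list(tokens) == ["all"]:
        return {"*": "all"}
    selection = {}
    for tok in tokens:
        if tok == "all":
            raise ValueError("keyword all cannot be mixed with group selections")
        group, sep, rest = tok.partition(":")
        if not sep or not _NAME.match(group) or not rest:
            raise ValueError(f"malformed selection {tok!r}: "
                             "expected <groupname>:all or <groupname>:<list>")
        if rest == "all":
            servers = "all"
        else:
            servers = set()
            for name in rest.split(","):
                # Catches the classic mistake of a missing space between two
                # group selections, e.g. 'group1:s1,s2group2:s3,s4'.
                if not _NAME.match(name):
                    raise ValueError(f"bad server name {name!r} in {tok!r}")
                servers.add(name)
        previous = selection.get(group)
        if previous is not None:          # same group twice: merge, all wins
            servers = "all" if "all" in (previous, servers) else previous | servers
        selection[group] = servers
    return selection


def rad_admin_argv(operation, tokens, config_dir=None):
    """Build the argv for rad_admin.sh, refusing unknown operations and
    malformed server lists before anything is executed."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    parse_server_list(tokens)             # raises on malformed input
    argv = [RAD_ADMIN]
    if config_dir:
        argv += ["-config", config_dir]
    return argv + [operation, *tokens]
```

The returned argv is what you would hand to subprocess.run() instead of a shell string, so no quoting is involved.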

Administering HP-UX AAA Servers Using Interactive User Interface
This section describes how to administer the HP-UX AAA Servers using the interactive user interface. If none of the CLI options are specified, an interactive user interface is invoked.
To administer multiple HP-UX AAA Servers using the interactive interface, complete the following steps:
1. Log in to the system running the HP-UX AAA Server.


2. To administer the HP-UX AAA Server using the HP-UX AAA Server Admin Tool, enter the following command at the HP-UX prompt:
   # /opt/aaa/bin/rad_admin.sh
   The interactive mode starts.
3. Enter the group ID.
4. Enter the HP-UX AAA Server ID.
5. Specify the operation you want to perform.
   The operation starts.

NOTE: It is recommended that you use the HP-UX AAA Server Manager to manage multiple HP-UX AAA Servers. For more information on how to perform the tasks using the HP-UX AAA Server Manager, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager” (page 276).

Disaster Recovery of the HP-UX AAA Server Manager
The HP-UX AAA Server supports disaster recovery of the HP-UX AAA Server Manager. If the host running the HP-UX AAA Server Manager crashes due to system failure, the HP-UX AAA Server Manager can be restored on the same or a different host. You must back up a set of HP-UX AAA Server Manager configuration files periodically and restore them on the host where you want to launch the HP-UX AAA Server Manager.
To perform the disaster recovery of the HP-UX AAA Server Manager, complete the following steps:
1. Deploy the AAA solution using the HP-UX AAA Server Manager.
2. To back up the HP-UX AAA Server Manager configuration files from the host running the HP-UX AAA Server Manager to a backup host, enter the following command at the HP-UX prompt:
   1. scp /opt/hpws22/tomcat/webapps/aaa/aaalog/groups.config \
          /opt/hpws22/tomcat/webapps/aaa/aaalog/AU.radhosts \
          /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties \
          <user-account>@<backup-host>:/<backup-path>


      where the variables are described as follows:
      • <backup-host> - host on which the configuration files are backed up
      • <backup-path> - location on the <backup-host> to store the configuration files
      • <user-account> - the user account with privileges to store files under <backup-path> on the <backup-host>
   2. Enter the password for the <user-account> on the <backup-host>, if prompted.
   The configuration files are now available in the desired path <backup-path> on the <backup-host>.

   NOTE: These HP-UX AAA Server Manager configuration files must be backed up periodically, whenever there is a change in the Administration Start Options, Administration Status Options, HP-UX AAA Server attributes, or Groups configuration.

3. Restore the configuration files from the <backup-host>, where the configuration files are backed up, to the host identified to launch the HP-UX AAA Server Manager, as follows:
   1. Log in to the host identified to launch the HP-UX AAA Server Manager.
   2. Enter the following command at the HP-UX prompt:
      scp <user-account>@<backup-host>:/<backup-path>/groups.config \
          <user-account>@<backup-host>:/<backup-path>/AU.radhosts \
          /opt/hpws22/tomcat/webapps/aaa/aaalog/

   3. Enter the password for the <user-account> on the remote host <backup-host>, if prompted.

   4. Enter the following command at the HP-UX prompt:
      scp <user-account>@<backup-host>:/<backup-path>/gui.properties \
          /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties

   5. Enter the password for the <user-account> on the <backup-host>, if prompted.

The HP-UX AAA Server Manager configuration files are recovered from the backup location. You can start the HP-UX AAA Server Manager on the host where the files are recovered, to manage the HP-UX AAA Servers.
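The procedure above copies the three Server Manager files but gives you no way to tell a good backup from a truncated or altered one before the Server Manager is started on the new host. The following is an added example in Python, not part of the product, that records a SHA-256 manifest at backup time and refuses a restore whose files no longer match it; the manifest format and function names are this example's own, and a local directory stands in for <backup-path> on <backup-host>, the transfer itself still being the scp shown above.

```python
"""Back up and restore the HP-UX AAA Server Manager configuration files with
a SHA-256 manifest, so a restore is verified before the Server Manager is
started on the new host.  Added example, not part of the product: the
manifest format and function names are this example's own, and a local
directory stands in for <backup-path> on <backup-host>."""

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# The three files named in the procedure, relative to the aaa webapp root
# (/opt/hpws22/tomcat/webapps/aaa on the host running the Server Manager).
MANAGER_FILES = ("aaalog/groups.config", "aaalog/AU.radhosts",
                 "WEB-INF/gui.properties")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_manager_config(webapp_root, backup_path):
    """Copy MANAGER_FILES into backup_path and record their digests in
    manifest.json; returns the manifest {relative path: sha256}."""
    webapp_root, backup_path = Path(webapp_root), Path(backup_path)
    backup_path.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for rel in MANAGER_FILES:
        src = webapp_root / rel
        if not src.is_file():
            raise FileNotFoundError(f"Server Manager file missing: {src}")
        shutil.copy2(src, backup_path / Path(rel).name)
        manifest[rel] = sha256_of(src)
    (backup_path / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_manager_config(backup_path, webapp_root):
    """Verify every backed-up file against manifest.json, then copy all of
    them into webapp_root.  Any mismatch raises ValueError before a single
    file is written, so a corrupted or altered backup never reaches the
    Server Manager."""
    backup_path, webapp_root = Path(backup_path), Path(webapp_root)
    manifest = json.loads((backup_path / "manifest.json").read_text())
    staged = []
    for rel, expected in manifest.items():
        src = backup_path / Path(rel).name
        actual = sha256_of(src)
        if actual != expected:
            raise ValueError(f"{src.name}: digest {actual[:12]}... does not "
                             f"match manifest {expected[:12]}...")
        staged.append((src, webapp_root / rel))
    for src, dst in staged:
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
    return sorted(manifest)


def demo():
    """Constructed end-to-end run in a temporary directory.  Returns True when
    the restore reproduces the original digests and a corrupted backup is
    refused."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "webapps" / "aaa"
        for rel in MANAGER_FILES:
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(f"# constructed sample content of {rel}\n")
        backup = Path(tmp) / "backup"
        manifest = backup_manager_config(live, backup)
        new_host = Path(tmp) / "newhost" / "webapps" / "aaa"
        restored = restore_manager_config(backup, new_host)
        intact = all(sha256_of(new_host / rel) == manifest[rel]
                     for rel in restored)
        # Simulate a damaged backup: gui.properties no longer matches.
        (backup / "gui.properties").write_text("damaged\n")
        try:
            restore_manager_config(backup, new_host)
        except ValueError:
            return intact
        return False
```

Keep manifest.json alongside the copied files on the backup host, or better on a second medium, since a manifest stored next to the data only detects accidental corruption.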


19 Configuring the HP-UX AAA Server for Client Functionality

This chapter describes the client functionality of the HP-UX AAA Server. The chapter discusses the following topics:
• “Overview” (page 291)
• “CLIENT AATV” (page 292)
• “Supported APIs” (page 294)

Overview
Currently, the HP-UX AAA Server works in the server mode. It receives requests from clients, processes them, and sends out appropriate responses, based on the request type. However, under some circumstances, it is desirable for the HP-UX AAA Server to perform client functions. This functionality involves the ability to send HP-UX AAA Server-initiated messages and assimilate the responses. For example, it is advantageous to have the HP-UX AAA Server disconnect sessions or change session characteristics in real time, by sending Disconnect and Change-Of-Authorization (CoA) requests. Therefore, starting with the HP-UX AAA Server A.08.01 release, the HP-UX AAA Server also performs certain client functionalities.
To perform the client functionalities, a generic framework is included. You can use the framework to generate client messages for different scenarios. The framework consists of the following components:
• CLIENT AATV — The CLIENT AATV is a generic AATV, which you can use to generate requests at configured intervals. These requests are empty requests. Using other AATVs, you can fill the fields of these empty requests with the required values. For example, you can use the SQL Access AATV to enter values in the required fields, based on the information stored in a database table, such as the session table.

• APIs in the Software Development Kit (SDK) — Some APIs are included in the SDK to set the fields in the client requests. These APIs can be used in custom AATVs or in SQL Access mapping and conversion functions to set the fields of the empty requests generated by the CLIENT AATV.

• Finite State Machine (FSM) — Using the FSM, you can control how the HP-UX AAA Server processes a client request.

• Advanced Policy — Using the Advanced Policy module, you can make complex policy decisions during the processing of a client request.

This chapter discusses the framework that the HP-UX AAA Server uses to perform client functions. For more information on reference implementations of this framework to perform dynamic authorization, see Chapter 20 (page 297).


CLIENT AATV
This section describes how to configure the CLIENT AATV and how the CLIENT AATV works.

Configuring CLIENT AATV
The CLIENT AATV is a generic AATV, which you can use to generate empty RADIUS requests at specified intervals. You can use these RADIUS requests to perform the required client functions. You must configure the CLIENT AATV in the aatv.CLIENT block within the aaa.config file. You can configure multiple CLIENT actions in the aatv.CLIENT block. Each CLIENT action generates requests at configured time intervals, which can be used to perform a particular client function. The syntax of the aatv.CLIENT block parameters is as follows:
aatv.CLIENT{
    <action name>.client_timer_value <time interval>
    <action name>.client_max_requests <value>
}

The parameters are described as follows:

action name – A string used to identify an action.
time interval – Specifies how frequently client requests must be generated for an action.
value – Specifies the maximum number of requests that must be spawned each time this client action is invoked.

Following is an example of the aatv.CLIENT block within the aaa.config file:

    aatv.CLIENT {
        Disconnect.client_timer_value 1
        Disconnect.client_max_requests 10
    }

In the given example, the client action is called Disconnect. Requests are generated for Disconnect every second, and the CLIENT AATV generates at most 10 requests per second for Disconnect.

Working of the CLIENT AATV

For each configured client action, based on the configured time interval, the timer function of the CLIENT AATV generates an empty RADIUS request and places it in the initial state of the FSM. The sequence of steps involved in the processing of this empty request through the FSM is as follows:

1. One or more AATVs are invoked, which enter values in the required fields of the empty RADIUS request generated by the CLIENT AATV. For example, you can invoke the SQL Access AATV to enter values based on the information stored in a database table.

2. The CLIENT AATV is invoked through the FSM, and the action function of the CLIENT AATV is executed. The action function of the CLIENT AATV performs two major functions. One, it places the current client request in the message queue for client messages. Two, it generates another empty RADIUS request and places it in the initial state of the FSM. Similarly, new client requests are generated and placed in the message queue successively, thereby resulting in a loop. You can configure the number of new client requests that must be generated by specifying the value in the client_max_requests field of the aatv.CLIENT block, within the aaa.config file.

3. After the client requests are assigned values, they are sent to the target host by the ReplySend AATV. Subsequently, the request waits for a response. If the request is timed out, it is retransmitted based on the configured retransmission interval and the maximum number of retransmissions.

4. One or more AATVs are invoked to perform the post-processing action. For example, the SQL Access AATV can be invoked to modify the database table based on the response received.

Figure 19-1 illustrates the working of the client functionality.


Figure 19-1 CLIENT AATV Flowchart
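The following Python program is an added illustration and is not part of the HP-UX AAA Server or of this guide. It parses an aatv.CLIENT block written in the syntax shown above and emulates one timer invocation of a client action, so that the effect of client_max_requests on the request loop described in steps 1 and 2 can be seen directly. The sample block, the session rows used to fill the empty requests and the field names in the emulated requests are constructed for the example; the real CLIENT AATV is native code driven by the FSM and exposes no such Python interface.

```python
import re
from dataclasses import dataclass

# Constructed sample aatv.CLIENT block in the syntax the guide shows; it is
# not a copy of a shipped aaa.config.
SAMPLE_AAA_CONFIG = """
aatv.CLIENT {
    Disconnect.client_timer_value 1
    Disconnect.client_max_requests 10
    COA.client_timer_value 60
    COA.client_max_requests 5
}
"""

# Constructed stand-in for rows the SQL Access AATV would read from the
# session table to fill the empty requests.
SAMPLE_SESSION_ROWS = [
    {"user_name": f"user{i}", "from_host": "nas1.example.net"} for i in range(1, 13)
]


@dataclass
class ClientAction:
    name: str
    timer_value: int    # client_timer_value: seconds between timer invocations
    max_requests: int   # client_max_requests: cap on requests spawned per invocation


def parse_client_block(text):
    """Return {action name: ClientAction} for the aatv.CLIENT block in text."""
    m = re.search(r"aatv\.CLIENT\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no aatv.CLIENT block found")
    timers, limits = {}, {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or "." not in parts[0]:
            raise ValueError(f"malformed line: {raw!r}")
        name, param = parts[0].rsplit(".", 1)
        if not parts[1].isdigit():
            raise ValueError(f"{parts[0]} must be a non-negative integer")
        value = int(parts[1])
        if param == "client_timer_value":
            if value < 1:
                raise ValueError(f"{name}: timer value must be at least 1 second")
            timers[name] = value
        elif param == "client_max_requests":
            limits[name] = value
        else:
            raise ValueError(f"unknown parameter {param!r} for action {name!r}")
    actions = {}
    for name in timers.keys() | limits.keys():
        if name not in timers or name not in limits:
            raise ValueError(f"action {name!r} needs both parameters")
        actions[name] = ClientAction(name, timers[name], limits[name])
    return actions


def simulate_timer_tick(action, session_rows):
    """Emulate one timer invocation of a CLIENT action.

    The action function of the CLIENT AATV enqueues the current request and
    spawns the next empty one, which is the loop the guide describes;
    client_max_requests bounds how many requests one invocation spawns, and
    the loop also stops when no session row is left to fill a request.
    Returns the queued requests as dictionaries keyed by attribute name.
    """
    queue = []
    rows = iter(session_rows)
    while len(queue) < action.max_requests:
        row = next(rows, None)
        if row is None:
            break
        queue.append({
            "Client-Action-Name": action.name,         # internal attribute (Table 19-3)
            "Client-Request-Count": len(queue) + 1,    # internal attribute (Table 19-3)
            "User-Name": row["user_name"],
            "target_host": row["from_host"],           # what set_target_host would supply
        })
    return queue


def max_requests_per_second(action):
    """Upper bound on the request rate one action can generate."""
    return action.max_requests / action.timer_value


if __name__ == "__main__":
    for act in parse_client_block(SAMPLE_AAA_CONFIG).values():
        q = simulate_timer_tick(act, SAMPLE_SESSION_ROWS)
        print(act.name, len(q), "requests per tick,",
              max_requests_per_second(act), "requests/second at most")
```

The max_requests_per_second figure is the capacity-planning number to check before enabling an action: it is the most traffic one CLIENT action can push toward the authenticators, independent of how many sessions the database holds.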

Supported APIs

This section lists the Application Programming Interfaces (APIs) included in the Software Development Kit (SDK) to support the client functionality. New APIs are included or existing APIs are modified to support the client functionality. Table 19-1 describes the APIs supporting the client functionality.

Table 19-1 APIs Supporting Client Functionality

    API                     Description
    sdk_authreq_allocate    Generates a new request.
    sdk_authreq_free        Frees the memory allocated for the request.
    sdk_set_authreq_info    Sets the various fields in the request.
    sdk_enqueue_authreq     Enqueues a request in a message queue.

For more information on the supported APIs, see “APIs in the HP-UX AAA Server SDK” (page 579).


For more information on the Finite State Machine (FSM), see Chapter 26 (page 396). For more information on the Advanced Policy actions, see Chapter 27 (page 411).

Internal Attributes and Mapping Functions

This section describes the internal attributes and pre-defined mapping functions included for client functionality. Table 19-2 describes the pre-defined mapping functions for Client Functionality.


Table 19-2 Pre-defined Mapping Functions for Client Functionality

    Mapping Type   Mapping Function      Description
    Target         set_radius_msg_type   Sets the RADIUS message type for client requests.
    Target         set_target_host       Sets the target host to which a client request must be sent.
    Source         get_from_host         Returns the hostname from which a RADIUS request was received.
    Source         get_cur_timestamp     Returns the current timestamp.
    Source         gen_state             Generates a value that can be used as the value of the State attribute.
    Source         get_server_name       Returns a unique name for the HP-UX AAA Server that invokes this function.

Table 19-3 describes the internal attributes for Client Functionality.

Table 19-3 Internal Attributes for Client Functionality

    Attribute Name                    Type      Description
    Client-Action-Name                String    Contains the name of the CLIENT action that generated the request.
    Client-Request-Count              Integer   Contains the current count of requests generated by a CLIENT action.
    Client-Request-Create-ActionId    String    Contains the SQL Access action Id that must be used for generating a client request.
    Client-Request-Update-ActionId    String    Contains the SQL Access action Id that must be used to update the database row that has just been processed.
    Client-Request-Cleanup-ActionId   String    Contains the SQL Access action Id that must be used to update the database when a reply to a client request is received.
    Client-Request-Timeout-ActionId   String    Contains the SQL Access action Id that must be used to update the database when a client request times out.

NOTE: The attributes listed in Table 19-3 are available in the dictionary file.


20 Configuring the HP-UX AAA Server for Dynamic Authorization

This chapter discusses the Dynamic Authorization capability of the HP-UX AAA Server. The Dynamic Authorization capability is based on the client functionality of the HP-UX AAA Server.

This chapter discusses the following topics:

• “Dynamic Authorization Overview” (page 297)
• “HP-UX AAA Server and Dynamic Authorization” (page 297)
• “Processing of Dynamic Authorization Requests” (page 298)
• “Configuring for Dynamic Authorization” (page 300)
  — “Basic Configuration” (page 301)
  — “Advanced Configuration” (page 302)
    ◦ “Migrating Existing SQL Access Deployments for Dynamic Authorization” (page 302)
    ◦ “Configuring Multiple HP-UX AAA Servers as a Group” (page 304)
    ◦ “Dynamic Authorization in Authorize Only Mode” (page 316)
    ◦ “Configuring for Proxy Functionality” (page 319)
    ◦ “Configuring for Failover” (page 321)
    ◦ “Security Consideration in Dynamic Authorization” (page 321)
• “Sample Configuration Files” (page 326)

Dynamic Authorization Overview

The RADIUS protocol, specified in RFC 2865, does not support RADIUS server-initiated requests. Typically, a RADIUS server processes RADIUS client-generated requests. However, under some circumstances, it is desirable for the RADIUS server to initiate requests. For example, sometimes it is desirable to be able to disconnect user sessions or change their authorization attributes in real time, using RADIUS server-initiated requests. RFC 5176 defines new RADIUS standards to implement these features. These standards provide support for Disconnect and Change-of-Authorization (CoA) packets. Disconnect packets are used to disconnect user sessions. CoA packets are used to change the authorization attributes of user sessions. For more information on Dynamic Authorization, see http://www.ietf.org/rfc/rfc5176.txt.

HP-UX AAA Server and Dynamic Authorization

The Dynamic Authorization capability is implemented using HP-UX AAA Server client functionality. For more information on how the client functionality of the HP-UX AAA Server works, see Chapter 19 (page 291).


Figure 20-1 illustrates how the HP-UX AAA Server performs Dynamic Authorization.

Figure 20-1 HP-UX AAA Server Performing Dynamic Authorization Operation

In the following process flow, steps 1 to 5 (highlighted in blue in the figure) relate to creating RADIUS sessions and steps 6 to 10 (highlighted in green in the figure) relate to the Dynamic Authorization operation:

1. A client requests access to a protected resource by sending user credentials to the authenticator.
2. The authenticator forwards the request to the HP-UX AAA Server.
3. The HP-UX AAA Server verifies the credentials. On success, the HP-UX AAA Server adds a new session entry in the session table of the database.
4. After a successful authentication, the HP-UX AAA Server provides access.
5. The authenticator grants access to the user and a session is created.
6. The HP-UX AAA Server periodically checks the session table in the database.
7. Based on the configured conditions, the HP-UX AAA Server sends either a Disconnect or a CoA request to the authenticator.
8. The authenticator processes the Disconnect or the CoA request and makes the corresponding changes to the user sessions.
9. Based on the result of the processing, the authenticator sends an ACK or NAK response.
10. Based on the response received, the HP-UX AAA Server makes the corresponding changes in the session table of the database.

Processing of Dynamic Authorization Requests

The dynamic authorization functionality is implemented using the HP-UX AAA Server client functionality. For more information on the HP-UX AAA Server client functionality, see Chapter 19 (page 291). A client action is configured for each dynamic authorization request type. For each configured client action, based on the configured time interval, the timer function of the CLIENT AATV generates an empty request and places it in the initial state of the FSM. The sequence of steps involved in the processing of this empty request through the FSM is as follows:


1. The client-request-init policy is invoked. In this step, the policies configured in /etc/opt/aaa/client-request-init.grp are executed. The following things must be set through this policy:
   a. The SQL action to be executed for creating the dynamic authorization request should be set in the attribute Client-Request-Create-ActionId.
   b. The SQL action to be executed for updating the database to indicate that the row has just been processed should be set in the attribute Client-Request-Update-ActionId.
   c. The SQL action to be executed for updating the database if the dynamic authorization request times out should be set in the attribute Client-Request-Timeout-ActionId.
   d. The RADIUS message type of the dynamic authorization request should be set in the attribute Interlink-Packet-Code.

2. The SQL Access AATV is invoked. The SQL Access AATV executes the SQL action set in the attribute Client-Request-Create-ActionId. This SQL action will enter values in the required fields of the empty request generated by the CLIENT AATV, based on the information stored in a database table, to create the dynamic authorization request.

3. The SQL Access AATV is invoked. The SQL Access AATV executes the SQL action set in the attribute Client-Request-Update-ActionId. This SQL action will update the database table to indicate that this database row has already been processed.

4. The CLIENT AATV is invoked. The action function of the CLIENT AATV is executed. The action function of the CLIENT AATV performs two major functions. One, it places the current dynamic authorization request in the message queue for client messages. Two, it generates another empty request and places it in the initial state of the FSM. Similarly, new dynamic authorization requests are generated and placed in the message queue successively, thereby resulting in a loop.

5. The client request egress policy is invoked. In this step the policies configured in /etc/opt/aaa/client-request-egress.grp are executed. This policy file can be used to insert, modify and delete attributes from the dynamic authorization request.

6. ReplySend AATV is invoked. The dynamic authorization request is sent to the target host by the ReplySend AATV. Subsequently, the request waits for a response. If the request is timed out, it is retransmitted based on the configured retransmission interval and the maximum number of retransmissions.

7. If there is no response after the configured maximum number of retransmissions are done, the SQL Access AATV is invoked. The SQL Access AATV executes the SQL action set in the attribute Client-Request-Timeout-ActionId. This SQL action will update the database row to indicate that the dynamic authorization request timed out.


8. If a response is received for the dynamic authorization request, the client reply ingress policy is invoked. In this step the policies configured in /etc/opt/aaa/client-reply-ingress.grp are executed. Through this policy, the SQL action to be used to update the database table based on the response type must be set in the attribute Client-Request-Cleanup-ActionId.

9. SQL Access AATV is invoked. The SQL Access AATV executes the SQL action configured in the attribute Client-Request-Cleanup-ActionId. This SQL action updates the database based on the response type.

Figure 20-2 illustrates the sequence of steps involved in the processing of dynamicauthorization requests.

Figure 20-2 Dynamic Authorization Request Processing

Configuring for Dynamic Authorization

This section describes how to configure the HP-UX AAA Server for Dynamic Authorization. Figure 20-3 illustrates the different configurations for Dynamic Authorization.


Figure 20-3 Flowchart for Basic and Advanced Configuration

Basic Configuration

A basic implementation of the Dynamic Authorization capability for initiating and processing the Disconnect and CoA requests is available with the SQL Access reference implementation. Two sets of reference implementation files are included, as follows:

• Files to set up a sample implementation for Oracle 10g and OCI client to configure HP-UX AAA Server-initiated Disconnect and CoA requests are available at: /opt/aaa/examples/sqlaccess/oracle-1
  For details on how to implement sample SQL Access for Oracle, see the README in the directory.

• Files to set up a sample implementation for MySQL and Unix ODBC driver to configure HP-UX AAA Server-initiated Disconnect and CoA requests are available at: /opt/aaa/examples/sqlaccess/mysql-1
  For details on how to implement sample SQL Access for MySQL, see the README in the directory.

For more information on the SQL Access reference implementation, see Chapter 22 (page 338).


For more information on the advanced configurations, see “Advanced Configuration” (page 302).

Advanced Configuration

Advanced configuration typically requires some extra customization of a feature to suit your needs. This section addresses the following topics:

• “Migrating Existing SQL Access Deployments for Dynamic Authorization” (page 302)
• “Configuring Multiple HP-UX AAA Servers as a Group” (page 304)
• “Dynamic Authorization in Authorize Only Mode” (page 316)
• “Configuring for Proxy Functionality” (page 319)
• “Configuring for Failover” (page 321)
• “Security Consideration in Dynamic Authorization” (page 321)

Migrating Existing SQL Access Deployments for Dynamic Authorization

If session management using SQL Access is already configured based on the reference implementation files delivered with HP-UX AAA Server version A.07.01 or earlier, you must complete the following additional steps for the Disconnect and CoA functionalities:

1. To add the additional columns required for dynamic authorization, modify the session table as follows:

   If you are using Oracle, enter the following at the SQL prompt:

       SQL> alter table RAD_SESS_TABLE add (
                session_timeout number(11),
                from_host varchar2(253),
                session_status varchar2(253),
                sess_mod_time TIMESTAMP,
                filter_id varchar2(253) );

   If you are using MySQL, enter the following at the mysql prompt:

       mysql> alter table RAD_SESS_TABLE add (
                  session_timeout INT,
                  from_host varchar(253),
                  session_status varchar(253),
                  sess_mod_time TIMESTAMP,
                  filter_id varchar(253) );


2. To insert values in the new columns while creating a session, modify the StartSession SQL action. Following is the list of new columns in the session table, and their corresponding values:

   1. session_timeout — Specifies the value configured in the Session-Timeout attribute. You can configure the Session-Timeout attribute either through the user profile or through policy. The following mapping is used to insert this value:
      • For Oracle,
            RAD(Session-Timeout, REPLY) DBP(sess_timeout, 11, INT)
      • For MySQL,
            RAD(Session-Timeout, REPLY) DBP(9, 11, INT)

   2. from_host — Specifies the host from which the authentication request was received. The get_from_host mapping function retrieves this value. The following mapping is used to insert this value:
      • For Oracle,
            FUNC(get_from_host) DBP(from_host, 253, CHAR)
      • For MySQL,
            FUNC(get_from_host) DBP(10, 253, CHAR)

   3. session_status — Specifies the status of the session. The initial state is set to <server_name>_ACTIVE. The get_server_name mapping function retrieves a unique value for <server_name>. The following mapping is used to insert this value:
      • For Oracle,
            FUNC(get_server_name) DBP(server_name, 259, CHAR)
      • For MySQL,
            FUNC(get_server_name) DBP(11, 259, CHAR)

   4. sess_mod_time — Specifies the time when the session entry was modified. The initial value is the current timestamp. This column does not require mapping. The current_timestamp function is directly used in the SQL statement.

   5. filter_id — Specifies the data filter used for this session. The value is retrieved from the Filter-Id attribute. You can configure Filter-Id either through the user profile or through policy. The following mapping is used to insert this value:
      • For Oracle,
            RAD(Filter-Id, REPLY) DBP(filterid, 253, CHAR)
      • For MySQL,
            RAD(Filter-Id, REPLY) DBP(12, 253, CHAR)


   If the StartSession SQL action was not modified earlier, you can directly substitute it with the StartSession SQL action in the latest reference implementation sqlaccess.config file. The file is available in the following paths:

   For Oracle, /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config
   For MySQL, /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config

   If StartSession was modified to suit your environment, the changes must be merged with the changes in the latest sqlaccess.config file.

3. You must modify the FSM file. If the default FSM file delivered with the reference implementation is not modified, you can copy the FSM file from the latest reference implementation. If you have modified the default FSM file, you must manually modify the latest file. The latest FSM file is available at: /opt/aaa/examples/config/sqlaccess-acct-sess.fsm

The migration is complete. To configure for Disconnect and CoA, complete the procedure available at:
• For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/README
• For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/README

Configuring Multiple HP-UX AAA Servers as a Group

To improve performance and the ability to process multiple dynamic authorization requests, it is possible to run multiple HP-UX AAA Servers on a single HP-UX host and use the load balancer to distribute the client requests, thereby achieving scalability and reliability. In addition to running multiple HP-UX AAA Servers, you can clone the HP-UX AAA Server on the same or different hosts to support high availability. For easier management of the servers, each server is associated with a group. For dynamic authorization, all the HP-UX AAA Servers in a group must facilitate load balancing and high availability. The Disconnect and CoA messages to be sent to sessions must be distributed among the live HP-UX AAA Servers in that group. Figure 20-4 illustrates multiple HP-UX AAA Servers configured as a group for dynamic authorization.


Figure 20-4 Multiple HP-UX AAA Servers in a Group for Dynamic Authorization

In Figure 20-4, sessions in the database that must either be disconnected or changed are distributed among the live HP-UX AAA Servers within the group. Each HP-UX AAA Server within the group subsequently initiates Disconnect or CoA message exchanges with the authenticator for the sessions assigned to it.

The requirement to distribute Disconnect and CoA messages is met as follows:

• In the default reference implementation, the session status is always prefixed with the server name to ensure that the sessions created by a particular HP-UX AAA Server are processed only by that HP-UX AAA Server. However, when an HP-UX AAA Server belongs to a group, sessions created by the HP-UX AAA Server can be processed by any other HP-UX AAA Server in the same group. Therefore, the group name must be prefixed to the session status, and the initial status must be <groupname>_ACTIVE.

• The live HP-UX AAA Servers must be easy to identify at any point of time. For this purpose, a new database table, called RAD_SERVER_TABLE, is included. This table includes two columns: server_name and update_time. The value of the server_name column is <groupname>_<server_name>. All the HP-UX AAA Servers include a TimedEvent SQLAction, which periodically updates the update_time in this table. Using this table, you can determine the list of HP-UX AAA Servers that are live by verifying the update_time. A stored procedure, called update_server_table, is used to update the RAD_SERVER_TABLE.

• The stored procedures distribute_disconnect_sessions and distribute_coa_sessions are used to distribute the sessions. These stored procedures determine the list of sessions to which Disconnect and CoA requests must be sent, and ensure that the requests are distributed among the live HP-UX AAA Servers. The RAD_SERVER_TABLE is used to determine the list of live HP-UX AAA Servers.

For more information on these stored procedures and tables, see the following:
• For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/dbsetup.sql.dynauth_server_group
• For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/dbsetup.sql.dynauth_server_group
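As an added illustration of the liveness check and session distribution described above, the following Python program models RAD_SERVER_TABLE and the session table in an in-memory SQLite database. It is not the stored procedures shipped in dbsetup.sql.dynauth_server_group, whose SQL this guide does not reproduce. It registers servers as <groupname>_<server_name> the way the TimedEvent SQLAction would, treats a server as live when its update_time falls within an assumed 90 second window (the guide names no threshold), and distributes <groupname>_ACTIVE sessions that are due for Disconnect round-robin among the live servers. The assigned_server column, the expiry condition used to decide which sessions are due, and all timing values are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta

GROUP = "test_group"                     # the <groupname> value the guide's sed example uses
LIVENESS_WINDOW = timedelta(seconds=90)  # assumed threshold; the guide states none
TIME_FMT = "%Y-%m-%d %H:%M:%S"           # stored as text so string order equals time order


def setup_schema(conn):
    """Session table with the columns the migration adds, plus RAD_SERVER_TABLE.
    assigned_server is a constructed bookkeeping column, not one from the guide."""
    conn.executescript("""
        CREATE TABLE RAD_SESS_TABLE (
            acct_session_id TEXT PRIMARY KEY,
            user_name       TEXT,
            session_timeout INTEGER,
            from_host       TEXT,
            session_status  TEXT,
            sess_mod_time   TEXT,
            filter_id       TEXT,
            assigned_server TEXT
        );
        CREATE TABLE RAD_SERVER_TABLE (
            server_name TEXT PRIMARY KEY,
            update_time TEXT
        );
    """)


def update_server_table(conn, server, now):
    """What each server's TimedEvent SQLAction does: refresh its own update_time."""
    conn.execute("INSERT OR REPLACE INTO RAD_SERVER_TABLE (server_name, update_time) VALUES (?, ?)",
                 (f"{GROUP}_{server}", now.strftime(TIME_FMT)))


def start_session(conn, sid, user, timeout, from_host, now, filter_id=None):
    """Equivalent of StartSessionServerGroup: the initial status is <groupname>_ACTIVE."""
    conn.execute("INSERT INTO RAD_SESS_TABLE VALUES (?, ?, ?, ?, ?, ?, ?, NULL)",
                 (sid, user, timeout, from_host, f"{GROUP}_ACTIVE",
                  now.strftime(TIME_FMT), filter_id))


def live_servers(conn, now):
    """Servers of this group whose update_time falls within the liveness window."""
    prefix = f"{GROUP}_"
    cutoff = (now - LIVENESS_WINDOW).strftime(TIME_FMT)
    rows = conn.execute(
        "SELECT server_name FROM RAD_SERVER_TABLE "
        "WHERE substr(server_name, 1, length(?)) = ? AND update_time >= ? "
        "ORDER BY server_name", (prefix, prefix, cutoff)).fetchall()
    return [r[0] for r in rows]


def distribute_sessions(conn, now):
    """Assign each session due for Disconnect to a live server, round robin.

    Constructed due condition: session_timeout seconds have elapsed since
    sess_mod_time. Returns {server_name: [acct_session_id, ...]}.
    """
    servers = live_servers(conn, now)
    if not servers:
        return {}
    rows = conn.execute(
        "SELECT acct_session_id, sess_mod_time, session_timeout FROM RAD_SESS_TABLE "
        "WHERE session_status = ? AND assigned_server IS NULL ORDER BY acct_session_id",
        (f"{GROUP}_ACTIVE",)).fetchall()
    plan = {s: [] for s in servers}
    n = 0
    for sid, mod_time, timeout in rows:
        expires = datetime.strptime(mod_time, TIME_FMT) + timedelta(seconds=timeout)
        if expires > now:
            continue                      # not yet due
        server = servers[n % len(servers)]
        n += 1
        conn.execute("UPDATE RAD_SESS_TABLE SET assigned_server = ? WHERE acct_session_id = ?",
                     (server, sid))
        plan[server].append(sid)
    conn.commit()
    return plan


def demo():
    """Constructed scenario: three registered servers, one stale; six sessions, one not due."""
    now = datetime(2010, 5, 1, 12, 0, 0)
    conn = sqlite3.connect(":memory:")
    setup_schema(conn)
    update_server_table(conn, "srv1", now)
    update_server_table(conn, "srv2", now - timedelta(seconds=30))
    update_server_table(conn, "srv3", now - timedelta(seconds=600))   # stale: treated as down
    for i in range(1, 6):
        start_session(conn, f"s{i}", f"user{i}", 1800, "nas1.example.net",
                      now - timedelta(hours=1))
    start_session(conn, "s6", "user6", 3600, "nas2.example.net", now)
    return live_servers(conn, now), distribute_sessions(conn, now)
```

The point to take from the model is the failure mode the RAD_SERVER_TABLE design guards against: a server that stops refreshing update_time drops out of the live list at the next distribution, so the sessions it would have handled are reassigned rather than left waiting on a dead server. The liveness window therefore has to be longer than the TimedEvent interval, or healthy servers will flap in and out of the list.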

Configuring for Disconnect and CoA Request Processing

This section describes the procedure to configure all the HP-UX AAA Servers in a group to perform authentication, accounting, and dynamic authorization. To dedicate some HP-UX AAA Servers in a group for dynamic authorization, see “Dedicated HP-UX AAA Servers for Dynamic Authorization” (page 311).

To configure for Disconnect and CoA request processing when multiple HP-UX AAA Servers belong to a group, complete the following steps:

1. Configure the HP-UX AAA Server to enable session management using SQL. For information on how to enable session management using SQL, see Chapter 22 (page 338).

2. Retrieve a copy of the dbsetup.sql.dynauth_server_group script from the following directories and store it in the /tmp directory on the database system:
   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/dbsetup.sql.dynauth_server_group
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/dbsetup.sql.dynauth_server_group

3. To create the necessary tables and stored procedures, you must execute the script.

   For Oracle, enter the following command at the SQL prompt:

       SQL> @ /tmp/dbsetup.sql.dynauth_server_group

   For MySQL, enter the following command at the mysql prompt:

       mysql> source /tmp/dbsetup.sql.dynauth_server_group

4. Replace <groupname> with the name of the group and append the required SQLActions.

   For Oracle, enter the following command at the prompt:

       $ sed "s/<groupname>/test_group/g" /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config

   For MySQL, enter the following command at the prompt:

       $ sed "s/<groupname>/test_group/g" /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config

5. To create sessions using the new SQL action, modify the FSM as follows:

   Replace the following line in /etc/opt/aaa/radius.fsm:

       *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSession"

   with

       *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSessionServerGroup"

   NOTE: If you have modified the StartSession SQLAction to suit your environment, the changes must be merged with the StartSessionServerGroup SQLAction.

6. To copy the following policy files, enter the following commands at the HP-UX prompt:

   • $ cp /opt/aaa/examples/config/client-request-init.grp.dynauth /etc/opt/aaa/client-request-init.grp

   • $ cp /opt/aaa/examples/config/client-reply-ingress.grp.dynauth /etc/opt/aaa/client-reply-ingress.grp

   NOTE: If some policies have already been configured in the /etc/opt/aaa/client-request-init.grp and /etc/opt/aaa/client-reply-ingress.grp files, you must append the policies instead of copying.

7. To use the new SQLActions, modify the policy files as follows:

   In /etc/opt/aaa/client-request-init.grp:

   • Replace the following line:
         insert Client-Request-Create-ActionId = "CreateDisconnectReq"
     with
         insert Client-Request-Create-ActionId = "CreateDisconnectReqServerGroup"

   • Replace the following line:
         insert Client-Request-Update-ActionId = "UpdateDisconnectReq"
     with
         insert Client-Request-Update-ActionId = "UpdateDisconnectReqServerGroup"

   • Replace the following line:
         insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReq"
     with
         insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReqServerGroup"

   • Replace the following line:
         insert Client-Request-Create-ActionId = "CreateCOAReq"
     with
         insert Client-Request-Create-ActionId = "CreateCOAReqServerGroup"

   • Replace the following line:
         insert Client-Request-Update-ActionId = "UpdateCOAReq"
     with
         insert Client-Request-Update-ActionId = "UpdateCOAReqServerGroup"

   • Replace the following line:
         insert Client-Request-Timeout-ActionId = "TimeoutCOAReq"
     with
         insert Client-Request-Timeout-ActionId = "TimeoutCOAReqServerGroup"

   In /etc/opt/aaa/client-reply-ingress.grp:

   • Replace the following line:
         insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSession"
     with
         insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSessionServerGroup"

   • Replace the following line:
         insert Client-Request-Cleanup-ActionId = "UpdateCOASession"
     with
         insert Client-Request-Cleanup-ActionId = "UpdateCOASessionServerGroup"

   • Replace the following line:
         insert Client-Request-Cleanup-ActionId = "SuspendCOASession"
     with
         insert Client-Request-Cleanup-ActionId = "SuspendCOASessionServerGroup"

   NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.grp file:
         insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
   with
         insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession-DHCP"

8. To enable the Disconnect functionality, complete the following steps:

   NOTE: You must perform this step only if you want the Disconnect functionality. Otherwise, you can ignore this step.

   1. Log in to HP-UX AAA Server Manager.
   2. Click Server Properties. The Server Properties window is displayed as follows:

   Figure 20-5 Server Properties

   3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:

   Figure 20-6 Server Properties (CLIENT)

   4. Click Client Action Properties. The Server Properties: Modify Property window is displayed as follows:

   Figure 20-7 Server Properties: Modify Property

   5. Select New Action. The Client Action Properties window is displayed as follows:

   Figure 20-8 Client Action Properties

   6. Enter the following values in the respective fields, within the Client Action Properties window:
      Action Name: Disconnect
      Timer Value: 1
      Max Requests: 0

9. To enable the CoA functionality, complete the following steps:

   NOTE: You must complete this procedure only if you want the CoA functionality. Otherwise, you can ignore this procedure.

   1. Log in to HP-UX AAA Server Manager.
   2. Click Server Properties.
   3. Click AAA Server as a Client Properties.
   4. Click Client Action Properties.
   5. Select New Action.
   6. Enter the following values in the respective fields, within the Client Action Properties window:
      Name: COA
      Timer Value: 60
      Max Requests: 0

10. To activate the changes, restart the HP-UX AAA Server.


Dedicated HP-UX AAA Servers for Dynamic Authorization

Within a group, you can dedicate a set of HP-UX AAA Servers for the dynamic authorization operation. If you want to dedicate a set of HP-UX AAA Servers within a group for dynamic authorization, you need not perform all the mentioned steps on all the HP-UX AAA Servers. This section describes the procedures to dedicate HP-UX AAA Servers within a group for authentication and for dynamic authorization.

On the HP-UX AAA Servers that perform authentication only (HP-UX AAA Servers that create the sessions), complete the following steps:

1. Configure the HP-UX AAA Server to enable session management using SQL. For information on how to enable session management using SQL, see Chapter 22 (page 338).

2. Copy the SQLAction definition for StartSessionServerGroup from
   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group
   to /etc/opt/aaa/sqlaccess.config, and replace <groupname> with the name of the group.

3. To create sessions using the new SQLAction, modify the FSM as follows. Replace the following line in /etc/opt/aaa/radius.fsm:
   *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSession"
   with
   *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSessionServerGroup"

   NOTE: If you have modified the StartSession SQLAction to suit your environment, the changes must be merged with the StartSessionServerGroup SQLAction.

On HP-UX AAA Servers dedicated to dynamic authorization, complete the following steps:

1. Retrieve a copy of the dbsetup.sql.dynauth_server_group script from the following locations and store it in the /tmp directory on the database system:
   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/dbsetup.sql.dynauth_server_group
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/dbsetup.sql.dynauth_server_group

2. To create the necessary tables and stored procedures, you must execute the script. For Oracle, enter the following command at the SQL prompt:


   SQL> @ /tmp/dbsetup.sql.dynauth_server_group

   For MySQL, enter the following command at the mysql prompt:
   mysql> source /tmp/dbsetup.sql.dynauth_server_group

3. Copy sqlaccess.config. For Oracle, enter the following command at the prompt:
   $ cp /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config /etc/opt/aaa/sqlaccess.config

   For MySQL, enter the following command at the prompt:
   $ cp /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config /etc/opt/aaa/sqlaccess.config

4. Configure the Database Connection (DBID) section in /etc/opt/aaa/sqlaccess.config.
   • For Oracle — In the Database Connection (DBID) section of the sqlaccess.config file, replace <aaaoracleuser>, <aaaoracleuserpassword>, <hostname>, <port>, and <SID> with the Oracle username, password, hostname on which the database is installed, database server port number, and Oracle SID.
   • For MySQL — In the Database Connection (DBID) section of the sqlaccess.config file, replace the variables <mysqlaaauser> and <mysqlaaauserpassword> with the MySQL username and password, and set ODBCDatastore to the ODBC Data Source.

5. Append the required SQLActions after replacing <groupname> with the name of the group. For Oracle, enter the following command at the prompt:
   $ sed "s/<groupname>/test_group/g" /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config

   For MySQL, enter the following command at the prompt:
   $ sed "s/<groupname>/test_group/g" /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config

6. Copy the required policy files. Enter the following commands at the HP-UX prompt:
   • $ cp /opt/aaa/examples/config/client-request-init.grp.dynauth /etc/opt/aaa/client-request-init.grp
   • $ cp /opt/aaa/examples/config/client-reply-ingress.grp.dynauth /etc/opt/aaa/client-reply-ingress.grp


   NOTE: If some policies have already been configured in the /etc/opt/aaa/client-request-init.grp and /etc/opt/aaa/client-reply-ingress.grp files, you must append the policies instead of copying.

7. To use the new SQLActions, modify the policy files as follows:

   In /etc/opt/aaa/client-request-init.grp:

   • Replace the following line:
     insert Client-Request-Create-ActionId = "CreateDisconnectReq"
     with
     insert Client-Request-Create-ActionId = "CreateDisconnectReqServerGroup"

   • Replace the following line:
     insert Client-Request-Update-ActionId = "UpdateDisconnectReq"
     with
     insert Client-Request-Update-ActionId = "UpdateDisconnectReqServerGroup"

   • Replace the following line:
     insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReq"
     with
     insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReqServerGroup"

   • Replace the following line:
     insert Client-Request-Create-ActionId = "CreateCOAReq"
     with
     insert Client-Request-Create-ActionId = "CreateCOAReqServerGroup"

   • Replace the following line:
     insert Client-Request-Update-ActionId = "UpdateCOAReq"
     with
     insert Client-Request-Update-ActionId = "UpdateCOAReqServerGroup"

   • Replace the following line:
     insert Client-Request-Timeout-ActionId = "TimeoutCOAReq"
     with
     insert Client-Request-Timeout-ActionId = "TimeoutCOAReqServerGroup"

   In /etc/opt/aaa/client-reply-ingress.grp:

   • Replace the following line:
     insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSession"
     with
     insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSessionServerGroup"

   • Replace the following line:
     insert Client-Request-Cleanup-ActionId = "UpdateCOASession"
     with
     insert Client-Request-Cleanup-ActionId = "UpdateCOASessionServerGroup"

   • Replace the following line:
     insert Client-Request-Cleanup-ActionId = "SuspendCOASession"
     with
     insert Client-Request-Cleanup-ActionId = "SuspendCOASessionServerGroup"

   NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.grp file:
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
   with
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession-DHCP"

8. To enable the Disconnect functionality, complete the following steps:

   NOTE: You must perform this step only if you want the Disconnect functionality. Otherwise, you can ignore this step.

   1. Log in to HP-UX AAA Server Manager.
   2. Click Server Properties. The Server Properties window is displayed as follows:

Figure 20-9 Server Properties

   3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:


Figure 20-10 Server Properties (CLIENT)

   4. Click Client Action Properties. The Server Properties: Modify Property window is displayed as follows:

Figure 20-11 Server Properties: Modify Property

   5. Select New Action. The Client Action Properties window is displayed as follows:

Figure 20-12 Client Action Properties


   6. Enter the following values in the respective fields, within the Client Action Properties window:
      Action Name: Disconnect
      Timer Value: 1
      Max Requests: 0

9. To enable the CoA functionality, complete the following steps:

   NOTE: You must complete this procedure only if you want the CoA functionality. Otherwise, you can ignore this procedure.

   1. Log in to HP-UX AAA Server Manager.
   2. Click Server Properties.
   3. Click AAA Server as a Client Properties.
   4. Click Client Action Properties.
   5. Select New Action.
   6. Enter the following values in the respective fields, within the Client Action Properties window:
      Name: COA
      Timer Value: 60
      Max Requests: 0

10. To activate the changes, restart the HP-UX AAA Server.

Dynamic Authorization in Authorize Only Mode

To ensure simplicity of translation between RADIUS and DIAMETER, RFC 5176 describes a different sequence of message exchanges between the HP-UX AAA Server and the NAS for Disconnect and CoA. Figure 20-13 illustrates dynamic authorization in authorize only mode.

Figure 20-13 Dynamic Authorization in Authorize Only Mode

The sequence of steps involved in the message exchange is as follows:

1. The HP-UX AAA Server sends a CoA-Request that includes the Service-Type attribute. The value of the attribute is Authorize Only. Therefore, the mode is called Authorize Only. In addition to the Service-Type attribute, the CoA-Request includes session identification attributes, a State attribute, and NAS identification attributes. The CoA-Request does not contain any other attribute.

2. If the NAS supports the Authorize Only mode, it responds with a CoA-NAK containing the Service-Type and Error-Cause attributes. The value of the Service-Type attribute is Authorize Only and the value of the Error-Cause attribute is Request Initiated.

3. Subsequently, the NAS sends an Access-Request to the HP-UX AAA Server, including a Service-Type attribute and the State attribute that was sent by the HP-UX AAA Server in the initial CoA-Request. The value of the Service-Type attribute is Authorize Only.

4. The HP-UX AAA Server responds to the Access-Request with an Access-Accept to reauthorize the session or an Access-Reject to disconnect it.
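The four-step Authorize Only exchange above, as an added example that is not code from the guide or from the HP-UX AAA Server: both sides are modelled at the attribute level in Python, and the server's Access-Accept carries the time-of-day Filter-Id that the guide's reply policy sets. The numeric Service-Type and Error-Cause values are taken from RFC 2865 and RFC 5176; the session table, the NAS name, and the rule that an issued State is accepted only once are assumptions made for the example.

```python
import os

# RFC 2865 / RFC 5176 values behind the names the guide uses ("Authorize Only",
# "Request Initiated"); the numeric codes come from the RFCs, not from the guide.
SERVICE_TYPE_AUTHORIZE_ONLY = 17
ERROR_CAUSE_REQUEST_INITIATED = 508


def filter_for_time_of_day(time_of_day):
    """Apply the guide's rule: daytime_filter between "08:00" and "20:00", else nighttime_filter."""
    return "daytime_filter" if "08:00" <= time_of_day <= "20:00" else "nighttime_filter"


class DynamicAuthorizationServer:
    """Server side: issues the Authorize Only CoA-Request and answers the follow-up Access-Request."""

    def __init__(self, sessions):
        self.sessions = sessions  # Acct-Session-Id -> session record (constructed session table)
        self.pending = {}         # State -> Acct-Session-Id for outstanding Authorize Only requests

    def build_coa_request(self, session_id, nas_identifier):
        # State is opaque to the NAS; the server uses it to tie the later Access-Request back to
        # this request. Only Service-Type, session identification, State and NAS identification
        # are sent (the guide deletes Filter-Id from Authorize Only requests).
        state = os.urandom(16)
        self.pending[state] = session_id
        return {"Code": "CoA-Request",
                "Service-Type": SERVICE_TYPE_AUTHORIZE_ONLY,
                "Acct-Session-Id": session_id,
                "State": state,
                "NAS-Identifier": nas_identifier}

    def nas_will_reauthorize(self, response):
        """True when the NAS answered CoA-NAK with Service-Type Authorize Only and Error-Cause Request Initiated."""
        return (response is not None
                and response.get("Code") == "CoA-NAK"
                and response.get("Service-Type") == SERVICE_TYPE_AUTHORIZE_ONLY
                and response.get("Error-Cause") == ERROR_CAUSE_REQUEST_INITIATED)

    def handle_access_request(self, request, time_of_day):
        """AuthorizeSession-style decision: Access-Accept with a fresh Filter-Id, or Access-Reject."""
        if request.get("Service-Type") != SERVICE_TYPE_AUTHORIZE_ONLY:
            return None  # ordinary authentication, not part of this exchange
        # Assumed policy: the State must be one this server issued and not yet consumed. An
        # unknown or replayed State cannot be tied to a live session, so the session is rejected.
        session_id = self.pending.pop(request.get("State"), None)
        if session_id is None or session_id not in self.sessions:
            return {"Code": "Access-Reject"}
        filter_id = filter_for_time_of_day(time_of_day)
        self.sessions[session_id]["Filter-Id"] = filter_id
        return {"Code": "Access-Accept", "Filter-Id": filter_id}


class NetworkAccessServer:
    """NAS side: acknowledges Authorize Only with CoA-NAK and asks for re-authorization."""

    def __init__(self, nas_identifier):
        self.nas_identifier = nas_identifier

    def handle_coa_request(self, request):
        """Return (CoA-NAK, Access-Request) for an Authorize Only request, else (None, None)."""
        if request.get("Service-Type") != SERVICE_TYPE_AUTHORIZE_ONLY:
            return None, None  # a NAS applies an ordinary CoA-Request directly; not modelled here
        nak = {"Code": "CoA-NAK",
               "Service-Type": SERVICE_TYPE_AUTHORIZE_ONLY,
               "Error-Cause": ERROR_CAUSE_REQUEST_INITIATED}
        access_request = {"Code": "Access-Request",
                          "Service-Type": SERVICE_TYPE_AUTHORIZE_ONLY,
                          "State": request["State"],  # echoed unchanged, as step 3 requires
                          "Acct-Session-Id": request["Acct-Session-Id"],
                          "NAS-Identifier": self.nas_identifier}
        return nak, access_request


def run_exchange(das, nas, session_id, time_of_day):
    """Drive the four steps; return (coa_request, nas_reauthorizes, final_reply)."""
    coa_request = das.build_coa_request(session_id, nas.nas_identifier)
    nak, access_request = nas.handle_coa_request(coa_request)
    if not das.nas_will_reauthorize(nak):
        return coa_request, False, None
    return coa_request, True, das.handle_access_request(access_request, time_of_day)


if __name__ == "__main__":
    sessions = {"sess-0001": {"User-Name": "alice@example.net"}}  # constructed
    das = DynamicAuthorizationServer(sessions)
    nas = NetworkAccessServer("nas-01.example.net")
    print(run_exchange(das, nas, "sess-0001", "12:00"))
```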

Configuring for Dynamic Authorization in Authorize Only Mode

To configure the HP-UX AAA Server for dynamic authorization in the Authorize Only mode, complete the following steps:

1. To configure the HP-UX AAA Server to send Disconnect and CoA requests in the default mode, complete the procedure described in the following files:
   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/README
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/README

2. Modify the /etc/opt/aaa/client-request-init.grp file as follows:
   • For Authorize Only mode, the RADIUS message type for both Disconnect and CoA requests must be CoA-Request. Therefore, replace the following lines:
     ## Set the RADIUS message type of the request to Disconnect-Request.
     insert Interlink-Packet-Code = "Disconnect-Request"
     with
     ## Set the RADIUS message type of the request to COA-Request.
     insert Interlink-Packet-Code = "COA-Request"
   • Insert a Service-Type attribute. Assign Authorize-Only as the value of the attribute. Append the following lines at the end of the /etc/opt/aaa/client-request-init.grp file:
     ## Add Service-Type attribute with value "Authorize Only"
     insert Service-Type = "Authorize-Only"

3. A CoA-Request, whose Service-Type attribute value is Authorize Only, must include session and NAS identification attributes only. Therefore, the Filter-Id attribute must be removed from the Change-Of-Authorization request.


   Add the following lines in the /etc/opt/aaa/client-request-egress.grp file:
   if( count(Service-Type) != 0 && Service-Type = "Authorize-Only" && Client-Action-Name = "COA" )
   {
       ## Delete the Filter-Id attribute.
       delete Filter-Id
   }

4. To handle a response to a CoA-Request whose Service-Type attribute value is Authorize-Only, modify the client-reply-ingress.grp file. Add the following lines at the beginning of the /etc/opt/aaa/client-reply-ingress.grp file:
   if( count(Service-Type) != 0 && Service-Type = "Authorize-Only" )
   {
       if( Interlink-Packet-Code = "COA-NAK" && count(Error-Cause) != 0 && Error-Cause = "Request_Initiated" )
       {
           ## Authorize Only request succeeded.
           if( Client-Action-Name = "Disconnect" )
           {
               ## Set the SQLAccess ActionID to be used for Disconnect success.
               insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
           }
           else
           {
               if( Client-Action-Name = "COA" )
               {
                   ## Set the SQLAccess ActionID to be used for COA success.
                   insert Client-Request-Cleanup-ActionId = "UpdateCOASession"

                   ## Set the Filter-Id based on the current time of day.
                   if( Time-Of-Day >= "08:00" && Time-Of-Day <= "20:00" )
                   {
                       insert Filter-Id = "daytime_filter"
                   }
                   else
                   {
                       insert Filter-Id = "nighttime_filter"
                   }
               }
           }
       }
       else
       {
           ## Authorize Only request failed.
           if( Client-Action-Name = "Disconnect" )
           {
               ## Set the SQLAccess ActionID to be used for Disconnect failure.
               insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSession"
           }
           else
           {
               if( Client-Action-Name = "COA" )
               {
                   ## Set the SQLAccess ActionID to be used for COA failure.
                   insert Client-Request-Cleanup-ActionId = "SuspendCOASession"
               }
           }
       }
   }

   NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.grp file:
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
   with
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession-DHCP"

   If multiple HP-UX AAA Servers are configured as a group, enter UpdateCoASessionServerGroup, SuspendDisconnectedSessionServerGroup, and SuspendCoASessionServerGroup instead of UpdateCoASession, SuspendDisconnectedSession, and SuspendCoASession respectively.

5. Set the Authorize-Only-ActionId attribute to the SQL Access action ID that must be used for an Access-Request whose Service-Type attribute value is Authorize Only. Add the following lines in the /etc/opt/aaa/request-ingress.grp file:
   ## Set the SQLAccess Action ID to be used for Authorize Only type requests.
   if( count(Service-Type) != 0 && Service-Type = "Authorize-Only" )
   {
       insert Authorize-Only-ActionId = "AuthorizeSession"
   }

   NOTE: If multiple HP-UX AAA Servers are configured as a group, enter AuthorizeSessionServerGroup instead of AuthorizeSession.

6. Add the State attribute in the generated CoA-Request. In the /etc/opt/aaa/sqlaccess.config file, add the following mapping in the CreateDisconnectReq and CreateCoAReq SQLActions:
   FUNC(gen_state) RAD(State, REPLY)

   NOTE: If multiple HP-UX AAA Servers are configured as a group, the mapping must be added in the CreateDisconnectReqServerGroup and CreateCoAReqServerGroup SQLActions in the /etc/opt/aaa/sqlaccess.config file.

Configuring for Proxy Functionality

In addition to disconnecting and changing the authorization of user sessions, the HP-UX AAA Server can act as a proxy for Dynamic Authorization requests to a target Network Access Server (NAS). An AAA proxy is an entity that acts as a client as well as a server. When a request is received from a Dynamic Authorization Client (DAC), the proxy acts as a Dynamic Authorization Server (DAS). If the same request must be forwarded to another AAA entity, the proxy acts as a DAC.

Requests are sent based on the configuration. For example, using advanced policy, you can configure routing on the basis of user realm or target NAS. The proxy HP-UX AAA Server listens for Disconnect and CoA requests on a port that can be configured. The configuration settings of this port are the same as those of the authentication and accounting proxy ports. The default port is 3799.

Figure 20-14 illustrates the Dynamic Authorization proxy functionality.

Figure 20-14 Proxy Functionality

Configuring for Dynamic Authorization Proxy Functionality

To configure the HP-UX AAA Server for Dynamic Authorization proxy functionality, you must configure the routing tables for the requests in the /etc/opt/aaa/proxy-egress.grp proxy egress policy file. You can configure the routing tables on the basis of attributes in the incoming request, such as the user's realm and the target NAS (authenticator).

Configuring on the Basis of User's Realm

To configure routing tables based on the user's realm, add the following lines in the /etc/opt/aaa/proxy-egress.grp file:
if( Interlink-Packet-Code = "Disconnect-Request" || Interlink-Packet-Code = "COA-Request" )
{
    if( (count(User-Name) > 0) && substr(User-Name after "@") = "<realm>" )
    {
        modify Interlink-Proxy-Target = "<Hostname or IP Address of Proxy Target Server>"
    }
}

Configuring on the Basis of NAS

To configure routing tables based on the NAS (authenticator), add the following lines in the /etc/opt/aaa/proxy-egress.grp file:
if( Interlink-Packet-Code = "Disconnect-Request" || Interlink-Packet-Code = "COA-Request" )
{
    if( count(NAS-Identifier) > 0 && NAS-Identifier = "<DNS name of NAS>" )
    {
        modify Interlink-Proxy-Target = "<Hostname or IP Address of Proxy Target Server>"
    }
}

NOTE: The HP-UX AAA Server configuration must include all the remote proxy servers that forward messages to, or receive forwarded messages from, this HP-UX AAA Server. If a remote proxy server is not included in the configuration, the server does not handle requests from it or forward requests to it. The Proxies screen in the HP-UX AAA Server Manager allows you to add, modify, or delete a remote proxy server in the server configuration. For information on how to configure Proxies, see Chapter 9 (page 117).

Configuring for Failover

The HP-UX AAA Server supports failover functionality for dynamic authorization requests. You can configure a secondary server to which the requests must be sent in case the primary server fails to respond. To configure a secondary server, add the following line in the /etc/opt/aaa/client-request-egress.grp file:
insert Client-Request-Secondary-Server = <hostname or IP address of secondary server>

Security Consideration in Dynamic Authorization

This section describes the security features in Dynamic Authorization. The following features are supported:
• “Replay Protection” (page 321)
• “Message-Authenticator” (page 324)
• “Reverse Path Forwarding Check for Proxies” (page 324)

Replay Protection

The Replay Protection feature protects the network from fraudulent transmissions using valid data. The Event-Timestamp attribute is used for enforcing replay protection. The HP-UX AAA Server discards all incoming messages if the Event-Timestamp value is not within acceptable time limits. You can configure the time window using the event_timestamp_window attribute in the aaa.config file. For more information on the attribute, see “Dynamic Authorization-Related Configuration Items” (page 525).

By default, Event-Timestamp attribute checking is not enforced. The verification of the Event-Timestamp attribute occurs only if the attribute is present in the incoming message. If an Event-Timestamp attribute is not present, the attribute is ignored. To enforce Event-Timestamp attribute checking, add the following lines in the /etc/opt/aaa/client-reply-ingress.grp file:
if( count(Event-Timestamp) = 0 )
{
    exit "NAK"
}

To configure the HP-UX AAA Server to send the Event-Timestamp attribute in the outgoing messages, add the following SQL mapping in the SQLAction that creates the client request:
FUNC(get_cur_timestamp) RAD(Event-Timestamp, REPLY)

To add the Event-Timestamp attribute in the outgoing Disconnect requests, add the mentioned mapping in the CreateDisconnectReq or CreateDisconnectReqServerGroup SQLAction within the /etc/opt/aaa/sqlaccess.config file. To add the Event-Timestamp value in the outgoing CoA requests, add the mentioned mapping in the CreateCoAReq or CreateCoAReqServerGroup SQLAction within the /etc/opt/aaa/sqlaccess.config file.

Configuring the Event Timestamp Window for Replay Protection Using HP-UX AAA Server Manager

To configure the Event Timestamp window for replay protection, complete the following steps:

1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows:


Figure 20-15 Server Properties

3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:

Figure 20-16 Server Properties (CLIENT)

4. Click Global Event Timestamp Window. The Server Properties: Modify Property window is displayed as follows:


Figure 20-17 Server Properties: Modify Property (Event Timestamp)

5. Enter the time window (in seconds) for which the incoming Event-Timestamp attribute is valid.

Message-Authenticator

The Message-Authenticator attribute provides additional protection to RADIUS messages from fraudulent messages and message tampering. You can use the Message-Authenticator attribute to authenticate and integrity-protect the Dynamic Authorization messages. The HP-UX AAA Server discards all incoming messages that include an invalid Message-Authenticator attribute.

The verification of the Message-Authenticator attribute occurs only if the attribute is present in the incoming message. If the attribute is absent, the attribute is ignored. To ensure that the Message-Authenticator checking occurs, add the following lines in the /etc/opt/aaa/client-reply-ingress.grp client reply ingress policy file. For more information on Message-Authenticator, see RFC 2869.
if( count(Message-Authenticator) = 0 )
{
    exit "NAK"
}

To add the Message-Authenticator attribute in the outgoing messages, add the following line in the /etc/opt/aaa/client-request-egress.grp client request egress policy file:
insert Message-Authenticator = "0000000000000000"

The mentioned line adds an empty Message-Authenticator value to the request. The HP-UX AAA Server calculates the correct Message-Authenticator value and replaces the existing value before sending the message.

NOTE: The length of the Message-Authenticator string must be 16.
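As an added example (not code from the guide or from the HP-UX AAA Server), the Replay Protection and Message-Authenticator checks described above, carried out on a received CoA-Request the way a Dynamic Authorization Server or proxy sees it on the wire: the builder first inserts the 16-byte zero placeholder and then fills in the HMAC-MD5, and the verifier rejects a missing or invalid Message-Authenticator, a Request Authenticator that does not match the shared secret, and an Event-Timestamp outside the configured window. Assumed: the request-side rule that the Authenticator field is zeroed while the Message-Authenticator of a CoA/Disconnect request is computed (responses are checked against the original Request Authenticator instead), plus a constructed secret, session id and timestamps.

```python
import hashlib
import hmac
import struct
import time

# RADIUS codes and attribute types (RFC 2865, RFC 2869, RFC 5176)
CODE_COA_REQUEST = 43
ATTR_ACCT_SESSION_ID = 44
ATTR_EVENT_TIMESTAMP = 55
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attributes(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length octet covers the 2-byte header too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def event_timestamp_attribute(stamp):
    """Event-Timestamp carries seconds since the epoch as a 4-byte big-endian integer."""
    return ATTR_EVENT_TIMESTAMP, struct.pack("!I", stamp)


def find_attribute(body, wanted):
    """Return (offset, value) of the first attribute of type `wanted` in `body`, or None."""
    offset = 0
    while offset + 2 <= len(body):
        attr_type, length = body[offset], body[offset + 1]
        if length < 2 or offset + length > len(body):
            raise ValueError("malformed attribute")
        if attr_type == wanted:
            return offset, body[offset + 2:offset + length]
        offset += length
    return None


def build_request(code, identifier, secret, attrs):
    """Build a CoA/Disconnect request carrying Message-Authenticator and Request Authenticator.

    The Message-Authenticator is HMAC-MD5 (key: shared secret) over the packet with the
    Authenticator field and the attribute's own value zeroed, i.e. the guide's
    "0000000000000000" placeholder is exactly what gets signed. The Request Authenticator is
    then MD5(header + 16 zero octets + attributes + secret), as RFC 5176 specifies for requests.
    """
    body = encode_attributes(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac  # Message-Authenticator is the last attribute; replace its value
    request_authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_authenticator + body


def verify_message_authenticator(packet, secret):
    """True only if a 16-byte Message-Authenticator is present and valid (absent => False, like exit "NAK")."""
    header, body = packet[:4], packet[20:]
    found = find_attribute(body, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None:
        return False
    offset, value = found
    if len(value) != 16:
        return False  # the guide's NOTE: the attribute must be exactly 16 octets long
    zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
    expected = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def verify_request_authenticator(packet, secret):
    """Check the Request Authenticator of a CoA/Disconnect request against the shared secret."""
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def event_timestamp_ok(packet, window_seconds, now=None):
    """Replay check: True if Event-Timestamp lies within +/- window_seconds of now; False if absent or stale."""
    found = find_attribute(packet[20:], ATTR_EVENT_TIMESTAMP)
    if found is None or len(found[1]) != 4:
        return False
    (stamp,) = struct.unpack("!I", found[1])
    now = int(time.time()) if now is None else now
    return abs(now - stamp) <= window_seconds


def accept_incoming(packet, secret, window_seconds, now=None):
    """Policy for an incoming request: all three checks must pass, otherwise the request is discarded."""
    return (verify_request_authenticator(packet, secret)
            and verify_message_authenticator(packet, secret)
            and event_timestamp_ok(packet, window_seconds, now))


if __name__ == "__main__":
    secret, now = b"constructed-secret", int(time.time())  # constructed values
    pkt = build_request(CODE_COA_REQUEST, 7, secret,
                        [(ATTR_ACCT_SESSION_ID, b"sess-0001"), event_timestamp_attribute(now)])
    print(len(pkt), accept_incoming(pkt, secret, 300, now))
```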

Reverse Path Forwarding Check for Proxies

The Dynamic Authorization proxy functionality can perform a Reverse Path Forwarding (RPF) check to verify that a Dynamic Authorization request originated from an authorized Dynamic Authorization Client (DAC). The HP-UX AAA Server extracts the realm from the user name and determines the corresponding HP-UX AAA Servers in the realm routing tables configured in the /etc/opt/aaa/authfile or the Proxies screen in the HP-UX AAA Server Manager. If the request is not from an authorized source, the request is discarded.

This feature is disabled by default. You can enable the feature using the enable_rpf_check attribute in the aaa.config file. For more information on the attribute, see “Dynamic Authorization-Related Configuration Items” (page 525).

Configuring Reverse Path Forwarding Check for Proxies Using HP-UX AAA Server Manager

To enable the RPF check using HP-UX AAA Server Manager, complete the following steps:

1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows:

Figure 20-18 Server Properties

3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:


Figure 20-19 Server Properties (CLIENT)

4. Click Enable Reverse Path Forwarding Check. The Server Properties: Modify Property window is displayed as follows:

Figure 20-20 Reverse Path Forwarding Check

5. Click Yes to enable RPF.

Sample Configuration Files

This section describes the sample configuration files that are used to configure the HP-UX AAA Server for Dynamic Authorization. This section addresses the following topics:
• “The client-request-init.grp.dynauth Sample File” (page 327)
• “The client-reply-ingress.grp.dynauth Sample File” (page 327)
• “The sqlaccess.config.dynauth Sample File” (page 327)
• “The sqlaccess.config.dynauth_server_group Sample File” (page 329)
• “The dbsetup.sql.dynauth_server_group Sample File” (page 331)


The client-request-init.grp.dynauth Sample File

The client-request-init.grp.dynauth file is the sample client request init policy file. The following actions are performed in this sample policy file:

1. The SQL actions, to be used to generate Disconnect and CoA requests, are set in the attribute Client-Request-Create-ActionId.
2. The SQL actions, to be used to generate the session entry to indicate that it has just been processed for Disconnect and CoA, are set in the attribute Client-Request-Update-ActionId.
3. The SQL actions, to be used to update the session entry for which a Disconnect or CoA request timed out, are set in the attribute Client-Request-Timeout-ActionId.
4. The RADIUS message type of the request is set in the attribute Interlink-Packet-Code.
5. For CoA, the Filter-Id attribute is set based on the time of the day.

The attribute Client-Action-Name is used to differentiate between Disconnect and CoA requests.

The client-reply-ingress.grp.dynauth Sample File

The client-reply-ingress.grp.dynauth file is the sample client reply ingress policy file. In this policy file, the SQL actions to be used to update the database table for Disconnect-ACK response, Disconnect-NAK response, CoA-ACK response and CoA-NAK response are set in the Client-Request-Cleanup-ActionId attribute. The Interlink-Packet-Code attribute is used to determine the response type.

The sqlaccess.config.dynauth Sample File

Table 20-1 lists the SQL actions listed in the sqlaccess.config.dynauth file to support Dynamic Authorization.

Table 20-1 SQL Actions that Support Dynamic Authorization

SQL action, followed by its description:

CreateDisconnectReq
    Queries the session table for sessions that have exceeded their session-timeout limit, and uses the information in the expired session to create a Disconnect-Request. Based on multi-row functionality, this SQL action retrieves all expired sessions using a single query.

UpdateDisconnectReq
    Updates the status of the session entry to indicate that the session is processed for Disconnect-Request.

TimeoutDisconnectReq
    Updates the status of the session entry to indicate that the Disconnect-Request timed out.

CleanupDisconnectedSession
    Removes the session entry after receiving Disconnect-ACK.

CleanupDisconnectedSession-DHCP
    Removes the session entry after receiving Disconnect-ACK. Also releases the IP address of the first session entry that was removed.

SuspendDisconnectedSession
    Updates the status of the session entry after receiving a Disconnect-NAK.

CreateCoAReq
    Sends CoA requests for all sessions at 08:00 and 20:00 hours to change the Filter-Id to daytime_filter and nighttime_filter respectively. Based on multi-row functionality, this SQL action retrieves all expired sessions using a single query.

UpdateCoAReq
    Updates the status of the session entry to indicate that the session is already processed for CoA-Request.

TimeoutCoAReq
    Updates the status of the session entry to indicate that the CoA-Request timed out.

UpdateCoASession
    Updates the session entry after receiving CoA-ACK.

SuspendCoASession
    Updates the status of the session entry after receiving CoA-NAK.

UpdateTimedOutSessions
    Restores timed out sessions to ACTIVE state after 60 seconds. Subsequently, Disconnect or CoA requests can be resent. Each time a Disconnect or a CoA request for a session times out, the session is disabled for 60 seconds.

RestoreDroppedSessions
    Checks the database for sessions for which the Disconnect or CoA requests cannot be sent after updating the session_status attribute. For example, if a HUP signal is received, all the requests are purged from the queue. Under such circumstances, sessions that are updated with DISCONNECT_INIT will not be processed again. Checks in the database for such sessions ensure that the sessions are restored to ACTIVE state.

AuthorizeSession
    Sends an Access-Reject and disconnects a session if the session is not found in the session table. If the session is found, this SQL action sends an Access-Accept to reauthorize the session with a new Filter-Id value.


The sqlaccess.config.dynauth_server_group Sample File

The sqlaccess.config.dynauth_server_group file contains the SQL actions required to implement the dynamic authorization functionality for Disconnect and CoA requests when multiple HP-UX AAA Servers are configured as a group. You can modify these SQL actions based on requirements. Table 20-2 lists the SQL actions in the sqlaccess.config.dynauth_server_group file that support Dynamic Authorization.

Table 20-2 SQL Actions that Support Dynamic Authorization in Groups

StartSessionServerGroup
    Creates a user session entry in the session table. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

UpdateServerTable
    Creates a row for the HP-UX AAA Server in the RAD_SERVER_TABLE, if a row does not exist. If a row exists for the HP-UX AAA Server, the SQL action executes a stored procedure that updates the row. A mapping function is used to retrieve a unique server name.

DistributeDisconnectSessions
    Executes a stored procedure every second. The stored procedure distributes the expired sessions among the live HP-UX AAA Servers in the group.

CreateDisconnectReqServerGroup
    Queries the session table for sessions assigned to the HP-UX AAA Server, to process Disconnect requests. The SQL action also uses the information in the expired session to create a Disconnect-Request. The SQL action implements the multi-row functionality to retrieve all expired sessions using a single query.

UpdateDisconnectReqServerGroup
    Updates the status of the session entry to indicate that it is already processed for Disconnect-Request. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

TimeoutDisconnectReqServerGroup
    Updates the status of the session entry to indicate that the Disconnect-Request has timed out. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

CleanupDisconnectedSession
    Removes the session entry for which a Disconnect-ACK was received.

CleanupDisconnectedSession-DHCP
    Removes the session entry after receiving Disconnect-ACK. Also releases the IP address of the first session entry that was removed.

SuspendDisconnectedSessionServerGroup
    Updates the status of a session entry for which Disconnect-NAK was received. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

DistributeCoASessions
    Distributes the list of sessions for which CoA requests must be sent among the live HP-UX AAA Servers in the group. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

CreateCoAReqServerGroup
    Creates CoA requests to change data filters. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

UpdateCoAReqServerGroup
    Updates the status of the session entry to indicate that it is already processed for CoA-Request. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

TimeoutCoAReqServerGroup
    Updates the status of the session entry to indicate that the CoA-Request has timed out. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

UpdateCoASessionServerGroup
    Updates the session entry for which CoA-ACK was received. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

SuspendCoASessionServerGroup
    Updates the status of a session entry for which CoA-NAK was received. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

UpdateTimedOutSessionsServerGroup
    Restores timed out sessions to ACTIVE state after 60 seconds. Subsequently, Disconnect or CoA requests can be resent. Each time a Disconnect or a CoA request for a session times out, the session is disabled for 60 seconds. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

RestoreDroppedSessionsServerGroup
    Checks the database for sessions for which the Disconnect or CoA requests cannot be sent after updating the session_status attribute. For example, if a HUP signal is received, all the requests are purged from the queue. Under such circumstances, sessions that are updated with DISCONNECT_INIT will not be processed again. Checks in the database for such sessions ensure that the sessions are restored to ACTIVE state. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.

AuthorizeSession
    Sends an Access-Reject and disconnects a session if the session is not found in the session table. If the session is found, this SQL action sends an Access-Accept to reauthorize the session with a new Filter-Id value.


The dbsetup.sql.dynauth_server_group Sample File

The dbsetup.sql.dynauth_server_group sample file contains the SQL commands required to create tables and stored procedures in the database server. Table 20-3 lists the stored procedures and tables.

Table 20-3 Tables and Stored Procedures in the dbsetup.sql.dynauth_server_group File

RAD_SERVER_TABLE
    Contains information related to the HP-UX AAA Servers that are sharing the same database tables. This table is used to keep track of the live HP-UX AAA Servers.

update_server_table
    Updates the UPDATE_TIME value of the entry corresponding to the HP-UX AAA Server passed in as argument, in the RAD_SERVER_TABLE. If an entry for the server is not available in the table, an entry is added in the table.

distribute_disconnect_sessions
    Distributes those expired sessions that need to be disconnected among the live HP-UX AAA Servers of a group, for Disconnect request processing. The number of expired sessions is retrieved from the RAD_SESS_TABLE based on the session_timeout value configured for the sessions. The number of live HP-UX AAA Servers is obtained from the RAD_SERVER_TABLE based on the UPDATE_TIME value. The sessions are assigned to the servers by setting the SESSION_STATUS to <groupname>_DISCONNECT. The number of expired sessions for Disconnect processing assigned to each server is equal to ((number of sessions/number of servers) + 1). If an HP-UX AAA Server is down, because the UPDATE_TIME in the RAD_SERVER_TABLE was not updated for some time, the assigned sessions are reset to the ACTIVE state to ensure that the sessions are assigned to one of the live HP-UX AAA Servers.

distribute_coa_sessions
    Distributes those sessions that need to be changed among the live HP-UX AAA Servers of a group, for CoA request processing. The number of sessions is retrieved from the RAD_SESS_TABLE. The number of live HP-UX AAA Servers is obtained from the RAD_SERVER_TABLE based on the UPDATE_TIME value. The sessions are assigned to the servers by setting the SESSION_STATUS to <groupname>_CoA. The number of expired sessions for CoA processing assigned to each server is equal to ((number of sessions/number of servers) + 1). If an HP-UX AAA Server is down, because the UPDATE_TIME in the RAD_SERVER_TABLE was not updated for some time, the assigned sessions are reset to the ACTIVE state to ensure that the sessions are assigned to one of the live HP-UX AAA Servers.
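The distribution rule shared by the two distribute_* stored procedures above, as an added Python model (not HP's stored procedure, and not SQL) that runs over RAD_SESS_TABLE and RAD_SERVER_TABLE rows constructed here as dicts. It assumes a 30-second liveness window on UPDATE_TIME and an ASSIGNED_SERVER column, neither of which the guide specifies, and reads the division in the formula as integer division.

```python
from datetime import datetime, timedelta

# Assumed liveness window: a server whose UPDATE_TIME is older than this is
# treated as down. The guide only says "not updated for some time".
LIVE_WINDOW = timedelta(seconds=30)


def live_servers(server_table, now):
    """Names of RAD_SERVER_TABLE rows whose UPDATE_TIME is recent enough."""
    return [row["SERVER_NAME"] for row in server_table
            if now - row["UPDATE_TIME"] <= LIVE_WINDOW]


def expired_sessions(sess_table, now):
    """ACTIVE rows of RAD_SESS_TABLE whose session_timeout has elapsed."""
    return [row for row in sess_table
            if row["SESSION_STATUS"] == "ACTIVE"
            and row["START_TIME"] + timedelta(seconds=row["SESSION_TIMEOUT"]) <= now]


def distribute_sessions(sess_table, server_table, groupname, now, kind="DISCONNECT"):
    """Model of distribute_disconnect_sessions (kind="DISCONNECT") and
    distribute_coa_sessions (kind="CoA").

    1. Sessions already marked <groupname>_<kind> but assigned to a server that
       is no longer live are reset to ACTIVE, so they are picked up again.
    2. Expired ACTIVE sessions are dealt out to the live servers, each server
       receiving (number of sessions // number of servers) + 1 of them, by
       setting SESSION_STATUS to <groupname>_<kind>. ASSIGNED_SERVER is an
       assumed column recording which server owns the session.
    Returns {server name: [session ids assigned in this run]}.
    """
    live = live_servers(server_table, now)
    status = f"{groupname}_{kind}"
    for row in sess_table:                       # step 1: recover from dead servers
        if row["SESSION_STATUS"] == status and row["ASSIGNED_SERVER"] not in live:
            row["SESSION_STATUS"] = "ACTIVE"
            row["ASSIGNED_SERVER"] = None
    if not live:                                 # nothing can be assigned yet
        return {}
    pending = expired_sessions(sess_table, now)
    per_server = len(pending) // len(live) + 1
    assignments = {name: [] for name in live}
    for i, name in enumerate(live):              # step 2: deal out the work
        for row in pending[i * per_server:(i + 1) * per_server]:
            row["SESSION_STATUS"] = status
            row["ASSIGNED_SERVER"] = name
            assignments[name].append(row["SESSION_ID"])
    return assignments


def session_row(sid, started_ago, timeout, now, status="ACTIVE", server=None):
    """Constructed RAD_SESS_TABLE row (a subset of columns, not the guide's schema)."""
    return {"SESSION_ID": sid, "SESSION_STATUS": status, "ASSIGNED_SERVER": server,
            "START_TIME": now - started_ago, "SESSION_TIMEOUT": timeout}


def demo():
    """Two live servers, one dead server, a mix of expired and current sessions."""
    now = datetime(2010, 5, 1, 12, 0, 0)
    servers = [
        {"SERVER_NAME": "aaa1", "UPDATE_TIME": now - timedelta(seconds=1)},
        {"SERVER_NAME": "aaa2", "UPDATE_TIME": now - timedelta(seconds=5)},
        {"SERVER_NAME": "aaa3", "UPDATE_TIME": now - timedelta(minutes=10)},  # down
    ]
    hour = timedelta(hours=1)
    sessions = [session_row(f"s{i}", 2 * hour, 3600, now) for i in range(1, 6)]
    sessions.append(session_row("s6", timedelta(minutes=5), 3600, now))      # not expired
    sessions.append(session_row("s7", 3 * hour, 3600, now,                   # stuck on aaa3
                                status="grp_DISCONNECT", server="aaa3"))
    return distribute_sessions(sessions, servers, "grp", now), sessions


if __name__ == "__main__":
    result, table = demo()
    for name, ids in result.items():
        print(name, ids)
    print("s6 status:", next(r for r in table if r["SESSION_ID"] == "s6")["SESSION_STATUS"])
```

The point worth checking in any deployment is step 1: a session handed to a server that then stops updating UPDATE_TIME must come back to ACTIVE, otherwise its Disconnect or CoA is never sent.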


Part IV Integrating the HP-UX AAA Server With External Services

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 21: “LDAP Authentication” (page 335)
• Chapter 22: “SQL Access” (page 338)
• Chapter 23: “Simple Network Management Protocol (SNMP) Support” (page 386)
• Chapter 24: “VPN Tunneling” (page 388)
• Chapter 25: “Using DHCP” (page 390)


Table of Contents

21 LDAP Authentication (page 335)
    LDAP Server Compatibility (page 335)
    Related LDAP Documentation (page 335)
    Authentication with LDAP (page 335)
        Configuring the LDAP Server (page 335)
            The HP-UX AAA Server LDAP Schema (page 336)
            To Configure Netscape Directory Server v6 (page 337)
            To Configure iPlanet Directory Server v5 (page 337)
            To Configure OpenLDAP 2.0.x (page 337)

22 SQL Access (page 338)
    SQL Access Overview (page 338)
        SQL Access Concepts (page 339)
            RADIUS Attribute to SQL Statement Mapping (page 340)
            Mapping Functions (page 341)
            Conversion Functions (page 341)
            SQL Action Processing and Result Handling (page 342)
    Implementing SQL Access (page 342)
        Sample Implementation Files (page 342)
            sqlaccess.config Sample File (page 343)
            dbsetup.sql Sample File (page 345)
            Finite State Machine Sample (page 346)
        Pre-requisites for SQL Access (page 346)
            Database Server and Schema (page 346)
                Database Security (page 347)
                High Availability (page 347)
            Database Client (page 347)
                Shared Library Path Configuration (page 348)
            Database Client Connector Libraries (page 348)
        SQL Access Implementation Details (page 348)
        sqlaccess.config File Configuration (page 349)
            Database Connection Definition (page 350)
            SQL Actions (page 352)
            Mapping Syntax (page 353)
                RAD Mapping (page 355)
                DBC Mapping (page 356)
                DBP Mapping (page 357)
                RET Mapping (page 359)
                Mapping Functions (page 359)
                Conversion Functions (page 361)
            SQL Statement (page 362)
            SQL Result Mapping (page 364)
                Result Handling for Retrieval Requests (page 366)
            Global Definitions (page 369)
        Advanced SQL Mapping Configuration (page 369)
            Developing Custom Functions (page 369)
            Null SQL Statements (page 370)
            Null Source and Target Mapping (page 370)
            Time Synchronization (page 371)
            Finite State Table Configuration in the FSM (page 372)
            Stored Procedures (page 373)
    Administering Users and Tokens Stored in an SQL Database (page 374)
        Managing Users (page 375)
            Adding Users to an SQL Database (page 375)
            Modifying User Credentials (page 377)
        Managing Users Using OTP to Authenticate (page 378)
            Importing Tokens into the Database (page 378)
            Assigning Tokens to Users (page 379)
                Assigning a Specific Token to a User (page 379)
                Allocating Any Available Tokens to a User (page 380)
            Enrolling Tokens (Procedure for Users) (page 380)
            Synchronizing Tokens (Procedure for Users) (page 382)
            Terminating Tokens (page 383)
        Viewing User and Token Statistics (page 383)
        Valid Token Status Values (page 383)
        Invoking the User Database Administration Manager Interface from Server Manager (page 384)
    Multi-Row Support For SQL Access (page 385)

23 Simple Network Management Protocol (SNMP) Support (page 386)
    Setting Up SNMP to Monitor the HP-UX AAA Server (page 386)

24 VPN Tunneling (page 388)
    Establishing a Tunnel for a User (page 388)

25 Using DHCP (page 390)
    Required DHCP Server Features (page 390)
        Recommended DHCP Server Features (page 390)
    Defining DHCP Address Pools for Specific Users (page 390)
        To Associate an Address Pool with a User Profile in AAA Server Flat Files (page 390)
        To Associate an Address Pool with a User Profile in an LDAP LDIF File (page 391)
    Associating Address Pools with Realms and Other Conditions (page 391)


21 LDAP Authentication

The Lightweight Directory Access Protocol (LDAP) authentication type provides a method for storing user profiles on an LDAP server. LDAP servers are useful when managing a large number of user profiles.

NOTE: You can download Red Hat/Netscape Directory Server for HP-UX from www.software.hp.com.

LDAP Server Compatibility

The HP-UX AAA Server is designed to interoperate with LDAP Version 3 compliant directories. Refer to the HP-UX AAA Server Release Notes at http://docs.hp.com on the Internet and Security Solutions page to see the directory suppliers and versions that are currently certified with the HP-UX AAA Server.

Related LDAP Documentation

This LDAP documentation assumes that you are familiar with LDAP server management and configuration. For more information on the Red Hat/Netscape Directory Server for HP-UX, go to the Internet and Security Solutions page at http://docs.hp.com. For more information on the OpenLDAP Server, including information on downloading the software, go to the Internet Express for HP-UX page at www.hp.com/go/internetexpress.

Authentication with LDAP

The HP-UX AAA Server can use one or more LDAP servers to retrieve user profile information and/or to authenticate the user directly with LDAP by attempting an LDAP directory bind operation using the user's credentials. You can specify LDAP authentication on a per-realm basis. Each realm can be configured with up to four redundant LDAP directories, which the server uses for load balancing and failover.

Configuring the LDAP Server

On the machine hosting the LDAP server, LDAP configuration files must be modified or created in order to implement authorization. For security reasons, install the LDAP Server on the same machine as the HP-UX AAA Server. Alternatively, have both servers on the same secure network, or secure the connection between them with LDAP/SSL.


NOTE: The following procedures are required if your user entries use attributes defined in the aaaPerson object class. If you are only storing user profiles based on the core LDAP inetOrgPerson object class (to retrieve the user ID and password), the following procedures are not necessary.

The HP-UX AAA Server LDAP Schema

The HP-UX AAA Server LDAP schema consists of the aaaPerson object class and a set of LDAP attributes used by aaaPerson. Note that while the AAA LDAP schema is not mandatory, it is useful for providing commonly used RADIUS functionality. The following LDAP attributes are included in the AAA Server LDAP Schema:

Table 21-1 The HP-UX AAA Server LDAP Schema

aaacheck
    RADIUS Check items in A-V pair string format.

aaadeny
    RADIUS Deny items in A-V pair string format.

aaareply
    RADIUS Reply attributes in A-V pair string format.

user-id
    User name*.

user-password
    User password. If not present, userpassword from inetOrgPerson is used.

* Can be specified by entering User-ID as the search filter in the LDAP client configuration in the AAA Server Manager. If no search filter is specified, the uid attribute of the inetOrgPerson object class is used.

LDIF files are a text-based representation of LDAP data, and are used to import and export data into an LDAP directory. The following is an example of an LDIF entry for an AAA Server user profile:

    dn: uid=deshen,ou=Groups,dc=chicago,dc=example,dc=com
    objectclass: top
    objectclass: aaaperson
    cn: depakshen
    sn: shen
    uid: deshen
    userpassword: mypass
    aaareply: Reply-Message="Hello, deshen"
    aaareply: Session-Timeout=60
    aaacheck: NAS-Identifier="localnet"


To Configure Netscape Directory Server v6

1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/netscape/servers/slapd-<hostname>/config/schema).
2. Restart the directory server.
3. Create an LDIF file for your user profiles and import it into the directory.

To Configure iPlanet Directory Server v5

1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/iplanet/servers/slapd-<hostname>/config/schema).
2. Restart the directory server.
3. Create an LDIF file for your user profiles and import it into the directory.

To Configure OpenLDAP 2.0.x

1. Copy iaaa-radius.schema from /opt/aaa/examples/proldap/ to the OpenLDAP server (usually /usr/local/etc/openldap/schema).
2. Modify slapd.conf by adding the following include directives (iaaa-radius.schema depends on cosine and inetorgperson, so they must come first):

    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    include /usr/local/etc/openldap/schema/iaaa-radius.schema

3. Restart the directory server.
4. Create an LDIF file for your user profiles and import it into the directory.

NOTE: Refer to “Configuring Realms for LDAP” (page 112) for information on configuring the AAA Server for LDAP Access.


22 SQL Access

IMPORTANT: The Oracle authentication module is obsolete in this release of the HP-UX AAA Server. The Oracle authentication module is supported using SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature.

This chapter introduces the SQL Access feature, describes how it works and how to configure the HP-UX AAA Server for SQL Access. The term SQL Access is used throughout this guide to refer to the functionality that allows flexible and customizable access to an SQL database. This chapter also discusses how to manage user and token information that is stored in an SQL database. This chapter addresses the following topics:
• “SQL Access Overview” (page 338)
• “Implementing SQL Access” (page 342)
• “Administering Users and Tokens Stored in an SQL Database” (page 374)
• “Multi-Row Support For SQL Access” (page 385)

SQL Access Overview

SQL Access offers a highly flexible interface to customize the functionality of the HP-UX AAA Server to meet your business requirements. In its basic implementation, SQL Access executes user specified SQL statements against database columns that are mapped to RADIUS attributes. More advanced customizations, such as using customized functions, are also possible. The ability to integrate the HP-UX AAA Server with an SQL compliant database offers the following benefits:
• Provides scalability across multiple AAA servers by using a database as a central repository for user, account, and session information.
• Enables you to integrate AAA servers with existing databases for authentication, authorization, and session management.
• Allows session state tracking and session limit enforcement to be shared across multiple AAA servers for greater scalability and availability.
• Enables the extension of AAA server functionality by introducing customized behaviors using the combination of SQL Access and Finite State Machine (FSM) modifications.

Figure 22-1 shows the interaction between the various components to implement the SQL Access feature.


Figure 22-1 SQL Access Components

When the AAA Server receives a RADIUS request to perform an action (for example, authentication), it calls the SQL Access AATV if SQL Access is configured. The SQL Access AATV maps RADIUS attributes to database columns and prepares user defined SQL statements for execution. The connector libraries pass the SQL statements to vendor supplied database client libraries, which in turn communicate with the database. After the database returns the query results, the SQL Access AATV maps the resulting database columns to RADIUS attributes for further processing by the AAA Server. The definition of the input into the SQL statement (input map), the SQL statement itself, and the output definition (output map) is called an SQL action.

SQL Access Concepts

SQL actions are defined in the /etc/opt/aaa/sqlaccess.config file as a set of one or more combinations of SQL mappings and user defined SQL statements that are executed against the database. SQL mappings consist of input and output maps. An input map consists of one or more input mapping entries, which identify the input into an SQL statement. An output map consists of one or more output mapping entries, which identify what to do with the output from the SQL statement. Each mapping entry, input or output, consists of a source and a target component. Mappings without SQL statements are possible, and SQL statements can be executed without mapping entries. See “Advanced SQL Mapping Configuration” (page 369) for more information.


RADIUS Attribute to SQL Statement Mapping

You can use SQL mappings to define how to associate or "map" RADIUS attributes to and from the input and output of your SQL statement. The execution of the SQL statement and its associated mappings occurs in three steps:
1. Input mappings
2. SQL statement execution
3. Output mappings

In the typical case, you map RADIUS attributes (input source) to SQL statement placeholders (input target). The AAA Server binds the RADIUS data to the SQL statement in preparation for execution. After execution of the SQL statement, the AAA Server processes the output mappings, which typically consist of a mapping to check the result of the SQL statement execution and one or more mappings of database columns (output source) to RADIUS reply attributes (output target). A new RADIUS attribute is allocated for each output mapping.

For maximum flexibility and customization, there are no pre-determined or hard coded relationships between database columns and RADIUS attributes; that relationship is created entirely through the sqlaccess.config file. See “sqlaccess.config File Configuration” (page 349) for complete configuration definitions of the sqlaccess.config file.

Figure 22-2 (page 341) illustrates the SQL mapping concept for RADIUS attribute to database column mapping for a specific access request using OCI, in this example by user John.


Figure 22-2 RADIUS Attribute to SQL Statement Mapping

During input mapping, the value of the RADIUS attribute User-Name is passed to the SQL statement SELECT as a search value into the database table USERTABLE, using the SQL placeholder to bind to the data value John. The output mapping entry tells the SQL Access AATV that the database column db_passwd maps to the RADIUS attribute password, with a returned value of Johnpass in the attribute-value pair.

Mapping Functions

You can also use a pre-defined or user-defined mapping function as the source or target of a mapping. For example, the pre-defined mapping function get_sid retrieves the session ID from the RADIUS request's CLASS attribute-value pair, or generates a unique session ID if the CLASS attribute-value pair does not exist. You can then insert the session ID value into a database table using the SQL INSERT command to allow for session management via SQL Access.

Conversion Functions

Pre-defined or user-defined conversion functions execute on the data in transit between the source and the target of a mapping. For example, the pre-defined conversion function AAAIPv6toString converts a binary format IPv6 address to an ANSI string suitable for generating human readable output. This can be used to translate an IPv6 address from a RADIUS attribute to a string formatted column in the database.


SQL Action Processing and Result Handling

The SQL Access AATV processes all mapping entries of an SQL action in the order in which they are defined in the sqlaccess.config file. It first processes all input mapping entries in order, then executes the SQL statement, and finally processes the output mapping entries in order. SQL actions start with an event of ACK, and mapping entries usually return an event of ACK. If any mapping entry returns an event other than ACK, the SQL processing is stopped and control is immediately returned to the FSM. You can control this behavior with customized mapping functions that set pre-defined or custom event codes other than ACK. If all mapping entries are processed successfully, the SQL Access AATV returns control to the FSM at the end of the SQL action with an ACK event or a customized value for the event code.

Note that by default, the AAA Server does not take any action based on the SQL statement execution result code returned by the database client library. However, you can configure an SQL result output mapping to define the behavior of the AAA Server based on the SQL statement result. For more information on how to control execution based on the result codes from SQL statement execution, see “SQL Result Mapping” (page 364).

NOTE: An SQL query can return more than one matching row; however, only the first row of a result is used for output mapping.
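The mapping flow from "RADIUS Attribute to SQL Statement Mapping" and the ordering and result-handling rules above, as an added Python model: it is not the SQL Access AATV and does not read sqlaccess.config, but it runs the three steps (input mappings bound to placeholders, statement execution, output mappings including an SQL result mapping and first-row-only output) against an in-memory SQLite USERTABLE constructed here after Figure 22-2. ACK and RETRIEVE_SUCCESS are the guide's event names; MISSING_INPUT and RETRIEVE_FAILED are assumed.

```python
import sqlite3

ACK = "ACK"


class SqlAction:
    """One SQL action: an input map, one SQL statement and an output map."""

    def __init__(self, name, sql, input_map, output_map, result_map=None,
                 exit_event=ACK):
        self.name = name
        self.sql = sql                  # statement with ? placeholders (SQLite style)
        self.input_map = input_map      # RADIUS attributes, one per placeholder, in order
        self.output_map = output_map    # (db column, RADIUS reply attribute, conversion or None)
        self.result_map = result_map    # callable(row count) -> event; non-ACK stops the action
        self.exit_event = exit_event    # event handed to the FSM when every entry returned ACK

    def run(self, conn, request):
        """Return (event, reply attribute-value pairs) for one RADIUS request."""
        # Step 1: input mappings bind RADIUS values to the placeholders. Binding,
        # rather than splicing the value into the statement text, keeps it as data.
        params = []
        for attr in self.input_map:
            if attr not in request:
                return "MISSING_INPUT", []     # assumed event name, not in the guide
            params.append(request[attr])
        # Step 2: execute the statement
        rows = conn.execute(self.sql, params).fetchall()
        # Step 3: output mappings in definition order; the SQL result mapping first
        if self.result_map is not None:
            event = self.result_map(len(rows))
            if event != ACK:
                return event, []               # non-ACK: stop, return to the FSM
        reply = []
        if rows:
            first = rows[0]                    # only the first row is used
            for column, reply_attr, convert in self.output_map:
                value = first[column]
                if convert is not None:        # conversion function on data in transit
                    value = convert(value)
                reply.append((reply_attr, value))  # one new attribute per mapping
        return self.exit_event, reply


def at_least_one_row(count):
    """SQL result mapping modelled on the sample RetrieveUser action."""
    return ACK if count >= 1 else "RETRIEVE_FAILED"   # assumed failure event name


def build_demo_db():
    """Constructed in-memory USERTABLE, after Figure 22-2 (not the sample schema)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE USERTABLE (db_user TEXT PRIMARY KEY, "
                 "db_passwd TEXT, db_timeout INTEGER)")
    conn.execute("INSERT INTO USERTABLE VALUES (?, ?, ?)", ("John", "Johnpass", 3600))
    return conn


RETRIEVE_USER = SqlAction(
    name="RetrieveUser",
    sql="SELECT db_passwd, db_timeout FROM USERTABLE WHERE db_user = ?",
    input_map=["User-Name"],
    output_map=[("db_passwd", "Password", None),
                ("db_timeout", "Session-Timeout", int)],
    result_map=at_least_one_row,
    exit_event="RETRIEVE_SUCCESS",
)


def retrieve(user_name):
    """Run the action for one Access-Request carrying User-Name."""
    conn = build_demo_db()
    try:
        return RETRIEVE_USER.run(conn, {"User-Name": user_name})
    finally:
        conn.close()


if __name__ == "__main__":
    print(retrieve("John"))      # ('RETRIEVE_SUCCESS', [('Password', 'Johnpass'), ('Session-Timeout', 3600)])
    print(retrieve("nobody"))    # ('RETRIEVE_FAILED', [])
```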

Implementing SQL Access

SQL Access requires that you configure and modify a number of mandatory and optional files based on your implementation. HP recommends that you start with the sample implementation files to facilitate the initial set up and configuration for SQL Access before further customization to meet your particular business need.

Sample Implementation Files

The sample set of configuration files and scripts sets up a working environment that uses SQL statements to retrieve user and token entries, and optionally performs accounting and session management in a multi-server environment. See “SQL Access Implementation Details” (page 348) for more information on the functional details of the sample implementation. There are two sets of sample configuration files:
• /opt/aaa/examples/sqlaccess/oracle-1: files to set up a sample implementation for Oracle 10g and OCI client. See the README in that directory for detailed information on how to install your sample SQL Access implementation for Oracle.
• /opt/aaa/examples/sqlaccess/mysql-1: files to set up a sample implementation for MySQL and Unix ODBC driver. See the README in that directory for detailed information on how to install your sample SQL Access implementation for MySQL.

NOTE: The database server and client are not provided with the HP-UX AAA Server. However, HP supports connectivity to selected database clients and provides a corresponding client connector library for those supported clients.

The following section provides an overview of the sample implementation:

sqlaccess.config Sample File

The sqlaccess.config sample file is configured for the database tables defined in the schema files provided with this sample configuration. Its SQL actions operate on the database tables as follows:

Table 22-1 The sqlaccess.config Sample File

SQL Action (Table Operated On)
    Operation

RetrieveUser (RAD_USERS_TABLE)
    Retrieves the user profile. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS upon exiting to the FSM.

RetrieveToken (RAD_TOKENS_TABLE)
    Retrieves token information. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

RetrieveUserAndToken (RAD_TOKENS_TABLE and RAD_USERS_TABLE)
    Retrieves user and token information. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

UpdateSequenceCounterAndSuccessAuthCount (RAD_TOKENS_TABLE)
    A stored procedure that is created using dbsetup.sql. This procedure updates the sequence counter that is passed as an argument. This action is called after successful OTP authentication. This stored procedure also increments the success authentication count.

UpdateFailedAuthCountAndTokenStatus (RAD_TOKENS_TABLE)
    A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. This stored procedure also increments the lock counter for each failed authentication. If the number of consecutive failed authentication attempts is greater than the configured token lock counter value (default 6), where the time interval between two consecutive failed authentication attempts is less than 60 seconds, it updates the token status to LOCKED.

InsertAcct (RAD_ACCT_TABLE)
    Inserts a row to the accounting table for each user to start accounting.

UpdateAcct (RAD_ACCT_TABLE)
    Updates the column update_time in the accounting table with the current time for an active account.

StopAcct (RAD_ACCT_TABLE)
    Sets the stop time in the accounting table for a given session ID.

StartSession (RAD_SESS_TABLE)
    Inserts a user session entry.

StopSession (RAD_SESS_TABLE)
    Removes a user session entry.

CleanupExpiredSessions (RAD_SESS_TABLE)
    Removes all expired sessions that are older than 24 hours.

StopAllAccts (RAD_ACCT_TABLE)
    Sets the stop time for all accounts that match the client’s NAS identifier.

CleanupAllSessions (RAD_SESS_TABLE)
    Removes all sessions from the session table that match the client’s NAS identifier.

StopSession-DHCP (RAD_SESS_TABLE, OCI only)
    Uses a stored procedure to return the IP address of the session entry and removes the entry with a matching session id from the session table. The returned IP address is passed to the AAAFreeIP mapping function to initiate the releasing of the IP address via DHCP.


dbsetup.sql Sample File

The dbsetup.sql sample file creates the database tables RAD_USERS_TABLE, RAD_TOKENS_TABLE, RAD_ACCT_TABLE, and RAD_SESS_TABLE with the following columns and inserts a test user into RAD_USERS_TABLE:

RAD_USERS_TABLE
    user_name, user_password, framed_protocol, framed_ip_addr, framed_ip_netmask, framed_routing, address_pool, security_question, security_answer, mailing_address, mailing_city, mailing_state, mailing_pin, mailing_country, email_id, work_phone, mobile_phone

RAD_TOKENS_TABLE
    serial_number, user_name, manufacturer, token_status, seq_counter, shared_secret, otp_length, lookup_window, checksum, activation_code, success_auth_count, failed_auth_count, failed_lock_count, locktime

RAD_ACCT_TABLE
    start_time, stop_time, update_time, code, user_name, session_id, nasid, nasport, service_type, framed_service, login_service

RAD_SESS_TABLE
    sess_start_time, session_id, user_name, nasid, nasport, assigned_framed_ip, client_hw_address, client_identifier varchar2(100), session_timeout number(11), from_host varchar2(253), session_status varchar2(253), sess_mod_time TIMESTAMP, filter_id varchar2(253)

In addition, the dbsetup.sql script for OCI creates a stored procedure to first retrieve the IP address for a session ID and then to delete it from the session table RAD_SESS_TABLE.

Finite State Machine Sample

NOTE: If you are using SQL Access for the retrieval of user entries only, you can use your existing FSM file.

The sample implementation contains two FSM files: one modified for accounting without session management via SQL Access (sqlaccess-acct.fsm), and one that allows both accounting and session management via SQL Access (sqlaccess-acct-sess.fsm). Note that session management with DHCP is only possible for OCI in the sample implementation, and that you need to specifically modify sqlaccess-acct-sess.fsm to choose session management with or without DHCP. By default, session management is disabled in this FSM file.

Pre-requisites for SQL Access

SQL Access requires the following:
• Database Server and Schema
• Database Client and Client Connector Libraries

Database Server and Schema

If you are not using an existing database, see your database vendor's documentation to install the database server software and create an instance of the database where the tables are to be located. See the README files for the supported environments in the respective directory at /opt/aaa/examples/sqlaccess/ for specific implementation information.


You must consider the following while selecting and setting up your database environment:

Database Security

Secure communication between the database client and the database server is controlled by the database server and client software. Therefore, choose your database environment based on your organization's security requirements. You may have to consider controlling access to the database tables based on views and privileges, data encryption requirements between the database client and server, or data encryption requirements of the data stored in the database.

High Availability

SQL Access provides multiple options to configure a highly available AAA Server environment:
• Utilizing the high-availability features of the database client and server for fail-over and load balancing;
• Configuring SQL Access such that alternate or secondary SQL actions are executed depending on database availability events, or to build in redundancy for critical database transactions;
• Using the SQL Access database reconnection feature that automatically attempts reconnection to the database in the event of an unresponsive database.

These tools can be used separately or can be combined to achieve the degree of highavailability required for your business.

Database Client

The AAA Server communicates to the database through the database client and client connector library. See the HP-UX AAA Server Release Notes at http://docs.hp.com/ in the Internet and Security Solutions collection for the latest list of certified database clients.

Refer to your database client vendor's documentation to install the database client software on the same system where your HP-UX AAA server resides. See the README files in the respective directory for the supported environments at /opt/aaa/examples/sqlaccess/ for specific implementation information.


Shared Library Path Configuration

The shared library path to the database client libraries must be set depending on the vendor's library path requirements and how the AAA Server is started:
• For startup using the Server Manager, modify the /opt/aaa/remotecontrol/rmistart.sh startup script
• For startup at system boot, modify the /sbin/init.d/radiusd.rc file
• For interactive startup of radiusd, set the shared library path at the command prompt or include it in your shell initialization script

See the README files for the supported environments in the respective directories at /opt/aaa/examples/sqlaccess/ for specific shared library path configuration information for the supported database clients.

Database Client Connector Libraries

For each supported database client, HP provides a corresponding client connector library. Copy the corresponding client connector library from /opt/aaa/lib/dbcon/alternate/ to the execution directory /opt/aaa/lib/dbcon. See the README files in the respective directory for the supported environments at /opt/aaa/examples/sqlaccess/ for specific client configuration.

NOTE: HP recommends that you only install one connector library to avoid co-existence problems with multiple database client vendors.

SQL Access Implementation Details

Follow the steps below to set up and configure SQL Access:

1. Install the sample implementation. See the README files in the respective directory for the supported environments at /opt/aaa/examples/sqlaccess/ for specific implementation information. Review the sample implementation, and note any modifications and customizations required for your specific implementation. See “SQL Access Implementation Details” (page 348) for information on the functionality provided by the sample implementation. If you need to customize the sample implementation, continue with steps 2 to 5.

2. Create or modify the database tables based on your implementation of SQL Access. You can use the sample schema provided in the sample configuration files located at /opt/aaa/examples/sqlaccess/oracle-1/ or /opt/aaa/examples/sqlaccess/mysql-1 as a starting point.

3. Create or modify the /etc/opt/aaa/sqlaccess.config file. This file contains database connection definitions, SQL action definitions, and an optional global definition. See “sqlaccess.config File Configuration” (page 349) for detailed information on the sqlaccess.config file structure.


4. Configure SQL Access execution based on your implementation:
   • If SQL Access is used to retrieve user profiles, configure the SQL action for the desired realm on the Local Realm screen in the Server Manager. See “Adding a Realm” (page 105) for more information.
   • If SQL Access is used for more advanced implementations, such as accounting and session management, modify the Finite State Machine (FSM) radius.fsm file to specify the execution of specific SQL actions for particular events. See “Finite State Table Configuration in the FSM” (page 372) for more information. The sample implementation includes two modified FSMs configured for accounting without session management and accounting with session management using the SQL Access feature.

5. Restart the server. You can also send the kill -HUP signal to activate the SQL Access implementation while the AAA server is running if you have not modified the FSM. Refer to “HUP Processing” (page 519) for details on the kill -HUP signal.

sqlaccess.config File Configuration

The sqlaccess.config file consists of the following definition types:
• An optional Global Definition;
• One or more database connection definitions (DBID) used to set up the database connection;
• One or more SQL action definitions that identify the input and output parameters and the SQL statement for execution.

The sqlaccess.config file definitions are as follows:


/* Global Definition */
[SQLMapConvLibs “path_to_lib:path_to_lib:…:path_to_lib”]

/* Database Connection Definition */
DBID instance {
    DBClient db_client_library_interface
    [DBUser db_user]
    [DBPassword db_user_password]
    [ReconnectWaitTime reconnect_wait_time]
    [ReconnectErrorCodes reconnect_err_code]
    [OracleSID Oracle_db_instance]
    [ODBCDatastore ODBC_db_instance]
}

/* SQL Action Definition */
SQLAction action_ID
{
    [TimedEvent timed_event]
    [QueryType multi_row]
    /* repeat as needed */
    {
        [input [source target [conversion_function]]
               .
               .
               [source target [conversion_function]]]
        [output [source target [conversion_function]]
               .
               .
               [source target [conversion_function]]]
        [SQLStatement instance {sql_statement}]
    } /* end repeat */
}

Database Connection Definition

Define the database connection parameters in the data structure identified with the keyword DBID. The syntax of DBID is as follows:


DBID instance {
    DBClient db_client_library_interface
    [DBUser db_user]
    [DBPassword db_user_password]
    [ReconnectWaitTime reconnect_wait_time]
    [ReconnectErrorCodes reconnect_err_code]
    [OracleSID Oracle_db_instance]
    [ODBCDatastore ODBC_db_instance]
}

Where:

instance
    Identifies a unique instance of the AAA Server as a database client. Note that the database connection parameters for a particular instance must be defined before the SQL actions for that particular database instance in the sqlaccess.config file.

Table 22-2 (page 351) lists the database access parameters and their usage:

Table 22-2 Database Access Parameters

Database Access Variable
    Description

db_client_library_interface
    Mandatory. Identifies the database client library. Values: OracleOCI or ODBC.

db_user
    Optional for database clients that maintain user and password information in their configuration file. User identity for the database connection.

db_user_password
    Optional for database clients that maintain user and password information in their configuration file. Password for the database connection. Some client libraries require the password to be specified in their configuration file. These libraries ignore the DBPassword keyword.

reconnect_wait_time
    Optional. Timer in seconds after which reconnection to the database is attempted when the connection fails. Default: 60.

reconnect_err_code
    Optional. Comma-separated native database error codes returned when the database is unreachable or shut down. Whenever the server gets any of these configured error codes, it attempts to reconnect periodically at an interval of reconnect_wait_time until the connection to the database is successfully established. No error codes are configured by default.

Oracle_db_instance
    Required for OCI only. Identifies the Oracle database instance to connect to. The supported format for this parameter is determined by the OCI client software.

ODBC_db_instance
    Required for ODBC only. Identifies the database instance to connect to. The supported format for this parameter is determined by the ODBC driver software.

Example 22-1 defines an instance of an Oracle database interface as db_oci with the connection parameters. In the Oracle instance, the Server will attempt to reconnect every 60 seconds if it gets ORA-3113 or ORA-3114 due to database access failures.

Example 22-1 Define the Oracle Database Connection Parameters

## Define the Oracle/OCI connection.
DBID db_oci {
    DBClient OracleOCI
    DBUser aaaoracleuser
    DBPassword aaaoraclepassword
    ReconnectWaitTime 60
    ReconnectErrorCodes 3113,3114
    OracleSID "example.db.com:1521/testdb"
}

Example 22-2 (page 352) defines an instance of an ODBC database interface as db_odbc with the connection parameters:

Example 22-2 Define the MySQL Database Connection Parameters

## Define the MYSQL ODBC connection.
DBID db_odbc {
    DBClient ODBC
    DBUser mysqlaaauser
    DBPassword mysqlaaapassword
    ReconnectWaitTime 30
    ReconnectErrorCodes 2006
    ODBCDatastore RadiusStore
}

SQL Actions

SQL actions are defined in the data structure identified by the keyword SQLAction. Following is the syntax of the SQLAction data structure:


SQLAction action_ID
{
    [TimedEvent timed_event]
    [QueryType multi_row]
    /* repeat as needed */
    {
        [input [source target [conversion_function]]
               .
               .
               [source target [conversion_function]]]
        [output [source target [conversion_function]]
               .
               .
               [source target [conversion_function]]]
        [SQLStatement instance {sql_statement}]
    } /* end repeat */
}

Where:

action_ID
    Required. Specifies a unique instance of an SQL action. Identifies the SQL action to be executed as configured in the FSM or in the authfile file through the Local Realm screen in the Server Manager. Follow a naming convention for action_ID that allows for easy identification of the actions they perform to ensure the integrity of the processing logic.

timed_event
    Optional. Used for actions not triggered by user requests. Specifies the time interval in seconds for the AAA Server to execute this action. See “Advanced SQL Mapping Configuration” (page 369) for more information.

QueryType multi_row
    Optional. Enables multi-row support for SQL Access. Supports multiple rows returned by an SQL query. For more information, see “Multi-Row Support For SQL Access” (page 385).
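The DBID and SQLAction structures above can be checked mechanically before the server is restarted. The following parser is an added example, not HP code and not the AAA Server's own reader: it tokenizes the Global Definition, DBID and SQLAction structures, collects the source target [conversion_function] entries, and enforces two rules from this chapter (a DBID is defined before the SQL actions that use it; OracleOCI requires OracleSID and ODBC requires ODBCDatastore). The sample configuration, its action name and its SQL text are constructed for the example.

```python
import re

DBID_KEYS = {"DBClient", "DBUser", "DBPassword", "ReconnectWaitTime",
             "ReconnectErrorCodes", "OracleSID", "ODBCDatastore"}
STOP = {"input", "output", "SQLStatement", "{", "}"}   # ends a mapping list
# One token per /* */ or ## comment, brace, quoted string, mapping term such
# as RAD(User-Id, REPLY) (inner spaces kept), or bare word.
_TOKEN = re.compile(
    r'/\*.*?\*/|##[^\n]*|[{}]|"[^"]*"|\w[\w-]*\([^)]*\)|[^\s{}]+', re.S)

# Constructed sample: DBID values follow Example 22-2 and the mapping terms the
# ODBC form of Example 22-3; the SQL text is assumed, not from the manual.
SAMPLE_CONFIG = """
## Define the MYSQL ODBC connection.
DBID db_odbc {
    DBClient ODBC
    DBUser mysqlaaauser
    DBPassword mysqlaaapassword
    ReconnectErrorCodes 2006
    ODBCDatastore RadiusStore
}
/* user profile retrieval */
SQLAction RetrieveUser {
    {
        input  RAD(User-Id, REPLY) DBP(1, 254,CHAR)
        output DBC(user_password, 128, CHAR) RAD(Password,CHECK)
               DBC(address_pool, 128, CHAR) RAD(Address-Pool,REPLY)
        SQLStatement db_odbc { SELECT user_password, address_pool
                               FROM RAD_USERS_TABLE WHERE user_name = ? }
    }
}
"""


def _mappings(toks, i):
    """source target [conversion_function] entries up to the next keyword;
    a conversion function is a bare name, sources and targets carry ()."""
    entries = []
    while toks[i] not in STOP:
        source, target, conv = toks[i], toks[i + 1], None
        i += 2
        if toks[i] not in STOP and "(" not in toks[i]:
            conv, i = toks[i], i + 1
        entries.append((source, target, conv))
    return entries, i


def _dbid(toks, i, cfg):
    name, params, i = toks[i + 1], {}, i + 3          # skip name and "{"
    while toks[i] != "}":
        if toks[i] not in DBID_KEYS:
            raise ValueError(f"DBID {name}: unknown keyword {toks[i]}")
        params[toks[i]], i = toks[i + 1].strip('"'), i + 2
    need = {"OracleOCI": "OracleSID", "ODBC": "ODBCDatastore"}.get(params.get("DBClient"))
    if need is None or need not in params:             # Table 22-2 requirements
        raise ValueError(f"DBID {name}: need OracleOCI+OracleSID or ODBC+ODBCDatastore")
    cfg["dbid"][name] = params
    return i + 1


def _action(toks, i, cfg):
    name = toks[i + 1]
    act = {"TimedEvent": None, "QueryType": None, "input": [], "output": [], "statements": []}
    i, depth = i + 3, 1                                # skip name and "{"
    while depth:
        t = toks[i]
        if t in ("{", "}"):                            # repeat group open/close
            depth, i = depth + (1 if t == "{" else -1), i + 1
        elif t in ("TimedEvent", "QueryType"):
            act[t], i = toks[i + 1], i + 2
        elif t in ("input", "output"):
            entries, i = _mappings(toks, i + 1)
            act[t].extend(entries)
        elif t == "SQLStatement":
            inst = toks[i + 1]
            if inst not in cfg["dbid"]:                # DBID must precede its use
                raise ValueError(f"SQLAction {name}: DBID {inst} not defined before use")
            end = toks.index("}", i + 3)               # statement body ends at "}"
            act["statements"].append((inst, " ".join(toks[i + 3:end])))
            i = end + 1
        else:
            raise ValueError(f"SQLAction {name}: unexpected token {t!r}")
    cfg["actions"][name] = act
    return i


def parse_sqlaccess(text):
    """Parse into {"SQLMapConvLibs": [...], "dbid": {...}, "actions": {...}}."""
    toks = [t for t in _TOKEN.findall(text) if not t.startswith(("/*", "##"))]
    cfg, i = {"SQLMapConvLibs": [], "dbid": {}, "actions": {}}, 0
    while i < len(toks):
        if toks[i] == "SQLMapConvLibs":
            cfg["SQLMapConvLibs"], i = toks[i + 1].strip('"').split(":"), i + 2
        elif toks[i] in ("DBID", "SQLAction"):
            i = (_dbid if toks[i] == "DBID" else _action)(toks, i, cfg)
        else:
            raise ValueError(f"unexpected top-level token {toks[i]!r}")
    return cfg
```

Running parse_sqlaccess over a file before a restart or kill -HUP surfaces an action whose DBID is defined later in the file, which the server would otherwise reject at load time.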

The following sections provide details on the input and output mapping syntax andthe SQL statement.

Mapping Syntax

Each input or output mapping entry consists of a source and target definition, and an optional conversion function.


Table 22-3 (page 354) and Table 22-4 (page 354) show the source and target data types that can be mapped depending on input or output mapping:
• RAD: identifies a RADIUS attribute in a mapping,
• DBP: identifies SQL placeholder mapping,
• DBC: identifies the database column mapping,
• DBR: handles return values from the SQL statements. See “SQL Result Mapping” (page 364) for more information on the use of DBR mapping.

Table 22-3 Input Mapping Data Types and Syntax

Input Mapping Type
    Syntax

source
    • RAD(vendor_id:attribute, attr_type, MAND)
    • FUNC(mappingfunction)
    • DBR(result) or DBR(ret code:error code)

target
    • RAD(vendor_id:attribute, attr_type, MAND)
    • FUNC(mappingfunction)
    • DBP(placeholder, db_width, db_type)
    • RET(return event)

Table 22-4 Output Mapping Data Types and Syntax

Output Mapping Type
    Syntax

source
    • RAD(vendor_id:attribute, attr_type, MAND)
    • DBC(db_column, db_width, db_type)
    • DBP(placeholder, db_width, db_type)
    • FUNC(mappingfunction)
    • DBR(result) or DBR(ret code:error code)

target
    • RAD(vendor_id:attribute, attr_type, MAND)
    • FUNC(mappingfunction)
    • RET(return event)


NOTE: You must store the values of tagged attributes in raw format in the SQL Access database. Following are the syntax and sample values of the tagged attributes:
• Tagged Integer — The syntax for the Tagged Integer attribute is :<tag value>:<attribute value>. The value must always comprise four octets, of which the tag value must comprise one octet and the attribute value must comprise three octets. For example, the value :3:32 must be stored as 03000020. 03 is the hexadecimal equivalent of 3 and 000020 is the hexadecimal equivalent of 32; the additional 0s are included to ensure that the value comprises four octets.
• Tagged String — The syntax for the Tagged String attribute is :<tag value>:<string>. The value can comprise a maximum of 254 octets, of which the tag value must comprise one octet and the string must comprise a maximum of 253 octets. For example, the value :12:Sample must be stored as 0C53616D706C65. In the example, 0C is the hexadecimal equivalent of 12 and 53616D706C65 is the hexadecimal equivalent of Sample.
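The two encodings in this note, as an added example (not HP code, and not the AAATagInttoOctets and AAATagStrtoOctets conversion functions the server ships): the functions build the raw hexadecimal form from the :<tag value>:<value> text and decode it back, enforcing the octet limits stated above so that a stored value can be audited before the server reads it.

```python
def _split_tagged(text):
    """':<tag>:<value>' -> (tag, value); the value part may itself contain ':'."""
    if not text.startswith(":") or text.count(":") < 2:
        raise ValueError(f"expected :<tag value>:<value>, got {text!r}")
    _, tag, value = text.split(":", 2)
    tag = int(tag)
    if not 0 <= tag <= 0xFF:                 # the tag occupies exactly one octet
        raise ValueError(f"tag {tag} does not fit in one octet")
    return tag, value


def tagged_int_to_octets(text):
    """':3:32' -> '03000020': one tag octet, then three big-endian value octets."""
    tag, value = _split_tagged(text)
    value = int(value)
    if not 0 <= value <= 0xFFFFFF:           # three octets for the integer
        raise ValueError(f"integer {value} does not fit in three octets")
    return f"{tag:02X}{value:06X}"


def tagged_str_to_octets(text):
    """':12:Sample' -> '0C53616D706C65': tag octet followed by the string octets."""
    tag, string = _split_tagged(text)
    raw = string.encode("utf-8")
    if len(raw) > 253:                       # 254 octets in total including the tag
        raise ValueError(f"string is {len(raw)} octets, maximum is 253")
    return f"{tag:02X}" + raw.hex().upper()


def octets_to_tagged_int(hexstr):
    """Reverse of tagged_int_to_octets; rejects anything but four octets."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 4:
        raise ValueError(f"Tagged Integer must be four octets, got {len(raw)}")
    return f":{raw[0]}:{int.from_bytes(raw[1:], 'big')}"


def octets_to_tagged_str(hexstr):
    """Reverse of tagged_str_to_octets; rejects values over 254 octets."""
    raw = bytes.fromhex(hexstr)
    if not 1 <= len(raw) <= 254:
        raise ValueError(f"Tagged String must be 1 to 254 octets, got {len(raw)}")
    return f":{raw[0]}:{raw[1:].decode('utf-8')}"


def check_stored_value(kind, hexstr):
    """True when a stored hex value is a well-formed tagged attribute of the
    given kind ('int' or 'str'); malformed hex or bad lengths give False."""
    try:
        (octets_to_tagged_int if kind == "int" else octets_to_tagged_str)(hexstr)
        return True
    except ValueError:                       # bytes.fromhex and decode errors included
        return False
```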

RAD Mapping

The RAD mapping identifies a RADIUS attribute for input and/or output mapping. If a RADIUS attribute is the source in input mapping, the target can either be a DB placeholder map, a RADIUS attribute, or a mapping function. The most common use for a RADIUS attribute output mapping is to map to a database column and value from the SQL statement execution.

If the same attribute is specified in multiple source mappings for a given SQL statement, the order of mappings will match the order of appearance in the RADIUS attribute queue associated with attr_type. When RAD is specified as a target mapping, a new attribute is created to hold the data.

Table 22-5 (page 355) lists the RAD mapping parameters and their descriptions:

Table 22-5 RAD Mapping Parameters

Parameter
    Description

vendor_id
    Optional. Specifies the RADIUS vendor ID in the string format. The RADIUS vendor ID must exist in the dictionary. Default: 0 (standard RADIUS attribute).

attribute
    Mandatory. Specifies the RADIUS attribute ID in the string format as defined in the dictionary.

attr_type
    Optional. Specifies the type of RADIUS attribute, and is used to determine the queue where the attribute is located. A set of attribute queues is associated with each RADIUS request. You can specify one of the following queues:
    • REQUEST: Attributes from the inbound request.
    • REPLY: Attributes to be included in the reply. Also typically used for temporary attributes used for local processing.
    • CHECK: Attributes that will be compared with the corresponding REQUEST attributes by the CHK_DENY AATV, ensuring that ACCESS_REQUEST packets contain matching attributes for all check attributes.
    • DENY: Attributes that will be compared with the corresponding request attributes by the CHK_DENY AATV, ensuring that ACCESS_REQUEST packets do not contain any request attribute with a matching deny attribute.
    Default: REQUEST for source mapping, REPLY for target mapping.

attr_overflow
    Optional. Defines how to handle data that exceeds the RADIUS attribute value size of 235 bytes when mapping to a RADIUS output target attribute. You can specify one of the following:
    • TRUNCATE: Truncate the data to 235 bytes.
    • CONCAT: Append the overflowing data to consecutive RADIUS attributes.
    • FAIL: Allow the SQL action to fail.
    Default: FAIL.

MAND
    Optional. Used for source mapping only. Specifies that the attribute must be present. If the attribute is not found, the NAK event code is returned.

DBC Mapping

DBC identifies a database column as the source of data in the output mapping statement. The database column and value can either be mapped to a RADIUS attribute (output target is of type RAD), or a mapping function. Table 22-6 (page 357) lists the DBC attributes and descriptions:


Table 22-6 DBC Mapping Parameters

Parameter
    Description

db_column
    Mandatory. Specifies the column name of the database table.

db_width
    Mandatory. Specifies the column width as defined in the database schema. Used by the database client library to determine the length of data to reserve for processing the column.

db_type
    Mandatory. Used by the database column library to specify the type conversion to be performed on the data. You can use one of the following keywords:
    • CHAR
    • INT
    • RAW

DBP Mapping

DBP is the placeholder mapping using the placeholder syntax in the SQL statements and parameter bind functions as defined by the OCI and ODBC library APIs. If used as a target in input mapping, it contains a placeholder to the local data to bind to using SQL placeholders. If used as a source in output mapping, it contains the value to be retrieved from the placeholder after execution of a stored procedure. For more information on stored procedures, see “Stored Procedures” (page 373).

Check the latest HP-UX AAA Server Release Notes to determine if DBP is supported with your client library.

Table 22-7 (page 358) lists the DBP mapping parameters and their descriptions:


Table 22-7 DBP Mapping Parameters

Parameter
    Description

placeholder
    Mandatory.
    • For OCI: Any string value. Passed to the OCIBindByName function. Binds the mapping to a placeholder in the SQL statement as defined by the OCI syntax based on string matching.
    • For ODBC: Integer value. Identifies the order or position of the DBP parameter in the SQL statement. Passed to the SQLBindParameter function. Binds the mapping to a placeholder in the SQL statement as specified by the ODBC syntax. Input mappings and output mappings use separate ordering, each starting with 1.

db_width
    Mandatory. Specifies the column width as defined in the database schema. Used by the database client library to determine the length of data to reserve for processing the column.

db_type
    Mandatory. Used by the database column library to specify the type conversion to be performed on the data. You can use one of the following keywords:
    • CHAR
    • INT
    • RAW

Example 22-3 shows a single input and output mapping for OCI and ODBC.


Example 22-3 User and Password Input and Output Mappings

For OCI:

input  RAD(User-ID, REPLY) DBP(userid,64,CHAR)
output DBC(user_password,128,CHAR) RAD(Password, CHECK)
       DBC(address_pool, 128, CHAR) RAD(Address-Pool, REPLY)

For ODBC:

input  RAD(User-Id, REPLY) DBP(1, 254,CHAR)
output DBC(user_password, 128, CHAR) RAD(Password,CHECK)
       DBC(address_pool, 128, CHAR) RAD(Address-Pool,REPLY)

The input mapping locates the RADIUS attribute User-Id in the reply queue and associates a data pointer to the local value. The output mapping maps the value retrieved from the database column user_password to the RADIUS attribute Password as a check item, and the value retrieved from the database column address_pool to the RADIUS attribute Address-Pool as a reply item.

RET Mapping

RET can be used when DBR is a source mapping. RET is used to return FSM events if the return values and error codes configured in DBR match. RET has the following syntax:

RET(return event)

For more information on RET mapping, see “SQL Result Mapping” (page 364).

Mapping Functions

Mapping functions can be used in input and output mapping entries either as a source or target definition. Mapping function definitions have the following syntax:

FUNC(mappingfunction)

Where:

mappingfunction
    The function name to execute a mapping. Can either be a pre-defined function included in the AAA Server, or a custom defined function. See “Advanced SQL Mapping Configuration” (page 369) for more information on custom mapping functions.

HP provides the pre-defined mapping functions listed in Table 22-8:


Table 22-8 Pre-defined Mapping Functions

Mapping Function (Mapping Type)
    Description

AAALocalHost (source)
    Returns the AAA Server hostname. It uses the RADIUS Server host name stored in aaa.config or the result of the gethostname() system call when hostname is not configured.

AAALocalIP (source)
    Returns the local IP address in binary format as returned by getaddrinfo() for AAALocalHost.

AAALocalIPv6 (source)
    Returns the local IPv6 address in binary format as returned by getaddrinfo() for AAALocalHost.

get_sid (source)
    Retrieves the session ID from the RADIUS request’s CLASS attribute-value pair or generates a session ID if the CLASS attribute-value pair does not exist.

AAAFreeIP (target)
    Initiates the release of the input IP address via DHCP (IPv4 only). Can be used only if session management with DHCP is enabled in the FSM.

ACKonAll (target)
    Returns ACK irrespective of the input. Typically used with the DBR source mapping to force the continuation of mapping execution even if a previous SQL statement failed.

ACKonZero (target)
    Returns ACK if the function’s input data is zero. Else, it returns NAK. Typically used with the DBR source mapping to return ACK when DBResultCode or DBMatchRow are zero.

RetrieveOnZero (target)
    Returns RETRIEVE_SUCCESS if the function’s input data is zero. Else, it returns NAK. Typically used with the DBR source mapping to return RETRIEVE_SUCCESS for user retrieval actions.

NAKOnZero (target)
    Returns NAK if the function’s input data is zero. Typically used with the DBR source mapping to return NAK when DBResultCode or DBMatchRow are zero.

A failure of a mapping function results in the termination of the SQL action.

The following input mapping example for OCI uses the pre-defined mapping function get_sid as a source to set a session ID:

input FUNC(get_sid) DBP(sessid, 254, CHAR)

The following output mapping example for OCI uses the pre-defined mapping function AAAFreeIP as a target to initiate the freeing of the input IP address via DHCP:

output DBP(ipaddr, 11, INT) FUNC(AAAFreeIP)
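The event flow described under SQL Action Processing and Result Handling (input mappings, then the statement, then output mappings, stopping at the first non-ACK event and mapping only the first row) together with the DBR-driven target functions of Table 22-8, as an added simulation that is not HP code: SQLite stands in for the OCI/ODBC client, the action is a constructed RetrieveUser in a simplified tuple form, its SQL text is assumed, and the meaning of DBResultCode and DBMatchRow (0 for success and at least one row) is a simulation assumption since their definition is on page 364.

```python
import sqlite3

ACK, NAK, RETRIEVE_SUCCESS = "ACK", "NAK", "RETRIEVE_SUCCESS"

# Re-implementations of the pre-defined target mapping functions of Table 22-8.
# NAKOnZero's result for non-zero input is not stated in the manual; ACK is assumed.
TARGET_FUNCS = {
    "ACKonAll": lambda v: ACK,
    "ACKonZero": lambda v: ACK if v == 0 else NAK,
    "RetrieveOnZero": lambda v: RETRIEVE_SUCCESS if v == 0 else NAK,
    "NAKOnZero": lambda v: NAK if v == 0 else ACK,
}

# Constructed RetrieveUser action. Input entry: (("RAD", attribute, queue, MAND),
# ("DBP", placeholder)); output entry: a DBC column or DBR result mapped to a
# RAD queue or a FUNC target. Example 22-3 reads User-Id from REPLY; REQUEST
# is used here. The SQL text is assumed, not taken from the sample files.
RETRIEVE_USER = {
    "input": [(("RAD", "User-Id", "REQUEST", True), ("DBP", "userid"))],
    "sql": "SELECT user_password, address_pool FROM RAD_USERS_TABLE "
           "WHERE user_name = :userid",
    "output": [(("DBC", "user_password"), ("RAD", "Password", "CHECK")),
               (("DBC", "address_pool"), ("RAD", "Address-Pool", "REPLY")),
               (("DBR", "DBMatchRow"), ("FUNC", "RetrieveOnZero"))],
}


def sample_connection():
    """In-memory SQLite stand-in for the database client, with the RAD_USERS_TABLE
    columns the mapping uses. Two rows for alice show first-row-only mapping."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE RAD_USERS_TABLE (user_name TEXT, "
                 "user_password TEXT, address_pool TEXT)")
    conn.executemany("INSERT INTO RAD_USERS_TABLE VALUES (?, ?, ?)",
                     [("alice", "s3cret", "pool-a"), ("alice", "old-pw", "pool-z")])
    return conn


def _find_attr(request, name, queue):
    for attr, value in request.get(queue, []):
        if attr == name:
            return value
    return None


def run_sql_action(action, request, conn):
    """Input mappings in order, then the statement, then output mappings in
    order; the first non-ACK event stops processing and is returned to the FSM."""
    binds = {}
    for (_, name, queue, mand), (_, placeholder) in action["input"]:
        value = _find_attr(request, name, queue)
        if value is None:
            if mand:                      # MAND attribute absent -> NAK event
                return NAK
            continue
        binds[placeholder] = value
    try:
        rows = conn.execute(action["sql"], binds).fetchall()
        # Simulation assumption: DBResultCode 0 = statement succeeded,
        # DBMatchRow 0 = at least one row matched, non-zero otherwise.
        result = {"DBResultCode": 0, "DBMatchRow": 0 if rows else 1}
    except sqlite3.Error:
        rows, result = [], {"DBResultCode": 1, "DBMatchRow": 1}
    first = rows[0] if rows else None     # only the first row is mapped
    for source, target in action["output"]:
        if source[0] == "DBC":
            if first is None:             # no row: nothing for DBC to map
                continue
            value = first[source[1]]
        else:                             # DBR: a statement result value
            value = result[source[1]]
        if target[0] == "RAD":            # creates a new attribute in that queue
            request.setdefault(target[2], []).append((target[1], value))
        else:
            event = TARGET_FUNCS[target[1]](value)
            if event != ACK:
                return event
    return ACK
```

Note that, as in Example 22-3, the retrieved password lands in the CHECK queue for the CHK_DENY AATV to compare, so the database column and the channel to the client deserve the protection discussed under Database Security.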


Conversion Functions

A conversion function is executed between the source and target mapping and can be used to convert or modify data.

You can identify a conversion function in the conversion_function variable for each mapping entry. conversion_function is the name of the function to execute. It can either be a pre-defined function included in the AAA Server, or a user-defined function. See “Advanced SQL Mapping Configuration” (page 369) for more information on user-defined conversion functions.

Table 22-9 lists the pre-defined conversion functions:

Table 22-9 Pre-defined Conversion Functions

AAAIPtoString
    Converts the binary IP address to an ASCII string.

AAAIPv6toString
    Converts the binary IPv6 address to an ASCII string as specified in RFC 2373.

AAAStringtoIP
    Converts the ASCII string to a binary IP address.

AAAStringtoIPv6
    Converts the ASCII string to a binary IPv6 address as specified in RFC 2373.

AAAIPv6PrefixtoString
    Converts a RADIUS IPv6 Prefix attribute type to an ASCII string containing the prefix/length format as specified by RFC 2373.

AAAStringtoIPv6Prefix
    Converts an ASCII string containing the prefix/length format as specified by RFC 2373 to the RADIUS IPv6 Prefix attribute type.

AAAIPv6InterfaceIDtoString
    Converts the RADIUS IPv6 interface identifier attribute type to an ASCII string as specified by RFC 2373.

AAATagInttoOctets
    Converts the ASCII value of the Tagged Integer attribute represented as :<tag value>:<integer value> into octets.

AAATagStrtoOctets
    Converts the ASCII value of the Tagged String attribute represented as :<tag value>:<string> into octets.

AAAHexToBinaryString
    Converts a hexadecimal string to a binary string format. The hex string can be of the form 0x<hex string> or just <hex string>.

A failure of a conversion function results in the termination of the SQL action.

The following example for OCI uses the pre-defined conversion function AAAIPtoString in an input mapping entry to convert a binary IP address to an ASCII string:

    input RAD(Login-IP-Host) DBP(iphost, 46, CHAR) AAAIPtoString

SQL Statement

The SQLStatement section defines the SQL statement, using standard SQL statement syntax, to execute on the input data. Following is the syntax of the SQLStatement data structure:

    SQLStatement instance {
        sql_statement
    }

Where:

instance        Database instance identified by the DBID structure.
sql_statement   User defined SQL statement. Passed unmodified to the database client library.

Example 22-4 shows a complete SQL action definition where a row is deleted from the session table for a stop session action:


Example 22-4 SQL Statement to Delete a Row

For OCI:

    SQLAction StopSession {
        {
            input RAD(Class) DBP(sessid, 254, CHAR)
            output DBR(DBretCode) FUNC(ACKonZero)
            SQLStatement db_oci {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=:sessid
            }
        }
    }

For ODBC:

    SQLAction StopSession {
        {
            input RAD(Class) DBP(1, 254, CHAR)
            output DBR(DBretCode) FUNC(ACKonZero)
            SQLStatement db_odbc {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid
            }
        }
    }

The following example is the equivalent replacement of the above examples for the new result mapping syntax using RET:

For OCI:

    SQLAction StopSession {
        {
            input RAD(Class) DBP(sessid, 254, CHAR)
            output DBR(-1:*) RET(ERROR) DBR(0:0) RET(ACK) DBR(*:*) RET(NAK)
            SQLStatement db_oci {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=:sessid
            }
        }
    }

For ODBC:

    SQLAction StopSession {
        {
            input RAD(Class) DBP(1, 254, CHAR)
            output DBR(-1:*) RET(ERROR) DBR(0:0) RET(ACK) DBR(*:*) RET(NAK)
            SQLStatement db_odbc {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid
            }
        }
    }

SQL Result Mapping

The SQL Access AATV does not check the result of the SQL statement execution. However, if you want to have control over the actions based on the SQL statement result, use the DBR (result) mapping and a pre-defined or custom mapping function to set an event based on the SQL statement return values, or use the newly added DBR (return code:error code) mapping along with RET (return event), which offers more customization without writing a mapping function. You can use SQL result mapping anywhere in your input or output maps; it operates on the return code from the last SQL statement executed prior to the SQL result mapping entry.

The sample implementation tests for successful SQL statement execution for all SQL actions using the mapping function AckonZero, except in the RetrieveUser action, which uses the RetrieveonZero mapping function to set the event code. See "Mapping Functions" (page 359) for more information on pre-defined mapping functions to set event codes. For more information on event code handling for the user retrieval action, see "Result Handling for Retrieval Requests" (page 366) in this section.

If your mapping function returns an event other than ACK, control is returned to the FSM immediately with the event code set in the mapping function.

The syntax for SQL result mapping can be one of the following:

• DBR (result) FUNC (mappingfunction)

  Where result can take one of the following values:

  DBMatchRow   Returns the number of matched rows. This is useful if your database returns a SQL result code of 0 (success) even if the number of retrieved rows is zero. With a custom defined mapping function you can then overwrite the event code handling and return event codes other than ACK to the FSM.

  DBRetCode    Returns the SQL result from the SQL statement as defined by the database client library. HP provides the following pre-defined mapping functions useful with a DBR mapping:
               — ACKonAll
               — ACKonZero
               — NAKonZero
               — RETRIEVEonZero
               See "Mapping Functions" (page 341) for more information on the event handling functions.

• DBR (return code:error code) RET (return event)

  Where values are described as follows:

  return code   Integer return value from ODBC or OCI APIs. For example, 0 or 100. The following table describes the different return values for OCI and ODBC:

  Table 22-10 Return Values and Description for OCI and ODBC APIs

  Return Value   OCI                     ODBC
  0              OCI_SUCCESS             SQL_SUCCESS
  1              OCI_SUCCESS_WITH_INFO   SQL_SUCCESS_WITH_INFO
  99             OCI_NEED_DATA           SQL_NEED_DATA
  100            OCI_NO_DATA             SQL_NO_DATA
  -1             OCI_ERROR               SQL_ERROR
  -2             OCI_INVALID_HANDLE      SQL_INVALID_HANDLE
  -3123          OCI_STILL_EXECUTING
  2                                      SQL_STILL_EXECUTING

  error code    Native error codes from the database. For example, ORA-00000 for success. You can configure this error code as 0. Other examples are 1, 17, and 18.

  Following is an example to configure the SQL result mapping whose return code is 0, error code is 0, and return event is ACK:

      DBR (0:0) RET (ACK)

  Following is an example to configure the SQL result mapping whose return code is 0, error codes are 0, 1, and 2, and return event is ERROR:

      DBR (0:0,1,2) RET (ERROR)


NOTE: You can use a wildcard to represent the return code and the error code. For more information on event names, see "Event Names" (page 399).

NOTE: DBR (ret code:error code) RET (ret event) is a new syntax. It offers more options to customize your SQL result mapping.

Result Handling for Retrieval Requests

The default FSM expects an ACK event to indicate success, with the exception of retrieving user entries, where RETRIEVE_SUCCESS is expected. Use SQL result mapping with the RetrieveonZero mapping function in your user retrieval actions as the last mapping entry in the output map to set the event to RETRIEVE_SUCCESS.


Example 22-5 SQL Statement with Result Mapping - OCI

    SQLAction RetrieveUser {
        {
            input RAD(User-Id,REPLY) DBP(userid, 254, CHAR)
            output DBC(user_password, 128, CHAR) RAD(Password,CHECK)
                   DBC(address_pool, 128, CHAR) RAD(Address-Pool,REPLY)
                   DBR(DBretCode) FUNC(RETRIEVEonZero)
            SQLStatement db_oci {
                SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=:userid
            }
        }
    }


Example 22-6 SQL Statement with Result Mapping - OCI Using the New Syntax

    SQLAction RetrieveUser {
        {
            input RAD(User-Id, REPLY) DBP(userid, 253, CHAR)
            output DBR(100:*) RET(RETRIEVE_ERROR)
                   DBR(-1:*) RET(ERROR)
                   DBC(user_password, 128, CHAR) RAD(Password, CHECK)
                   DBC(address_pool, 128, CHAR) RAD(Address-Pool, REPLY)
                   FUNC(get_sid) RAD(Class, REPLY)
                   DBR(0:0) RET(RETRIEVE_SUCCESS)
                   DBR(*:*) RET(RETRIEVE_ERROR)
            SQLStatement db_oci {
                SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=:userid
            }
        }
    }

The above example shows the result mapping using the new syntax. This feature gives more flexibility in controlling the return events based on the return codes from Oracle and OCI and the native error codes from the database. You do not have to write a mapping function to return an event.

In the above example, on successful execution of the configured SELECT query, the output mappings are executed. The first output mapping has been configured as:

    DBR(100:*) RET(RETRIEVE_ERROR)

The return code and error code from OCI/ODBC are compared with the configured ones, 100:*. For a successful SQL query, OCI/ODBC returns 0 and the error code from the database is 0, so the first DBR entry does not match, and neither does the second one. All the following mappings are executed until the following entry, which matches, and RETRIEVE_SUCCESS is returned:

    DBR(0:0) RET(RETRIEVE_SUCCESS)


NOTE: In the above example, a few entries have the wildcard "*" code configured, which matches any error code. This can be replaced with the explicit values that the database returns. If RET is configured to ACK and the DBR entry matches, all the remaining mapping entries of the current mapping are skipped and the next SQL mapping, if configured, is executed, whereas for any other return event control returns from the SQL action.
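The walk just described (entries evaluated in the order written, the first matching DBR/RET entry decides, ACK hands over to the next SQL mapping while any other event returns to the FSM, and data mappings between DBR entries run only when no earlier entry fired) as an added, runnable model; this is illustrative Python written for this page, not code from the HP-UX AAA Server, and what happens when no DBR entry matches at all is this model's assumption.

```python
"""Model of SQL result mapping: DBR(return code:error code) RET(event) and DBR(result) FUNC(name).

Added illustration, not product code. It parses an output map exactly as written in
sqlaccess.config and walks it the way the guide describes.
"""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# One mapping token, e.g. DBR(0:0) or RAD(Password, CHECK); arguments never nest parentheses.
TOKEN_RE = re.compile(r"(\w+)\s*\(([^()]*)\)")

Token = Tuple[str, str]        # (name, arguments), e.g. ("DBR", "0:0")
Entry = Tuple[Token, Token]    # (source, target) pair

# Pre-defined mapping functions usable as a DBR target whose behaviour the guide's table
# fully specifies; the input is the DBretCode or DBMatchRow value.
PREDEFINED_FUNCS: Dict[str, Callable[[int], str]] = {
    "ACKonAll": lambda value: "ACK",
    "ACKonZero": lambda value: "ACK" if value == 0 else "NAK",
    "RETRIEVEonZero": lambda value: "RETRIEVE_SUCCESS" if value == 0 else "NAK",
}

# Output maps copied from Example 22-4 (new syntax) and Example 22-6 of the guide.
STOP_SESSION_OUTPUT = "DBR(-1:*) RET(ERROR) DBR(0:0) RET(ACK) DBR(*:*) RET(NAK)"
RETRIEVE_USER_OUTPUT = (
    "DBR(100:*) RET(RETRIEVE_ERROR) DBR(-1:*) RET(ERROR) "
    "DBC(user_password, 128, CHAR) RAD(Password, CHECK) "
    "DBC(address_pool, 128, CHAR) RAD(Address-Pool, REPLY) "
    "FUNC(get_sid) RAD(Class, REPLY) "
    "DBR(0:0) RET(RETRIEVE_SUCCESS) DBR(*:*) RET(RETRIEVE_ERROR)"
)


def parse_output_map(text: str) -> List[Entry]:
    """Split an output map into (source, target) entries in the order written."""
    tokens: List[Token] = [(name, args.strip()) for name, args in TOKEN_RE.findall(text)]
    if len(tokens) % 2:
        raise ValueError("output map has an unpaired source or target token")
    return list(zip(tokens[0::2], tokens[1::2]))


def parse_codes(spec: str) -> Optional[Set[int]]:
    """'*' is a wildcard (None); '0,1,2' becomes {0, 1, 2}."""
    spec = spec.strip()
    if spec == "*":
        return None
    return {int(code) for code in spec.split(",")}


def dbr_matches(spec: str, return_code: int, error_code: int) -> bool:
    """DBR(return code:error code) matches when both halves match; '*' matches anything."""
    ret_spec, err_spec = spec.split(":", 1)
    ret_set, err_set = parse_codes(ret_spec), parse_codes(err_spec)
    return (ret_set is None or return_code in ret_set) and (
        err_set is None or error_code in err_set
    )


def run_output_map(entries: List[Entry], return_code: int, error_code: int,
                   matched_rows: int = 0) -> Tuple[Optional[str], List[str], bool]:
    """Walk one output map against the result of the last SQL statement.

    Returns (event, data mappings that were executed, whether the next SQL mapping runs).
    """
    executed: List[str] = []
    event: Optional[str] = None
    for (src_name, src_args), (dst_name, dst_args) in entries:
        if src_name == "DBR" and dst_name == "RET":
            # New syntax: the first matching entry decides. ACK skips the rest of this
            # mapping and lets the next SQL mapping run; any other event returns to the FSM.
            if dbr_matches(src_args, return_code, error_code):
                return dst_args, executed, dst_args == "ACK"
            continue
        if src_name == "DBR" and dst_name == "FUNC":
            # Old syntax: a mapping function sets the event. Anything but ACK returns to
            # the FSM immediately; ACK lets the remaining entries of this mapping execute.
            if dst_args not in PREDEFINED_FUNCS:
                raise ValueError(f"unknown mapping function {dst_args}")
            value = return_code if src_args.lower() == "dbretcode" else matched_rows
            event = PREDEFINED_FUNCS[dst_args](value)
            if event != "ACK":
                return event, executed, False
            continue
        # Data mapping (DBC -> RAD, FUNC -> RAD, ...): reached only if no earlier entry returned.
        executed.append(f"{src_name}({src_args}) -> {dst_name}({dst_args})")
    # No RET entry matched (or only ACK was set). The guide does not state the no-match
    # case; this model assumes the mapping completes and the next SQL mapping runs.
    return event, executed, True
```

Note that the catch-all DBR(*:*) RET(NAK) in the StopSession map is what makes an unexpected return code fail closed; without it an unmatched result would fall through.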

Global Definitions

Global definitions are placed anywhere in the sqlaccess.config file, but outside the DBID and SQLAction data structures. They allow you to set up the path to custom mapping and conversion functions. The syntax is as follows:

    [SQLMapConvLibs ["path_to_lib:path_to_lib:...:path_to_lib"]]

Where:

path_to_lib   Defines the list of libraries containing mapping and conversion functions, with full path names.

Advanced SQL Mapping Configuration

This section covers the following advanced SQL Access topics:
• "Developing Custom Functions" (page 369): to extend the functionality of the AAA Server utilizing the flexible design of the SQL Access feature;
• "Null SQL Statements" (page 370): for SQL actions without mappings, or without SQL statements;
• "Time Synchronization" (page 371): to synchronize across multiple AAA Servers;
• "Finite State Table Configuration in the FSM" (page 372): to enable SQL action execution for complex database interactions or function execution;
• "Stored Procedures" (page 373): to use stored procedures in the database.

Developing Custom Functions

You can define your own mapping and conversion functions, which must reside in libraries that are located at the paths configured in the SQLMapConvLibs setting of the global definition in the sqlaccess.config file. Ensure that the names of the custom functions do not conflict with the names of any other pre-defined or customized functions. HP suggests that you use a unique prefix for your custom functions.

Mapping functions use the following prototype:

    int32 mappingfunction (void *radrequest, void *data, uint *len)

Where:

radrequest      Pointer to the RADIUS request currently processed.
data            For source mapping: address where to store the result.
                For target mapping: address from where to copy data.
len             For source mapping: address of the maximum permissible length for the data buffer. The function returns the actual length of data copied to the target buffer.
                For target mapping: address of the actual length of data in the data buffer.
Return Values   Custom or pre-defined event code. See "Event Names" (page 399) for more information on pre-defined event codes.

Conversion functions use the following prototype:

    int32 ConversionFunction (void *source, uint *sourceLen, void *Target, uint *TargetLen)

Where:

source          Address of the data to convert.
sourceLen       Address of the length of the source data.
Target          Address to store the converted data.
TargetLen       Passes the address of the maximum length allowed for the target buffer into the function. Returns the actual data length copied to the target buffer.
Return Values   Custom or pre-defined event code. See "Event Names" (page 399) for more information on pre-defined event codes.

Null SQL Statements

SQL action mappings can be defined without an SQL statement. This flexibility is provided so that you can execute pre-defined or custom-defined functions on the source or target data where database access is not required. This is useful for situations such as complex parsing of an attribute, for example extracting sub-realms from a Network Access Identifier (NAI).

Null Source and Target Mapping

You can also specify SQL action mappings without the source or target mapping. In this case, no data is input to the SQL statement and/or the SQL statement execution does not return any data. An example of an SQL action containing only SQL statements is an expired session cleanup operation, as shown in Example 22-7:


Example 22-7 SQL Action with Null Source and Target Mappings

    SQLAction CleanupExpiredSessions {
        TimedEvent 120    ## Invoke the action every 120 seconds.
        {
            output DBR(-1:*) RET(ERROR) DBR(0:0) RET(ACK) DBR(*:*) RET(NAK)
            SQLStatement db_oci {
                DELETE FROM RAD_SESS_TABLE
                WHERE (current_timestamp - sess_start_time) > '+000000001 00:00:00'
            }
        }
    }

The SQL action CleanupExpiredSessions executes an SQL statement every 120 seconds that deletes all the rows from the session table RAD_SESS_TABLE containing information for expired sessions. In this example, a session is considered expired if its starting time, sess_start_time, indicates that it is older than 24 hours.

Time Synchronization

If multiple AAA Servers access a common database using SQL Access, time synchronization is critical. Features such as accounting and session management rely on time stamps stored in the database tables. This can best be provided by using the database timestamps in the SQL actions in place of the local AAA Server timestamps.


Example 22-8 Timestamp Synchronization

For OCI:

    SQLAction UpdateAcct {
        {
            input RAD(Class) DBP(sessid, 254, CHAR)
            output DBR(-1:*) RET(ERROR) DBR(0:0) RET(ACK) DBR(*:*) RET(NAK)
            SQLStatement db_oci {
                UPDATE RAD_ACCT_TABLE SET update_time=current_timestamp WHERE session_id=:sessid
            }
        }
    }

Finite State Table Configuration in the FSM

SQL Access for user profile retrieval requires no modification to the FSM. Use the Local Realm screen in the Server Manager to configure the SQL action for the desired realm. However, the FSM must be modified to perform more complex database interactions such as accounting or session management with SQL Access.

At server startup, the FSM reads instructions from a state table by loading and parsing the radius.fsm file. The radius.fsm file consists of definitions for states, events, and actions that determine how a request is processed. See Chapter 26: "Customizing the HP-UX AAA Server Using the Finite State Machine" (page 396) for more details on state tables in the FSM.

To specify the SQL action to be executed during a particular state, modify the radius.fsm file as follows:
1. Set 'Action' to 'SQLAccess' for the state event to trigger the execution of an SQL action.
2. Specify the SQL action in the xstring argument.

The following is an example of a modified FSM that executes account log requests via SQL Access:


Example 22-9 FSM with Accounting Log via SQL Access

    #######################################
    # Start Accounting via SQL Access     #
    #######################################
    AcctLog:
    *.*.ACCT_START   SQLAccess ReplyHold xstring="ActionID=InsertAcct"
    *.*.ACCT_STOP    SQLAccess ReplyHold xstring="ActionID=StopAcct"
    *.*.ACCT_ALIVE   SQLAccess ReplyHold xstring="ActionID=UpdateAcct"
    *.*.ACCT_MSTART  SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
    *.*.ACCT_MSTOP   SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
    *.*.ACCT_CANCEL  SQLAccess ReplyHold xstring="ActionID=StopAcct"
    *.*.ACCT_ON      SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
    *.*.ACCT_OFF     SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
    #######################################
    # End Accounting via SQL Access       #
    #######################################

Stored Procedures

Most databases support stored procedures. Stored procedures are a set of SQL statements that are stored on the database server and executed when necessary, instead of issuing individual SQL statements. Stored procedures are particularly useful for, but not restricted to, the following:
• Executing multi-statement transactions: Stored procedures simplify the SQL access configuration when multiple SQL statements forming a transaction need to be executed. For example, the sample configuration includes a stored procedure that deletes a session row from the session table, while returning the database column containing the IP address.
• Utilizing database schemas that contain child tables: Since SQL Access does not support output of multiple database rows, stored procedures can be used to provide a "normalized" view of the database parent and child tables to the AAA Server.
• Enhancing database security: Stored procedures can be written so that each execution is logged in the database server. Furthermore, common operations on the database table can be performed using stored procedures. This prevents applications and users from directly accessing the database tables.

Stored procedures are executed in an SQL action as specified in the SQL statement using standard SQL syntax.

NOTE: Use the IN and OUT parameters for stored procedures. INOUT for stored procedures is not supported. Use DBP for mapping to stored procedure input (target) and output (source) parameters.

The following example shows the definition of a stored procedure for OCI to remove session entries, and its usage in the SQL action definition:


Example 22-10 Remove Session Stored Procedure Definition

    create or replace procedure remove_session(sessid IN varchar2, ipaddr OUT NUMBER)
    IS
    BEGIN
        select ASSIGNED_FRAMED_IP into ipaddr from RAD_SESS_TABLE where session_id=sessid;
        delete from RAD_SESS_TABLE where session_id=sessid;
    END;
    Run

Stored Procedure Call to remove_session in SQL Action:

    SQLAction StopSession-DHCP {
        {
            input RAD(Class) DBP(sessid, 254, CHAR)
            output DBR(-1:*) RET(ERROR)
                   DBP(ipaddr, 11, INT) FUNC(AAAFreeIP)
                   DBR(0:0) RET(ACK) DBR(*:*) RET(NAK)
            SQLStatement db_oci {
                BEGIN remove_session( :sessid, :ipaddr ); END;
            }
        }
    }

Administering Users and Tokens Stored in an SQL Database

The User Database Administration Manager is a web-based interface that enables administrators to manage users that are stored in an SQL database. Using the interface, administrators can add users, modify the credentials of existing users, and view user and token information. Administrators can also use this tool to manage users with tokens, required for OATH standards-based One Time Password (OTP) authentication.

The User Database Administration Manager has been created using PHP scripts that enable administrators to easily customize this interface for specific deployment scenarios. The PHP scripts are available in the /opt/aaa/examples/sqlaccess/userdb directory.

You must set up the User Database Administration Manager and configure it with the HP-UX Apache Web Server before following the procedures described in this section. For configuration and set up procedures, see the /opt/aaa/examples/sqlaccess/userdb/README file.


This section discusses the following topics:
• "Managing Users" (page 375)
• "Managing Users Using OTP to Authenticate" (page 378)

Managing Users

This section discusses the following topics:
• "Adding Users to an SQL Database" (page 375)
• "Modifying User Credentials" (page 377)
• "Viewing User and Token Statistics" (page 383)

Adding Users to an SQL Database

To add a user into the SQL database, complete the following steps:
1. Enter the following URL to launch the User Database Administration Manager in your browser:
   https://<hostname>/userdb/admin/
2. Enter your login and password when prompted. The User Database Administration Manager launches, as shown in Figure 22-3.

Figure 22-3 The User Database Administration Manager

3. Click Add User. The Add User screen is displayed, as shown in Figure 22-4 (page 376).


Figure 22-4 The Add User Screen

4. Enter the relevant information according to the guidelines stated in Table 22-11.

Table 22-11 Fields in the Add Users Form

User Name
    Assign a user ID for the user. A user ID can comprise alpha-numeric characters, '-', '_', '!' and '@'. A user ID cannot exceed 128 characters.

First Name, Last Name
    Enter the first name and last name of the user. The names can comprise alpha-numeric characters, '_', '-', '.', and the space character.

User Password and Confirm Password
    Enter the password in the Password field. Enter the same password in the Confirm Password field to confirm it.

Enter Token Serial Number or Allocate a Free Token
    Enter the token number listed on the token device to assign a specific token to a user. To randomly allocate a free token serial number, check the Allocate a Free Token checkbox.
    NOTE: This is an optional field. If you are not using OTP authentication, leave this field blank.

Contact Info
    Enter the contact information in the corresponding fields.
    Address: Enter the mailing address of the user using any alpha-numeric characters.
    City, State, Country: Enter the city, state, and country of the user using any alpha-numeric character.
    Work / mobile phone: Enter the work and mobile phone of the user in nnn-nnn-nnnn format.
    Email-Id: Enter the e-mail address of the user.
    NOTE: The Email-Id field is the only mandatory field in this section.

Framed-Protocol
    An integer value for the framing to be used for framed access. The valid values for Framed-Protocol can be checked in the dictionary file.

Framed-IP-Address and Framed-IP-Netmask
    IP address or netmask configured for the user in the n.n.n.n format.

Framed-IP-Routing
    An integer value for the routing method for the user. The valid values can be referred to in the dictionary file.

Address-Pool
    An attribute that is sent by the HP-UX AAA Server to the NAS and contains the name of an assigned pool that must be used to assign an IPv4 address for the users.

5. Click Add User. The new user is added in the SQL database.

Modifying User Credentials

To modify a user's credentials, complete the following steps:
1. Enter the following URL to launch the User Database Administration Manager in your browser:
   https://<hostname>/userdb/admin/
2. Enter your login and password when prompted. The User Database Administration Manager launches, as shown in Figure 22-3.
3. Search the database by entering data for any one of the following fields:
   • User Id
   • Email Id
   • L. Name or F. Name
   • Work Phone
   • Token Serial Number
   A list of matching users is displayed.
4. Click Modify User or the matching user listed. The Manage User screen is displayed.
5. Modify the relevant information. For information on modifying token information such as token status, see "Valid Token Status Values" (page 383). For information on validating tokens, see "Synchronizing Tokens (Procedure for Users)" (page 382).
6. Click Modify User Info.

Managing Users Using OTP to Authenticate

This section provides a brief overview illustrating how administrators can manage users who use OTP to authenticate. The following screens are provided to ease administration:
• The Administrator's screen, which enables administrators to add, view, and modify user and token information.
• The User's screen, which enables users to do basic self-management tasks such as enrolling and synchronizing their tokens.

Following is the process that administrators need to follow to manage user and token information:
1. "Importing Tokens into the Database" (page 378)
2. "Assigning Tokens to Users" (page 379)
3. "Enrolling Tokens (Procedure for Users)" (page 380)
4. "Synchronizing Tokens (Procedure for Users)" (page 382)
5. "Terminating Tokens" (page 383)

Importing Tokens into the Database

Tokens are devices or software that generate OTPs. Usually, token vendors provide the tokens in bulk along with a file that contains the secret associated with each token. This token information must be imported into the database token table. The HP-UX AAA Server includes a sample /opt/aaa/examples/sqlaccess/userdb/aaatoken2sql.pl file that can be used to convert a CSV file containing token information into SQL insert statements. The generated file can be executed on the database to populate the token table. After the tokens are imported into the database, they are in the AVAILABLE state, indicating that they are free and can be assigned to any user.

Assigning Tokens to Users

Once tokens are imported into the database, they must be assigned to users. The procedure to assign tokens varies slightly depending on whether you want to assign a specific token serial number or allocate any free token. This section documents both procedures.

Assigning a Specific Token to a User

To assign a specific token to a user, complete the following procedure:
1. In the Add or Manage Users screen, enter the serial number listed on the token in the Enter Token Serial Number field.
2. Click Validate. The Token Validate screen appears in a new browser window as shown in Figure 22-5.

Figure 22-5 The Token Validate Screen

3. Enter two consecutive OTPs generated by the device.
4. If OTP validation is successful, assign the token to the user by clicking Add User or Modify User Info at the bottom of the screen. The token is assigned to the user and its status changes from AVAILABLE to ASSIGNED. Additionally, the User Database Administration Manager generates and e-mails an activation code to the user.
5. If you are using a token device, mail it to the user.

Allocating Any Available Tokens to a User

To allocate any available token to a user, complete the following steps:
1. In the Add or Modify Users screen, select the Allocate a free token checkbox. The User Database Administration Manager assigns the first unassigned token in the database to the user. The token status changes from AVAILABLE to ASSIGNED. Additionally, the User Database Administration Manager generates and e-mails an activation code to the user.
2. If you are using a token device, mail it to the user.

TIP: You can modify the PHP scripts available in /opt/aaa/examples/sqlaccess/userdb to send the activation code by SMS to the user's mobile phone.

Enrolling Tokens (Procedure for Users)

On receiving the token and the activation code, the user can use the Enroll Token screen to enroll or activate their token. This is a one-time activity. To enroll your token, complete the following steps:
1. In your browser window, enter the URL of the User Database Administration Manager as follows:
   https://<hostname>/userdb/user/

   NOTE: The connection between the browser and web server is secured using HTTPS.

2. Type in the log-in name and the answer to the security question that you provided while activating the token.
3. From the main screen of the User Database Administration Manager, click Enroll Token. The Enroll Token screen appears as shown in Figure 22-6.


Figure 22-6 The Enroll Token Screen

4. Complete the form in the Enroll Token screen according to the information in Table 22-12.

Table 22-12 Fields in the Enroll Token Device Form

User Name
    Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alphanumeric characters, '-', '_', '!' and '@' can also be used.

Activation Code
    This code is provided to activate the token device or software associated with your identification. This is sent to you by the administrator either by post, e-mail, or SMS.

OTP1, OTP2
    Enter two consecutive OTPs generated by your token.

Question, Answer
    Choose a security question and answer to secure your account. This will allow the administrator to verify your identity for updating or replacing the token device or software.

5. To enroll the token, click Enroll. Once this procedure is completed, the status of the token changes from ASSIGNED to ACTIVE. The user can now use the token for authentication.
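Why the Token Validate and Enroll Token forms ask for two consecutive OTPs, and how the counter drift handled by the Synchronize Token screen ("Synchronizing Tokens (Procedure for Users)") arises, as an added example that is not the product's PHP or SQL code: a self-contained RFC 4226 HOTP model in which the token secret is the RFC's published test value, and the login look-ahead window, lockout threshold and resynchronization search window are assumed values, not settings taken from this guide.

```python
"""HOTP counter drift and two-OTP resynchronization (added illustration, not product code)."""
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 4226 test-vector secret), not a real token secret.
TOKEN_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenDevice:
    """The user's token: its counter advances every time an OTP is generated."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class TokenRecord:
    """Server-side token row: shared secret, expected counter and status (ACTIVE or LOCKED)."""

    def __init__(self, secret: bytes, look_ahead: int = 3, max_failures: int = 5) -> None:
        self.secret = secret
        self.counter = 0                # advances only when a request authenticates
        self.status = "ACTIVE"
        self.failures = 0
        self.look_ahead = look_ahead    # assumed small window tolerated at login
        self.max_failures = max_failures  # assumed lockout threshold

    def _matches(self, counter: int, otp: str) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter), otp)

    def authenticate(self, otp: str) -> bool:
        """Accept an OTP within the look-ahead window; an accepted OTP cannot be replayed
        because the counter moves past it. Repeated failures lock the token."""
        if self.status != "ACTIVE":
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if self._matches(c, otp):
                self.counter = c + 1
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.status = "LOCKED"
        return False

    def synchronize(self, otp1: str, otp2: str, search_window: int = 100) -> bool:
        """Synchronize Token screen: two consecutive OTPs re-anchor the counter and unlock a
        LOCKED token. Accepting a single OTP anywhere in the window would give a guesser
        about search_window chances in 10**DIGITS per attempt; requiring the consecutive
        pair makes it about search_window in 10**(2*DIGITS)."""
        if self.status not in ("ACTIVE", "LOCKED"):
            return False
        for c in range(self.counter, self.counter + search_window):
            if self._matches(c, otp1) and self._matches(c + 1, otp2):
                self.counter = c + 2
                self.failures = 0
                self.status = "ACTIVE"
                return True
        return False


def drift_and_resync_demo() -> tuple:
    """A token pressed ten times without logging in drifts past the login window; two
    consecutive OTPs resynchronize it. Returns the outcome of each step."""
    server = TokenRecord(TOKEN_SECRET)
    device = TokenDevice(TOKEN_SECRET)
    first_login = server.authenticate(device.press())      # counter 0: accepted
    for _ in range(10):                                    # OTPs generated but never sent
        device.press()
    drifted_login = server.authenticate(device.press())    # counter 11, server expects 1..4
    resynced = server.synchronize(device.press(), device.press())  # counters 12 and 13
    next_login = server.authenticate(device.press())       # counter 14: accepted again
    return first_login, drifted_login, resynced, next_login, server.counter
```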


Synchronizing Tokens (Procedure for Users)

The HOTP algorithm is sequence-based; therefore the token and the user profile database share a counter value. The counter value of the token increments each time a request is sent to the server. The counter value in the user profile database increments each time a client request is successfully authenticated. As a result, the counter value of the token does not always correspond with that in the database. In such scenarios, users can use the Synchronize Token screen to synchronize their tokens.

Users can also use this procedure to unlock locked tokens.

To synchronize your tokens, complete the following steps:

1. In your browser window, enter the URL of the User Database Administration Manager as follows:

   https://<hostname>/userdb/user/

   NOTE: The connection between the browser and web server is secured using HTTPS.

2. Type in the log-in name and the answer to the security question that you provided while activating the token.

3. From the main screen of the User Database Administration Manager, click Synchronize Token. The Synchronize Token screen appears as shown in Figure 22-7.

Figure 22-7 The Synchronize Token Screen

4. Complete the form in the Synchronize Token screen according to the information in Table 22-13.


Table 22-13 Fields in the Synchronize Token Form

Field Name    Description
------------  --------------------------------------------------------------
User Name     Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alphanumeric characters, '-', '_', '!' and '@' can also be used.
OTP 1, OTP 2  Enter two consecutive OTPs generated by your token.

5. To synchronize or unlock the token, click Synchronize. The User Database Administration Service calculates the OTP using the counter in the user profile database and increments the counter value until the OTP generated matches the two consecutive OTPs entered by the user.
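The counter drift and the two-OTP resynchronization described above can be followed in code. The following Python model is an added example written for this guide, not HP's implementation: it computes RFC 4226 HOTP values, verifies a code against the stored counter exactly as the text describes (the database counter advances only on a successful authentication), locks the token after a number of failures, and resynchronizes or unlocks it from two consecutive OTPs. The secret is the RFC 4226 test vector, TokenRecord is an assumed shape for a user profile row, MAX_FAILURES stands in for the configured failed-attempt limit, and the look-ahead bound and the rule that the counter is stored just past the two matched OTPs are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 4226 Appendix D test secret (constructed sample, never a real token seed)
RFC4226_TEST_SECRET = b"12345678901234567890"

# Stands in for the server's "configured number of failed attempts" (assumed value)
MAX_FAILURES = 3


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class TokenRecord:
    """Model of one row of the user profile database (assumed layout)."""
    secret: bytes
    counter: int = 0          # next counter value the server expects
    status: str = "ACTIVE"    # ACTIVE or LOCKED as in Table 22-14
    failures: int = 0


def authenticate(rec: TokenRecord, otp: str) -> bool:
    """Strict verification against the stored counter, as the chapter describes:
    the database counter advances only on success, so a token whose OTPs were
    generated but never submitted drifts ahead and stops verifying."""
    if rec.status != "ACTIVE":
        return False
    if hmac.compare_digest(hotp(rec.secret, rec.counter), otp):
        rec.counter += 1
        rec.failures = 0
        return True
    rec.failures += 1
    if rec.failures >= MAX_FAILURES:
        rec.status = "LOCKED"     # no one can authenticate until it is unlocked
    return False


def synchronize(rec: TokenRecord, otp1: str, otp2: str, look_ahead: int = 100) -> bool:
    """Resynchronize (and unlock) a token from two consecutive OTPs: advance a
    trial counter from the database value until OTP1 and OTP2 match two adjacent
    positions, then store the counter just past them.  Two OTPs are required
    because a single 6-digit code would match some position in a long window far
    too often; the look-ahead bound keeps the search finite (the bound and the
    "store c + 2" rule are assumptions, not taken from the guide)."""
    if rec.status not in ("ACTIVE", "LOCKED"):
        return False            # ASSIGN, AVAILABLE or TERMINATE tokens cannot be synchronized
    for c in range(rec.counter, rec.counter + look_ahead):
        if hmac.compare_digest(hotp(rec.secret, c), otp1) and \
           hmac.compare_digest(hotp(rec.secret, c + 1), otp2):
            rec.counter = c + 2
            rec.failures = 0
            rec.status = "ACTIVE"
            return True
    return False
```

Because the search only moves forward from the stored counter, OTPs that were already consumed are never accepted again, and the bounded window plus the consecutive-pair requirement keep the Synchronize screen from acting as a guessing oracle for a locked token.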

Terminating Tokens

If a token is lost or cannot be reused, the administrator can change the status of the token to TERMINATE. A token cannot be reused once its status is TERMINATE. To change a user's token status to TERMINATE, use the Token Status drop-down menu in the Manage Users screen (if the user already exists).

Viewing User and Token Statistics

To view user and token statistics, click Statistics in the User Database Administration Manager. The User Statistics screen is displayed as shown in Figure 22-8.

Figure 22-8 The User Statistics Screen

Valid Token Status Values

Table 22-14 lists the valid values that can be assigned to a token.


Table 22-14 Valid Token Status Values

Token Status  Description
------------  --------------------------------------------------------------
ASSIGN        Indicates that the token has been assigned to a user, but has not yet been activated. Once the token is activated, the token status changes to ACTIVE.
ACTIVE        Indicates that the token is currently assigned to a user.
AVAILABLE     Indicates that the token is free and can be assigned to a user. When tokens are initially loaded into the database, their token status is AVAILABLE. Can also be used to disassociate a token from a user, for example, when the token user is leaving the organization.
LOCKED        Used when there is more than the configured number of failed authentication attempts. When a token status is set to LOCKED, no one can authenticate using that token. To unlock the token, change the token status to ACTIVE.
TERMINATE     Indicates that a token user has lost his token. When a token status is set to TERMINATE, no one can authenticate using that token.

Invoking the User Database Administration Manager Interface from Server Manager

To invoke the User Database Administration Manager from the Server Manager, complete the following steps:

1. Navigate to the Server Manager directory using the following command:

   # cd /opt/hpws22/tomcat/webapps/aaa

2. Add a new menu item in the menu listing file, menulist.jsp. At the end of the file, add an entry for menu-item-userdb.html as follows:

   # vi menulist.jsp
   ...
   <%@ include file="menu-item-maintenance-close.html" %>
   <%@ include file="menu-item-wizards.html" %>
   <%@ include file="menu-item-userdb.html" %>
   <%@ include file="menu-item-help.html" %>
   ...

3. Create the menu-item-userdb.html file with information about the User Database Administration Manager GUI, using the menu-item-wizards.html file as a reference, as follows:

   # sed 's#Secure LAN Advisor#UserDatabase Admin Manager#g' \
       menu-item-wizards.html > /tmp/menu-item-userdb.html

   If example.com is hosting the User Database Manager Interface:

   # sed 's#8021x/8021x_advisor.html#https://example.com/userdb/admin//#g' \
       /tmp/menu-item-userdb.html > menu-item-userdb.html

   A menu item file for Server Manager, menu-item-userdb.html, is created.

4. Reload the Server Manager screen to invoke the User Database Administration Manager from the Server Manager screen.


Multi-Row Support For SQL Access

Currently, SQL Access handles only one row returned by an SQL query. If an SQL query returns multiple rows of the database, only the first row is processed and the remaining ones are ignored. However, to support client functionality, SQL Access must handle multiple rows returned by an SQL query. For example, an SQL query checking the database for expired sessions can return multiple rows, and disconnect requests may have to be sent every second to all rows in the database. Currently, one query is required per row, resulting in poor performance. Therefore, SQL Access is enhanced to support multiple rows.

By default, the multi-row support is not enabled. To enable the multi-row feature for an SQL Action, add the following line:

   QueryType multi_row

Multi-row functionality can be used only in conjunction with another AATV, which is designed to handle the multiple rows returned by an SQL query. The CLIENT AATV, used to implement the client functionality at the HP-UX AAA Server, is an example of such an AATV. Specifically, this AATV should handle two internal attributes which are used for implementing multi-row functionality. The following table lists these internal attributes:

Table 22-15 Internal Attributes for Implementing Multi-Row Functionality

Attribute                    Type     Description
---------------------------  -------  ---------------------------------------------------------
SQL-Statement-Handle-Info    Integer  Contains information required to retrieve the SQL statement handle for a multi-row SQL action.
SQL-Statement-Handle-Status  Integer  Contains the status of the SQL statement handle. Allowed values are 0 (for EXPIRED) and 1 (for ACTIVE).

The SQL Access AATV, after executing a multi-row SQL query, saves the SQL statement handle and adds the internal attribute SQL-Statement-Handle-Info to the request. This internal attribute contains the information required to retrieve the SQL statement handle. The second AATV must pass this internal attribute SQL-Statement-Handle-Info unchanged to the SQL Access AATV while retrieving the next row. To stop processing the rows in a multi-row query and ignore the remaining rows, the AATV must use the internal attribute SQL-Statement-Handle-Status. If the AATV passes in this attribute with the value set to 0, the SQL Access AATV frees the SQL statement handle and ignores the remaining rows.

For more details on a specific implementation of the multi-row functionality using the CLIENT AATV, see Chapter 19 (page 291) and Chapter 20 (page 297).
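The handshake between the SQL Access AATV and its consumer is easier to see in a runnable model. The following Python is an added example, not HP's code: SqlAccessModel plays the SQL Access side (it keeps the statement handle, hands out only an opaque SQL-Statement-Handle-Info value, and frees the handle when the rows are exhausted or when SQL-Statement-Handle-Status = 0 is passed back), and disconnect_expired_sessions plays a CLIENT-style consumer walking the expired-sessions query from the text. The sqlite3 in-memory database, the sessions table and all function and class names are constructed for the example; only the attribute names, their values and the QueryType keyword come from the guide.

```python
import sqlite3
from typing import Any, Dict, Optional, Tuple

# Value of the QueryType keyword that enables the feature on an SQL action
QUERY_TYPE_MULTI_ROW = "multi_row"

# Internal attribute names and values from Table 22-15
HANDLE_INFO = "SQL-Statement-Handle-Info"
HANDLE_STATUS = "SQL-Statement-Handle-Status"
STATUS_EXPIRED, STATUS_ACTIVE = 0, 1

Row = Optional[Tuple[Any, ...]]
Attrs = Dict[str, int]


class SqlAccessModel:
    """Toy model of the SQL Access AATV's multi-row handshake (not HP's code):
    the statement handle stays on the server side and the caller only ever
    sees an opaque integer in SQL-Statement-Handle-Info."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self._handles: Dict[int, sqlite3.Cursor] = {}
        self._next_handle = 1

    def run_action(self, sql: str, params=(), query_type: str = "single_row") -> Tuple[Row, Attrs]:
        """Execute an SQL action and return its first row.  Without
        QueryType multi_row the remaining rows are discarded, which is the
        default behaviour the chapter describes."""
        cur = self.conn.execute(sql, params)
        row = cur.fetchone()
        if query_type != QUERY_TYPE_MULTI_ROW or row is None:
            cur.close()
            return row, {}
        handle = self._next_handle
        self._next_handle += 1
        self._handles[handle] = cur
        return row, {HANDLE_INFO: handle}

    def next_row(self, attrs: Attrs) -> Tuple[Row, Attrs]:
        """Called by the consuming AATV with SQL-Statement-Handle-Info passed
        back unchanged.  SQL-Statement-Handle-Status = 0 frees the handle and
        drops the remaining rows."""
        handle = attrs.get(HANDLE_INFO)
        cur = self._handles.get(handle)
        if cur is None:
            return None, {}                     # unknown or already freed handle
        if attrs.get(HANDLE_STATUS, STATUS_ACTIVE) == STATUS_EXPIRED:
            self._free(handle)
            return None, {}
        row = cur.fetchone()
        if row is None:
            self._free(handle)                  # exhausted: release it automatically
            return None, {}
        return row, {HANDLE_INFO: handle}

    def _free(self, handle: int) -> None:
        self._handles.pop(handle).close()

    def open_handles(self) -> int:
        """Leak check: every multi-row query must end with its handle freed."""
        return len(self._handles)


def disconnect_expired_sessions(sql: SqlAccessModel, now: int, limit: Optional[int] = None) -> list:
    """Model of a CLIENT-style AATV walking the rows of one multi-row query
    (the expired-sessions use case from the chapter); returns the session ids
    it would send disconnect requests for."""
    disconnected = []
    row, attrs = sql.run_action(
        "SELECT session_id, user_name FROM sessions WHERE expires_at <= ? ORDER BY session_id",
        (now,), query_type=QUERY_TYPE_MULTI_ROW)
    while row is not None:
        disconnected.append(row[0])             # a real AATV would send the disconnect here
        if limit is not None and len(disconnected) >= limit:
            sql.next_row({**attrs, HANDLE_STATUS: STATUS_EXPIRED})   # stop early, free the handle
            break
        row, attrs = sql.next_row(attrs)
    return disconnected


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample sessions table (not a real deployment schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (session_id TEXT, user_name TEXT, expires_at INTEGER)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", [
        ("s1", "alice", 100), ("s2", "bob", 200), ("s3", "carol", 300), ("s4", "dave", 400)])
    return conn
```

The open_handles check is the part worth carrying into a real consumer: a second AATV that stops iterating without passing status 0 leaves a statement handle open on the server, so every exit path from the row loop should either exhaust the rows or expire the handle.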


23 Simple Network Management Protocol (SNMP) Support

Simple Network Management Protocol (SNMP) Support provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services. An SNMP management framework includes the following:

• SNMP management workstation that requests information
• Master agent that handles and responds to the requests
• Application-specific subagent that translates the SNMP requests for and responses from the application

The HP-UX AAA Server includes an SNMP application subagent. At startup, the server automatically activates its SNMP subagent and the subagent registers the application with the master agent. The HP-UX AAA Server can exchange information with any SNMP master agent software that supports the AgentX protocol. See RFC 2741 for more information about the AgentX protocol.

Information exchanged through SNMP is represented by objects in the Management Information Base (MIB). The MIB is defined by the IETF for use with network protocols in the Internet community. The MIB includes extensions for RADIUS authentication and accounting servers which are supported by the HP-UX AAA Server. See Chapter 35: “MIB Objects” (page 566) for more information.

IMPORTANT: The SNMP application sub-agent supports only IPv4 clients. In a mixed environment (comprising IPv4 and IPv6 clients), the sub-agent can return information on the IPv4 clients only. Information on the IPv6 clients is not returned.

Setting Up SNMP to Monitor the HP-UX AAA Server

Use the following steps to set up an SNMP workstation to monitor the HP-UX AAA Server:

1. Install and start up an SNMP manager and master agent on the SNMP workstation. You will need to copy the SNMP configuration file, iaaaAgent.conf, to the /usr/local/share directory on the SNMP workstation. The SNMP master agent that you use must support and be configured for the AgentX protocol.

2. After you have installed the AAA Server, load the RADIUS MIB files (included with the server) into the SNMP manager according to your SNMP manager's instructions.

3. Enter http://IP-Address:Port/aaa as the URL (or https://IP-Address:Port/aaa for HTTPS) in an Internet browser to access the Server Manager graphic interface. IP-Address is the machine that hosts the manager's program. Port is the port used by the Server Manager program for communication. By default the value is 8081 (8443 for HTTPS). If you are prompted for a user name and password, you must enter the values specified during installation.

4. From the navigation tree, click Server Properties.

5. On the Server Properties screen that appears, select SNMP Properties.

6. On the SNMP Server Properties screen that appears, select the Yes radio button and click Modify.

7. From the navigation tree, click Save Configuration.

8. From the navigation tree, click Administration.

9. Click Start.

   If the server successfully starts, a green GO icon appears next to the name of the server in the Status Frame (in the lower left corner of the program's interface). The AAA subagent will check the appropriate sockets and TCP ports for an active master agent. When the subagent detects the running master agent, it will register with the master agent, and you can begin to send SNMP requests from the workstation to the server.

10. To configure the SNMP manager to monitor the RADIUS information, complete the required steps for your SNMP manager.

NOTE: You must specify the same context name that you used to start the RADIUS server while configuring your SNMP manager to monitor RADIUS information. The SNMP manager uses the context name to distinguish one HP-UX AAA Server from another on the same host. For more information on context name, see Table 4-2 (page 77).


24 VPN Tunneling

Tunneling involves access to a server that provides secure intranet or other network functionality through a dial-up or Internet connection from a client workstation. This process can be categorized as one of two types: voluntary or compulsory. Some applications, such as secure access to corporate intranets through the Internet, are characterized by voluntary tunneling, where users create the tunnel through client software at their workstation. These tunnels are created independently of the AAA server.

Compulsory VPN tunnels are established by returning tunneling attributes to the access device. The HP-UX AAA Server supports tagged attributes that can be used to specify tunneling alternatives, in the event that the access device cannot establish the preferred tunnel configuration.

NOTE: How you configure the server to handle hints in the Access-Request may also affect how or if the tunnel is established.

Establishing a Tunnel for a User

• If the user profile is stored in an AAA server users file, select the Free tab from the Modify User screen and then add the tunneling attributes that will define the tunnel.

• If the user profile is stored in an LDAP LDIF file, add the attributes to the profile, following the aaaReply: Tunneling-Attribute = Value syntax.

• If you want to specify alternative tunnels, you should use tagged attributes with the Tunneling-Attribute =:Tag-no:Value syntax. Each set of attributes that establishes one of the possible tunnels should be tagged with the same Tag-no. The order in which the access device should consider the tunnel alternatives is specified with the Tunnel-Preference attribute. In the following example, the access device will establish a tunnel according to those attributes tagged with 1, since that group has Tunnel-Preference set to “first”, and if the access device cannot establish the tunnel with those attributes, it will use the alternative tagged with 2 (Tunnel-Preference of “second”).


   Tunnel-Type =:1:PPTP,
   Tunnel-Medium-Type =:1:IPv4,
   Tunnel-Client-Endpoint =:1:192.168.127.1,
   Tunnel-Server-Endpoint =:1:192.155.111.1,
   Tunnel-Password =:1:Michigan,
   Tunnel-Private-Group-Id =:1:engineering,
   Tunnel-Assignment-Id =:1:management,
   Tunnel-Preference =:1:first,
   Tunnel-Client-Auth-Id =:1:NET,
   Tunnel-Server-Auth-Id =:1:Michigan,
   Tunnel-Type =:2:L2TP,
   Tunnel-Medium-Type =:2:IPv4,
   Tunnel-Client-Endpoint =:2:192.168.127.1,
   Tunnel-Server-Endpoint =:2:192.170.130.1,
   Tunnel-Password =:2:California,
   Tunnel-Private-Group-Id =:2:engineering,
   Tunnel-Assignment-Id =:2:management,
   Tunnel-Preference =:2:second,
   Tunnel-Client-Auth-Id =:2:NET,
   Tunnel-Server-Auth-Id =:2:California
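To check a profile like the one above before it is deployed, it helps to parse the Tunneling-Attribute =:Tag-no:Value syntax, group the attributes by tag and order the groups by Tunnel-Preference, which is what the access device will do. The following Python parser is an added example written for this guide, not HP's code; the sample input is the profile above, the ranking of the words "first"/"second"/"third" is an assumption (numeric preferences are used as-is), and the requirement that every alternative carry at least Tunnel-Type and Tunnel-Medium-Type is a sanity check chosen for the example.

```python
import re
from typing import Dict, List, Tuple

# The chapter's own example profile, pasted as the constructed input
SAMPLE_PROFILE = """
Tunnel-Type =:1:PPTP, Tunnel-Medium-Type =:1:IPv4,
Tunnel-Client-Endpoint =:1:192.168.127.1, Tunnel-Server-Endpoint =:1:192.155.111.1,
Tunnel-Password =:1:Michigan, Tunnel-Private-Group-Id =:1:engineering,
Tunnel-Assignment-Id =:1:management, Tunnel-Preference =:1:first,
Tunnel-Client-Auth-Id =:1:NET, Tunnel-Server-Auth-Id =:1:Michigan,
Tunnel-Type =:2:L2TP, Tunnel-Medium-Type =:2:IPv4,
Tunnel-Client-Endpoint =:2:192.168.127.1, Tunnel-Server-Endpoint =:2:192.170.130.1,
Tunnel-Password =:2:California, Tunnel-Private-Group-Id =:2:engineering,
Tunnel-Assignment-Id =:2:management, Tunnel-Preference =:2:second,
Tunnel-Client-Auth-Id =:2:NET, Tunnel-Server-Auth-Id =:2:California
"""

# Attribute-Name =:Tag:Value  (the :Tag: part is optional for untagged attributes)
ITEM_RE = re.compile(r"^([A-Za-z0-9-]+)\s*=\s*(?::(\d+):)?(.*)$")

# Assumed ranking for the word form the chapter uses; numeric preferences are used as-is
PREFERENCE_RANK = {"first": 1, "second": 2, "third": 3}


def parse_tagged_attributes(text: str) -> Dict[int, Dict[str, str]]:
    """Group 'Attr =:Tag:Value' items by tag; untagged items land under tag 0.
    Items may be separated by commas or newlines, as in the profile above."""
    groups: Dict[int, Dict[str, str]] = {}
    for item in re.split(r"[,\n]", text):
        item = item.strip()
        if not item:
            continue
        m = ITEM_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse attribute item {item!r}")
        name, tag, value = m.group(1), int(m.group(2) or 0), m.group(3).strip()
        group = groups.setdefault(tag, {})
        if name in group:
            raise ValueError(f"{name} given twice for tag {tag}")
        group[name] = value
    return groups


def preference_rank(attrs: Dict[str, str]) -> float:
    """Lower rank is tried first; alternatives without a preference go last."""
    v = attrs.get("Tunnel-Preference")
    if v is None:
        return float("inf")
    return int(v) if v.isdigit() else PREFERENCE_RANK.get(v.lower(), float("inf"))


def tunnel_alternatives(text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Return the tagged tunnel definitions in the order the access device should try them."""
    groups = parse_tagged_attributes(text)
    tagged = [t for t in groups if t != 0]
    for t in tagged:
        missing = [a for a in ("Tunnel-Type", "Tunnel-Medium-Type") if a not in groups[t]]
        if missing:
            raise ValueError(f"tunnel alternative {t} lacks {missing}")
    return [(t, groups[t]) for t in sorted(tagged, key=lambda t: preference_rank(groups[t]))]
```

Running tunnel_alternatives over the profile returns the PPTP group (tag 1) before the L2TP group (tag 2); swapping the two Tunnel-Preference values reverses the order without touching any other attribute, which is the behaviour the text describes for the access device.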


25 Using DHCP

The HP-UX AAA Server can act as a Dynamic Host Configuration Protocol (DHCP) relay to request IP address assignments from a DHCP server. Currently, only DHCPv4 is supported. To use DHCP, you must associate address pools with the AAA server's incoming requests. The following are the two methods you can use to associate address pools with incoming requests:

• Associate an address pool with specific users or specific realms
• Configure HP-UX AAA Server decision files to associate an address pool for a condition. See Chapter 27 (page 411) for more information.

The HP-UX AAA Server can act as a relay for most DHCP servers.

Required DHCP Server Features

The DHCP server has the ability to assign addresses from its IP address pools based on the User Class or Vendor Class Identification attribute.

Recommended DHCP Server Features

• The DHCP server has the ability to assign IP addresses outside the network it resides in. Many RADIUS/DHCP deployments will require this capability.
• The DHCP server has the ability to send to ports above the well-known port range (0-1023). Without this capability the AAA server will not be able to run as a non-root process.

Defining DHCP Address Pools for Specific Users

Use the following steps to associate DHCP address pools with specific users. The procedure for associating address pools with specific users depends on where the user profile is stored.

NOTE: The name of the pool referenced in the user profile must match the name of a pool defined on the DHCP server.

To Associate an Address Pool with a User Profile in AAA Server Flat Files

1. On the navigation tree, select Local Realms. The Local Realms screen is displayed.

2. Click the Users icon for the realm the user is in. The Users screen appears.

3. Click the Edit icon next to the user you want to associate with an address pool. The Add/Modify Users screen appears.

4. Select the Free tab on top of the Modify Users screen.

5. Enter the address pool for the user in the Reply Item field, for example:

   Address-Pool=<Name-of-pool>

6. Click Modify.

To Associate an Address Pool with a User Profile in an LDAP LDIF File

1. From the command line, open the LDIF file the user profile is stored in.

2. Add the following line to the user profile:

   aaaReply: Interlink:Address-Pool=<Name-of-pool>

Associating Address Pools with Realms and Other Conditions

Use the following steps to associate address pools with realms and other conditions by modifying HP-UX AAA Server decision files. Refer to Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396) and Chapter 27 (page 411) for more information. The following steps and examples associate an IP address pool named test_pool with a realm named test.com.

1. Create a policy file in /etc/opt/aaa/dhcp.grp as follows:

   Group NORMAL {
       Condition {
           (User-Realm = test.com)
       }
       Reply {
           Decision = ACK
           Interlink:Address-Pool = "test_pool"
       }
   }
   Group NORMAL {
       Reply {
           Decision = ACK
       }
   }

2. Define a new state named CheckTestPolicy to check for the policy you created in Step 1. Replace the following lines in /etc/opt/aaa/radius.fsm as follows:

   Replace:

   UserDone:
       *.*.ACK    POLICY    AuthWait
       *.*.NAK    REPLY     Hold

   With:

   UserDone:
       *.*.ACK    POLICY    CheckTestPolicy
       *.*.NAK    REPLY     Hold
   CheckTestPolicy:
       *.*.ACK    POLICY    AuthWait    Xstring=decisionfile:dhcp.grp
       *.*.NAK    REPLY     Hold
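The policy file in step 1 reads as "first Group whose Condition holds supplies the Reply; a Group with no Condition is the default". The following Python parser and evaluator is an added example for this guide, not HP's policy engine: it accepts the Group / Condition / Reply layout shown above and evaluates a request against it. The grammar is inferred from this one example only, the first-match semantics and the handling of a missing Condition are assumptions (Chapter 27 is the authority for the real decision-file language), and the sample input is the dhcp.grp text from step 1.

```python
import re
from typing import Dict, List, Optional, Tuple

# The policy file from step 1, used here as the constructed input
DHCP_GRP = """
Group NORMAL {
    Condition {
        (User-Realm = test.com)
    }
    Reply {
        Decision = ACK
        Interlink:Address-Pool = "test_pool"
    }
}
Group NORMAL {
    Reply {
        Decision = ACK
    }
}
"""

# Tokens: quoted strings, the punctuation { } ( ) =, or bare words such as Interlink:Address-Pool
TOKEN_RE = re.compile(r'"[^"]*"|[{}()=]|[^\s{}()="]+')


def parse_decision_file(text: str) -> List[dict]:
    """Parse Group blocks into {"name", "conditions", "reply"} records.
    The grammar is inferred from the example in this chapter only (assumption)."""
    toks = TOKEN_RE.findall(text)
    pos = 0

    def take() -> str:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of decision file")
        tok = toks[pos]
        pos += 1
        return tok

    def expect(t: str) -> None:
        got = take()
        if got != t:
            raise ValueError(f"expected {t!r}, got {got!r}")

    def assignment() -> Tuple[str, str]:
        """Attr = value, optionally wrapped in parentheses as Conditions are."""
        name = take()
        parenthesised = name == "("
        if parenthesised:
            name = take()
        expect("=")
        value = take().strip('"')
        if parenthesised:
            expect(")")
        return name, value

    groups: List[dict] = []
    while pos < len(toks):
        expect("Group")
        group = {"name": take(), "conditions": [], "reply": []}
        expect("{")
        while pos < len(toks) and toks[pos] != "}":
            section = take()
            expect("{")
            while pos < len(toks) and toks[pos] != "}":
                pair = assignment()
                if section == "Condition":
                    group["conditions"].append(pair)
                elif section == "Reply":
                    group["reply"].append(pair)
                else:
                    raise ValueError(f"unknown section {section!r} in Group {group['name']}")
            expect("}")
        expect("}")
        groups.append(group)
    return groups


def evaluate(groups: List[dict], request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """First Group whose every Condition matches the request supplies the reply;
    a Group without a Condition always matches (assumed first-match semantics)."""
    for g in groups:
        if all(request.get(attr) == value for attr, value in g["conditions"]):
            return dict(g["reply"])
    return None
```

With the file above, a request whose User-Realm is test.com receives Decision = ACK together with Interlink:Address-Pool = test_pool, while any other realm falls through to the second Group and is acknowledged without a pool; remove the second Group and such requests get no reply at all, which is why the catch-all Group is there.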


Part V Customizing the HP-UX AAA Server

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:

• Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396)
• Chapter 27: “Customizing the HP-UX AAA Server Using Policies” (page 411)
• Chapter 28: “Customizing the HP-UX AAA Server Using the SDK” (page 446)


Table of Contents

26 Customizing the HP-UX AAA Server Using the Finite State Machine ............ 396
    States ............ 396
        Using Xstring to Call Policy ............ 399
        Using Xstring to Call an Alternate authfile ............ 399
    Event Names ............ 399
        Predefined Event Names ............ 400
        Creating New Names ............ 403
    Actions ............ 403
        FSM Tables ............ 405
    Custom State Tables ............ 406
        Tracking Versions ............ 406
        Examples ............ 406
            Preprocessing Module ............ 406
            Interim Logging ............ 408
            Custom Logging Format ............ 408
            Proxy Accounting Messages ............ 409

27 Customizing the HP-UX AAA Server Using Policies ............ 411
    Policy Overview ............ 411
    Defining a Policy in a Decision File ............ 412
        Action Commands ............ 413
            The delete Command ............ 414
            The insert Command ............ 415
            The modify Command ............ 417
            The exit Command ............ 418
            The log Command ............ 419
            The if Command ............ 420
        Attribute Specifications ............ 422
            Attribute Names ............ 422
            Vendor Names ............ 422
            Attribute Instance Specifications ............ 422
                No Instance Specification ............ 423
                Numeric Instance Specification ............ 423
                Keyword Instance Specification ............ 423
            Attribute Functions ............ 424
                The count Attribute Function ............ 424
                The length Attribute Function ............ 424
                The strcat Attribute Function ............ 425
                The substr Attribute Function ............ 426
                The tolower Attribute Function ............ 429
                The toupper Attribute Function ............ 430
        Value Types ............ 430
        Arithmetic Expressions ............ 431
            Arithmetic Operator Precedence and Association ............ 431
        Supported Boolean Operators ............ 432
            Boolean Operator Precedence and Association ............ 433
        Type Compatibility ............ 434
    Invoking a Policy ............ 435
        Invoking Policies Through Predefined Policy Hooks ............ 435
            Request Ingress Policy ............ 435
            User Policy ............ 436
                Invoking Policy from User Profiles ............ 437
            Reply Egress Policy ............ 437
            Proxy Egress Policy ............ 438
            Proxy Ingress Policy ............ 439
        Useful Attributes for Policy Conditions ............ 440
        Modifying the FSM for Specific Customizations ............ 441
    Sample Policy Implementations ............ 442
        Dynamic Access Control ............ 442
            Step 1 – Modifying the Default FSM for DAC ............ 442
            Step 2 – Defining the DAC Policies ............ 443
        DNIS Routing ............ 444
            Step 1 – Modifying the Default FSM for DNIS Routing ............ 444
            Step 2 – Defining the DNIS Routing Policies ............ 444

28 Customizing the HP-UX AAA Server Using the SDK ............ 446
    SDK Overview ............ 446
    Migrating Plug-ins Created Using Previous Versions of the SDK ............ 448
    Prerequisites for Using the SDK ............ 448
    SDK Directory Structure ............ 448
    SDK Concepts ............ 448
        Overview of AATVs ............ 448
        AATV Components ............ 449
            The init Function ............ 449
            The action Function ............ 449
            The timer or callback Function ............ 450
            The cleanup Function ............ 450
    Creating Plug-ins ............ 450
        Using AATVs to Create a Plug-in ............ 451
        Compiling and Loading a Plug-in ............ 452
        Testing and Debugging a Plug-in ............ 453
            Using the GNU Project Debugger ............ 453
                Using gdb to Debug Your Software Module ............ 453
    Creating Plug-ins for AATVs ............ 454
        A3 and A8 Algorithm Plug-in for EAP-SIM ............ 454
            Creating A3, A8 Plug-ins ............ 455
        AKA Algorithm Plug-in for EAP-AKA ............ 456
            Creating AKA Plug-ins ............ 457


26 Customizing the HP-UX AAA Server Using the Finite State Machine

The main component of the server’s software engine is the Finite State Machine (FSM) and a few associated routines. At server startup, the FSM reads instructions from a state table by loading and parsing a .fsm file. By default, it loads the radius.fsm file, unless it is missing or you have specified another .fsm file using the radiusd -f command. The .fsm file defines a state table that includes the states, events, and actions that determine how a request is processed.

You can track different versions of state tables by adding the following line to the .fsm file:

   %FSMID Version-String

Version-String is the version information. This string appears in radcheck output.

States

In the Finite State Machine, a request transitions through a series of states, beginning with a state that includes possible starting events. The action specified to be called first in response to an initial authentication request returns a value, an event that determines the next state to transition to. Within each state, the next action is triggered by an event (based on the previous state and action and a value, typically ACK or NAK, returned by the previous action), which in turn directs the flow of the request to another state, until an End state is reached. Figure 26-1 shows at a high level the process that occurs, as the result of a request, in the finite state machine.


Figure 26-1 Default FSM State Transitions

The actions triggered during this process read information from the server's configuration, from stored user profiles, and from policy. Based on this information the actions perform the server's authentication, authorization, and accounting functions. The server can be set up to do a variety of different functions by modifying existing or creating new FSM state tables. For example, interim accounting messages can be logged by calling the appropriate module at a certain point in the authentication process.

Each state defined in a finite state table starts with a line containing the name of the state, followed by a colon character. Each subsequent line is an event handler with three required and two optional fields, delimited by spaces or tabs. Below is the syntax of a state in a finite state table:

    State-name:
        Event-1   Action-1   Next-state-1   Xvalue=integer   Xstring=string
        ...       ...        ...
        Event-n   Action-n   Next-state-n   Xvalue=integer   Xstring=string


State-name     An arbitrary string that represents a state in the FSM. It can contain any printable ASCII character except space, new line, carriage return, tab, and colon.
               • Every state except the Start state must be referenced as the next state by at least one event handler in some state.
               • Every state except End must have at least one associated event handler.
               • Every state referenced in an event handler must be defined.
               • A state is defined only once in the FSM.

Event-n        Three-tuple with each part separated by a period character, in the form Last-state.Last-action.Event-name
               • Last-state: The name of the state that generated the event, or an asterisk character (*). Use the asterisk to match any state if there is no last state for the event, or if the last state does not matter.
               • Last-action: The name of the action that generated the event, or an arbitrary string (found in the code or arriving in a packet) prefixed with a plus character. This field can also be an asterisk character (*). Use the asterisk to match any action if there is no last action, or if the last action does not matter. When preceded by a plus sign, the string does not refer to the last action but to a value assigned to an internal attribute, Interlink-Proxy-Action, according to the type of message received and where it was received from.
               • Event-name: The string returned from Last-action.

Action-n       Name of the action to call. The called action returns a value that is used to determine the next action. Refer to “Actions” (page 403) for a list of commonly called modules. Typically, the HP-UX AAA Server invokes AUTHENTICATE upon receipt of an authentication request. AUTHENTICATE in turn invokes the proper authentication module (PROLDAP, SQLAccess, and so on), depending on the configuration of the request in question. This process is specific to the server's default state table.

Next-state-n   Name of the next state in the AAA transaction. The current State-name, Action-n, and the value returned from the called AATV (Event-name) are used to determine which event listed under Next-state-n is processed.


Xvalue=integer An A-V pair (integer value) that may be passed to an Action as an argument. Only one integer argument may be specified for each event.

Xstring=string An A-V pair (string value) that may be passed to an Action as an argument. Only one string argument may be specified for each event.

Using Xstring to Call Policy

With the POLICY module, you can use the Xstring parameter to specify a URL where policy definitions are stored. These policies group requests based on Attribute Value (A-V) pairs in an Access-Request and allow the request to be resolved differently according to those values. For example, with some additional modifications to the FSM you can control access based on dial-in date and time, perform Dialed Number Identification Service (DNIS) routing based on the number dialed, or apply other such criteria.

    Xstring=decisionfile:Filename

Where:

Filename       The name of the file.

This syntax allows you to point to policy stored in a flat file (called a decision file; see Chapter 27 (page 411)).

NOTE: You can configure the FSM to call the POLICY action more than once. Each different decision file you wish to use requires its own POLICY call in the FSM.

Using Xstring to Call an Alternate authfile

With the REALM action you can use the Xstring parameter to point to an alternate authfile. Use the following syntax:

    Xstring=Filename

Filename is the name of the alternate file. The authfile is used by the REALM action while processing the authentication request. Set Xstring to the name of the authfile to use that file instead of the default authfile.

Event Names

After an action completes its task, it returns an event name to the FSM. The previous state, the action, and the event name determine the current event, which in turn determines the next action of the FSM. The event names returned by the standard HP-UX AAA Server actions are predefined, but you can create your own names by modifying the FSM. To implement your own policy decisions or custom logging, you can configure the server to return predefined or custom event names by using the Decision attribute in stored policy.

Predefined Event Names

Several event names that can be returned by an action are predefined in the server.

Table 26-1 Predefined Event Names

Event Name                    Description
ACCT                          The incoming request is an Accounting-Request.
ACC_CHAL                      An Access-Challenge message must be sent in response to an access challenge.
ACCT_ALIVE                    The incoming Accounting-Request is an interim accounting message.
ACCT_CANCEL                   The incoming Accounting-Request is a message to cancel the session.
ACCT_DUP                      The incoming Accounting-Request is a duplicate.
ACCT_MSTART                   The originating NAS has just rebooted, so all active sessions from this client can be purged.
ACCT_MSTOP                    The originating NAS is about to reboot.
ACCT_OFF                      The received accounting message has a Status-Type of Accounting-Off.
ACCT_ON                       The received accounting message has a Status-Type of Accounting-On.
ACCT_START                    The received accounting message has a Status-Type of Start.
ACCT_STOP                     The received accounting message has a Status-Type of Stop.
ACCT_TUNNEL_LINK_START        The incoming Accounting-Request is a message to start a session through an established tunnel.
ACCT_TUNNEL_LINK_STOP         The incoming Accounting-Request is a message to end a session through an established tunnel.
ACCT_TUNNEL_REJECT            The incoming Accounting-Request indicates that a requested tunnel could not be established.
ACCT_TUNNEL_START             The incoming Accounting-Request is a message to establish a tunnel.
ACCT_TUNNEL_STOP              The incoming Accounting-Request is a message to eliminate a tunnel.
ACK                           Acknowledgment of the previous action.
ACCT_TUNNEL_LINK_REJECT       The incoming Accounting-Request indicates that the user has been denied access to an established tunnel.
AUTHEN                        The incoming request is an Access-Request.
AUTH_ONLY                     The received Access-Request has a Status-Type of Authenticate-Only.
CONTINUE                      The incoming Access-Request is a continuation of an in-progress EAP conversation. In general, you can allow the server to handle these events without any modification. This event is not pre-defined; it must be defined in the FSM file.
CLIENT_REQ                    The request is a CLIENT request.
DROP                          The request must be dropped without any further processing. This event is not pre-defined; it must be defined in the FSM file with a value that matches the value of DROP for the Interlink-Reply-Status attribute defined in the dictionary file.
DUP                           The incoming Access-Request is a duplicate. Generally, you should allow the server to handle these events without modification.
ERROR                         The previous action generated an error. Generally, you can allow the server to handle these events without modification.
LASCP                         The incoming Accounting-Request is an accounting-interim-update. Generally, you can allow the server to handle these events without modification. This event is not pre-defined; it must be defined in the FSM file.
NAK                           Negative acknowledgment of the previous action.
NO_SUCH_REALM                 Returned by the REALM action when a user's realm cannot be found in the authfile.
POST_REPLY_EGRESS             Returned by the reply-egress policy. This event handles post-reply-egress actions when OTP authentication is configured. NOTE: The default policy file uses SQLAccess.
PROXY_CREDENTIAL              Proxies OTP to the target proxy server when OTP authentication is configured. NOTE: The default policy file uses the RAD2RAD AATV.
PROXY_EGRESS                  May be returned by the RAD2RAD AATV (RADIUS proxy) module to indicate that a request is about to be forwarded. In the default FSM this invokes the proxy reply-egress policy. This event is not pre-defined; it must be defined in the FSM file.
PW_EXPIRED                    Returned by the AUTHENTICATE action if the user profile includes an out-of-date value for the Expiration configuration attribute.
RETRIEVE_ERROR                Returned by iaaaUsers, PROLDAP, or another data store action if the action could not locate the user's profile in the configured data store.
RETRIEVEOTP_INFO              Retrieves token information from the repository.
RETRIEVE_SUCCESS              Returned by iaaaUsers, PROLDAP, SQLAccess, or another data store action if the action could locate the user profile in the configured data store.
RETRY_LIMIT                   The number of received duplicate requests has exceeded the retry limit.
SEND                          Typically used after a reply-egress policy to cause the request to be forwarded or the reply to be sent. This event is not pre-defined; it must be defined in the FSM file.
TIMEOUT                       The request has timed out due to inactivity.
TIMER                         The timer value has expired.
WAIT                          The previous action generated a pending event. Generally, you should allow the server to handle these events without modification.
SIM_AUTH_BY_PERMANENT_ID      EAP-SIM authentication needs to be done based on the Permanent Identity.
SIM_AUTH_BY_PSEUDONYM         EAP-SIM authentication needs to be done based on the Pseudonym Identity.
SIM_AUTH_BY_FAST_REAUTH_ID    EAP-SIM authentication needs to be done based on the Fast Reauth Identity.
SIM_UPDATE                    EAP-SIM Pseudonym or Fast Reauth Identity database update.
AKA_AUTH_BY_PERMANENT_ID      EAP-AKA authentication needs to be done based on the Permanent Identity.
AKA_AUTH_BY_PSEUDONYM         EAP-AKA authentication needs to be done based on the Pseudonym Identity.
AKA_AUTH_BY_FAST_REAUTH_ID    EAP-AKA authentication needs to be done based on the Fast Reauth Identity.
AKA_UPDATE                    EAP-AKA Pseudonym or Fast Reauth Identity database update.
AKA_RESYNCHRONIZATION         EAP-AKA Sequence Number re-synchronization.

Creating New Names

You can create custom event names. An event can be defined anywhere in the state table, but it must be defined before it is referenced. Use the following syntax for creating new event names:

    event Name

Name           Can be any alphanumeric string and can include underscores (_).

Actions

The actions in the state table correspond to the defined AATV actions. These actions perform discrete functions, such as initiating an authentication request, replying to an authentication request, or logging an accounting record. Any action in the state table must exist in an HP-UX AAA library or plug-in (located in the /opt/aaa/aatv directory). Table 26-2 lists some of the available actions.

Table 26-2 Available Actions

Action                      Description
ACCT                        Writes Livingston call detail records.
ACCT_SWITCH                 Directs the FSM to the next state based on the reason code of the Accounting-Request.
ACK                         Signifies success.
iaaaAuthenticate            Parses and verifies the password received in the request against the password in the stored user profile.
AUTHENTICATE                Initial action to handle an Access-Request.
CHK_DNY                     Verifies check items in the user profile.
CLEANUP                     Exits the FSM.
CLIENT                      Enqueues the CLIENT request in a message queue and spawns a new CLIENT request.
CONTINUE                    Resumes processing of an in-progress EAP conversation.
EAP                         Performs EAP authentication.
iaaaUsers, iaaaFile         Attempt to retrieve a user profile stored in a users file.
FILE                        Retrieves a user profile from a users or realm file and verifies the password.
IPADDR                      Assigns an IP address from a reserved pool of addresses.
KILL                        Unconditionally removes pending events.
LAS                         Evaluates realm-based authorization.
LAS_ACCT                    Initial action to handle an Accounting-Request.
LOG                         Writes Merit session log records.
NULL                        No action (placeholder).
PASSWD                      Retrieves the UNIX user profile and verifies the password.
PENDING                     Checks for pending events.
POLICY                      Evaluates complex policy decisions that apply to a request.
ProxySend                   Forwards proxy requests.
POSTLAS                     Allocates tokens.
PROLDAP                     Retrieves a user profile from an LDAP server and verifies the password.
RAD2RAD                     Sends RADIUS proxy requests.
RADDNS                      Resolves DNS names.
RADIUS                      Receives RADIUS requests and replies.
iaaaRealm                   Attempts to locate where a user profile is stored for the realm extracted from a user request.
REALM                       Handles realm-based authentication.
REDO                        Repeats an action.
REPLY                       Sends a RADIUS reply (access or accounting) to a client.
ReplyDispatch               Translates the Interlink-Reply-Status attribute to an FSM event.
ReplyPrep                   Prepares to generate reply messages prior to the reply-egress policy.
ReplySend                   Generates reply messages after the reply-egress policy.
RequestDispatch             Translates the Interlink-Proxy-Action attribute to an FSM event.
SQLAccess                   Triggers the SQL action specified in the Xstring argument.
SRV_STATUS                  Handles Status-Server (Management-Poll) requests.
TIMEOUT                     Performs timeout logging. If the Xstring value of tracing is off, default logging is disabled.
TUNNELING                   Encrypts Tunnel-Password and resolves hints from the client.
EAP-SIMAKA                  EAP-SIM and EAP-AKA protocol action function.
SIMAKA-Credentials          Performs EAP-SIM and EAP-AKA credential lookup using the configured AATV.
SIMAKA-VectorCalc           Calculates the vector for EAP-SIM and EAP-AKA.
SIMAKA-ReauthLookup         Performs EAP-SIM and EAP-AKA Fast-Reauth database lookup using the configured AATV.
SIMAKA-ReauthUpdate         Performs EAP-SIM and EAP-AKA Fast-Reauth database update using the configured AATV.
SIMAKA-PseudonymUpdate      Performs EAP-SIM and EAP-AKA Pseudonym database lookup using the configured AATV.
SIMAKA-PseudonymUpdate      Performs EAP-SIM and EAP-AKA Pseudonym database update using the configured AATV.
SIMAKA-ResyncUpdate         Performs re-synchronization of the Sequence Number for EAP-AKA using the configured AATV.
SIMAKA-AuthResultUpdate     Performs Authentication Result Update for EAP-AKA using the configured AATV.

FSM Tables

Table 26-3 lists the various FSM tables you can use.

Table 26-3 Predefined FSM Tables

Filename                                            Function
/etc/opt/aaa/radius.fsm                             Basic authentication, authorization, and accounting functions.
/opt/aaa/examples/config/merit.fsm                  For use with legacy applications that require the finite state table used in HP-UX AAA Server versions before A.06.02.
/opt/aaa/examples/config/logall.fsm                 Logs all accounting messages in Merit-style session logs.
/opt/aaa/examples/config/proxyacct.fsm              Template file that allows accounting messages to be logged at a remote proxy server.
/opt/aaa/examples/config/DNIS.fsm                   Template file that adds an example of DNIS routing to default.fsm.
/opt/aaa/examples/config/DAC.fsm                    Template file that adds an example of dynamic access control (DAC) to default.fsm.
/opt/aaa/examples/config/sqlacess-acct.fsm          Sample FSM file required to implement accounting without session management using SQL access.
/opt/aaa/examples/config/sqlaccess-acct-sess.fsm    Sample FSM file required to implement accounting with session management using SQL access.

To use any of the above predefined state tables, copy the required .fsm file to /etc/opt/aaa/radius.fsm and start the AAA server. Keep a copy of the existing /etc/opt/aaa/radius.fsm before overwriting it, so that the previous behavior can be restored if the new table does not process requests as expected.

NOTE: The product is installed with logall.fsm as radius.fsm in /etc/opt/aaa/.

Custom State Tables

The server can be set up for different functions by modifying existing FSM tables or creating new FSM tables. Edit the state table to change the authorization sequence, or to have interim accounting messages logged by calling the appropriate module at a certain point in the authentication process.

Tracking Versions

You can embed version information into a state table using the following syntax:

    %FSMID Version

Version        Can be any string and will appear as the ID in radcheck output.

Examples

State table modifications can range from simple to more involved customization and offer a great deal of flexibility when configuring the HP-UX AAA software.

Preprocessing Module

An Access-Request message may need to be pre-processed for a variety of reasons. For example, if the client sends a User-Name value with extraneous information, the extraneous information may need to be stripped out before the server authenticates the user. Preprocessing requires that you write or obtain a plug-in that will parse the message and pass the processed A-V pairs to the iaaaUsers action. Modify the state table to call the preprocessing plug-in when the message is first received. Add a preprocessing state that calls the iaaaUsers action and transitions to the UsersCheck state.


    1 START:
    2     *.+AUTHEN.ACK          PREPROC     Preauth
    3     *.+AUTHENTICATE.ACK    PREPROC     Preauth
    4 Preauth:
    5     *.PREPROC.ACK          iaaaUsers   UsersCheck
    6     *.PREPROC.NAK          REPLY       Hold
    7 . . .

Lines 1-3      *.+AUTHEN.ACK or *.+AUTHENTICATE.ACK indicates that the received message is an Access-Request. PREPROC indicates the action, which calls the custom PREPROC software module. PREPROC is programmed to parse User-Name, strip out the extraneous information, and assign the result to the User-Id attribute. (The server uses User-Id to locate a stored user profile.) If PREPROC is successful it returns an ACK event name; otherwise, it returns a NAK. Preauth indicates the next state the FSM must proceed to after PREPROC returns an ACK or NAK event name.

Line 4         As described for lines 1 to 3, Preauth is the next state after PREPROC has parsed User-Name and returned an ACK or NAK value.

Line 5         If PREPROC returns an ACK value, handling of the request continues normally with the modified user name.

Line 6         If PREPROC returns a NAK value, the request is rejected.

NOTE: When listing an event, you need to specify the last action only if it is required for the finite state table to correctly determine the next action. In this case, the Preauth events *.*.ACK and *.*.NAK on lines 5 and 6 would also work.
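The state rules listed under “States” and the three-field event handler syntax can be checked mechanically before a modified .fsm file is copied into place. The following Python script is an added example, not part of the HP-UX AAA Server product or this guide. It parses a state table written in the syntax shown in this chapter, applies the state rules, picks a handler for a Last-state.Last-action.Event tuple, and dry-runs a request through the preprocessing example above. The sample table (completed with invented UsersCheck and ReplyHold states and an accounting branch carrying an Xstring), the simulated outcomes of PREPROC and the other actions, the assumption that the first state in the file is the start state and the terminal state is named End, the treatment of # as a comment marker, and the preference for an exact Last-state/Last-action match over an asterisk wildcard are all assumptions of the example, not documented server behavior.

```python
"""Parse, lint and dry-run an HP-UX AAA style .fsm state table. Added example, not
HP-UX AAA Server code. Assumptions beyond the manual: '#' starts a comment, the first
state in the file is the start state, the terminal state is named End, state names
contain no '.', and an exact Last-state/Last-action match beats an '*' wildcard."""
import shlex
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

END_STATE = "End"
Handler = namedtuple("Handler", "last_state last_action event action next_state xvalue xstring")

class FsmError(ValueError):
    """A state table the server's rules would reject."""

def parse_fsm(text: str) -> Tuple[Optional[str], List[str], Dict[str, List[Handler]]]:
    """Return (FSMID, custom event names, {state: handlers}) in file order."""
    fsmid, events, states, current = None, [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("%FSMID"):
            fsmid = line[len("%FSMID"):].strip()
        elif line.startswith("event "):
            events.append(line.split(None, 1)[1])
        elif line.endswith(":") and len(line.split()) == 1:      # "State-name:" opens a state
            current = line[:-1]
            if current in states:
                raise FsmError(f"line {lineno}: state {current} defined twice")
            states[current] = []
        else:
            if current is None:
                raise FsmError(f"line {lineno}: event handler outside any state")
            fields = shlex.split(line)                             # unquotes Xstring="..."
            parts = fields[0].split(".") if fields else []
            if len(fields) < 3 or len(parts) != 3:
                raise FsmError(f"line {lineno}: expected Last-state.Last-action.Event Action Next-state")
            opts = dict(opt.partition("=")[::2] for opt in fields[3:])   # Xvalue=..., Xstring=...
            xvalue = int(opts["Xvalue"]) if "Xvalue" in opts else None
            states[current].append(Handler(*parts, fields[1], fields[2], xvalue, opts.get("Xstring")))
    return fsmid, events, states

def lint(states: Dict[str, List[Handler]]) -> List[str]:
    """Apply the rules listed under "States"; an empty list means the table passes."""
    problems, start = [], next(iter(states))
    referenced = {h.next_state for hs in states.values() for h in hs}
    for name, handlers in states.items():
        if name != END_STATE and not handlers:
            problems.append(f"state {name} has no event handler")
        if name != start and name not in referenced:
            problems.append(f"state {name} is never used as a next state")
    for name in sorted(referenced - set(states)):
        problems.append(f"next state {name} is referenced but not defined")
    return problems

def resolve(states, state, last_state, last_action, event) -> Optional[Handler]:
    """Pick the handler in `state` for Last-state.Last-action.Event; exact match beats '*'."""
    best, best_score = None, -1
    for h in states[state]:
        if h.event != event or h.last_state not in ("*", last_state) \
                or h.last_action not in ("*", last_action):
            continue
        score = (h.last_state != "*") + (h.last_action != "*")
        if score > best_score:
            best, best_score = h, score
    return best

def trace(states, proxy_action, event, outcomes) -> List[str]:
    """Dry-run one request; `outcomes` maps each action to the event it would return."""
    state, last_state, last_action, called = next(iter(states)), "*", proxy_action, []
    while state != END_STATE:
        h = resolve(states, state, last_state, last_action, event)
        if h is None:
            raise FsmError(f"no handler in {state} for {last_state}.{last_action}.{event}")
        called.append(h.action)
        if h.action not in outcomes:
            break
        last_state, last_action, event, state = state, h.action, outcomes[h.action], h.next_state
    return called

# Constructed sample: the preprocessing example from this chapter, completed with invented states.
SAMPLE_FSM = """
%FSMID example-preproc-1.0
event CONTINUE
START:
    *.+AUTHEN.ACK                 PREPROC       Preauth
    *.+ACCT.ACK                   RAD2RAD       ReplyHold  Xstring="default.accounting.proxy.server"
Preauth:
    *.PREPROC.ACK                 iaaaUsers     UsersCheck
    *.PREPROC.NAK                 REPLY         Hold
UsersCheck:
    *.iaaaUsers.RETRIEVE_SUCCESS  AUTHENTICATE  ReplyHold
ReplyHold:
    *.*.ACK                       REPLY         Hold
Hold:
    *.*.TIMEOUT                   NULL          End
End:
"""
# Simulated AATV results; TIMEOUT is really raised by the hold timer, not returned by REPLY.
OUTCOMES = {"PREPROC": "ACK", "iaaaUsers": "RETRIEVE_SUCCESS", "AUTHENTICATE": "ACK",
            "REPLY": "TIMEOUT", "NULL": "ACK"}
```

Running lint() on a table before copying it to /etc/opt/aaa/radius.fsm catches the mistakes the server would otherwise report at startup: a state referenced but never defined, a state defined twice, or a state that can never be reached. trace() shows which actions a request would pass through for a given set of action outcomes, which makes the effect of a new PREPROC or LOG line visible without sending a RADIUS request.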

Interim Logging

To indicate that a session is still active, the client sends an accounting message at regular intervals (defined by the client) during the session. To generate session logs when the server receives this accounting message, you need to modify one line in the ACCTlog state. The following example uses the default radius.fsm FSM file.

    *.*.ACCT_ALIVE   LOG   REPLYHold

The REPLY action has been replaced with LOG, which is the action that writes the session log. If you want to log other accounting messages, you must change the action to LOG for the event that corresponds to the message that must be logged.

NOTE: An HP-UX AAA Server-provided state table, logall.fsm, logs all accounting messages.

Custom Logging Format

Using a custom logging format requires that you write or obtain a plug-in that will generate a session log. In each instance where you want to use your custom format, you must replace the LOG action in the state table with the name of the appropriate action defined in your plug-in. The ACCTlog state in the following example uses a logging format generated by MYLOG for an ordinary session and another format generated by TUNNELLOG for tunnel sessions.

    ACCTlog:
        *.*.ACCT_START                REPLY       Hold
        *.*.ACCT_STOP                 MYLOG       REPLYHold
        *.*.ACCT_ALIVE                REPLY       Hold
        *.*.ACCT_MSTART               REPLY       Hold
        *.*.ACCT_MSTOP                MYLOG       REPLYHold
        *.*.ACCT_CANCEL               REPLY       Hold
        *.*.ACCT_ON                   MYLOG       REPLYHold
        *.*.ACCT_OFF                  MYLOG       REPLYHold
        *.*.ACCT_TUNNEL_START         REPLY       Hold
        *.*.ACCT_TUNNEL_STOP          TUNNELLOG   REPLYHold
        *.*.ACCT_TUNNEL_REJECT        TUNNELLOG   REPLYHold
        *.*.ACCT_TUNNEL_LINK_START    REPLY       Hold
        *.*.ACCT_TUNNEL_LINK_STOP     TUNNELLOG   REPLYHold
        *.*.ACCT_TUNNEL_LINK_REJECT   TUNNELLOG   REPLYHold

Proxy Accounting Messages

If you have a distributed network of AAA servers, you can choose to centralize log records for some or all of the accounting logs at a single location. The RAD2RAD action can forward accounting messages to another server, as specified by an Xstring value. If all accounting messages will be forwarded to a remote server, the ACCTlog state in the forwarding server's state table can be removed, or commented out as shown below.

    1  . . .
    2  ACCTwait:
    3      *.*.ACK         RAD2RAD   REPLYHold   Xstring="default.accounting.proxy.server"
    4  IPPool:
    5      *.*.ACK         POSTLAS   Tunneling
    6      *.*.NAK         POSTLAS   REPLYHold
    7  . . .
    8  REPLYHold:
    9      *.*.ACK         REPLY     Hold
    10     *.*.NAK         REPLY     Hold
    11     *.*.ACC_CHAL    REPLY     Hold
    12     *.*.ACCT_DUP    RAD2RAD   REPLYHold   Xstring="default.accounting.proxy.server"
    13 Hold:
    14     *.*.TIMEOUT     NULL      End
    15 End:

Lines 1 to 2   The FSM handles the request normally until it reaches the ACCTwait state.

Lines 2 to 4   RAD2RAD forwards the message to default.accounting.proxy.server. When a response is received from the remote server, the FSM transitions to the REPLYHold state.

Lines 5 to 8   The next state listed in the state table is IPPool, since ACCTlog is no longer required. The remaining states handle authentication requests.

Lines 9 to 15  Handle the accounting response from the remote server and close the request.

NOTE: This example appears in the AAA Server-provided template file, proxyacct.fsm.


27 Customizing the HP-UX AAA Server Using Policies

This chapter explains how you can use policies to customize the HP-UX AAA Server. It also discusses some sample policy implementations. This chapter addresses the following topics:
• “Policy Overview” (page 411)
• “Defining a Policy in a Decision File” (page 412)
  — “Action Commands” (page 413)
  — “Attribute Specifications” (page 422)
  — “Attribute Functions” (page 424)
  — “Value Types” (page 430)
  — “Arithmetic Expressions” (page 431)
  — “Supported Boolean Operators” (page 432)
  — “Type Compatibility” (page 434)
• “Invoking a Policy” (page 435)
  — “Invoking Policies Through Predefined Policy Hooks” (page 435)
  — “Modifying the FSM for Specific Customizations” (page 441)
• “Sample Policy Implementations” (page 442)
  — “Dynamic Access Control” (page 442)
  — “DNIS Routing” (page 444)

Policy Overview

Advanced policy actions enable you to manipulate the RADIUS packet contents based on the contents of the RADIUS request and reply packets and on various system contexts (for example, a local IP address). Policy modules are invoked using the Finite State Machine (FSM) and can be executed at any time during processing of the RADIUS packet. When a policy AATV is invoked, you can specify the policy definition file. The following predefined policy files are included in the default FSM:
• request-ingress.grp
• reply-egress.grp
• proxy-egress.grp
• proxy-ingress.grp


Notes:
• Customers can also write their own policy decision files and invoke them from the FSM or the user profiles.
• This chapter discusses only the new (and easier to use) format for creating decision files. The old format contains policy group entries that are still supported; however, the old format is not documented in this chapter. For information about the old syntax, see Appendix E (page 596).
• You cannot create a single decision file using syntax from both formats.

Defining a Policy in a Decision File

A decision file is evaluated from beginning to end against the request, removing, modifying and/or adding A-V pairs as specified until an Exit command is encountered. Any remaining lines are not evaluated. The Exit command specifies the event to be returned to the FSM; the event is used to control the flow through the FSM. If the end of the file is reached without executing an Exit command, the ACK event is returned to the FSM. For more information on FSMs, see Chapter 26 (page 396).


Example 27-1 An example of a policy file that restricts Session-Timeout to one hour for guests, removes unwanted attributes, and provides administrative privileges to administrators

    # Guests have a session-timeout of one hour. Normal users
    # have 5 hours.
    if (substr (User-Name after "@") = "guest.example.com")
    {
        insert Session-Timeout = 3600
    }
    else
    {
        insert Session-Timeout = 18000
    }
    if ( NAS-IP-Address = "192.168.0.1" )
    {
        # Delete Filter-Id for NASes that do not support it.
        delete Filter-Id
    }
    if ( User-Name = "admin" )
    {
        # Modify Service-Type to provide administrative privileges.
        modify Service-Type = "Administrative"
    }

This section describes the syntax and usage of the various commands. It also explains how to specify attributes and values. This section discusses the following topics:
• “Action Commands”
• “Attribute Specifications” (page 422)
• “Value Types” (page 430)
• “Supported Boolean Operators” (page 432)
• “Type Compatibility” (page 434)

Action Commands

A decision file contains a series of action commands that specify the action to be performed by the policy. Following are the action commands that you can specify:
• “The delete Command”
• “The insert Command”
• “The modify Command” (page 417)
• “The exit Command” (page 418)
• “The log Command” (page 419)
• “The if Command” (page 420)
The following sections discuss these action commands in detail.


The delete Command

Syntax

delete <attr-spec>

Parameters

The <attr-spec> parameter is an attribute specification. For more information onspecifying attributes, see “Attribute Specifications” (page 422).

Operation

The delete command deletes the specified attribute instance(s) from the request. If <attr-spec> refers to an instance that is not present, no instance is deleted.

Examples

Table 27-1 discusses some examples that illustrate the use of the delete command.

Table 27-1 Examples Illustrating the Use of the delete Command

Attributes in the Request           Command                        Result
NAS-Port = 2                        delete Reply-Message[*]        NAS-Port = 2
Reply-Message = "Hello, world!"                                    NAS-IP-Address = "2.3.4.5"
Reply-Message = "So long"
NAS-IP-Address = "2.3.4.5"

NAS-Port = 2                        delete Reply-Message           NAS-Port = 2
Reply-Message = "Hello, world!"                                    Reply-Message = "Hello, world!"
Reply-Message = "So long"                                          NAS-IP-Address = "2.3.4.5"
NAS-IP-Address = "2.3.4.5"

NAS-Port = 2                        delete Reply-Message[0]        NAS-Port = 2
Reply-Message = "Hello, world!"                                    Reply-Message = "So long"
Reply-Message = "So long"                                          NAS-IP-Address = "2.3.4.5"
NAS-IP-Address = "2.3.4.5"

NAS-Port = 2                        delete NAS-IP-Address[*]       NAS-Port = 2
Reply-Message = "Hello, world!"                                    Reply-Message = "Hello, world!"

NAS-Port = 2                        delete NAS-IP-Address[0]       NAS-Port = 2
Reply-Message = "Hello, world!"                                    Reply-Message = "Hello, world!"

NAS-Port = 2                        delete NAS-IP-Address[last]    NAS-Port = 2
Reply-Message = "Hello, world!"                                    Reply-Message = "Hello, world!"

The insert Command

Syntax

insert <attr-spec> = <value-expr>

Parameters

• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).

• <value-expr>: The <value-expr> parameter is a value expression. It can be a value specification, an attribute specification, an arithmetic expression, or an attribute function. For more information, see “Attribute Specifications” (page 422), “Arithmetic Expressions” (page 431), “Value Types” (page 430), and “Attribute Functions” (page 424).

NOTE: The types of <attr-spec> and <value-expr> must be compatible. For more information, see “Type Compatibility” (page 434).

The instance location specified by <attr-spec> indicates the desired target location for the inserted instance. The algorithm used is "final opportunity", as opposed to "earliest opportunity". This implies that inserting at "last" is the same as inserting at the end, and that a new instance n is placed just before the already-present instance n (or at the end, if instance n is not already present).

Operation

The insert command inserts <attr-spec> with <value-expr> into the request. Table 27-2 discusses the behavior of the insert command in various scenarios.

Table 27-2 Behavior of the insert Command in Various Scenarios

If the <attr-spec> parameter refers to an instance that is not present,
    then the attribute is inserted at the end of the list.

If the <attr-spec> parameter refers to a tagged attribute (tag-int or tag-str) and <value-expr> is not a tagged value,
    then the tag for the inserted attribute is set to 0.

If the <attr-spec> parameter refers to an attribute that is not tagged and <value-expr> is a tagged value,
    then the tag is ignored.

Examples

Table 27-3 discusses some examples illustrating the use of the insert command.

Table 27-3 Examples Illustrating the Use of the insert Command

Attributes in the Request:
    NAS-Port = 2
    Reply-Message = "message#1"
    Reply-Message = "message#2"
    NAS-IP-Address = "2.3.4.5"
Command:
    insert Reply-Message = Reply-Message
Result:
    NAS-Port = 2
    Reply-Message = "message#1"
    Reply-Message = "message#2"
    NAS-IP-Address = "2.3.4.5"
    Reply-Message = "message#2"

Attributes in the Request:
    NAS-Port = 2
    Reply-Message = "message#1"
    Reply-Message = "message#2"
    NAS-IP-Address = "2.3.4.5"
Command:
    insert Reply-Message[0] = "a new message"
Result:
    NAS-Port = 2
    Reply-Message = "a new message"
    Reply-Message = "message#1"
    Reply-Message = "message#2"
    NAS-IP-Address = "2.3.4.5"

Attributes in the Request:
    NAS-Port = 2
    NAS-IP-Address = "2.3.4.5"
Command:
    insert Reply-Message[begin] = "Hello, world!"
Result:
    Reply-Message = "Hello, world!"
    NAS-Port = 2
    NAS-IP-Address = "2.3.4.5"

Attributes in the Request:
    NAS-Port = 2
    Xvalue = 10
Command:
    insert Xvalue = Nas-Port + 20 - Xvalue[0]
Result:
    NAS-Port = 2
    Xvalue = 10
    Xvalue = 12

Attributes in the Request:
    Tunnel-Password = :2:"abc"
Command:
    insert Tunnel-Password = :3:"def"
Result:
    Tunnel-Password = :2:"abc"
    Tunnel-Password = :3:"def"

Attributes in the Request:
    Reply-Message = "hello"
Command:
    insert Reply-Message = :3:"def"
Result:
    Reply-Message = "hello"
    Reply-Message = "def"

Attributes in the Request:
    Reply-Message = "abc"
Command:
    insert NAS-Port = count(Reply-Message[*])
Result:
    Reply-Message = "abc"
    NAS-Port = 1

Attributes in the Request:
    Idle-Timeout = 10
    Xvalue = 20
Command:
    insert Session-Timeout = Idle-Timeout * Xvalue
Result:
    Idle-Timeout = 10
    Xvalue = 20
    Session-Timeout = 200

For information on attribute functions (such as the count attribute function), see “Attribute Functions” (page 424).

The modify Command

Syntax

modify <attr-spec> = <value-expr>

Parameters

• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).

• <value-expr>: The <value-expr> parameter is a value expression. It can be a value specification, an attribute specification, an arithmetic expression, or an attribute function. For more information, see “Attribute Specifications” (page 422), “Arithmetic Expressions” (page 431), “Value Types” (page 430), and “Attribute Functions” (page 424).

NOTE: The types of <attr-spec> and <value-expr> must be compatible. For more information on compatibility, see “Type Compatibility” (page 434).

Operation

The modify command modifies <attr-spec> so that it takes the value <value-expr>.

NOTE: If <attr-spec> refers to a tagged attribute (tag-int or tag-str) and <value-expr> is a tagged value, the tag of <attr-spec> is not modified; only the value of <attr-spec> is modified.

Examples

Table 27-4 discusses some examples illustrating the use of the modify command.

Table 27-4 Examples Illustrating the Use of the modify Command

Attributes in the Request:
    Reply-Message = "123"
    Reply-Message = "456"
Command:
    modify Reply-Message = "abc"
Result:
    Reply-Message = "123"
    Reply-Message = "abc"

Attributes in the Request:
    Reply-Message = "123"
    Reply-Message = "456"
Command:
    modify Reply-Message = Reply-Message[0]
Result:
    Reply-Message = "123"
    Reply-Message = "123"

Attributes in the Request:
    NAS-Identifier = "abc.def.ghi"
Command:
    modify NAS-Identifier = "wxyz"
Result:
    NAS-Identifier = "wxyz"

Attributes in the Request:
    Tunnel-Password = :2:"abc"
Command:
    modify Tunnel-Password = "def"
Result:
    Tunnel-Password = :2:"def"

Attributes in the Request:
    Tunnel-Password = :2:"abc"
Command:
    modify Tunnel-Password = :4:"ghi"
Result:
    Tunnel-Password = :2:"ghi"

Attributes in the Request:
    Reply-Message = "hello"
    Tunnel-Password = :17:"abc"
Command:
    modify Reply-Message = Tunnel-Password
Result:
    Reply-Message = "abc"
    Tunnel-Password = :17:"abc"

Attributes in the Request:
    Reply-Message = "hello"
    Tunnel-Password = :17:"abc"
Command:
    modify Tunnel-Password = Reply-Message
Result:
    Reply-Message = "hello"
    Tunnel-Password = :17:"hello"

Attributes in the Request:
    NAS-Port = 7
    Reply-Message = "abc"
    Reply-Message = "def"
Command:
    modify NAS-Port = count(Reply-Message[*])
Result:
    NAS-Port = 2
    Reply-Message = "abc"
    Reply-Message = "def"

Attributes in the Request:
    Reply-Message = "abc"
    Reply-Message = "def"
Command:
    modify Reply-Message[0] = Reply-Message[1]
Result:
    Reply-Message = "def"
    Reply-Message = "def"

Attributes in the Request:
    Idle-Timeout = 10
    Xvalue = 20
    Session-Timeout = 100
Command:
    modify Idle-Timeout = Session-Timeout / Xvalue[0]
Result:
    Idle-Timeout = 5
    Xvalue = 20
    Session-Timeout = 100

Attributes in the Request:
    Nas-Port = 2
    Xvalue = 10
Command:
    modify Xvalue = Xvalue + Nas-Port - 5
Result:
    Nas-Port = 2
    Xvalue = 7

The exit Command

Syntax

exit "<event-name>"

Parameters

The <event-name> parameter must be a quoted string and must specify an event that is defined. There are a number of predefined events. You can also define additional events in the FSM file using the %event<name> syntax. For more information on FSM events, see “Event Names” (page 399).

NOTE: Event names are case-insensitive (MyEvent is considered identical with MYEVENT).

Operation

The exit command terminates the evaluation of the policy and returns the named event to the FSM. The use of an undefined event name results in an undefined-event load-time error.

The log Command

Syntax

log "<log-level>" "<log-message>"
log "<log-level>" "<log-message>", <attr-spec>
log "<log-level>" "<log-message>", <attr-spec>, <attr-spec>, ... <attr-spec>

Parameters

• <log-level>: The <log-level> parameter must be a quoted string and a log-level type. Following are the valid log levels:
  — ERROR
  — CRITICAL
  — ALERT
  — WARNING
  — INFO

NOTE: The <log-level> parameter is case-insensitive. For example, ERROR is considered identical with Error.

• <log-message>: The <log-message> parameter must be a quoted string. You can use multiple instances of <attr-spec> and cause all named instances to be reported in the log file. For more information on attribute specifications, see “Attribute Specifications” (page 422). If <attr-spec> refers to an instance that is not present, this is indicated in the log file output.

Operation

Executing the log command results in a message being written to the log file. When attributes are specified, they are appended to the log message. All log output lines include the name of the decision file and the line location of the log command that generated the message. All log output is generated using the standard logging functions, which prepend a timestamp to the output line.

Examples

log "Warning" "This user should not come in through this NAS", User-Name, NAS-IP-Address

Results in the following line in the log file:

<date>: decisionfile://request-ingress.grp(line 100, character 1): This user should not come in through this NAS, RADIUS:User-Name[last]="test_user", RADIUS:NAS-IP-Address[last]=15.146.225.145
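Because every line written by the log command names the decision file, the line of the log command and the attribute values that were requested, these lines are a convenient feed for monitoring which policies fire and from where. The following Python parser is an added example, not HP's code: it turns a line of the format shown above into a record and counts how often a given message fires per NAS-IP-Address. The timestamps, the second NAS address 192.0.2.7 and the user name other_user in SAMPLE_LOG are constructed for the illustration; the parser keeps whatever precedes ": decisionfile://" as the <date> verbatim, because the guide does not show the timestamp format, and it keeps the raw text after "=" for any attribute whose instance was absent, because the guide does not show that marker either. The names PolicyLogEntry, parse_policy_log_line, warnings_per_nas and SAMPLE_LOG are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Shape of a policy log line as shown in this section:
#   <date>: decisionfile://<file>(line N, character M): <message>, NS:Name[inst]=value, ...
# The <date> prefix is whatever the server's logging functions prepend, so it is
# captured verbatim rather than parsed.
LINE_RE = re.compile(
    r"^(?P<date>.*?): decisionfile://(?P<file>[^(]+)"
    r"\(line (?P<line>\d+), character (?P<char>\d+)\): (?P<rest>.*)$")
# Each appended attribute starts with ", <namespace>:<attribute>[<instance>]=".
ATTR_RE = re.compile(r", (?P<ns>\w+):(?P<name>[\w-]+)\[(?P<inst>[^\]]+)\]=")


@dataclass
class PolicyLogEntry:
    date: str
    file: str          # decision file that contains the log command
    line: int          # line of the log command in that file
    char: int
    message: str
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_policy_log_line(text: str) -> Optional[PolicyLogEntry]:
    """Parse one line written by the log command; returns None for other lines."""
    m = LINE_RE.match(text.rstrip("\n"))
    if not m:
        return None
    rest = m["rest"]
    marks = list(ATTR_RE.finditer(rest))
    # The message may itself contain commas, so it ends at the first attribute
    # marker rather than at the first comma.
    message = rest[:marks[0].start()] if marks else rest
    attrs: Dict[str, str] = {}
    for i, mk in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(rest)
        raw = rest[mk.end():end]
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]                      # string values are quoted
        attrs[f"{mk['ns']}:{mk['name']}[{mk['inst']}]"] = raw
    return PolicyLogEntry(m["date"], m["file"], int(m["line"]), int(m["char"]),
                          message, attrs)


def warnings_per_nas(lines: Iterable[str], message: str) -> Dict[str, int]:
    """Count how often a given policy message fired per NAS-IP-Address: a quick
    triage view of which access servers keep tripping the policy."""
    hits: Counter = Counter()
    for ln in lines:
        e = parse_policy_log_line(ln)
        if e and e.message == message:
            hits[e.attrs.get("RADIUS:NAS-IP-Address[last]", "?")] += 1
    return dict(hits)


# Constructed sample lines following the guide's example; the timestamps, the
# second NAS address (192.0.2.7) and other_user are invented for the illustration.
SAMPLE_LOG = [
    '2010-05-01 12:00:01: decisionfile://request-ingress.grp(line 100, character 1): '
    'This user should not come in through this NAS, RADIUS:User-Name[last]="test_user", '
    'RADIUS:NAS-IP-Address[last]=15.146.225.145',
    '2010-05-01 12:00:05: decisionfile://request-ingress.grp(line 100, character 1): '
    'This user should not come in through this NAS, RADIUS:User-Name[last]="other_user", '
    'RADIUS:NAS-IP-Address[last]=192.0.2.7',
    '2010-05-01 12:00:09: decisionfile://request-ingress.grp(line 100, character 1): '
    'This user should not come in through this NAS, RADIUS:User-Name[last]="test_user", '
    'RADIUS:NAS-IP-Address[last]=15.146.225.145',
    '2010-05-01 12:00:10: some unrelated server message',
]

if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        print(parse_policy_log_line(ln))
    print(warnings_per_nas(SAMPLE_LOG, "This user should not come in through this NAS"))
```

Keying the attribute dictionary by the full "NS:Name[inst]" text keeps the instance specification visible, so a policy that logs Reply-Message[*] (several instances) and one that logs Reply-Message[last] are still distinguishable after parsing.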

The if Command

Syntax

• if (<bool-expr>) {<action-list1>} else {<action-list2>}

• if (<bool-expr>) {<action-list>}

Parameters

• <bool-expr>: The <bool-expr> parameter is a Boolean expression.

• <action-list1> and <action-list2>: The <action-list1> and <action-list2> parameters are sequences of action commands that can include additional if commands, nested to an arbitrary depth. When the else clause is omitted, <action-list2> can be considered an empty sequence of action commands.

Operation

The if command first evaluates the Boolean expression <bool-expr>. If <bool-expr> evaluates to true, the sequence of action commands <action-list1> is executed. If <bool-expr> evaluates to false and an else clause is present, the sequence of action commands <action-list2> is executed.

Example 27-2 Examples Illustrating the Use of the if Command

Example 1

The following if statement:

if ( Session-Limit[1] < 30 )
{
    modify Session-Limit[1] = 30
}
else
{
    if ( Session-Limit[1] > 240 )
    {
        modify Session-Limit[1] = 240
    }
}

With the following input:

Session-Limit[0] = 10
Session-Limit[1] = 300

Results in:

Session-Limit[0] = 10
Session-Limit[1] = 240

Example 2

The following if statement:

if ( (NAS-IP-Address = "192.168.1.2") && ((NAS-Identifier = "jack") || (Port-Limit > 20)) )
{
    exit "NAK"
}

With the following input:

NAS-IP-Address = "192.168.1.2"
NAS-Identifier = "fred"
Port-Limit = 23

Results in:

A NAK event is returned to the FSM. Depending on the FSM, the request may be rejected.

Example 3

The following if statement:

if ( Idle-Timeout * 10 = Session-Timeout + Xvalue )
{
    exit "ACK"
}

With the following input:

Idle-Timeout = 10
Session-Timeout = 90
Xvalue = 10

Results in:

An ACK event is returned to the FSM.

Attribute Specifications

You can use the following keywords to specify an attribute:

• “Attribute Names.”
• “Vendor Names.”
• “Attribute Instance Specifications.”
• “No Instance Specification.”
• “Numeric Instance Specification.”
• “Keyword Instance Specification” (page 423)

The following sections describe these keywords in detail.

Attribute Names

Attribute names defined in the server's dictionary file can be used. Attribute names are case-insensitive. For example, Reply-Message is considered identical with REPLY-MESSAGE. For more information on attribute names, see “The dictionary File” (page 531).

Vendor Names

If multiple vendors have used the same name to define an attribute, you must differentiate these names by prefixing the vendor's name to that of the attribute in the following format:

<vendor-name>:<attribute-name>

Vendor names are defined in the server's vendors file. For more information on vendor names and the syntax of vendor names in the vendors file, see “The vendors File” (page 538).

Attribute Instance Specifications

A given attribute can have more than one instance on the request. As a result, you must specify the instance of a given attribute that is of interest. You must also specify the absolute location of an attribute instance (for example, when inserting an attribute name).

Attribute instance specifications are provided using the [] syntax, after the attribute name. The instance of interest is indicated inside the square brackets ([]). You can specify an attribute instance in one of the following ways:

• “No Instance Specification.”
• “Numeric Instance Specification.”
• “Keyword Instance Specification” (page 423)

While specifying attribute instance specifications, ensure that there is no white space around or between the square brackets ([]).

No Instance Specification

You need not specify a specific instance if it is of no consequence. The no instance specification is equivalent to specifying the last keyword. For more information on the last keyword, see “Keyword Instance Specification.”

Numeric Instance Specification

When a specific instance is required, you can specify it numerically. Instances are numbered from 0 (the first instance). Negative instance numbers are not allowed.

Keyword Instance Specification

When a specific instance is required, it can be specified using one of the following keywords, or by using the asterisk (*) symbol:

• The begin keyword: If you want to specify an attribute instance located at the beginning of the list, use the begin keyword. This keyword is supported only by the insert command, on the left side of the = operator. Following is an example of a correctly formatted keyword instance specification:

insert Reply-Message[begin] = "This is first"

For more information on the insert command, see “The insert Command” (page 415). Using the begin keyword with other commands results in an invalid-instance-specification load-time error.

• The last keyword: If you want to specify the last instance of an attribute, use the last keyword. Following is an example of a correctly formatted keyword instance specification:

Reply-Message[last]

NOTE: This is the default value if no keyword is specified.

• The asterisk keyword: If you want to specify all instances of an attribute, use the asterisk (*) symbol. The following example specifies all instances of the Reply-Message attribute:

Reply-Message[*]

This format is supported only by the delete command, the log command, and the count() attribute function. Using this format in unsupported contexts results in an invalid-instance-specification load-time error. For more information on the delete and log action commands, see “The delete Command” (page 414) and “The log Command” (page 419). For more information on the count() attribute function, see “The count Attribute Function” (page 424).

Attribute Functions

Following are the supported attribute functions:

• “The count Attribute Function” (page 424)
• “The length Attribute Function” (page 424)
• “The strcat Attribute Function” (page 425)
• “The substr Attribute Function” (page 426)
• “The tolower Attribute Function” (page 429)
• “The toupper Attribute Function” (page 430)

The following sections describe these attribute functions in detail.

The count Attribute Function

Syntax

count (<attr-spec>)

Parameters

The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422). Numeric instances, last, and * can be used as the instance specification in the argument to the count attribute function. If no instance specification is given, last is taken as the default. Attribute functions cannot be used as arguments to the count function.

Operation

Returns an integer value that indicates the number of instances, as follows:

• If <attr-spec> refers to the * instance, then count() yields the total number of <attr-spec> instances present.
• If <attr-spec> refers to a specific instance that is present, then count() yields the value 1.
• If <attr-spec> refers to an instance that is not present, then count() yields the value 0.

The length Attribute Function

Syntax

length (<attr-spec>)

Parameters

The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).

Operation

Returns an integer value that indicates the number of characters in the string attribute. For a tag-str attribute, the tag octet is not included. If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.

The strcat Attribute Function

Syntax

strcat (<value-expr>, <value-expr>)

Parameters

The <value-expr> parameter is a value expression. It can be a string value specification, a string attribute specification, or an attribute function that returns a string value. For more information, see “Attribute Specifications” (page 422), “Value Types” (page 430), and “Attribute Functions” (page 424).

Operation

Returns a string value that is the concatenation of the value expressions passed to the strcat function. For a tag-str attribute, the tag octet is not included. If <value-expr> refers to an instance that is not present, then a no-such-instance run-time error is generated. Table 27-5 illustrates the usage of the strcat attribute function.

Table 27-5 Examples of the strcat Attribute Function

Attributes in the Request:
    Reply-Message = "123"
Command:
    insert Reply-Message = strcat (Reply-Message, "456")
Result:
    Reply-Message = "123"
    Reply-Message = "123456"

Attributes in the Request:
    Reply-Message = "123"
    Tunnel-Password = :2:"abc"
    Tunnel-Password = :2:"def"
Command:
    modify Tunnel-Password[0] = strcat( Tunnel-Password, Reply-Message )
Result:
    Reply-Message = "123"
    Tunnel-Password = :2:"def123"
    Tunnel-Password = :2:"def"

Attributes in the Request:
    Reply-Message = "123"
    Tunnel-Password = :2:"abc"
Command:
    insert Reply-Message = strcat ( substr( Tunnel-Password after "a" ), Reply-Message )
Result:
    Reply-Message = "123"
    Tunnel-Password = :2:"abc"
    Reply-Message = "bc123"

Attributes in the Request:
    Reply-Message = "123"
    Tunnel-Password = :2:"abc"
Command:
    modify Reply-Message = strcat ( Reply-Message, toupper( Tunnel-Password ) )
Result:
    Reply-Message = "123ABC"
    Tunnel-Password = :2:"abc"

Attributes in the Request:
    Reply-Message = "123"
    Tunnel-Password = :2:"ABC"
Command:
    insert Tunnel-Password = strcat ( tolower( Tunnel-Password ), Reply-Message )
Result:
    Reply-Message = "123"
    Tunnel-Password = :2:"ABC"
    Tunnel-Password = :0:"abc123"

Attributes in the Request:
    Reply-Message = "123"
    Tunnel-Password = :2:"abc"
Command:
    modify Tunnel-Password = strcat( Reply-Message, strcat ( "456", Tunnel-Password ) )
Result:
    Reply-Message = "123"
    Tunnel-Password = :2:"123456abc"

The substr Attribute Function

The substr function can be used with the following keywords:

• “The offset Keyword” (page 426)
• “The before Keyword” (page 427)
• “The after Keyword” (page 428)

The following sections describe these keywords in detail.

The offset Keyword

Syntax

substr (<attr-spec> offset <start>)
substr (<attr-spec> offset <start> length <number>)

Parameters

Following are the parameters for the offset keyword:

• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
• <start>: Specifies the offset from the beginning of the string to the first character of the desired substring. It must be a non-negative integer constant.
• <number>: The optional length of the desired substring. It must be a non-negative integer constant.

NOTE: If length <number> is not present, then the length defaults to the remainder of the string.

Operation

Returns the requested substring with the same type as the source. If the offset is off the end of the string, then substr returns an empty string.

Example 27-3 Examples Illustrating the Use of the offset Keyword

If Reply-Message = "a string of characters", then:

Example 1

substr ( Reply-Message offset 0 length 8 )

returns the following string:

a string

Example 2

substr ( Reply-Message offset 16 length 82 )

returns the following string:

acters

Example 3

substr ( Reply-Message offset 12 )

returns the following string:

characters

Example 4

substr ( Reply-Message offset 32 )

returns an empty string.

NOTE: If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.

The before Keyword

Syntax

substr (<attr-spec> before "<before-string>")
substr (<attr-spec> before last "<before-string>")

Parameters

Following are the parameters for the before keyword:

• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
• <before-string>: Must be a quoted string constant.

Operation

Returns the requested substring with the same type as the source. If before is specified, the substring runs from the beginning of the string up to, but not including, the first occurrence of <before-string>. If before last is specified, the substring runs from the beginning of the string up to, but not including, the last occurrence of <before-string>.

NOTE: In either form, if <before-string> is not found, the entire string is returned.

Example 27-4 Examples Illustrating the Use of the before Keyword

If Reply-Message = "a string of characters", then:

Example 1

substr ( Reply-Message before " of" )

returns the following string:

a string

Example 2

substr ( Reply-Message before last " " )

returns the following string:

a string of

Example 3

substr ( Reply-Message before "not-there" )

returns the entire string.

NOTE: If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.

The after Keyword

Syntax

substr (<attr-spec> after "<after-string>")
substr (<attr-spec> after last "<after-string>")

Parameters

Following are the parameters for the after keyword:

• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
• <after-string>: Must be a quoted string constant.

Operation

Returns the requested substring with the same type as the source. If after is specified, the substring starts after the first occurrence of <after-string>. If after last is specified, the substring starts after the last occurrence of <after-string>. If <after-string> is not found, the empty string is returned.

Example 27-5 Examples Illustrating the Use of the after Keyword

If Reply-Message = "a string of characters", then:

Example 1

substr ( Reply-Message after " of" )

returns the following string (note the leading space):

" characters"

Example 2

substr ( Reply-Message after last " " )

returns the following string:

characters

Example 3

substr ( Reply-Message after "not-there" )

returns an empty string.

NOTE: If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.

The tolower Attribute Function

Syntax

tolower (<attr-spec>)

Parameters

• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).

Operation

Returns the string value converted to lowercase, with the same type as the source. If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.

The toupper Attribute Function

Syntax

toupper (<attr-spec>)

Parameters

• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).

Operation

Returns the string value converted to uppercase, with the same type as the source. If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.
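The strcat, substr, tolower and toupper rules above, as an added Python model that is not part of the guide or of the server: string values are carried as (tag, characters) pairs so that the "tag octet is not included" rule and the "same type as the source" rule are visible in the results. The examples() function replays Examples 27-3 to 27-5 and three rows of Table 27-5. The StrVal alias, the function names and the examples() helper are constructed for this illustration; the keyword arguments of substr mirror the page's offset, length, before, after and last keywords.

```python
from typing import Optional, Tuple

# A string value is modelled as (tag, characters). tag is None for plain string
# attributes and an int for tag-str attributes such as Tunnel-Password, so the
# rule that the tag octet is not part of the characters can be shown.
StrVal = Tuple[Optional[int], str]


def length(s: StrVal) -> int:
    """length(): number of characters; the tag octet of a tag-str is not counted."""
    return len(s[1])


def strcat(a: StrVal, b: StrVal) -> StrVal:
    """strcat(): concatenation of the characters only. The result is a plain
    string value, which is why inserting it into Tunnel-Password yields tag 0
    in Table 27-5."""
    return (None, a[1] + b[1])


def tolower(s: StrVal) -> StrVal:
    """tolower(): lowercase characters, same type (and therefore tag) as the source."""
    return (s[0], s[1].lower())


def toupper(s: StrVal) -> StrVal:
    """toupper(): uppercase characters, same type (and therefore tag) as the source."""
    return (s[0], s[1].upper())


def substr(s: StrVal, *, offset: Optional[int] = None, length: Optional[int] = None,
           before: Optional[str] = None, after: Optional[str] = None,
           last: bool = False) -> StrVal:
    """substr() with the offset, before and after keywords; last=True selects the
    'before last' / 'after last' forms. The result has the same type as the source."""
    tag, text = s
    if offset is not None:
        if offset < 0 or (length is not None and length < 0):
            raise ValueError("offset and length must be non-negative constants")
        # An offset or length past the end simply yields less text (or nothing),
        # which is what Python slicing does as well.
        out = text[offset:] if length is None else text[offset:offset + length]
    elif before is not None:
        i = text.rfind(before) if last else text.find(before)
        out = text if i < 0 else text[:i]             # not found: whole string
    elif after is not None:
        i = text.rfind(after) if last else text.find(after)
        out = "" if i < 0 else text[i + len(after):]  # not found: empty string
    else:
        raise ValueError("one of offset, before or after is required")
    return (tag, out)


def examples() -> dict:
    """Replay Examples 27-3 to 27-5 and three rows of Table 27-5."""
    rm = (None, "a string of characters")
    reply, tunnel = (None, "123"), (2, "abc")
    return {
        "offset 0 length 8": substr(rm, offset=0, length=8)[1],
        "offset 16 length 82": substr(rm, offset=16, length=82)[1],
        "offset 12": substr(rm, offset=12)[1],
        "offset 32": substr(rm, offset=32)[1],
        'before " of"': substr(rm, before=" of")[1],
        'before last " "': substr(rm, before=" ", last=True)[1],
        'before "not-there"': substr(rm, before="not-there")[1],
        'after " of"': substr(rm, after=" of")[1],
        'after last " "': substr(rm, after=" ", last=True)[1],
        'after "not-there"': substr(rm, after="not-there")[1],
        # Table 27-5: strcat ( substr( Tunnel-Password after "a" ), Reply-Message )
        "strcat(substr(after a), Reply-Message)": strcat(substr(tunnel, after="a"), reply),
        # Table 27-5: strcat ( Reply-Message, toupper( Tunnel-Password ) )
        "strcat(Reply-Message, toupper(Tunnel-Password))": strcat(reply, toupper(tunnel)),
        # Table 27-5: strcat( Reply-Message, strcat ( "456", Tunnel-Password ) )
        "nested strcat": strcat(reply, strcat((None, "456"), tunnel)),
    }
```

The model is deliberately strict about negative offsets and lengths, matching the page's requirement that both be non-negative constants; on the server that is a load-time check on the policy file rather than a run-time one.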

Value Types

You can specify the following value types for attributes:

• Integer Values: Integer values can be specified as decimal integers, including a leading '-' sign. They can also be specified as hexadecimal integers prefixed with 0x, in which case they are treated as unsigned. A tag can also be specified by prefixing the :tag: syntax to the value. The tag value must be in the range 0 to 31.

NOTE: Integer values can be used with integer, tag-int, and short type attributes.

• Named Integer Values: Named integer values defined in the server's dictionary file can be specified by enclosing these values in double quotes.

NOTE: Named integer values can only be used with attributes of type integer and tag-int that have defined name values in the dictionary.

• String Values: String values are enclosed in double quotes ("). Tags can be specified by prefixing the :tag: syntax to the value.

NOTE: String values can be used with string, tag-str, and octets type attributes.

• IP Address Values: IP address values are enclosed in double quotes ("), and specified using standard dotted-quad notation (in the case of IPv4 addresses) or colon notation (in the case of IPv6 addresses). Using an invalid IP address results in a syntax-error load-time error.

NOTE: IP address values can be used only with attributes of type ipaddr, ipv6addr, ifid, and ipv6prefix.

• Date Values: You can compare and copy the value of date type attributes. However, you cannot specify date value constants. The use of a constant value in conjunction with a date type attribute results in a syntax-error load-time error.

Arithmetic Expressions

Integer type attributes, attribute functions returning integer type, and integer values can be combined to form arithmetic expressions. The attribute types that qualify as integer type are integer, short, octet, and tag-int. The supported operations are addition, subtraction, multiplication, and division. Table 27-6 “Supported Arithmetic Operators” lists the arithmetic operators that are supported in the policy files.

Table 27-6 Supported Arithmetic Operators

Operator    Description
+           Addition
-           Subtraction and negation
*           Multiplication
/           Division

Arithmetic Operator Precedence and Association

Following are the precedence and association rules:

• Precedence Rules: Following are the precedence rules in decreasing order:
  — ( )
  — - (negation)
  — * /
  — + -

• Association Rules:
  — + - left-to-right
  — * / left-to-right
  — - (negation) non-associative

The following example illustrates the use of arithmetic expressions.

Example 27-6 Using arithmetic expressions

Example 1

insert Xvalue = Xvalue + 10
insert Nas-Port = Nas-Port + Xvalue[0]
modify Xvalue = count( Framed-IP-Address[*] ) + Tunnel-Type
modify Acct-Session-Time = ( Session-Timeout + Idle-Timeout ) * ( Xvalue - 10 )
if ( Acct-Session-Time + 10 = Session-Timeout + Idle-Timeout )
{
    modify Acct-Session-Time = Acct-Session-Time / 10
}
if ( count( Login-IP-Host ) * Login-TCP-Port != Xvalue * 10 )
{
    insert Login-TCP-Port = Login-TCP-Port + 1
}

Supported Boolean Operators

Table 27-7 lists the operators you can use to create an expression with various combinations of A-V pairs.

Table 27-7 Supported Boolean Operators

Operator    Description
=           Equal to
!=          Not equal to
<           Less than
<=          Less than or equal to
>           Greater than
>=          Greater than or equal to
&&          Logical and
||          Logical or
!           Logical not

You can also use parentheses to nest expressions.

Boolean Operator Precedence and Association

When multiple operators appear in a Boolean expression, the following precedence and association rules are applied:

• Precedence Rules: Following are the precedence rules in decreasing order:
  — ( )
  — !
  — <, >, <=, >=
  — !=
  — &&
  — ||
  — =

• Association Rules:
  — && left-to-right
  — || left-to-right
  — ! right

The following examples illustrate the rules of precedence:

Example 27-7 Examples Illustrating Precedence Rules

Example 1

The Boolean expression:

Reply-Message = "hello" && NAS-Port > 7 || Reply-Message = "goodbye" || Reply-Message = "nothing"

is fully parenthesized as:

( ( (Reply-Message = "hello") && (NAS-Port > 7) ) || (Reply-Message = "goodbye") ) || (Reply-Message = "nothing")

and is evaluated as:

if ( Reply-Message = "hello" )
    if ( NAS-Port > 7 )
        return true
if ( Reply-Message = "goodbye" )
    return true
if ( Reply-Message = "nothing" )
    return true
return false

Example 2

The Boolean expression:

Reply-Message = "goodbye" || ! Reply-Message = "hello" && NAS-Port > 7

is fully parenthesized as:

( (Reply-Message = "goodbye") || ( ! (Reply-Message = "hello") ) ) && (NAS-Port > 7)

and is evaluated as:

if ( Reply-Message = "goodbye" )
    if ( NAS-Port > 7 )
        return true
    else
        return false
else if ( Reply-Message = "hello" )
    return false
else if ( NAS-Port > 7 )
    return true
else
    return false

Type Compatibility

Table 27-8 lists the compatible attribute types.

Table 27-8 Compatible Attribute Types

Value Type: Integer-value
    Compatible attribute types: integer, tag-int, short, octet

Value Type: String-value
    Compatible attribute types: string, tag-str, octets

Value Type: Date-value
    Compatible attribute types: date

Value Type: IP-address-value
    Compatible attribute types: ipaddr, ipv6addr, ifid, ipv6prefix

You must not mix attributes from different value-type groups, because this can cause a type mismatch load-time error.

Invoking a Policy

You can invoke a policy using one of the following methods:
• “Invoking Policies Through Predefined Policy Hooks.”
• “Modifying the FSM for Specific Customizations” (page 441)

This section also discusses the commonly used attributes for specifying policies.

Invoking Policies Through Predefined Policy Hooks

The following predefined hooks can be used to invoke policies without modifying the FSM:
• “Request Ingress Policy.”
• “User Policy” (page 436)
• “Reply Egress Policy” (page 437)
• “Proxy Egress Policy” (page 438)
• “Proxy Ingress Policy” (page 439)

Request Ingress Policy

Request ingress policy can be configured in the request-ingress.grp decision file in the server's configuration directory. The policy configured in this file is applied as the first step in the FSM, before the request is dispatched for processing. The request ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, changed, or removed.
• The request classification may be altered.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.

Figure 27-1 (page 436) illustrates the flow of the request ingress policy.

Figure 27-1 Flow of the Request Ingress Policy

User Policy

After authentication, all requests are subjected to user policy. The user policy is applied only after successful authentication. A user policy can be specified in a Policy-Pointer attribute on the request, either as a check item or a reply item.

If the Policy-Pointer attribute is found in the check items, then the HP-UX AAA Server does not look for one in the reply items. The value of the Policy-Pointer attribute must specify the URL for the decision file to be evaluated.

If a request contains a Policy-Pointer attribute, either as a check item or a reply item, the specified policy is applied. If the request does not contain a Policy-Pointer, then no user policy is applied. In this case, the POLICY action returns an ACK event to the FSM.

Figure 27-2 illustrates the flow of the user policy.


Figure 27-2 Flow of the User Policy

Invoking Policy from User Profiles

In the user profile (which can be the local users file, LDAP, or SQLAccess), add a Policy-Pointer as a check or reply item with the full pathname of the decision file containing the group authorization policies. Enclose the pointer in single or double quotes. The Policy-Pointer string cannot be more than 63 characters in length. For example:

    carl    Password = carl, Policy-Pointer = "decisionfile://path-to-file"

or

    fred    Password = fred
            Policy-Pointer = "decisionfile://path-to-file"

Reply Egress Policy

Reply egress policy can be defined in the reply-egress.grp decision file in the server's configuration directory. The reply egress policy is applied as the final step in the FSM, just before the RADIUS reply message is created and sent. The reply egress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The reply type may be changed.
• The request may be dropped entirely and no reply is sent.

NOTE: If the client is defined as type=NAS or type=PROXY+PRUNE (possibly including vendors), the pruning rules specified in the dictionary file are applied according to the reply type that was in effect before the reply-egress policy is evaluated.

Figure 27-3 (page 438) illustrates the flow of information in the reply egress policy.


Figure 27-3 Flow of the Reply Egress Policy

Proxy Egress Policy

Proxy egress policy can be defined in the proxy-egress.grp decision file in the server's configuration directory. The proxy egress policy is applied before the RADIUS proxy request message is created and sent. The proxy egress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
• The proxy target host may be changed.

IMPORTANT: Do not modify or remove any Proxy-State or Proxy-Action A-V pairs, because doing so can interfere with the proxy functionality.

Figure 27-4 (page 439) illustrates the flow of the proxy egress policy.


Figure 27-4 Flow of the Proxy Egress Policy

Proxy Ingress Policy

Proxy ingress policy can be defined in the proxy-ingress.grp decision file in the server's configuration directory. The proxy ingress policy is applied after the proxy response is received. The proxy ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The reply type may be altered.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.

Figure 27-5 (page 440) illustrates the flow of the proxy ingress policy.


Figure 27-5 Flow of the Proxy Ingress Policy

Useful Attributes for Policy Conditions

Table 27-9 lists and describes attributes that are typically used for policy group conditions or replies.

Table 27-9 Attributes Typically Used in Policy Group Conditions and Replies

Attribute / Description

Interlink-Packet-Code
    This attribute contains the code from the RADIUS packet header. It can have an Access-Request or an Accounting-Request value.

Interlink-Proxy-Action
    This attribute contains an event which indicates the type of the request. This is also the event which will be delivered to the FSM (as per the default FSM). If this policy returns ACK, it can have one of the following values:
    • AUTHEN - This value indicates a normal access request.
    • AUTH_ONLY - This value indicates an Authenticate-Only type request.
    • AUTHENTICATE - This value indicates a proxied access request, or an inner authentication request in the case of tunneled EAP methods like TTLS or PEAP.
    • ACCT - This value indicates an accounting request.
    • LAS_ACCT - This value indicates a proxied accounting request.
    • MGT_POLL - This value indicates a server status request (radcheck request).

Interlink-Request-Type
    This attribute contains information about whether this is a normal request or a continuation of an in-progress EAP conversation. It can have a REQUEST or CONTINUATION value.

Interlink-Reply-Status
    This attribute contains the reply status. It can have one of the following values:
    • ACK - This results in an Access-Accept response being sent for an Access-Request and an Accounting-Response for an Accounting-Request.
    • ACC_CHAL - This results in an Access-Challenge response being sent for an Access-Request. No response is sent for an Accounting-Request.
    • NAK - This results in an Access-Reject response being sent for an Access-Request. No response is sent for an Accounting-Request.

Interlink-Proxy-Target
    This attribute contains the name of the proxy target, which is normally configured in one of the authfiles. The proxy target can be overridden in this policy file by modifying this attribute.

User-ID
    Contains the userid portion of the NAI (userid@realm) after the server parses the NAI.

User-Realm
    Contains the realm portion of the NAI (userid@realm) after the server parses the NAI.

Time-of-Day
    A string that contains the time of day when the request was received. It uses a 24-hour clock in the hh:mm format.

Day-Of-Week
    An integer that represents the day of the week when the request was received, where 0 represents Sunday and 6 represents Saturday.

Date-Time
    A string that contains the date and time when the request was received. It uses a 24-hour clock in the yyyy:mm:dd:hh:mm format.

Modifying the FSM for Specific Customizations

To invoke policies from within the FSM, you must use the POLICY AATV. The policy to be evaluated must be passed in the xstring parameter. The xstring parameter uses the following URL syntax:

    decisionfile://<name of decision file>

For example, if MyPolicy.policy is a decision file present in the configuration directory, then use the following URL as the value of the xstring parameter for the POLICY AATV to invoke this policy:

    decisionfile://MyPolicy.policy

For more information on FSM modifications and the xstring parameter, see Chapter 26 (page 396).


When a policy is evaluated, it can return an event to the FSM to direct the subsequent processing of a request. The policy can return events to the FSM in the following ways:
• Exit Command: Using the Exit command terminates the evaluation of the policy. The specified event is returned to the FSM.
• Default Event: If evaluation of a decision file reaches the end without encountering an Exit command, the default event is returned to the FSM. The default event is ACK.
• Error Conditions: When an error occurs, an ERROR event is returned to the FSM.

Sample Policy Implementations

HP-UX AAA Server A.08.01 contains sample FSM and decision files to support policies for the following implementations:
• “Dynamic Access Control.”
• “DNIS Routing” (page 444)

The following sections discuss these implementations in detail.

Dynamic Access Control

Dynamic Access Control (DAC) enables you to provide different levels of network access to the same users depending on the following:
• Access periods
• Account and password expiry date and time

Dynamic Access Control uses three Interlink-specific attributes to check the values in user requests. Table 27-10 describes the Interlink-specific attributes used by DAC.

Table 27-10 Interlink-specific Attributes Used by DAC

Attribute / Description

Time-of-Day
    A string that contains the time of day when the request was received. It uses a 24-hour clock in hh:mm format.

Day-Of-Week
    An integer that represents the day of the week when the request was received, where 0 represents Sunday and 6 represents Saturday.

Date-Time
    A string containing the date and time when the request was received. It uses a 24-hour clock in yyyy:mm:dd:hh:mm format.

To implement the sample policy for Dynamic Access Control, you must complete the following steps:
• “Step 1 – Modifying the Default FSM for DAC.”
• “Step 2 – Defining the DAC Policies” (page 443)

Step 1 – Modifying the Default FSM for DAC

To modify the default radius.fsm file for DAC, complete the following steps:

1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DAC.fsm. For example, if the server's configuration directory is /etc/opt/aaa (so that the file is /etc/opt/aaa/radius.fsm), then enter the following command:

    # cp /opt/aaa/examples/config/DAC.fsm /etc/opt/aaa/radius.fsm

NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.

IMPORTANT: If you are using a different decision file than the supplied DAC.grp decision file, change the CheckDAC state so that the POLICY action calls the DAC decision file. For example,

    CheckDAC: *.*.ACK POLICY AuthWait Xstring=decisionfile://DAC.grp

2. Copy the sample decision file /opt/aaa/examples/config/DAC.grp to the server's configuration directory using the following command:

    # cp /opt/aaa/examples/config/DAC.grp /etc/opt/aaa/

Step 2 – Defining the DAC Policies

The default DAC.grp decision file contains sample entries. You must edit the DAC.grp decision file to define your DAC policies. To edit the DAC.grp decision file, complete the following steps:

1. Modify each group in the DAC.policy file according to your implementation requirements. For example,

    # Daytime Access Check
    if ( (Access-Group = "daytime") && ((Time-Of-Day >= "06:00") && (Time-Of-Day <= "20:00")) ) {
        insert Reply-Message = "Daytime access allowed"
        exit "ACK"
    }

NOTE: The Reply-Message reply item attribute may not be returned if the user is authenticated using a tunneled EAP method.

Comment out any condition you do not need by placing a hash symbol (#) before each line. The last line must remain unchanged so that a user who does not match one of the conditions is rejected.

2. If you rename the DAC.grp file, move it to the server's configuration directory and edit radius.fsm so that the CheckDAC state Xstring parameter points to the correct file name.
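The condition syntax from “Boolean Operator Precedence and Association”, the default ACK event, and the DAC group shown in Step 2 can be exercised offline with a small evaluator. This is an added example, not HP's code or the server's own parser; it assumes that the comparison operators bind more tightly than !, && and || (the grouping the fully parenthesized form of Example 1 shows), that a comparison on an attribute the request does not carry is false, and that the decision file's catch-all last line is a bare exit "NAK" (the page does not show that line).

```python
"""Mini evaluator for HP-UX AAA Server decision files (constructed example, not the product's parser)."""
from operator import eq, ne, lt, gt, le, ge
import re

# Token alternatives: comment, operator or punctuation, quoted string, bare word, anything else.
_TOKEN = re.compile(r'(#[^\n]*)|(&&|\|\||<=|>=|!=|[()<>=!{}])|"([^"]*)"|([A-Za-z0-9][\w:.-]*)|(\S)')
_CMP = {"=": eq, "!=": ne, "<": lt, ">": gt, "<=": le, ">=": ge}

def tokenize(text):
    """Return (kind, value) pairs; comments are dropped and bare integers become ints."""
    out = []
    for _, op, s, w, junk in (m.groups() for m in _TOKEN.finditer(text)):
        if junk:
            raise SyntaxError(f"unexpected {junk!r}")
        if op or w:
            out.append(("op", op) if op else ("int", int(w)) if w.isdigit() else ("word", w))
        elif s is not None:
            out.append(("str", s))
    return out

def _take(t, kind=None, value=None):
    """Pop the next token after checking its kind and/or value."""
    if not t or (kind and t[0][0] != kind) or (value and t[0][1] != value):
        raise SyntaxError(f"expected {value or kind or 'a value'}, got {t[:1]}")
    return t.pop(0)[1]

# Binding strength, tightest first: comparison, !, &&, || (the grouping the fully
# parenthesized form of Example 1 on the page shows); && and || group left-to-right.
def _chain(t, op, sub):
    node = sub(t)
    while t and t[0] == ("op", op):
        t.pop(0)
        node = (op, node, sub(t))
    return node

def _not(t):
    if t and t[0] == ("op", "!"):
        t.pop(0)
        return ("!", _not(t))
    if t and t[0] == ("op", "("):
        t.pop(0)
        node = _cond(t)
        return (_take(t, "op", ")"), node)[1]      # consume ")" and return the inner node
    attr, op = _take(t, "word"), _take(t, "op")
    if op not in _CMP or not t or t[0][0] not in ("str", "int"):
        raise SyntaxError(f"bad comparison after {attr}")
    return ("cmp", op, attr, t.pop(0)[1])

_cond = lambda t: _chain(t, "||", lambda t: _chain(t, "&&", _not))

def evaluate(node, request):
    """Evaluate a parsed condition; a comparison on an attribute the request lacks is False (assumption)."""
    if node[0] == "cmp":
        return node[2] in request and _CMP[node[1]](request[node[2]], node[3])
    if node[0] == "!":
        return not evaluate(node[1], request)
    left = evaluate(node[1], request)
    return (left and evaluate(node[2], request)) if node[0] == "&&" else (left or evaluate(node[2], request))

def _statement(t, reply):
    """Run one insert or exit statement; return the exit event, or None for insert."""
    if t and t[0] == ("word", "insert"):
        t.pop(0)
        attr, _, value = _take(t, "word"), _take(t, "op", "="), _take(t)
        reply[attr] = value
        return None
    _take(t, "word", "exit")
    return _take(t, "str")

def run_decision_file(text, request):
    """Walk the groups top to bottom; return (event, reply_items). No exit before the end yields ACK (the page's default)."""
    t, reply = tokenize(text), {}
    while t:
        if t[0] == ("word", "if"):
            t.pop(0)
            _take(t, "op", "(")
            matched = evaluate(_cond(t), request)
            _take(t, "op", ")")
            _take(t, "op", "{")
            while not (t and t[0] == ("op", "}")):     # a non-matching body is parsed, then discarded
                event = _statement(t, reply if matched else {})
                if event and matched:
                    return event, reply
            t.pop(0)
        else:
            event = _statement(t, reply)                # top-level insert or exit (the catch-all)
            if event:
                return event, reply
    return "ACK", reply

# Constructed DAC.grp in the form Step 2 shows; the closing catch-all line is an assumption.
DAC_GRP = """# Daytime Access Check
if ( (Access-Group = "daytime") && ((Time-Of-Day >= "06:00") && (Time-Of-Day <= "20:00")) ) {
    insert Reply-Message = "Daytime access allowed"
    exit "ACK"
}
exit "NAK"
"""
```

Commenting out the final exit "NAK" in DAC_GRP and re-running the same out-of-hours request shows why the page insists that the last line stay: a request that matches no group then reaches the end of the file without an exit and receives the default ACK.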


DNIS Routing

In a typical DNIS routing scheme, requests are handled according to the Calling-Station-Id and Called-Station-Id attributes. The POLICY action matches the Calling-Station-Id and Called-Station-Id attribute values in the Access-Request to the conditions defined in the DNIS decision file, and returns the matching policy group reply items and the FSM events Forward and Abandon. The required events and states are defined in the DNIS.fsm file delivered with the server.

To implement the sample policy for DNIS Routing, complete the following steps:
• “Step 1 – Modifying the Default FSM for DNIS Routing.”
• “Step 2 – Defining the DNIS Routing Policies” (page 444)

Step 1 – Modifying the Default FSM for DNIS Routing

To modify radius.fsm to support DNIS routing, complete the following steps:

1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DNIS.fsm. For example, if the server's configuration directory is /etc/opt/aaa (so that the file is /etc/opt/aaa/radius.fsm), then enter the following command:

    # cp /opt/aaa/examples/config/DNIS.fsm /etc/opt/aaa/radius.fsm

NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.

2. Modify the Start4 state, as shown below, so that the Xstring parameter points to the fully qualified domain name or IP address of the server to which you are forwarding requests. The server must be listed in the HP-UX AAA server's clients file. The clients file entry is needed to obtain the shared secret. For more information, see Chapter 7 (page 100) and Chapter 9 (page 117). For more information on the clients file, see “The clients File” (page 526).

    Start4: *.*.Forward RAD2RAD Start4a Xstring=192.168.0.0

3. Save and close the radius.fsm file.

4. Copy the sample decision file /opt/aaa/examples/config/DNIS.grp to the HP-UX AAA server's configuration directory using the following command:

    # cp /opt/aaa/examples/config/DNIS.grp /etc/opt/aaa/

Step 2 – Defining the DNIS Routing Policies

You must edit the DNIS.grp file to define DNIS routing policies. To edit the DNIS.grp file, complete the following steps:


1. Edit the DNIS.grp decision file to reflect your station-based access policies. For example, to change the Calling-Station and Called-Station numbers in the Controlled Access condition, edit the DNIS.grp file as follows:

    # Controlled Access
    if ( (Calling-Station-Id = "7341234567") || (Called-Station-Id = "7341236543") ) {
        exit "Forward"
    }

You can add further attributes to these access groups if your policies require that other conditions must be met. Comment out any condition you do not need by placing a hash symbol (#) before each line. The last line must remain unchanged so that it authenticates a user who does not match one of the other conditions.

2. If you rename the DNIS.grp file, move it to the HP-UX AAA server's configuration directory and edit radius.fsm so that the Start3 state Xstring parameter points to the correct file name.


28 Customizing the HP-UX AAA Server Using the SDK

This chapter describes how to use the Software Developer's Kit (SDK) to customize the HP-UX AAA Server. This chapter addresses the following topics:
• “SDK Overview.”
• “Migrating Plug-ins Created Using Previous Versions of the SDK” (page 448)
• “Prerequisites for Using the SDK” (page 448)
• “SDK Directory Structure” (page 448)
• “SDK Concepts” (page 448)
  — “Overview of AATVs” (page 448)
  — “AATV Components” (page 449)
• “Creating Plug-ins” (page 450)
  — “Using AATVs to Create a Plug-in” (page 451)
  — “Compiling and Loading a Plug-in” (page 452)
  — “Testing and Debugging a Plug-in” (page 453)
• “Creating Plug-ins for AATVs” (page 454)

For information on the header files, data structures, and APIs included with the SDK, see Appendix D (page 579).

SDK Overview

The SDK is a tool that enables you to customize the way the HP-UX AAA Server processes RADIUS requests. This kit is particularly useful for creating plug-ins to extend or even replace server processes, such as how an authentication or accounting request is handled. Using this SDK, you can create plug-ins to handle tasks such as customized logging of accounting requests, and pre- and post-authentication tasks.

Example 28-1 illustrates how to use an SDK plug-in to customize authentication and authorization services.


Example 28-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX AAA Server SDK

In this example, a service provider wants to implement a service where blocks of connect time are purchased in advance. In addition to being authenticated, each user must be authorized based on his or her account balance. Only those users with a positive balance are granted network access, and their session is limited to the time equivalent of their balance at the time they are authenticated. Figure 28-1 (page 447) shows how the plug-in works.

Figure 28-1 SDK Plug-in Example

Two tasks (AATVs) are identified to implement this service. You can create a single software module with an AATV for both the tasks or you can create two software modules with each containing a single AATV. The first task authenticates and authorizes the user as a part of the RADIUS Access-Request process. This AATV performs the following functions:
1. Retrieves the user credentials and account balance from a database
2. Authenticates the user based on the credentials
3. Authorizes the user if there is a positive account balance
4. Converts the account balance into the equivalent amount of connect time and returns that time as a Session-Timeout Reply-Item

The second task is to update the user's account balance based on the time used during each user session. To work properly, this must be done in real time. Therefore, the database must be updated at the time the RADIUS Accounting-Stop is received. This AATV performs the following tasks:
1. Converts the length of the user session into a dollar amount
2. Debits the user account by the computed value of the completed session


Migrating Plug-ins Created Using Previous Versions of the SDK

Plug-ins created using previous versions of the SDK must be ported to the new SDK and recompiled before they can be used with HP-UX AAA Server A.08.01. For information on recompiling your plug-in, see “Compiling and Loading a Plug-in” (page 452).

Prerequisites for Using the SDK

HP recommends installing the HP aC++ Compiler (# B3913DB) to compile plug-ins created using the HP-UX AAA Server SDK.

SDK Directory Structure

The HP-UX AAA Server SDK consists of the following files and directories:
• The /opt/aaa/include/sdk.h header file
• The following sample plug-ins:
  — /opt/aaa/examples/sdk/CSI/checkCSI.c
  — /opt/aaa/examples/sdk/ace/samplesc.c
• READMEs that describe the sample AATVs

Important Note: For information on the header files, data structures, and APIs included with the SDK, see Appendix D (page 579).

SDK Concepts

This section explains how the plug-ins interface with the HP-UX AAA Server operation. To ensure that the HP-UX AAA Server processes the functions included in your plug-ins, you can modify the state tables in the Finite State Machine (FSM) to refer to the functions (actions) defined in your custom plug-ins, or, for authentication AATVs, you can add them to the authfile. Modified FSM tables can include instructions to add or change the order of the processing steps. Plug-ins can be inserted as steps anywhere in the FSM table. AATVs are directly referenced as actions in the FSM table. For more information on AATVs, see “Overview of AATVs.”

Overview of AATVs

An AATV is a framework for various functionalities, such as password validation. These AATVs are functional blocks that perform basic AAA functions, such as authentication, authorization, and accounting. However, an AATV's functions are not limited to these. This framework provides you enough flexibility to add your own plug-ins as well.


AATV Components

An AATV is implemented as a shared library that contains specific functions. These functions are called from the HP-UX AAA Server. An AATV can contain the following functions:
• “The init Function.”
• “The action Function.”
• “The timer or callback Function” (page 450)
• “The cleanup Function” (page 450)

NOTE: These functions are optional. However, you must implement at least one of these functions.

The init Function

The init function establishes the environment required for other AATV functions. The init function is commonly used to open sockets and to create or open files for writing, or to read module-specific configuration. Following is the prototype of the init function:

    void myinit();

The action Function

The action function responds immediately to a received RADIUS request. Following is the prototype of the action function:

    static int myaction(sdk_authreq_t *authreq, int value, const char *string);

Following are the input parameters:

authreq   A pointer to the authreq.
value     The Xvalue from the FSM table for this action, if configured. If not, 0 is passed in by the Server.
string    This parameter can have one of the following values:
          • The Xstring from the FSM table if the AATV is configured in the FSM.
          • The Xstring from the authfile if the AATV is configured to process an authentication request.
          • If the Xstring parameter is not configured, NULL is passed.

The action function returns an event code. This event code determines the next action to be taken in the FSM. Following are the two commonly used event codes:

AAA_EV_ACK   Defined as 0. It indicates that the operation is successful.
AAA_EV_NAK   Defined as -1. It indicates that the operation failed.


IMPORTANT: All common event codes and corresponding event names are defined in the sdk.h header file. You can also define new event codes, for example, in scenarios where the AATV action produces multiple results that need to be handled by an AATV separately. However, do not use the sdk.h file to define new event codes. Instead, use the FSM file radius.fsm to define new event codes. Use the following syntax to create new event codes:

    % event event_name event_code

The new event codes and event names must not overlap with the ones defined in the sdk.h file. To avoid event code or event name synchronization issues, use event codes that are larger than 500.

The timer or callback Function

The timer or callback function is called once a second to enable AATVs to perform scheduled work at regular intervals. However, if the server is blocked, the function may not be called for each elapsed second. This function is typically used for periodic cleanup of any session information saved by the AATV. The timer function does not have any parameter; the function returns an event code. Following is the prototype of the timer or callback function:

    int mytimer();

The cleanup Function

The cleanup function is called when the HP-UX AAA Server terminates. This function is used to perform tasks such as flushing out the last records to a file before closing that file, and closing sockets. The cleanup function does not have any parameter and does not return a value. Following is the prototype of the cleanup function:

    void mycleanup();

Creating Plug-ins

You can create plug-ins using the following sample plug-ins:
• /opt/aaa/examples/sdk/csi/checkCSI.c
• /opt/aaa/examples/sdk/ace/samplesc.c

The following sections describe the working of these sample plug-ins, as well as procedures to do the following tasks:
• “Using AATVs to Create a Plug-in” (page 451)
• “Compiling and Loading a Plug-in” (page 452)
• “Testing and Debugging a Plug-in” (page 453)


The ACE AATV

The ACE AATV is a sample challenge-response authentication AATV. At a high level, this plug-in performs the following functions:

1. Checks that the User-Id A-V pair is present in the request. If it is not present, an error is returned.

2. If the User-Id A-V pair is present, then it checks whether the State A-V pair is present. If the State A-V pair is present, it proceeds to step 3. If it is not present, it creates a State A-V pair with the User-Id value and appends the string .pw to it, and inserts the State A-V pair into the REPLY queue. A Reply-Message A-V pair is created with a challenge string that prompts the user to enter a challenge response.

NOTE: In this sample AATV, the State A-V pair contains the password. However, it can also contain a pointer to a password, or a session table.

3. If the State A-V pair is present, it checks the user's challenge response against the value in the State A-V pair. If the values match, the user is authenticated. If the values do not match, the connection is terminated.

For more information on the ACE AATV, see the README located at /opt/aaa/examples/sdk/ace/README.

The checkCSI AATV

The checkCSI AATV is typically used for preprocessing RADIUS Access-Requests. This AATV enables the HP-UX AAA Server to authenticate the user based on Calling-Station-Id instead of User-Name. For more information on the checkCSI AATV, see the README file located at /opt/aaa/examples/sdk/csi/README.

Using AATVs to Create a Plug-in

You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use checkCSI.c to create a plug-in. To create a plug-in using the checkCSI.c file, complete the following steps:

1. Rename the checkCSI.c file and open it for editing.

2. Add the function prototype for the action function. For example,

    static int checkCSI (AUTH_REQ * authreq, int Value, const char * checkString);

where:
• The Value parameter is the Xvalue from the fsm file
• The checkString parameter is the Xstring from the fsm file


3. Add the aatv_load function to register the AATV with the HP-UX AAA Server. The aatv_load function, shown below, initializes the global aatv_info_v2_t structure that contains the function pointers to the init(), action(), timer(), and cleanup() functions.

    int aatv_load (aatv_info_v2_t **aatv_list, int * aatv_count)

where:
aatv_list        is a list of all the AATVs that are loaded.
aatv_count       is the number of AATVs that are loaded.
aatv_info_v2_t   is the data structure containing the function pointers to the init(), action(), timer(), and cleanup() functions. For more information on the aatv_info_v2_t data structure, see “Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK” (page 579).

4. Set the parameters of the aatv_info_v2_t data structure. Add them to aatv_list and set the value of aatv_count.

NOTE: You can also add init(), timer(), and cleanup() functions, based on your requirements. These functions are not used in this example, because the checkCSI AATV does not use them.

Compiling and Loading a Plug-in

To compile and load a plug-in, complete the following steps:

NOTE: Before you start this procedure, ensure that the HP-UX AAA Server is notrunning.

1. Navigate to the /opt/aaa/examples/sdk/CSI directory.

2. Enter the following command:

    # cc -I /opt/aaa/include -c +z checkCSI.c

3. Enter the following command to link the AATV with the libradlib file:

    # ld -b -o checkCSI.so -L/opt/aaa/lib -lradlib checkCSI.o

4. Enter the following command to copy the compiled plug-in to the /opt/aaa/aatv/ directory:

    # cp checkCSI.so /opt/aaa/aatv/

After copying the AATV to the /opt/aaa/aatv/ directory, you can configure the AATV name in the authfile or in the FSM.

5. Start the radiusd daemon by entering the following command:

    # /opt/aaa/bin/radiusd


6. To ensure that the AATV is loaded correctly, check the logfile for an entry similar to the following:

    read_dyn_cfg: Loaded shared object: <aatvname>, <No. of aatvs>

Testing and Debugging a Plug-in

You must test the software module before you start using it in a production environment. You can use several different methods to debug any modules that you create. This section discusses testing the software module using the GNU Project Debugger (gdb).

Using the GNU Project Debugger

HP recommends using gdb to debug software modules created using the HP-UX AAA Server SDK.

NOTE: To debug a software module with gdb, your program must be compiled with debug information enabled (using the -g option).

Using gdb to Debug Your Software Module

To debug your software module using gdb, complete the following steps:

1. Determine the RADIUS server’s process ID by entering the following command:

# ps -ef | grep radiusd

2. End the RADIUS server process by entering the following command:

# kill <radius pid>

3. Enter the following command:

# chatr +dbg enable /opt/aaa/bin/radiusd

4. Start radiusd by entering the following command:

# /opt/aaa/bin/radiusd

5. Start the debugger by entering the following command:

# gdb

This command starts a gdb session in UNIX and the gdb prompt appears. You can access help by typing help at the gdb prompt. For more information about gdb, enter man gdb at the command prompt. If you start the gdb session from some other location, you must specify the directory in which your plug-in module source code is located (for more information, see gdb help).

6. At the gdb prompt, enter the dir command to include the path of your software module, as shown in the following example:

# gdb> dir /opt/aaa/examples/sdk/csi


7. Attach the radius pid, as follows:

# gdb> attach <radius pid>

An output similar to the following displays:

Reading symbols from /opt/aaa/aatv/proldap.so...done.
Reading symbols from /opt/aaa/aatv/securidAatv.so...done.
Reading symbols from /opt/aaa/aatv/snmpAgent.so...done.
Reading symbols from /opt/aaa/aatv/tacplus.so...done.
Reading symbols from /opt/aaa/aatv/tunneling.so...done.
Reading symbols from /opt/aaa/aatv/vlogit.so...done.
Reading symbols from /opt/aaa/aatv/samplesc.so...done

8. Set a breakpoint at the specified line or function, as shown in the following example:

# gdb> b <function>

9. Enter the continue command, as shown below:

# gdb> c

10. At another window prompt, enter the radpwtst command as shown in the following example:

# radpwtst -a localhost -w password test_user

11. Use gdb commands to step through the code and look at the data to see how it is being processed in your plug-in module.

12. To quit gdb, enter the following command:

# gdb> q

Creating Plug-ins for AATVs
This section addresses plug-ins that are used to customize AATVs, such as Extensible Authentication Protocol (EAP) Subscriber Identity Module (SIM) and EAP Authentication and Key Agreement (AKA). This section addresses the following:
• “A3 and A8 Algorithm Plug-in for EAP-SIM” (page 454)
• “AKA Algorithm Plug-in for EAP-AKA” (page 456)

A3 and A8 Algorithm Plug-in for EAP-SIM
The Global System for Mobile Communications (GSM) A3 and A8 algorithms are used in EAP-SIM. The content of A3 and A8 algorithm plug-ins is specific to the EAP-SIM protocol requirements. [GSM-03.20] specifies the general GSM authentication procedure and the external interface of the A3 and A8 algorithms. The operations of these functions are associated with the domain of an individual GSM network operator. Therefore, the functions are not standardized. Instead, each operator specifies the functions. The A3 and A8 algorithm plug-ins are software modules that contain these specific functions. They customize the GSM authentication for each network operator.


An A3 or A8 plug-in may include zero or one A3 algorithm. If you write a plug-in for A3, an A8 plug-in with the same name must exist. Similarly, if you write a plug-in for A8, an A3 plug-in with the same name must exist.

Creating A3, A8 Plug-ins
You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use the sample_sim_a3a8.c file to create a plug-in.

To create a plug-in using the sample_sim_a3a8.c file, which is available at /opt/aaa/examples/sdk/sim_a3a8, complete the following steps:

1. Rename the sample_sim_a3a8.c file and open it for editing.

2. Add any header file specific to your module along with the following mandatory header files:

#include "sdk.h"
#include "plugin.h"
#include <syslog.h>

You can also add other header files that you require.

3. Change the (a3impl and a8impl) function names in the following prototypes, if required:

static int a3impl( const unsigned char * ki, const unsigned char * rand, unsigned char * sres );

static int a8impl( const unsigned char * ki, const unsigned char * rand, unsigned char * kc );

NOTE: Changing the function names is not mandatory. However, the parameters must not be modified.

4. Register the A3 and A8 algorithm plug-ins.

   1. To modify the number of plug-ins, change the array size of plugin_array[1] to the number of plug-ins to be written for this module.

   2. Modify the plugin_load function in the following code:

   sim_a3a8_plugin_info_t * sim_a3a8_info;
   static const char func[] = "plugin_load";

      a. Set the name of the plug-in in the following code to the required name:

      sim_a3a8_info->name = "sample_sim_a3a8";

      b. Set the description of the plug-in in the following code:

      sim_a3a8_info->info = "Sample EAP-SIM A3/A8 algorithm plugin";


      c. If the (a3impl and a8impl) function names are modified, make the corresponding changes in the following code:

      sim_a3a8_info->a3 = a3impl;
      sim_a3a8_info->a8 = a8impl;

      d. Enter the value of plugin_array as described in the code. For example, for the second plug-in, modify the code as follows:

      plugin_array[0].type = SIM_A3A8;
      plugin_array[0].info = (void *)sim_a3a8_info;

      e. If there is more than one plug-in, modify the value accordingly in the following code:

      *plugin_count = 1;

5. To implement the sample A3 algorithm, modify the following code:

unsigned int idx;
for ( idx = 0; idx < 4; ++idx )
{
    sres[idx] = 0;
}
return SDK_SUCCESS;

On success, the A3 algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.

6. To implement the sample A8 algorithm, modify the following code:

unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    kc[idx] = 0;
}
return SDK_SUCCESS;

On success, the A8 algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.

AKA Algorithm Plug-in for EAP-AKA
The GSM AKA algorithms are used in EAP-AKA. The content of the AKA 3GPP algorithm plug-ins is specific to the EAP-AKA protocol requirements. [GSM-03.20] specifies the general GSM authentication procedure and the external interface of the f1, f1x, f2, f3, f4, f5 and f5x functions. The operations of these functions are associated with the domain of an individual GSM network operator. Therefore, the functions are not standardized. Instead, each operator specifies the functions. AKA algorithm plug-ins are software modules that contain these specific functions. They customize the GSM authentication for each network operator.


Creating AKA Plug-ins
You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use the sample_aka_algo.c file to create a plug-in.

To create a plug-in using the sample_aka_algo.c file, which is available at /opt/aaa/examples/sdk/aka_algo, complete the following steps:

1. Rename the sample_aka_algo.c file and open it for editing.

2. Include the following mandatory header files:

#include "sdk.h"
#include "plugin.h"
#include <syslog.h>

You can also add other header files that you require.

3. Change the (f1impl, f1ximpl, f2impl, f3impl, f4impl, f5impl and f5ximpl) function names in the following prototypes, if required:

static int f1impl( const unsigned char * ki, const unsigned char * rand, const unsigned char * sqn, const unsigned char * amf, unsigned char * maca );

static int f1ximpl( const unsigned char * ki, const unsigned char * rand, const unsigned char * sqn, const unsigned char * amf, unsigned char * macs );

static int f2impl( const unsigned char * ki, const unsigned char * rand, unsigned char * res );

static int f3impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ik );

static int f4impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ck );

static int f5impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ak );

static int f5ximpl( const unsigned char * ki, const unsigned char * rand, unsigned char * ak );


NOTE: Changing the function names is not mandatory. However, the parameters must not be modified.

4. Register the AKA algorithm plug-ins.

   1. If your plug-in includes more than one plug-in entry, modify the array size accordingly. To modify the array size, change the value within plugin_array[1] to the number of plug-ins to be written for this module.

   2. Modify the plugin_load function in the following code:

   aka_algo_plugin_info_t * aka_algo_info;
   static const char func[] = "plugin_load";

      a. Set the name of the plug-in in the following code to the required name:

      aka_algo_info->name = "sample_aka_algo";

      b. Set the description of the plug-in in the following code:

      aka_algo_info->info = "Sample EAP-AKA algorithm plugin";

      c. If the (f1impl, f1ximpl, f2impl, f3impl, f4impl, f5impl and f5ximpl) function names are modified, make the corresponding changes in the following code:

      aka_algo_info->f1 = f1impl;
      aka_algo_info->f1x = f1ximpl;
      aka_algo_info->f2 = f2impl;
      aka_algo_info->f3 = f3impl;
      aka_algo_info->f4 = f4impl;
      aka_algo_info->f5 = f5impl;
      aka_algo_info->f5x = f5ximpl;

      d. Enter the value of the plugin_array as described in the code. For example, for the second plug-in, modify the code as follows:

      plugin_array[1].type = AKA_ALGO;
      plugin_array[1].info = (void *)aka_algo_info;

      e. If there is more than one plug-in, complete the described steps for each of them. Also, modify the value accordingly in the following code:

      *plugin_count = 1;

5. To implement the sample f1() algorithm, modify the following code in the f1impl function (the output buffer of f1impl is maca):

unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    maca[idx] = 0;
}
return SDK_SUCCESS;


On success, the f1() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.

6. To implement the sample f1x() algorithm, modify the following code in the f1ximpl function (the output buffer of f1ximpl is macs):

unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    macs[idx] = 0;
}
return SDK_SUCCESS;

On success, the f1x() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.

7. To implement the sample f2() algorithm, modify the following code in the f2impl function:

unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    res[idx] = 0;
}
return SDK_SUCCESS;

On success, the f2() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.

8. To implement the sample f3() algorithm, modify the following code in the f3impl function:

unsigned int idx;
for ( idx = 0; idx < 16; ++idx )
{
    ik[idx] = 0;
}
return SDK_SUCCESS;

On success, the f3() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.

9. To implement the sample f4() algorithm, modify the following code in the f4impl function:

unsigned int idx;
for ( idx = 0; idx < 16; ++idx )
{
    ck[idx] = 0;
}
return SDK_SUCCESS;

On success, the f4() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.


10. To implement the sample f5() algorithm, modify the following code in the f5impl function:

unsigned int idx;
for ( idx = 0; idx < 6; ++idx )
{
    ak[idx] = 0;
}
return SDK_SUCCESS;

On success, the f5() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.

11. To implement the sample f5x() algorithm, modify the following code in the f5ximpl function:

unsigned int idx;
for ( idx = 0; idx < 6; ++idx )
{
    ak[idx] = 0;
}
return SDK_SUCCESS;

On success, the f5x() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
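The two registration procedures above (A3/A8 for EAP-SIM and f1 to f5x for EAP-AKA) share one shape: implement the functions with the fixed prototypes, fill the info structure, and point a plugin_array slot at it. The following added example (not HP's sample code) does both in one module, so plugin_array has two entries and *plugin_count is 2; because the SDK headers are not on this page, the stand-in types, the SIM_A3A8/AKA_ALGO values, the plugin_load() signature and the placeholder mixing routine are all assumptions.

```c
/* Added example (not HP's sample code): one SDK module registering both an EAP-SIM
 * A3/A8 plug-in and an EAP-AKA algorithm plug-in. sdk.h/plugin.h are not available
 * here, so the types, constants and the plugin_load() signature are ASSUMED stand-ins
 * modelled on the fragments shown in the procedures above. */
#include <stddef.h>
#include <string.h>

#define SDK_SUCCESS 0                       /* assumed values */
#define SDK_FAILURE (-1)
enum plugin_type { SIM_A3A8 = 1, AKA_ALGO = 2 };
typedef int (*kr_fn)(const unsigned char *, const unsigned char *, unsigned char *);
typedef int (*mac_fn)(const unsigned char *, const unsigned char *, const unsigned char *,
                      const unsigned char *, unsigned char *);
typedef struct { const char *name, *info; kr_fn a3, a8; } sim_a3a8_plugin_info_t;
typedef struct { const char *name, *info; mac_fn f1, f1x; kr_fn f2, f3, f4, f5, f5x; }
        aka_algo_plugin_info_t;
typedef struct { int type; void *info; } plugin_entry_t;
static plugin_entry_t plugin_array[2];      /* one slot per plug-in registered below */

/* Ki/K, RAND, SQN, AMF use the standard GSM/3GPP sizes; output sizes follow the
 * loops in the sample code (SRES 4, Kc 8, MAC 8, RES 8, IK 16, CK 16, AK 6). */
enum { KI_LEN = 16, RAND_LEN = 16, SQN_LEN = 6, AMF_LEN = 2 };

/* Toy mixing routine standing in for the operator's proprietary algorithms. It has
 * no cryptographic strength; it only yields deterministic, length-correct output
 * and returns SDK_FAILURE on a missing buffer, the failure path the text describes. */
static int placeholder_mix(const unsigned char *ki, const unsigned char *rand,
                           const unsigned char *extra, size_t extra_len,
                           unsigned char tag, unsigned char *out, size_t out_len)
{
    unsigned char acc = tag;
    size_t i;
    if (ki == NULL || rand == NULL || out == NULL) return SDK_FAILURE;
    for (i = 0; i < out_len; ++i) {
        acc = (unsigned char)(((acc << 3) | (acc >> 5)) ^ ki[i % KI_LEN]
                              ^ rand[(i * 7) % RAND_LEN]);
        if (extra_len != 0) acc ^= extra[i % extra_len];
        out[i] = acc;
    }
    return SDK_SUCCESS;
}

/* EAP-SIM A3 (SRES, 4 bytes) and A8 (Kc, 8 bytes); prototypes as in the procedure.
 * Different tags keep the two outputs from being prefixes of one another. */
static int a3impl(const unsigned char *ki, const unsigned char *rand, unsigned char *sres)
{ return placeholder_mix(ki, rand, NULL, 0, 'S', sres, 4); }
static int a8impl(const unsigned char *ki, const unsigned char *rand, unsigned char *kc)
{ return placeholder_mix(ki, rand, NULL, 0, 'K', kc, 8); }

/* EAP-AKA f1/f1x also bind SQN || AMF, so the MAC changes with the sequence number. */
static int aka_mac(const unsigned char *ki, const unsigned char *rand, const unsigned char *sqn,
                   const unsigned char *amf, unsigned char tag, unsigned char *mac)
{
    unsigned char sqn_amf[SQN_LEN + AMF_LEN];
    if (sqn == NULL || amf == NULL) return SDK_FAILURE;
    memcpy(sqn_amf, sqn, SQN_LEN);
    memcpy(sqn_amf + SQN_LEN, amf, AMF_LEN);
    return placeholder_mix(ki, rand, sqn_amf, sizeof sqn_amf, tag, mac, 8);
}
static int f1impl(const unsigned char *ki, const unsigned char *rand, const unsigned char *sqn,
                  const unsigned char *amf, unsigned char *maca)
{ return aka_mac(ki, rand, sqn, amf, 1, maca); }
static int f1ximpl(const unsigned char *ki, const unsigned char *rand, const unsigned char *sqn,
                   const unsigned char *amf, unsigned char *macs)
{ return aka_mac(ki, rand, sqn, amf, 2, macs); }
static int f2impl(const unsigned char *ki, const unsigned char *rand, unsigned char *res)
{ return placeholder_mix(ki, rand, NULL, 0, 3, res, 8); }
static int f3impl(const unsigned char *ki, const unsigned char *rand, unsigned char *ik)
{ return placeholder_mix(ki, rand, NULL, 0, 4, ik, 16); }
static int f4impl(const unsigned char *ki, const unsigned char *rand, unsigned char *ck)
{ return placeholder_mix(ki, rand, NULL, 0, 5, ck, 16); }
static int f5impl(const unsigned char *ki, const unsigned char *rand, unsigned char *ak)
{ return placeholder_mix(ki, rand, NULL, 0, 6, ak, 6); }
static int f5ximpl(const unsigned char *ki, const unsigned char *rand, unsigned char *ak)
{ return placeholder_mix(ki, rand, NULL, 0, 7, ak, 6); }

/* Registration. The SDK calls plugin_load() once per module (signature assumed); the
 * info structures use static storage because the sample's allocation is not shown. */
static sim_a3a8_plugin_info_t sim_a3a8_info;
static aka_algo_plugin_info_t aka_algo_info;

int plugin_load(int *plugin_count)
{
    if (plugin_count == NULL) return SDK_FAILURE;
    sim_a3a8_info.name = "example_sim_a3a8";
    sim_a3a8_info.info = "Example EAP-SIM A3/A8 algorithm plugin";
    sim_a3a8_info.a3 = a3impl;  sim_a3a8_info.a8 = a8impl;
    plugin_array[0].type = SIM_A3A8;                 /* first plug-in: slot 0 */
    plugin_array[0].info = (void *)&sim_a3a8_info;
    aka_algo_info.name = "example_aka_algo";
    aka_algo_info.info = "Example EAP-AKA algorithm plugin";
    aka_algo_info.f1 = f1impl;  aka_algo_info.f1x = f1ximpl;
    aka_algo_info.f2 = f2impl;  aka_algo_info.f3 = f3impl;  aka_algo_info.f4 = f4impl;
    aka_algo_info.f5 = f5impl;  aka_algo_info.f5x = f5ximpl;
    plugin_array[1].type = AKA_ALGO;                 /* second plug-in: slot 1 */
    plugin_array[1].info = (void *)&aka_algo_info;
    *plugin_count = 2;                               /* one per registered plug-in */
    return SDK_SUCCESS;
}
```

A real operator algorithm replaces placeholder_mix; the prototypes, buffer lengths and return codes are the parts the server relies on.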


Part VI Troubleshooting
This part of the HP-UX AAA Server A.08.01 Administrator’s Guide is organized as follows:
• Chapter 29: “Troubleshooting Overview” (page 464): Describes the AAA environment and an overview of HP-UX AAA Server troubleshooting.
• Chapter 30: “Troubleshooting Procedures” (page 469): Provides a troubleshooting flowchart followed by specific troubleshooting tables that enable you to identify the problem and take the necessary corrective actions.
• Chapter 31: “Troubleshooting Resources” (page 509): Describes the troubleshooting resources available in the Server Manager and the HP-UX AAA Server.
• Chapter 32: “Reporting Problems” (page 513): Provides a checklist of information that you must collect before reporting a problem to HP.


Table of Contents
29 Troubleshooting Overview ... 464
   AAA Environment Components ... 464
   HP-UX AAA Server Operation ... 465
   Probable Causes for Failure ... 467
      Configuration Problems ... 467
      External Service Problems ... 467
      Protocol Limitations ... 468
      RADIUS Client and Supplicant Considerations ... 468
30 Troubleshooting Procedures ... 469
   Troubleshooting Flowchart ... 469
      Troubleshooting Flowchart Process ... 471
   Troubleshooting the Server Manager Administration Utility ... 472
      Common Problems With the Server Manager ... 473
         Troubleshooting Server Manager Launch Problems ... 475
         Troubleshooting Remote Management Problems ... 476
   Troubleshooting the HP-UX AAA Server ... 477
      Troubleshooting HP-UX AAA Server Startup Problems ... 478
         Common Problems with HP-UX AAA Server Startup ... 478
            Troubleshooting Bind Errors at HP-UX AAA Server Startup ... 482
      Troubleshooting an Unresponsive HP-UX AAA Server ... 483
         Troubleshooting Common Configuration Problems ... 484
         Troubleshooting External Services ... 488
            Identifying External Service Failures using Logfile Error Messages ... 488
            Identifying Unrecorded External Datastore Failures ... 493
            Identifying Proxy Server Failures ... 493
            Identifying Unrecorded DHCP Failures ... 493
      Troubleshooting Access-Rejects from the HP-UX AAA Server ... 494
         Common Authentication Failure Problems ... 494
      EAP Problems ... 502
      Troubleshooting Provisioning Errors ... 506
      Troubleshooting the HP-UX AAA Server Admin Utility ... 506
31 Troubleshooting Resources ... 509
   HP-UX AAA Server Troubleshooting Utilities ... 509
      The radcheck Utility: For Checking the Server Status ... 509
      The radpwtst Utility: For Testing Authentication ... 510
      The raddbginc Utility: For Setting Debug Output Levels ... 510
      The radsignal Utility: For Rolling Over the Debug Output to New Files ... 511
   The HP-UX AAA Server Logfile and Debug File ... 511
      The HP-UX AAA Server Logfile ... 511
      The HP-UX AAA Server Debug File ... 511


32 Reporting Problems ... 513
   Server Set Up Information ... 513
   Server Manager Related Information ... 514
   External Components ... 514
      External Databases ... 514
      SNMP Servers ... 514
      DHCP Servers ... 514
      OpenSSL ... 514
   EAP Related Information ... 514
      Clients ... 515
      Access Points ... 515


29 Troubleshooting Overview
This chapter of the HP-UX AAA Server Administrator's Guide provides an overview of HP-UX AAA Server troubleshooting with respect to the AAA environment. This section discusses the following:
• “AAA Environment Components” (page 464)
• “HP-UX AAA Server Operation” (page 465)
• “Probable Causes for Failure” (page 467)

AAA Environment Components
The AAA environment consists of the following interoperating components:
• HP-UX AAA Server Daemon, Libraries, Configuration Files, and Utilities: Perform the authentication, authorization, and accounting functions to process requests.
• Web Based Server Manager Administration Utility: Configures and manages the servers. The Server Manager can retrieve logfile messages and statistics from HP-UX AAA Servers.
• Supplicants: Application software that requests access to network services via RADIUS clients.
• RADIUS Clients: Communicate with the HP-UX AAA Server using the RADIUS protocol standard. They serve as enforcement points to control access to network services.
• External Services: Interoperate with the HP-UX AAA Server to provide user profile storage (databases) and other services such as DHCP (IP address management) and SNMP (network management).

Figure 29-1 depicts the AAA environment and components. Troubleshooting the AAA environment involves determining the component that caused the problem and taking the necessary corrective actions.


Figure 29-1 AAA Environment Components

HP-UX AAA Server Operation
Figure 29-2 depicts the HP-UX AAA Server operation from the troubleshooting perspective.


Figure 29-2 HP-UX AAA Server Operation

The HP-UX AAA Server operation consists of the following steps:

1. The user or device that requires authentication communicates with the RADIUS client and provides authentication credentials such as user name and password. At this stage, incorrect supplicant configuration or invalid credentials can lead to authentication failures or an unresponsive HP-UX AAA Server.

NOTE: Troubleshooting the supplicant is outside the scope of this chapter. See your supplicant vendor’s documentation for troubleshooting information.

2. The RADIUS client (for example, access point or NAS) sends a RADIUS Access-Request message to the HP-UX AAA Server. At this stage, incorrect client configuration and bad RADIUS messages can lead to authentication or accounting failures, or an unresponsive HP-UX AAA Server.

3. The HP-UX AAA Server examines the request and validates the user credentials based on the configured authentication mechanism. At this stage, incorrect HP-UX AAA Server configuration, internal errors, or invalid credentials passed to it by the RADIUS client can cause authentication/accounting failures. These cases may cause the HP-UX AAA Server to ignore the RADIUS client’s request.

4. Based on the configured authentication mechanism, the HP-UX AAA Server can contact one or more external services:


   a. The HP-UX AAA Server can contact an external service such as a database or LDAP directory server to retrieve user information and perform authentication.

   b. The HP-UX AAA Server can forward the request to a proxy HP-UX AAA Server for authentication.

   c. The HP-UX AAA Server can contact a DHCP server for IP address management.

If the external service is busy or unavailable, or invalid credentials are passed to it by the HP-UX AAA Server, the HP-UX AAA Server will not authenticate the user and may not respond.

5. If authentication is successful, the HP-UX AAA Server returns an Access-Accept message along with provisioning attributes to the RADIUS client. The RADIUS client allows the supplicant to connect to the configured network service. At this stage, incorrect attributes returned to the RADIUS client (or incorrect attributes expected by the RADIUS client) can prevent the supplicant from connecting to the network service.

The HP-UX AAA Server is administered through the Server Manager. Here, problems with the browser, Tomcat, or the RMI object, or incorrect credentials supplied by the administrator, can lead to problems while launching or using the Server Manager.

Probable Causes for Failure
This section discusses the problems, limitations, and considerations to be aware of before troubleshooting the AAA environment.

Configuration Problems
The RADIUS client, the supplicant, or the HP-UX AAA Server can be configured incorrectly, which leads to problems. Some configuration-related problems can result in the HP-UX AAA Server silently discarding the message without any reply being sent to the RADIUS client. For example, if the authentication queue is full, subsequent authentication requests are dropped.

External Service Problems
The HP-UX AAA Server interoperates with external services in the environment, such as database servers, LDAP, DHCP, and SNMP. The following problems can be caused by external services:
• An external service failure can result in the HP-UX AAA Server not sending a reply back to the RADIUS client.
• The RADIUS message packet contains information about the realm. The realm configuration specifies the external datastore used for user profile lookup. This information can be used to identify the external service accessed to process the RADIUS request.

Some external service failures do not result in the HP-UX AAA Server recording a message in the server logfile. For example, if the HP-UX AAA Server times out while waiting on a busy database server, it does not record an error in the logfile. No reply is sent to the RADIUS client.

Protocol Limitations
The HP-UX AAA Server communicates with the RADIUS client using the RADIUS protocol. The RADIUS protocol has the following limitations:
• RADIUS packets are transmitted using the connectionless UDP transport protocol. Therefore, a RADIUS request that does not reach the recipient needs to be retransmitted by the sender. Usually, the sender retransmits the request if it times out while waiting for the acknowledgement.
• The RADIUS protocol specification allows the HP-UX AAA Server to send Access-Accept and Access-Reject messages only, in response to an Access-Request. The HP-UX AAA Server cannot send status information about a request to the RADIUS client.

Messages that do not contain correct information in accordance with the RADIUS protocol specifications will be silently discarded by the HP-UX AAA Server without any reply or status being sent to the client.

Supplicants connecting to the HP-UX AAA Server over a WLAN can use EAP protocols. The same EAP protocols must be configured at the supplicant, the access point, and the HP-UX AAA Server EAP realm configuration.

RADIUS Client and Supplicant Considerations
The HP-UX AAA Server supports several RADIUS clients, supplicants, and OTP token generators. For a list of RADIUS clients, supplicants, and OTP token generators that have been certified for the HP-UX AAA Server, see the HP-UX AAA Server A.08.01 Release Notes (T1428-90067). Consider the following:
• If the RADIUS client does not receive a reply from the HP-UX AAA Server, it behaves as if the HP-UX AAA Server is offline. It can retransmit the request after the timeout to the same HP-UX AAA Server or a secondary HP-UX AAA Server, based on the configuration.
• Not all RADIUS clients maintain an error log.


30 Troubleshooting Procedures
This chapter describes how to troubleshoot problems that you encounter while using the HP-UX AAA Server in the AAA environment. This chapter includes a diagnostic flowchart and troubleshooting tables that enable you to identify the problem and perform the appropriate corrective actions. This chapter addresses the following topics:
• “Troubleshooting Flowchart” (page 469)
• “Troubleshooting the Server Manager Administration Utility” (page 472)
• “Troubleshooting the HP-UX AAA Server” (page 477)

Troubleshooting Flowchart
Figure 30-1 enables you to identify whether the problem is with the Server Manager, the HP-UX AAA Server startup, or its operation. The flowchart will lead you to individual troubleshooting sections that describe how to identify the problem and perform the necessary corrective steps.


Figure 30-1 Troubleshooting Flowchart


Troubleshooting Flowchart Process
This section describes the troubleshooting process that you can follow to troubleshoot and identify problems with the HP-UX AAA Server. Each step listed below maps to the problem that is depicted in Figure 30-1.

1. Can launch Server Manager and view all applets and icons?

Launch the Server Manager administration utility and verify whether all the applets and icons can be viewed.

Problem: Unable to launch Server Manager?
Resolution: See “Troubleshooting the Server Manager Administration Utility” (page 472). If you are able to resolve the problem using the suggestions listed in this section, but are facing other problems, proceed to step 2. If you are not facing any other problems, end the troubleshooting process. If you are unable to resolve the problem using the suggestions listed in this section, report it to HP after collecting all the information listed in Chapter 32: “Reporting Problems” (page 513).

Problem: Able to launch Server Manager?
Resolution: End the troubleshooting process. If you face a different problem, proceed to step 2.

2. Can start/administer HP-UX AAA Server from Server Manager?

Try to start and administer the HP-UX AAA Server from the Server Manager administration utility.

Problem: Unable to start or administer the Server Manager?
Resolution: The problem may be with the HP-UX AAA Server startup or a remote management issue. See “Troubleshooting Remote Management Problems” (page 476) or “Troubleshooting HP-UX AAA Server Startup Problems” (page 478). If you are able to resolve the problem using the suggestions listed in this section, but are facing other problems, proceed to step 3. If you are not facing any other problems, end the troubleshooting process.

Problem: Able to start or administer the Server Manager?
Resolution: End the troubleshooting process. If you face a different problem, proceed to step 3.


3. Does the HP-UX AAA Server respond to requests?

   Check whether the HP-UX AAA Server responds to Access-Requests from clients/supplicants.

   Problem: Is the server not responding to requests?
   Resolution: See “Troubleshooting an Unresponsive HP-UX AAA Server” (page 483). If you are able to resolve the problem using the suggestions listed in that section, but are facing other problems, proceed to step 4. If you are not facing any other problems, end the troubleshooting process.

   Problem: Is the server responding to requests?
   Resolution: End the troubleshooting process. If you face a different problem, proceed to step 4.

4. Does the HP-UX AAA Server return an Access-Accept (when the user is expecting an Access-Accept)?

   Check whether the HP-UX AAA Server returns Access-Accepts to clients/supplicants.

   Problem: Is the server returning Access-Rejects?
   Resolution: See “Troubleshooting Access-Rejects from the HP-UX AAA Server” (page 494). If you are able to resolve the problem using the suggestions listed in that section, but the user still cannot connect to the network service, see “Troubleshooting Provisioning Errors” (page 506). If you are not facing any other problems, end the troubleshooting process.

   Problem: Is the server returning Access-Accepts?
   Resolution: If the HP-UX AAA Server returns an Access-Accept to the client/supplicant, but the user cannot connect to the network service, see “Troubleshooting Provisioning Errors” (page 506). If you are not facing any other problems, end the troubleshooting process. If you are unable to resolve the problem using the suggestions listed in that section, report the problem to HP after collecting all the information listed in Chapter 32: “Reporting Problems” (page 513).

Troubleshooting the Server Manager Administration Utility

This section describes how to troubleshoot problems with the Server Manager administration utility.

472 Troubleshooting Procedures


Common Problems With the Server Manager

Table 30-1 lists the common problems that you can encounter while using the Server Manager administration utility. Compare the problem you observe with those listed in this table and perform the corresponding corrective actions.

Table 30-1 Common Problems with the Server Manager

Problem: Cannot launch the Server Manager.
Cause: Server Manager cannot be launched for one of the following reasons:
• An unsupported browser is used.
• An incorrect URL or port number is specified.
• Tomcat is not running.
• An incorrect Tomcat username or password is used.
• A Java version lower than 1.5 is used.
Solution:
1. Use a supported browser. For a list of supported browsers, see HP-UX AAA Server A.08.01 Release Notes (T1428-90070).
2. Specify the correct URL and port number in the browser address bar.
3. Verify that Tomcat is running.
4. Verify that the correct Tomcat username and password (as specified in /opt/hpws22/tomcat/conf/tomcat-users.xml) are specified.
5. Use Java Version 1.5 or later.
For more information, see “Troubleshooting Server Manager Launch Problems” (page 475).

Problem: Cannot view the Server Manager applets and icons.
Cause: The Java Runtime Environment (JRE) is not installed for your browser, or JavaScript is not enabled for your browser.
Solution: Install the JRE and enable JavaScript for your browser. For more information, see your vendor’s documentation.

Problem: Can launch the Server Manager, but cannot start, stop, administer, or view statistics of the HP-UX AAA Server.
Cause: The RMI object is not running.
Solution:
1. Verify that the RMI object is running. If not, start the RMI object.
2. Ensure that port 7790 is used by the Java process. (The procedure in “Troubleshooting Remote Management Problems” checks port 2099 for the RMI object; confirm which port the RMI object is configured to use on your installation and check that port.)
3. Ensure that the shared secret for rmi.config.secret is the same on the HP-UX AAA Server and the system running the Server Manager.
4. Check the RMI log files in /opt/aaa/remotecontrol/.
5. Ensure that Java Version 1.5 is used.
For more information, see “Troubleshooting Remote Management Problems” (page 476).

Troubleshooting the Server Manager Administration Utility 473


Problem: Can launch the Server Manager, but cannot start, stop, load or save, or view statistics of the HP-UX AAA Servers configured with an IPv6 address in the ‘Domain Name or IP address’ field.
Cause: Tomcat is not IPv6 enabled.
Solution:
1. Stop Tomcat.
2. Execute the following command:
   export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=false"
3. If you get the error “JAVA_OPTS: Parameter not set” after executing the above command (the shell reports this when JAVA_OPTS has not been set), execute the following command instead:
   export JAVA_OPTS="-Djava.net.preferIPv4Stack=false"
   Otherwise, skip this step.
4. Start Tomcat.

Cause (same problem): The RMI object is not running.
Solution:
1. Verify that the RMI object is running. If not, start the RMI object.
2. Ensure that port 2099 is used by the Java process, using the following command:
   # lsof -i :2099
   Port 2099 must be in the LISTEN state and used by a Java process.
3. Ensure that the shared secret for rmi.config.secret is the same on the HP-UX AAA Server and the system running the Server Manager.
For more information, see “Troubleshooting Remote Management Problems” (page 476).

Problem: Can launch the Server Manager, but cannot start the server. Starting the server fails with either of the following messages: “Address already in use” or “Can’t assign requested address.”
Cause: The server is configured with invalid values for Server Attributes. For example, the combination of the Listen IP Address and Administration Port values of the server is already in use by another server, or the host names or addresses specified in the ‘Domain Name or IP Address’ and ‘Listen IP Address’ fields do not correspond to the same host. HP-UX AAA Server Manager has not validated these values because the RMI object was not running when the server was configured.
Solution:
1. Verify that the RMI object is running. If not, start the RMI object.
2. Modify the configured Server Attributes of the server that is failing to start, using HP-UX AAA Server Manager. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager”.

474 Troubleshooting Procedures

Problem: Can launch the Server Manager, but get ‘Parse Error’ in the HP-UX AAA Server Status Frame.
Cause: Error while parsing the group configuration file.
Solution:
1. Stop the HP-UX AAA Server Manager and Tomcat.
2. Stop the RMI objects running on all the remote hosts.
3. Start Tomcat and the HP-UX AAA Server Manager.
4. Start the RMI objects on all the remote hosts.
5. Modify all the servers configured. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager”.
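The “JAVA_OPTS: Parameter not set” message in step 3 of the IPv6 fix in Table 30-1 is the shell’s report of an unset variable being expanded while set -u (nounset) is in effect, which is why the table offers a second form of the export. The following shell function is an added example and is not part of this guide or of the HP-UX AAA Server product: it appends the option whether or not JAVA_OPTS is already set, does not add it a second time, and is safe under set -u. The option and the Tomcat startup script path are the ones quoted in the table; nothing else about the product is assumed.

```shell
# Added example, not from the HP-UX AAA Server guide: append a JVM option to
# JAVA_OPTS without referencing the variable while it is unset.
# append_java_opt OPTION -> prints the resulting JAVA_OPTS value on stdout.
append_java_opt() {
    opt=$1
    cur=${JAVA_OPTS:-}          # "" when JAVA_OPTS is unset or empty; no nounset error
    case " $cur " in
        *" $opt "*) printf '%s\n' "$cur" ;;              # already present: unchanged
        *)          printf '%s\n' "${cur:+$cur }$opt" ;;  # append, separator only if needed
    esac
}

# Typical use before /opt/hpws22/tomcat/bin/startup.sh (replaces steps 2 and 3):
#   JAVA_OPTS=$(append_java_opt -Djava.net.preferIPv4Stack=false); export JAVA_OPTS
```

Because the function prints rather than exports, the caller decides what to export; running it once per option keeps the existing JAVA_OPTS (for example a heap setting) intact.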

Troubleshooting Server Manager Launch Problems

This section describes how to troubleshoot problems when you cannot launch the Server Manager administration utility. If you are unable to launch the Server Manager, complete the following steps:

1. Verify that you are using a supported browser. For a list of supported browsers, see HP-UX AAA Server A.08.01 Release Notes at www.docs.hp.com in the Internet and Security Solutions section.

2. Verify the port number specified in the URL. The default port number is 8081 (HTTP) or 8443 (HTTPS). This is configured in Tomcat’s /opt/hpws22/tomcat/conf/server.xml file. If secure communication (HTTPS) is used, ensure that the SSL configuration matches that described in Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration on page 48.

3. Verify that the user name and password provided in the browser match the user name and password configured in /opt/hpws22/tomcat/conf/tomcat-users.xml.

4. Verify that the Tomcat server is running by entering the following command:
   # ps -efx | grep tomcat | grep -v grep

   If Tomcat is running, a portion of the output displayed is similar to the following:
   root 15408 1 Mar 29 ? 10:10 /opt/java1.5/bin/IA64N/java

   If the Tomcat server is not running, export the Java path and then use the Tomcat startup script to start Tomcat, as follows:
   # export JAVA_HOME=/opt/java1.5
   # /opt/hpws22/tomcat/bin/startup.sh

   Verify that the Tomcat server is running after running the startup script. If the Tomcat server is still not running, check the Tomcat server log, /opt/hpws22/tomcat/logs/catalina.out.

5. Use the lsof command to verify that the Tomcat port (usually 8081 for HTTP or 8443 for HTTPS) is in the LISTEN state and is used by the correct process. For example:
   # lsof -i :8081

   The port must be in the LISTEN state and used by a Java process with the same process ID as the Tomcat bootstrap process displayed in Step 4.

   NOTE: The lsof tool is an open source tool and is not available by default on HP-UX operating systems.

6. If the problem persists, report it to HP after collecting the information listed in Chapter 32: “Reporting Problems” (page 513).

Troubleshooting the Server Manager Administration Utility 475
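Steps 4 and 5 above amount to a single check: the PID that lsof reports for the LISTEN socket on the Server Manager port must be the PID of the Tomcat JVM that ps shows. The following shell functions are an added example, not from this guide or from HP: they take the two command outputs as text (so they also work on output saved from a remote host) and compare the PIDs. The sample ps and lsof output at the bottom is constructed for the example, modelled on the fragments quoted in step 4; the command-line arguments shown for the Tomcat JVM are assumptions.

```shell
# Added example, not from the HP-UX AAA Server guide: confirm that the process
# holding the Server Manager port is the Tomcat JVM found with ps.

# tomcat_pid PS_OUTPUT -> PID of the first java process whose command line
# mentions tomcat (the bootstrap JVM), or nothing if there is none.
tomcat_pid() {
    printf '%s\n' "$1" | awk '/java/ && /tomcat/ && !/grep/ { print $2; exit }'
}

# listener_pid LSOF_OUTPUT PORT -> PID of the process with a TCP socket in the
# LISTEN state on PORT, or nothing. lsof lines end "... TCP <addr>:<port> (LISTEN)".
listener_pid() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$NF == "(LISTEN)" && $(NF-1) ~ (":" p "$") { print $2; exit }'
}

# check_tomcat_port PS_OUTPUT LSOF_OUTPUT PORT -> "ok <pid>" and status 0 when
# the listener is the Tomcat JVM; otherwise a one-line reason and status 1.
check_tomcat_port() {
    tp=$(tomcat_pid "$1")
    lp=$(listener_pid "$2" "$3")
    if [ -z "$tp" ]; then echo "tomcat is not running"; return 1; fi
    if [ -z "$lp" ]; then echo "nothing is listening on port $3"; return 1; fi
    if [ "$tp" != "$lp" ]; then
        echo "port $3 is held by pid $lp, not by tomcat pid $tp"; return 1
    fi
    echo "ok $tp"
}

# Constructed sample output for a healthy host (the java arguments are assumed).
# Live use:  check_tomcat_port "$(ps -efx)" "$(lsof -i :8081)" 8081
SAMPLE_PS='root 15408 1 0 Mar 29 ? 10:10 /opt/java1.5/bin/IA64N/java -Dcatalina.home=/opt/hpws22/tomcat org.apache.catalina.startup.Bootstrap start'
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 15408 root 34u IPv4 0x4a1 0t0 TCP *:8081 (LISTEN)'
```

For an HTTPS-only installation pass 8443 (or whatever server.xml configures) as the port. A mismatch means something other than the Tomcat you started owns the port, which is exactly the case a browser error on the Server Manager URL does not distinguish from Tomcat being down.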

Troubleshooting Remote Management Problems

This section describes how to troubleshoot remote management problems. If you are unable to use the Server Manager to administer an HP-UX AAA Server, complete the following steps:

1. Verify that the version number of the HP-UX AAA Server is the same as that of the Server Manager administration utility.

2. Verify that the RMI object is running, by entering the following command:
   # ps -efx | grep RMIServerManagement | grep -v grep

   If the RMI object is running, a portion of the output displayed is similar to the following:
   root 23965 1 0 14:46:47 pts/ta 0:00 /opt/java1.5/bin/IA64N/java

   If the RMI service is not displayed, start the RMI object by entering the following command:
   # /opt/aaa/remotecontrol/rmistart.sh

476 Troubleshooting Procedures


   NOTE: Before starting and stopping the RMI server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java 6, export JAVA_HOME as /opt/java6. If the JAVA_HOME environment variable is not set or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI server.

3. Verify that port 2099 is in the LISTEN state and that it is used by the correct process, by entering the following command:
   # lsof -i :2099

   Port 2099 must be in the LISTEN state and used by a Java process with the same PID as the RMI service displayed in Step 2.

   NOTE: The lsof tool is an open source tool and is not available by default on HP-UX operating systems.

4. Verify that the shared secret configured for rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties (located on the server being managed) and in /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties (located on the system running the Server Manager) is the same.

5. Check the following RMI log files for errors:
   • /opt/aaa/remotecontrol/admin.log - if you cannot start or stop the HP-UX AAA Server or reload the server configuration.
   • /opt/aaa/remotecontrol/file.log - if you cannot load or save the HP-UX AAA Server configuration.
   • /opt/aaa/remotecontrol/maintenance.log - if you cannot view the HP-UX AAA Server Status or the Server Logfile, Accounting, or Statistics screens.

6. If the problem persists, report the problem to HP after collecting the information listed in Chapter 32: “Reporting Problems” (page 513).
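Step 4 compares rmi.config.secret by eye across two files on two hosts. The following shell functions are an added example, not from this guide or from HP: property_value reads a key from a Java properties file (the “key=value” line form; the “key:value” form is not handled), rmi_secrets_match reports a mismatch or an empty value, and world_readable flags a secret file that every local account can read, which matters because that secret is what the two sides use to recognise each other. The file names in the comments are the guide’s; the sample files are constructed in a temporary directory for the example.

```shell
# Added example, not from the HP-UX AAA Server guide: compare rmi.config.secret
# between the managed server's rmiserver.properties and the Server Manager
# host's gui.properties, and flag secret files that every local account can read.

# property_value FILE KEY -> value of the first "KEY = value" line (blanks trimmed);
# lines starting with # or ! are comments; the "key:value" form is not handled.
property_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }
        index($0, "=") > 0 {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == k) {
                val = substr($0, eq + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# rmi_secrets_match SERVER_PROPS GUI_PROPS -> status 0 and "matches" when both
# files carry the same non-empty rmi.config.secret, else status 1 and a reason.
rmi_secrets_match() {
    s=$(property_value "$1" rmi.config.secret)
    g=$(property_value "$2" rmi.config.secret)
    [ -n "$s" ] || { echo "rmi.config.secret missing or empty in $1"; return 1; }
    [ -n "$g" ] || { echo "rmi.config.secret missing or empty in $2"; return 1; }
    [ "$s" = "$g" ] || { echo "rmi.config.secret differs between $1 and $2"; return 1; }
    echo "rmi.config.secret matches"
}

# world_readable FILE -> status 0 if "other" has read permission on FILE.
# Column 8 of the ls -l mode string is the "other" read bit.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Constructed sample files standing in for
#   /opt/aaa/remotecontrol/rmiserver.properties            (managed server)
#   /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties  (Server Manager host)
SAMPLE_DIR=$(mktemp -d)
printf '# server side\nrmi.config.secret = Example-Secret-1\n' > "$SAMPLE_DIR/rmiserver.properties"
printf 'rmi.config.secret=Example-Secret-1\n' > "$SAMPLE_DIR/gui.properties"
printf 'rmi.config.secret=Example-Secret-2\n' > "$SAMPLE_DIR/gui-other.properties"
chmod 600 "$SAMPLE_DIR"/*.properties
```

On a real installation copy gui.properties from the Server Manager host next to rmiserver.properties (or run property_value on each host and compare the printed values), and run world_readable against both files; a trailing blank or a stray quote in one file is the usual reason the values look identical but the RMI object refuses the connection.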

Troubleshooting the HP-UX AAA Server

This section describes how to troubleshoot problems with HP-UX AAA Server startup and operation. The troubleshooting flowchart in Figure 30-1 leads you to one of the following sections:
• “Troubleshooting HP-UX AAA Server Startup Problems” (page 478)
• “Troubleshooting an Unresponsive HP-UX AAA Server” (page 483)
• “Troubleshooting Access-Rejects from the HP-UX AAA Server” (page 494)
• “Troubleshooting Provisioning Errors” (page 506)

Troubleshooting the HP-UX AAA Server 477


Troubleshooting HP-UX AAA Server Startup Problems

This section describes how to troubleshoot problems encountered while starting the HP-UX AAA Server. To troubleshoot HP-UX AAA Server startup problems, complete the following steps:

1. Search for the failure error messages in the HP-UX AAA Server logfile using the Server Logfile screen in the Server Manager administration utility. For more information on using the Server Logfile screen, see “Using Server Manager to Retrieve Logfile Information” (page 142).

2. Compare the failure error messages and the command line errors to those listed in Table 30-2, and perform the appropriate corrective actions.

Common Problems with HP-UX AAA Server Startup

Table 30-2 lists the common problems that you can encounter while attempting to start the HP-UX AAA Server. Compare the problem that you observe with those listed in this table and perform the necessary corrective actions:

Table 30-2 Common Problems with HP-UX AAA Server Startup

Problem: The logfile does not have read-write permissions for the user who is trying to start the radiusd daemon.
Log Message: Error '13' (Permission denied). Cannot launch radiusd daemon. User '<user name>' cannot open '/var/opt/aaa/logs/logfile'. Verify read/write permissions for user on the file
Cause: This error can occur when radiusd is started as a non-root user after it was previously started as root.
Solution: To start radiusd as a non-root user, see Running the HP-UX AAA Server as a non-root User on page 51.

478 Troubleshooting Procedures


Problem: Incorrect permissions.
Log Message: radiusd: Error '13' (Permission denied). Cannot launch radiusd daemon. User <user name> cannot open /var/opt/aaa/run/radiusd.pid. Verify read/write permissions for user on the file.
Cause: The radiusd.pid file does not have read-write permissions for the user who is trying to start the radiusd daemon.
Solution: To start radiusd as a non-root user, see Running the HP-UX AAA Server as a non-root User on page 51.

Problem: Socket errors.
Log Message:
   setupv6sock: could not bind socket
   or
   setupsock: could not bind socket
Command line error: bind: address already in use
Cause: This problem occurs because of one of the following reasons:
• An instance of the radiusd daemon is already running.
• The ports configured for authentication and accounting are being used by a different process.
Solution:
1. Use grep to verify whether the radiusd daemon is running. If the daemon is running, use the existing instance of the daemon, or restart radiusd after killing the existing instance.
2. Check for other processes using the authentication and accounting ports configured for the radius and radacct entries, respectively, in /etc/services.
3. If the authentication or accounting port is occupied, configure different ports in /etc/services and restart radiusd. You can also configure different ports using the Start Options in the Administration screen of Server Manager.
For more information, see “Troubleshooting Bind Errors at HP-UX AAA Server Startup” (page 482).

Troubleshooting the HP-UX AAA Server 479


Problem: Unable to load AATVs.
Log Message: open_library: Cannot open shared object '<AATV>': '<error>'.
Cause: The specified AATV cannot be loaded due to one of the following reasons:
• A dependent library cannot be found at the specified location.
• The AATV or its dependent library does not have executable permissions.
Solution:
• Ensure that all the dependent libraries are present in the specified locations.
• Ensure that the AATV and dependent libraries have executable permissions. See the chmod(1) manpage for more information on changing permissions.

Problem: Invalid or missing AATV.
Log Message: read_auth: Missing AATV for entry on line 3 of /etc/opt/aaa/authfile
Cause: The AATV specified in /etc/opt/aaa/authfile is not found.
Solution: Specify a valid existing AATV in /etc/opt/aaa/authfile.

Problem: FSM-related problems.
Log Message: doconfig: init_fsm() failed rad_fsminit: non-reachable state logall-3.00::unreachable <line no> <date><time> rad_fsminit: state invalid seen but not defined
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an undefined state at line <line no>.
Solution: Ensure that the state specified on line <line no> is correct. If the correct state has been specified, define it. See “States” (page 396) for more information on defining a state.

Log Message: doconfig: init_fsm() failed rad_fsminit: invalid event name: 'invalid' line <line no>
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an invalid event name on line <line no>.
Solution: Edit /etc/opt/aaa/radius.fsm to specify a valid event name at line <line no>. See “Event Names” (page 399) for more information on specifying events.

480 Troubleshooting Procedures


Problem: FSM-related problems (continued).
Log Message: doconfig: init_fsm() failed rad_fsminit: invalid action name: 'invalid' line <line no>
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an invalid action at line <line no>.
Solution: Edit /etc/opt/aaa/radius.fsm to specify a valid action name at line <line no>. See “Actions” (page 403) for more information on specifying actions.

Log Message: doconfig: init_fsm() failed rad_fsminit: duplicate state: line <line no> <date><time>: ‘state’ <date><time> doconfig: init_fsm() failed
Cause: The FSM file /etc/opt/aaa/radius.fsm contains a duplicate state at line <line no>.
Solution: Edit /etc/opt/aaa/radius.fsm to remove the duplicate state at line <line no>. See “States” (page 396) for more information on defining states.

Log Message: vend_init: Missing Vendor number on line <line no> of vendors dict_init: Could not initialize the 'vendors' file
Cause: The /etc/opt/aaa/vendors file is missing a vendor number entry on line <line no>.
Solution: Edit the /etc/opt/aaa/vendors file to specify the vendor number on line <line no>.

Log Message: dict_init: Invalid value <invalid> in column <column no> at line <line no> in /etc/opt/aaa/dictionary. Specify <correct value range>.
Cause: The /etc/opt/aaa/dictionary file contains an invalid value at line <line no>.
Solution: Edit the /etc/opt/aaa/dictionary file and specify a valid value as given by <correct value range>.

Problem: HP-UX AAA Server fails to start.
Log Message: read_auth: Missing AATV for entry on line 15 of /etc/opt/aaa/authfile doconfig: iaaa_config_files() failed.
Cause: The authfile may have configured realm entries for Oracle or SecurID authentication.
Solution: Starting with the HP-UX AAA Server A.08.00 release, the Oracle and SecurID AATVs are obsolete. The corresponding entries must be removed from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile. HP recommends that you use the SQL Access AATV instead of the Oracle AATV, EAP-PEAP instead of EAP-LEAP, and OATH standards-based authentication instead of SecurID authentication. For information on how to configure SQL database based authentication, see Chapter 22 “SQL Access”. For information on how to configure OTP or two-factor authentication, see Chapter 16 “OATH Standards-Based OTP Authentication”.

Problem: HP-UX AAA Server logs an error message while starting.
Log Message: RealmEAP::configure: Unknown AATV 'CiscoLEAP' in '/etc/opt/aaa/EAP.authfile' at '12' for EAP-Type. Specify a valid AATV for EAP-TYPE RealmEAP::readauth: AATV for EAP-Type is missing or not valid for realm 'oracle.test.test' on line 13 in /etc/opt/aaa/EAP.authfile read_auth: /etc/opt/aaa/EAP.authfile (3 entries) read to memory, 1 error
Cause: The authfile has configured realm entries for EAP-LEAP authentication.
Solution: Starting with the HP-UX AAA Server A.08.00 release, the EAP-LEAP AATV is obsolete. The corresponding entries must be removed from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile. HP recommends that you use EAP-PEAP instead of EAP-LEAP. For information on EAP-PEAP, see Chapter 13 “Securing LAN Access With EAP”.

Troubleshooting the HP-UX AAA Server 481
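When the logfile is long, the quickest way to use Table 30-2 is to scan it for the messages the table lists. The shell functions below are an added example, not from this guide or from HP: classify_startup_error maps one logfile line to a short label naming the matching row, error_line pulls out the “line <n>” number so you know which line of radius.fsm, authfile, vendors or dictionary to edit, and scan_startup_log runs both over a whole logfile. The labels are this example’s own; the sample log text is constructed from the message forms in the table.

```shell
# Added example, not from the HP-UX AAA Server guide: map startup log lines to
# the rows of Table 30-2 and pull out the file line number they refer to.

# classify_startup_error LINE -> label for the matching Table 30-2 row, or "unknown".
classify_startup_error() {
    case "$1" in
        *"Permission denied"*"/var/opt/aaa/logs/logfile"*)   echo logfile-permissions ;;
        *"Permission denied"*"radiusd.pid"*)                  echo pidfile-permissions ;;
        *"could not bind socket"*|*"address already in use"*) echo bind-failure ;;
        *"open_library: Cannot open shared object"*)          echo aatv-load ;;
        *"Unknown AATV 'CiscoLEAP'"*)                         echo eap-leap-obsolete ;;
        *"read_auth: Missing AATV"*)                          echo aatv-missing ;;
        *"rad_fsminit: non-reachable state"*)                 echo fsm-undefined-state ;;
        *"rad_fsminit: invalid event name"*)                  echo fsm-invalid-event ;;
        *"rad_fsminit: invalid action name"*)                 echo fsm-invalid-action ;;
        *"rad_fsminit: duplicate state"*)                     echo fsm-duplicate-state ;;
        *"vend_init: Missing Vendor number"*)                 echo vendors-missing-number ;;
        *"dict_init: Invalid value"*)                         echo dictionary-invalid-value ;;
        *)                                                    echo unknown ;;
    esac
}

# error_line LINE -> the number following the last "line " in LINE, if any.
error_line() {
    printf '%s\n' "$1" | sed -n 's/.*line \([0-9][0-9]*\).*/\1/p'
}

# scan_startup_log LOGTEXT -> "label" or "label:line" for every recognised line.
scan_startup_log() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        label=$(classify_startup_error "$line")
        [ "$label" = unknown ] && continue
        n=$(error_line "$line")
        printf '%s%s\n' "$label" "${n:+:$n}"
    done
}

# Constructed sample logfile text, built from the message forms in Table 30-2.
# Live use:  scan_startup_log "$(cat /var/opt/aaa/logs/logfile)"
SAMPLE_LOG="read_auth: Missing AATV for entry on line 3 of /etc/opt/aaa/authfile
doconfig: init_fsm() failed rad_fsminit: invalid event name: 'invalid' line 27
vend_init: Missing Vendor number on line 12 of vendors dict_init: Could not initialize the 'vendors' file
setupsock: could not bind socket
informational line that matches no table row"
```

An aatv-missing label on an authfile line that names Oracle, SecurID or CiscoLEAP is the obsolete-AATV case from the last two rows rather than a typo; the line number tells you which realm entry to remove.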

Troubleshooting Bind Errors at HP-UX AAA Server Startup

This section describes how to troubleshoot problems when you cannot start the HP-UX AAA Server because of bind errors. If you are unable to start the HP-UX AAA Server, complete the following steps:

1. Check whether the radiusd daemon is already running by entering the following command:
   # ps -ef | grep radiusd

   If radiusd is running, the radiusd process is displayed. If the radiusd daemon is already running, you can stop and start the HP-UX AAA Server from the Server Manager administration utility or the command line. For more information, see “Starting HP-UX AAA Servers Using Server Manager” (page 74) or “Starting HP-UX AAA Servers From the Command Line” (page 77). You can also continue with the HP-UX AAA Server instance that is already running.

2. Enter the following command to verify that the authentication and accounting ports specified for the RADIUS service in /etc/services (entries for radius and radacct, respectively) are bound by the correct process. For example:
   # lsof -i :<authentication port>

   The authentication port (default, 1812) and accounting port (default, 1813) must be bound by the radiusd process. Because RADIUS uses UDP, lsof does not report a LISTEN state for these sockets (that state exists only for TCP); the line for each port shows UDP in the NODE column and the owning process in the COMMAND column. Use lsof -nP if you want numeric ports instead of the service names from /etc/services.

   NOTE: The lsof tool is an open source tool and is not available by default on HP-UX operating systems.

3. If another process is using the authentication or accounting port, configure different ports in the /etc/services file or from the Start Options in the Administration screen of Server Manager.

482 Troubleshooting Procedures
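The check in step 2 is easy to misread because RADIUS runs over UDP: lsof shows no LISTEN state for a UDP socket, so the test is whether the COMMAND column for each port is radiusd. The shell functions below are an added example, not from this guide or from HP: service_port pulls the radius and radacct UDP ports out of /etc/services text, udp_port_owner finds who holds each port in lsof output (captured with lsof -nP -iUDP so that ports are numeric), and check_radius_ports reports free, radiusd or CONFLICT per port. The /etc/services lines and the lsof output at the bottom are constructed for the example.

```shell
# Added example, not from the HP-UX AAA Server guide: find the RADIUS UDP ports
# from /etc/services text and report which process holds each one.

# service_port SERVICES_TEXT NAME -> UDP port number of service NAME, or nothing.
service_port() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1 == n && $2 ~ "/udp$" { sub("/udp$", "", $2); print $2; exit }'
}

# udp_port_owner LSOF_OUTPUT PORT -> "COMMAND PID" of the process bound to UDP
# PORT, or nothing. A UDP line ends "... UDP <addr>:<port>" with no state column.
udp_port_owner() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$(NF-1) == "UDP" && $NF ~ (":" p "$") { print $1, $2; exit }'
}

# check_radius_ports SERVICES_TEXT LSOF_OUTPUT -> one line per port (radius, radacct):
#   "<name> <port>/udp: free" | "... radiusd <pid>" | "... CONFLICT <command> <pid>"
# Status 1 if a port is missing from /etc/services or held by another program.
check_radius_ports() {
    rc=0
    for name in radius radacct; do
        port=$(service_port "$1" "$name")
        if [ -z "$port" ]; then
            echo "$name: no udp entry in /etc/services"; rc=1; continue
        fi
        owner=$(udp_port_owner "$2" "$port")
        case "$owner" in
            "")          echo "$name $port/udp: free" ;;
            "radiusd "*) echo "$name $port/udp: $owner" ;;
            *)           echo "$name $port/udp: CONFLICT $owner"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input. Live use on the server:
#   check_radius_ports "$(cat /etc/services)" "$(lsof -nP -iUDP)"
SAMPLE_SERVICES='radius    1812/udp    # RADIUS authentication
radius    1812/tcp
radacct   1813/udp    # RADIUS accounting'
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
radiusd 4711 root 5u IPv4 0x9a 0t0 UDP *:1812
radiusd 4711 root 6u IPv4 0x9b 0t0 UDP *:1813'
```

A "free" result while radiusd still fails to bind points at the other cause in Table 30-2, a second radiusd instance that exited between your ps and lsof, or a Listen IP Address that is not configured on the host ("Can't assign requested address").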

Troubleshooting an Unresponsive HP-UX AAA Server

To troubleshoot an unresponsive HP-UX AAA Server, first determine whether the HP-UX AAA Server is receiving requests. To determine whether the HP-UX AAA Server is receiving requests, perform the following steps:

1. View the HP-UX AAA Server logfile using the Server Logfile screen as described in “Using Server Manager to Retrieve Logfile Information” (page 142). The server logfile messages are displayed.

2. If the request was received, check the logfile for error messages and compare them to the errors listed in the following sections:
   • “Troubleshooting Common Configuration Problems” (page 484): Lists errors caused by incorrect configuration on the HP-UX AAA Server or the RADIUS client.
   • “Troubleshooting External Services” (page 488): Lists errors caused by unresponsive or failed external services.

3. If the HP-UX AAA Server received the request and remained unresponsive, but did not log an error in the logfile, see “Troubleshooting External Services” (page 488).

If the HP-UX AAA Server did not receive the request, perform the following steps:

1. Verify that the DNS server is available by entering the nslookup command. For more information on the nslookup command, see nslookup(1M).

2. Ensure that the RADIUS client is receiving requests from the supplicant and is configured to send requests to the correct HP-UX AAA Server.

3. If proxy HP-UX AAA Servers are used, see “Identifying Proxy Server Failures” (page 493) to check for proxy server failures.

Troubleshooting the HP-UX AAA Server 483


Troubleshooting Common Configuration Problems

Table 30-3 lists the problems caused by incorrect configuration on the RADIUS client or the HP-UX AAA Server. Compare the error recorded in the logfile with the following and perform the appropriate corrective actions.

Table 30-3 Common Configuration Problems

Problem: Request dropped.
Log Message: Request from unknown client <client IP or hostname> dropped. Configure client in /etc/opt/aaa/clients or Access Devices screen in Server Manager.
Cause: The HP-UX AAA Server is not configured to receive requests from the RADIUS client.
Solution:
1. Ensure that the RADIUS client is sending requests to the correct HP-UX AAA Server.
2. If the client is configured correctly, configure the HP-UX AAA Server to receive requests from the client using the Access Devices screen of the Server Manager.
3. If the HP-UX AAA Server receives the request from a proxy server, configure the proxy server using the Proxies screen of the Server Manager.
For information about configuring RADIUS clients, see Configuring RADIUS Client Using the Access Devices Screen on page 89.

484 Troubleshooting Procedures


Problem: Request dropped.
Log Message:
   get_radrequest: Request dropped. Unknown RADIUS packet 'invalid(66)' received from client 'example.com:50390
   or
   get_radrequest: ill formed packet from <server> [55421] - code = 1, vers = 1, len(hdr) = 1000, len(rcvd) = 56
   or
   get_radrequest: NO a/v pairs from <server> [55697] - access (type 1), len = 20
   or
   Request from 'example.com: port' dropped. Invalid RADIUS request received from '<client-name>' [udp-port = '<udp-port>'] of type '<type>' (type-code = '<type-code>'), version = '<version>' and length = '<length>'
Cause: The HP-UX AAA Server received a bad RADIUS request that did not contain correct information, or did not conform to the RADIUS protocol.
Solution:
1. Ensure that the RADIUS client transmits packets that conform to the RADIUS protocol standards. See HP-UX AAA Server A.08.01 Release Notes (T1428-90070) for a list of supported RADIUS protocol RFCs.
2. Ensure that the RADIUS client is current with the latest patches.
3. Perform a packet trace using the raddbginc utility or Wireshark. For information on the raddbginc utility and the debug file, see “The raddbginc Utility: For Setting Debug Output Levels” (page 510). For more information on Wireshark, see the documentation for Internet Express at www.docs.hp.com.

Problem: Request dropped.
Log Message: Unable to execute <exit> command. Attributes are not valid arguments for the <exit> command. Pre-defined events or events defined in the FSM file should be specified within quotes as argument to <exit>
Cause: This error message occurs if a string is specified without quotes. If the string is specified as an attribute, then it is not defined in the dictionary file. If the string is specified as a string constant, then it is not enclosed in quotes.
Resolution: If the string is specified as a string constant, check that it is enclosed within double quotes. If it is specified as an attribute, check that it is defined in the dictionary file.

Troubleshooting the HP-UX AAA Server 485


Table 30-3 Common Configuration Problems (continued)

TroubleshootingProblem

The specified attribute instance 'RADIUS:State[10]' couldnot be found.

Log MessageRequest dropped

This error can occur if one of the policy files is using anattribute instance that is not present in the incomingrequest.

Cause

If you are unsure whether the attribute used in the policyfile will be present in all the incoming requests, verify that

Resolution

it is present in the request before actually using it. Youcan use the count attribute function to verify that theattribute is present. For example,if ( count(State) = 10 && State = "xxxxx" )

Instance <begin> is not allowed in the argument for<tolower>. Only numeric instances and 'last' are allowed

Log MessageRequest dropped

This error can occur if you have used the begin keywordto specify the first occurrence of an attribute instance with

Cause

any command other than theinsert command. For moreinformation on the usage of the begin keyword, see“Keyword Instance Specification” (page 423).

Use numeric instances to specify the first occurrence ofan attribute instance. For example:tolower(User-Name[0])

Resolution

Instance '*' is not allowed in the argument for 'tolower'.Only numeric instances and 'last' are allowed.

NOTE: In this example, tolower has been used.However, this kind of error message can appear wheneverany unsupported arguments are specified.

Log MessageRequest dropped

This error can occur if you have specified an asterisk withcommands or attribute functions that do not support it.

Cause

For more information on the usage of the asteriskkeyword, see “Keyword Instance Specification” (page 423).

Resolution: Specify a particular instance instead of specifying all instances of an attribute where it is not supported.

Problem: Cannot generate client requests.
Log Message:
AAASQL_aatv_action: No such attribute 'Client-Request-Create-ActionId' of vendor 'HP' found in the Authreq
AAASQL_aatv_action: No such attribute 'Client-Request-Update-ActionId' of vendor 'HP' found in the Authreq
AAASQL_aatv_action: No such attribute 'Client-Request-Timeout-ActionId' of vendor 'HP' found in the Authreq
Cause: The HP-UX AAA Server is not configured to set the SQL Access action IDs used for generation of client requests.
Resolution: Verify the policies configured in the client-request-init.grp file. Ensure that the Client-Request-Create-ActionId, Client-Request-Update-ActionId and Client-Request-Timeout-ActionId attributes are assigned correct SQL Access action IDs for all the configured CLIENT actions. Ensure that the CLIENT action names configured in the aaa.config file match the CLIENT action names used in this policy file. For more information on HP-UX AAA Server client functionality, see Chapter 19 “Configuring the HP-UX AAA Server for Client Functionality”.

Problem: Responses to client requests getting dropped.
Log Message: AAASQL_aatv_action: No such attribute 'Client-Request-Cleanup-ActionId' of vendor 'HP' found in the Authreq
Cause: The HP-UX AAA Server is not configured to set the SQL Access action IDs used for processing the responses to client requests.
Resolution: Verify the policies configured in the client-reply-ingress.grp file. Ensure that the Client-Request-Cleanup-ActionId attribute is assigned the correct SQL Access action ID for the various response types. For more information on HP-UX AAA Server client functionality, see Chapter 19 “Configuring the HP-UX AAA Server for Client Functionality”.

Problem: Request dropped
Log Message: parse error: syntax error
Cause: This error occurs if the syntax used in the policy files is incorrect. The error may also occur if an operator is used without spaces between it and its operands. For example:
insert Session-Timeout = Idle-Timeout- 10
OR
insert Session-Timeout = Idle-Timeout -10
Solution: Use a space between the operators and operands. For example:
insert Session-Timeout = Idle-Timeout - 10
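The spacing rule above can be checked before the server drops requests with a parse error. The following is an added example, not code from the HP-UX AAA Server or this guide; it assumes policy lines of the `insert <attribute> = <expression>` form shown above, and extending the rule from `-` to `+`, `*` and `/` is an assumption of the example.

```python
# Arithmetic operators that the policy parser expects to see surrounded by
# spaces. The guide shows the rule for '-'; treating '+', '*' and '/' the same
# way is an assumption of this example.
ARITH_OPS = "+-*/"


def unspaced_operators(line):
    """Return [(column, operator)] for operators on the right-hand side of an
    assignment that are missing a space on at least one side.

    A '-' with non-space characters on both sides is taken to be part of an
    attribute name (Idle-Timeout) and is never reported, so 'Idle-Timeout-10'
    cannot be told apart from a name by this rule. 'Idle-Timeout- 10' and
    'Idle-Timeout -10', the two faulty forms in the guide, are both reported.
    """
    eq = line.find("=")
    if eq < 0:
        return []  # not an assignment: nothing to check
    issues = []
    for col in range(eq + 1, len(line)):
        ch = line[col]
        if ch not in ARITH_OPS:
            continue
        left_space = line[col - 1] == " "
        right_space = col + 1 < len(line) and line[col + 1] == " "
        if left_space and right_space:
            continue  # correctly spaced: 'Idle-Timeout - 10'
        if ch == "-" and not left_space and not right_space:
            continue  # hyphen inside an attribute name
        issues.append((col, ch))
    return issues


def lint_policy(text):
    """Check every line of a policy file; returns [(line_no, column, operator)]."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for col, op in unspaced_operators(line):
            findings.append((no, col, op))
    return findings


# Constructed sample policy text: the two faulty lines from the guide, the
# corrected form, and an unrelated assignment with hyphens only in the name.
SAMPLE_POLICY = """\
insert Session-Timeout = Idle-Timeout- 10
insert Session-Timeout = Idle-Timeout -10
insert Session-Timeout = Idle-Timeout - 10
insert Acct-Interim-Interval = 300
"""

if __name__ == "__main__":
    for no, col, op in lint_policy(SAMPLE_POLICY):
        print(f"line {no} col {col}: operator {op!r} needs a space on both sides")
```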


Troubleshooting External Services

This section describes how to troubleshoot problems related to external services. External service failures cause the HP-UX AAA Server to be unresponsive. If the logfile records an error, see “Identifying External Service Failures using Logfile Error Messages” (page 488) to determine the problem and perform the necessary corrective actions. However, not all external service problems result in error messages being recorded in the logfile. If the HP-UX AAA Server remains unresponsive but no error is recorded in the server logfile, see the following sections:
• “Identifying External Service Failures using Logfile Error Messages” (page 488)
• “Identifying Proxy Server Failures” (page 493)
• “Identifying Unrecorded DHCP Failures” (page 493)

Identifying External Service Failures using Logfile Error Messages

Compare the errors recorded in the HP-UX AAA Server logfile with those listed in Table 30-4 and perform the appropriate corrective actions:

Table 30-4 External Service Failure Problems

Problem: Unable to connect to the LDAP Server.
Log Message: proldap_open: Cannot connect to LDAP server 'server'. ERROR '-1' (Can't contact LDAP server). LDAP server not found. Verify LDAP properties in the Local Realms configuration in Server Manager or verify LDAP server host and port configuration values in the appropriate authfile in '/etc/opt/aaa'
Cause: This problem may occur if the LDAP Server is not running, or if the LDAP properties are not correctly configured.
Solution:
1. Ensure that the LDAP server is running.
2. Verify the following LDAP configuration parameters for the affected realm:
• Host
• Port
For more information on verifying the LDAP configuration for a realm, see “Configuring Realms for LDAP” (page 112).

Problem: Unable to connect to the LDAP server as administrator.
Log Message: get_open_result: Cannot connect to LDAP server '<servername>' as LDAP user 'cn=value,dc=value,dc=value,dc=com'. ERROR '49' (Invalid credentials). Access denied. Verify LDAP properties in the Local Realms configuration in Server Manager or verify LDAP user and password in the appropriate authfile in '/etc/opt/aaa' (Keyword 'Keyword')
Cause: This problem may occur if the LDAP properties are not correctly configured.
Solution: Verify the following LDAP configuration parameters for the affected realm:
• Administrator
• Password
• Search Base
• Filter
• Authentication Type
For more information on verifying the LDAP configuration for a realm, see “Configuring Realms for LDAP” (page 112).

Problem: Unable to open database connection.
Log Message: Connecting DB '<database>' with service 'example:152/ora10g', user 'system' OCI_ERROR(AAA_OCIServerAttach -1): ORA-12541: TNS:no listener 2006: OCI_ERROR(AAA_OCISessionBegin -1): ORA-24327: need explicit attach before authenticating a user Failed to open database connections for db_oci db id.
Cause: No listener is running on the Oracle server. If the listener is running, the connection configuration (hostname and port) is incorrect.
Solution: Verify that an instance of the Oracle database server is running on the server and port specified in the DBID structure of /etc/opt/aaa/sqlaccess.config. For more information on using the SQL Access feature with Oracle, see Chapter 22 (page 338).

Problem: Unable to connect to the Oracle database server.
Log Message: Connecting DB '<database>' with service 'example:1521/ora10g', user 'system' OCI_ERROR(AAA_OCIServerAttach -1): ORA-12154: TNS:could not resolve the connect identifier specified OCI_ERROR(AAA_OCISessionBegin -1): ORA-24327: need explicit attach before authenticating a user Failed to open database connections for db_oci db id
Cause: The Oracle server and port that the HP-UX AAA Server is trying to connect to cannot be resolved.
Solution: Specify the correct server and port in the DBID structure of /etc/opt/aaa/sqlaccess.config. For more information on using the SQL Access feature with Oracle, see Chapter 17, SQL Access on page 221. If the sqlaccess.config configuration is correct, the OCI client is unable to resolve the database name. Ensure that the tnsnames.ora file contains all the databases that your OCI client can connect to. Also ensure that the TNS_ADMIN path variable is set to the location of tnsnames.ora. For more details, see your vendor’s documentation.


Problem: Unable to connect to the MySQL database server.
Log Message: wrong ODBC datastore in sqlaccess.config Connecting DB '<database>' with data source '<data source>', user '<user name>' SQL_ERROR(IM002 0): [unixODBC][Driver Manager]Data source name not found, and no default driver specified SQL_ERROR(08003 0): [unixODBC][Driver Manager]Connection does not exist ERROR: AAA_SQLAllocHandle(SQL_HANDLE_STMT) failed!
Cause: An incorrect ODBC datastore was specified for the MySQL server.
Solution: Specify the correct value for ODBCDataStore in the DBID structure of /etc/opt/aaa/sqlaccess.config. For more information on using the SQL Access feature with MySQL, see Chapter 22 (page 338).

Problem: Unable to connect to the MySQL database server.
Log Message: Connecting DB '<database>' with data source '<datasource>', user '<user name>' SQL_ERROR(HYT00 2005): [unixODBC][MySQL][ODBC 3.51 Driver]Unknown MySQL Server Host 'minolt' (0) SQL_ERROR(08003 0): [unixODBC][Driver Manager]Connection does not exist ERROR: AAA_SQLAllocHandle(SQL_HANDLE_STMT) failed! Failed to open database connections for db_odbc db id.
Cause: The MySQL server that the HP-UX AAA Server is trying to connect to cannot be resolved.
Solution: Specify the correct server and port in the MySQL server odbc.ini file. For more information on using the SQL Access feature with MySQL, see Chapter 22 (page 338).

Problem: Unable to connect to the MySQL database server.
Log Message: Connecting DB '<database>' with data source '<datasource>', user '<user name>' SQL_ERROR(HYT00 2003): [unixODBC][MySQL][ODBC 3.51 Driver] Can't connect to MySQL server on 'example' (239) SQL_ERROR(08003 0): [unixODBC][Driver Manager]Connection does not exist ERROR: AAA_SQLAllocHandle(SQL_HANDLE_STMT) failed! Failed to open database connections for db_odbc db id
Cause: No instance of the MySQL server is found on the server specified in the odbc.ini file.
Solution: Verify that an instance of the MySQL database server is running on the server specified in the odbc.ini file. You can also check if the correct port is listed in the odbc.ini file. For more information on using the SQL Access feature with MySQL, see Chapter 22 (page 338).


Problem: Unable to connect to the DHCP server.
Log Message: Authentication: 205/0 '<user name>' via <hostname/IP address> from <hostname/IP address> port <port no> Outbound (8 retries) - FAILED DHCP server not responding -- total 24, holding 0
Cause: The DHCP server is busy or unavailable.
Solution: Verify that the DHCP server is running and can service IP address requests. Or, specify an alternate DHCP server.

Problem: Two-factor authentication using MS-CHAP v2 fails when the encrypted user password is stored in LDAP and the token information is stored in the SQL database.
Log Message:
mschap2Authenticate: user ‘<user name>’ has unknown hash ‘crypt’
mschap2Authenticate: user ‘<user name>’ has unknown hash ‘sha’ or Mschap2Authenticate: user ‘<user name>’ has unknown hash ‘SHA’
mschap2Authenticate: user ‘<user name>’ has unknown hash ‘ssha’ or Mschap2Authenticate: user ‘<user name>’ has unknown hash ‘SSHA’
mschap2Authenticate: user ‘<user name>’ has unknown hash ‘md5’
Cause: Two-factor authentication using MS-CHAP v2 supports only a clear text user password stored in LDAP.
Solution: If the encrypted user password is stored in the SQL database, a SQL Access conversion function is required to convert the encrypted password to a clear text user password. MS-CHAP v2 supports only a clear text user password stored in LDAP.

Problem: Requests dropped for around 18 seconds.
Log Message: iaaa.SNMP: AgentX master agent failed to respond to ping. Attempting to re-register.
Cause: This problem may occur if the SNMP master agent is not responding.
Solution: Ensure that the SNMP master agent is running and is responding. For more information on SNMP properties, see “The iaaa.SNMP Property” (page 521).
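As an added example that is not part of the HP-UX AAA Server or this guide, the following script runs the Table 30-4 messages above as detection patterns over logfile lines and reports, per external service, the first check to make. The sample log lines are constructed, and the mapping from message to check is this example's own reading of the table.

```python
import re

# Each rule: (pattern taken from a Table 30-4 log message, external service,
# first corrective check from the matching Cause/Solution cell).
EXTERNAL_SERVICE_RULES = [
    (re.compile(r"proldap_open: Cannot connect to LDAP server '(?P<server>[^']*)'"),
     "ldap", "LDAP server not reachable: check it is running and the realm Host/Port"),
    (re.compile(r"get_open_result: Cannot connect to LDAP server '(?P<server>[^']*)' as LDAP user"),
     "ldap", "LDAP bind rejected: check Administrator, Password, Search Base, Filter, Authentication Type"),
    (re.compile(r"ORA-12541: TNS:no listener"),
     "oracle", "no listener on the host/port in the DBID structure of /etc/opt/aaa/sqlaccess.config"),
    (re.compile(r"ORA-12154: TNS:could not resolve"),
     "oracle", "connect identifier unresolvable: check DBID host/port, tnsnames.ora and TNS_ADMIN"),
    (re.compile(r"SQL_ERROR\(IM002 \d+\)"),
     "mysql", "ODBC data source not found: check ODBCDataStore in sqlaccess.config"),
    (re.compile(r"Unknown MySQL Server Host '(?P<server>[^']*)'"),
     "mysql", "MySQL host unresolvable: check server and port in odbc.ini"),
    (re.compile(r"Can't connect to MySQL server on '(?P<server>[^']*)'"),
     "mysql", "no MySQL instance on the odbc.ini host: check the server is running and the port"),
    (re.compile(r"FAILED DHCP server not responding -- total (?P<total>\d+), holding (?P<holding>\d+)"),
     "dhcp", "DHCP server busy or unavailable: verify it services requests or use an alternate"),
    (re.compile(r"iaaa\.SNMP: AgentX master agent failed to respond to ping"),
     "snmp", "SNMP master agent not responding: requests are dropped until it re-registers"),
]


def triage_line(line):
    """Return a finding dict for a line that matches a Table 30-4 message, else None."""
    for pattern, service, action in EXTERNAL_SERVICE_RULES:
        match = pattern.search(line)
        if match:
            finding = {"service": service, "action": action}
            finding.update(match.groupdict())  # server/total/holding when captured
            return finding
    return None


def triage_log(lines):
    """Group findings by external service: {service: [finding, ...]}.
    Lines that match no rule are ignored (they belong to other tables)."""
    findings = {}
    for number, line in enumerate(lines, 1):
        hit = triage_line(line)
        if hit is not None:
            hit["line"] = number
            findings.setdefault(hit["service"], []).append(hit)
    return findings


# Constructed sample logfile excerpt: three Table 30-4 conditions plus an
# unrelated authentication line that must not be reported here.
SAMPLE_LOG = [
    "proldap_open: Cannot connect to LDAP server 'ldap1.example.com'. ERROR '-1' (Can't contact LDAP server).",
    "Authentication failed. Unsuccessful password comparison for user 'alice' in realm 'example.com'.",
    "Authentication: 205/0 'alice' via nas1 from nas1 port 7 Outbound (8 retries) - FAILED DHCP server not responding -- total 24, holding 0",
    "OCI_ERROR(AAA_OCIServerAttach -1): ORA-12541: TNS:no listener",
    "Connecting DB 'aaadb' with data source 'aaa_dsn', user 'aaa'SQL_ERROR(HYT00 2005): [unixODBC][MySQL][ODBC 3.51 Driver]Unknown MySQL Server Host 'minolt'(0)",
]

if __name__ == "__main__":
    for service, hits in sorted(triage_log(SAMPLE_LOG).items()):
        for hit in hits:
            print(f"line {hit['line']:>3} {service:7} {hit['action']}")
```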


Identifying Unrecorded External Datastore Failures

If your AAA environment uses one or more external datastores, a failure in a datastore can cause the HP-UX AAA Server to be unresponsive, but not record an error to the logfile. To determine if an unrecorded external datastore failure is causing the problem, complete the following steps:
1. Examine the Access-Request for the User-Name attribute value to determine the realm.
2. Select the realm from the Local Realms screen of the Server Manager.
3. Check the User Profile Storage selection in the Modify Realms screen. This determines the datastore used for the user profile. If an external datastore (for example, SQL Access) is selected, check the datastore access parameters specified for the datastore. If Database via SQL Access is selected, the database access parameters are specified in the DBID structure of the /etc/opt/aaa/sqlaccess.config file.
4. Ensure that the external datastore is responsive.

Identifying Proxy Server Failures

If your AAA environment uses proxy HP-UX AAA Servers, a failure in one or more proxies can cause the HP-UX AAA Server to be unresponsive, but not record an error to the logfile. If proxy HP-UX AAA Servers are used, verify the proxy configuration for each proxy, starting with the proxy server closest to the RADIUS client/supplicant. For each proxy server, use the Add/Modify Proxy screen of the Server Manager and verify the following.
• Shared Secret: The shared secret on the proxy server must match that of the remote server to which the requests are forwarded.
• Realms to Forward: Ensure that the appropriate realms are selected.
• Authentication Relay Port: Ensure that the correct UDP port that is used to relay authentication requests (configured in /etc/services) is specified. The default authentication relay port is 1812.
• Accounting Relay Port: Ensure that the correct UDP port that is used to relay accounting requests (configured in /etc/services) is specified. The default accounting relay port is 1813.

For more information on proxy server configuration, see Configuring Proxies on page 119. If a proxy server is offline or does not forward the requests, see “Troubleshooting Flowchart” (page 469) to troubleshoot it.

Identifying Unrecorded DHCP Failures

Unrecorded DHCP failures can occur because of a shortage of addresses in the configured address pool, or if the DHCP server sends a malformed packet to the HP-UX AAA Server.

To determine if an unrecorded DHCP failure caused the problem, complete the following steps:
1. Access the datastore used for user profile storage as described in “Identifying Unrecorded External Datastore Failures” (page 493).
2. If the DHCP address pool is configured, ensure that there are sufficient addresses in the pool.
3. Ensure that the DHCP server is sending valid packets to the HP-UX AAA Server.

Troubleshooting Access-Rejects from the HP-UX AAA Server

The HP-UX AAA Server sends an Access-Reject message to the RADIUS client if authentication fails. Authentication failures occur because of incorrect configuration on the HP-UX AAA Server or the RADIUS client, or due to incorrect credentials passed to the HP-UX AAA Server. Use the following sections to troubleshoot problems related to authentication failures.
• “Common Authentication Failure Problems” (page 494): This section lists the common problems related to authentication failures and the necessary corrective actions.
• “EAP Problems” (page 502): This section lists EAP implementation-specific problems related to authentication failures.

Common Authentication Failure Problems

Compare the error messages recorded in the logfile to those in Table 30-5 and perform the corresponding corrective actions.

Table 30-5 Common Authentication Failure Problems

Problem: Unable to authenticate
Log Message: Authentication failed. Unsuccessful password comparison for user '<user name>' in realm '<realm name>'. Verify password in request and user profile. Verify shared secret match between client '<client>' and client configuration in '/etc/opt/aaa/clients' or Access Devices screen in Server Manager
Cause: This error occurs because of any of the following reasons:
• The shared secret configured for the RADIUS client and the HP-UX AAA Server do not match.
• The password provided by the user does not match the password configured in the user profile datastore.
Solution:
1. Ensure that the shared secret configured on the RADIUS client matches the one specified in the Access Devices screen of the Server Manager.
2. Ensure that the password supplied by the user is correct.


Problem: Unable to authenticate
Log Message: session_allowed: Access rejected. Active sessions for user is at maximum configured (Simultaneous-Use) limit '<limit>'
Cause: The HP-UX AAA Server received an Access-Request from a user whose number of active sessions equals the configured simultaneous session limit. Or, the NAS went offline abruptly and resulted in a stale session in the HP-UX AAA Server for the affected user.
Solution: Advise the user to terminate the existing session before attempting to start a new one. If the user does not have an active open session, use the Session screen of the Server Manager to delete the stale session. For more information, see Chapter 14 (page 169). Or, increase the simultaneous session limit for the user. For more information on configuring simultaneous sessions, see “Limiting Simultaneous Sessions” (page 172).


Problem: Unable to authenticate
Log Message: aaa_realm: Request denied. Unknown realm '<realm name>' for user '<user name>'. Verify realm configuration through Server Manager or in files '<authfile>' for the realm and '<EAP.authfile>' for the realm or default realm entry
Cause: The HP-UX AAA Server is not configured to service requests from the realm.
Solution:
1. Ensure that the client is configured to send requests to the correct HP-UX AAA Server.
2. If the client configuration is correct, configure the realm in the HP-UX AAA Server as described in Chapter 8 (page 105).

Problem: Unable to authenticate
Log Message: parse_password: Authentication failed. Incomplete or no profile found for user '<user name>' in realm '<realm name>'. Verify that a complete user profile exists for the user
Cause: The request contains an incorrect user name. Or, the user is not a part of the realm.
Solution:
1. Verify that the user belongs to the realm.
2. If the user belongs to the realm, configure the user profile in the datastore for the realm. If the datastore is the local file, use the Users screen in the Server Manager to configure the user. For more information on configuring local users, see Chapter 10 (page 127).
3. Verify that the correct realm and Otp-ActionId are configured in the request-ingress.grp file.
If you have modified the configuration, save the configuration and restart the HP-UX AAA Server.

Log Message: compare_password_hash: Hash mechanism '<incorrect>' is not supported
Cause: An invalid password hash mechanism is specified manually for the user in the user profile.
Solution:
1. Navigate to the Users screen of the Server Manager and select the user.
2. Select a password hash mechanism.
If you have modified the configuration, save the configuration and restart the HP-UX AAA Server.


Problem: Unable to authenticate
Log Message: check_request: Access denied. Request does not match check item '<check item attribute>' for user '<user name>' in realm '<realm name>'. Expected: '<IP address>', received: '<IP address>'
Or: check_request: Access denied. Request matched deny item '<deny item attribute>' for user '<user name>' in realm '<realm name>'
Cause: The attribute value sent by the client does not match the CHECK item value configured for the user profile. Or, the attribute value sent by the client matches the DENY value configured for the user profile.
Solution:
1. Verify the attributes sent by the client to the HP-UX AAA Server.
2. If the client sent correct attributes, verify the CHECK and DENY items configured for the user in the user profile datastore.
If the datastore is the local file, use the Users screen in the Server Manager to configure the user. For more information on configuring local users, see Chapter 10 (page 127). If you have modified the configuration, save the configuration and restart the HP-UX AAA Server.


Problem: Unable to authenticate
Log Message: dhcpRelayAatv_ActionFunction: Request failed. DHCP Relay is disabled. Verify DHCP Server-Name/ IP-Address at DHCP server properties in the Server Manager at Server Properties > DHCP Relay Properties or in /etc/opt/aaa/aaa.config
Authentication: 24/0 '<user name>' via <host name/IP address> from <host name/IP address> port <port no> Outbound - FAILED Problem allocating IP address -- total 0, holding 0
Cause: The DHCP configuration in the /etc/opt/aaa/aaa.config file is incorrect.
Solution: Manually edit the /etc/opt/aaa/aaa.config file and modify the value <value> or keyword <keyword>. Or:
1. Navigate to the DHCP Relay screen through the Server Properties screen of the Server Manager.
2. Ensure that you specify a correct entry for the DHCP server and port.
3. If you have modified the configuration, save the configuration to the HP-UX AAA Server and restart it.

Log Message: dhcpRelayAatv_InitFunction: ERROR attribute not in '<attribute>' dictionary dhcpRelayAatv_InitFunction: DHCP Relay disabled: No DHCP server configured. check dictionary
Cause: An attribute used for DHCP configuration in /etc/opt/aaa/aaa.config was not found in the dictionary file.
Solution: Manually edit the /etc/opt/aaa/dictionary file and add the attribute <attribute>.


Problem: Unable to authenticate
Log Message: Sequence counter resynchronization failed for user <user name> in realm <realm name> after <number> unsuccessful OTP validations. The last sequence counter attempted is <number>.
Cause: The HP-UX AAA Server is not able to resynchronize the sequence counter because the OTP in the request is incorrect. This can happen because of one of the following reasons:
• The OTP is out of synchronization beyond the value configured in OTP-Lookup-Window.
• The length of the OTP does not match the configured value.
• The OTP is incorrect (wrongly entered by the user).
• The shared secret to be used to generate the OTP may not be in the binary format.
Resolution: Validate the OTP using the User Database Administration tool. You can also check if the OTP-Token-Length for the user is correct. In addition, you can check if the user has correctly entered the OTP. Verify that you have used the AAAConvertandSetHexToBinaryString() conversion function or your own conversion function to convert the shared secret to binary.

Problem: Unable to authenticate
Log Message: Configured OTP token length for user <user name> in realm <realm name> is less than 6. The valid OTP token length is either 6, 7 or 8. Verify that the configured token length is valid
Or: Configured OTP token length for user <user name> in realm <realm name> is greater than 8. The valid OTP token length is either 6, 7 or 8. Verify that the configured token length is valid
Cause: The OTP token length is wrongly configured in the OTP-Token-Length attribute or in the otp_token_length system-wide configuration item.
Resolution: Check the value of the OTP-Token-Length attribute in the user profile, in the request-ingress.grp file, or in the aaa.config file. For more information, see “Attributes for Configuring OTP Authentication” (page 192).


Problem: Unable to authenticate
Log Message: Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is zero. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Or: Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is negative. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Or: Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is greater than the maximum OTP Action Id value 127. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Cause: An invalid OTP action is configured in the request-ingress.grp file.
Resolution: Check the configuration in the request-ingress.grp file. The value for the OTP Action must be between 1 and 127. For more information on OTP authentication configuration, see “Advanced OTP Authentication Configuration Concepts” (page 187).

Problem: Unable to authenticate
Log Message: The token for user <user name> in realm <realm name> is not active. HP-UX AAA Server validates the OTP only for active tokens. Verify the token status in the token repository.
Or: The token with serial number <serialnumber> for user <user name> in realm <realm name> is not active. The current token status is <tokenstatus>. HP-UX AAA Server validates the OTP only for active tokens. Verify the token status in the token repository.
Cause: The token status of the user is in a state other than ACTIVE. OTP authentication can happen only if the user's token status is ACTIVE.
Resolution: Use the Manage Users screen in the User Database Administration Manager to change the user's token status to ACTIVE. For more information on this procedure, see “Modifying User Credentials” (page 377). For more information on token statuses, see “Valid Token Status Values” (page 383).


Problem: Unable to authenticate
Log Message: Shared secret for user <user name> in realm <realm name> is <number> bytes. The shared secret must not be less than 16 bytes. Verify the length of the shared secret in the token repository.
Cause: The length of the shared secret is too short.
Resolution: Verify that you have entered a shared secret that is more than 16 bytes.

Problem: Unable to authenticate
Log Message: Shared secret not found for user <user name> in realm <realm name>. The shared secret is required to generate and validate the OTP. Verify that the shared secret is configured in the token repository.
Cause: The shared secret is not configured in the token repository.
Resolution: Check that the shared secret is configured in the tokens table in the SQL database for that user. In addition, verify that the correct realm name is configured in the /etc/opt/aaa/authfile and /etc/opt/aaa/request-ingress.grp files.

Problem: Sequence counter not found for user
Log Message: Sequence counter resynchronization failed for user <user name> in realm <realm name>. The sequence counter is required to generate and validate the OTP. Verify that the sequence counter is configured in the token repository
Cause: The sequence counter is not configured in the token repository.
Resolution: Check that the sequence counter is configured in the tokens table in the SQL database for that user. In addition, verify that the correct realm name is configured in the /etc/opt/aaa/authfile and /etc/opt/aaa/request-ingress.grp files.

Problem: Unable to authenticate
Log Message: Invalid hexadecimal string for the user <user name> in realm <realm name>. The configured hexadecimal string <string> length <stringlength> is less than the minimum value. The hexadecimal string length must not be less than 16 bytes.
Cause: The hexadecimal shared secret in the SQL database is less than 16 bytes.
Resolution: Check that the hexadecimal shared secret in the SQL database is more than 16 bytes.


Problem: Unable to authenticate
Log Message: Configured hexadecimal string for user <user name> of realm <realm name> has one or more non-hexadecimal characters. Verify the configured hexadecimal string in the token repository.
Cause: The configured hexadecimal shared secret has non-hexadecimal characters.
Resolution: Hexadecimal characters range from 0–9 and a–f. Check that the hexadecimal shared secret does not contain any other characters.

Problem: Unable to authenticate
Log Message: Invalid hexadecimal string. Configured hexadecimal string for user <user name> of realm <realm name> is NULL. Verify the configured hexadecimal string in the token repository.
Cause: The shared secret is not configured.
Resolution: Check the tokens table in the SQL database to confirm that the shared secret is configured for that user.

Problem: Unable to authenticate
Log Message: Incoming OTP length for user <user name> in realm <realm name> is less than the minimum OTP token length <number>. The incoming OTP length must be <number>.
Cause: The password entered by the user is shorter than the configured OTP length.
Resolution: Verify that the user has sent the correct OTP value.
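The OTP rows of Table 30-5 above amount to a fixed set of checks on each token-repository entry (token length 6 to 8, OTP Action Id 1 to 127, token status ACTIVE, a configured sequence counter, and a hexadecimal shared secret of at least 16 bytes with no non-hexadecimal characters). The following added example, not code from the HP-UX AAA Server or this guide, applies those checks to constructed records ahead of the server rejecting a request; the record field names, the acceptance of upper-case hexadecimal digits, and reading the 16-byte limit as the length of the decoded secret are assumptions of the example.

```python
import binascii

# Limits stated in the OTP rows of Table 30-5.
VALID_TOKEN_LENGTHS = (6, 7, 8)            # OTP-Token-Length must be 6, 7 or 8
OTP_ACTION_ID_MIN, OTP_ACTION_ID_MAX = 1, 127
MIN_SECRET_BYTES = 16                      # shared secret must not be less than 16 bytes
# The guide lists 0-9 and a-f; accepting A-F as well is an assumption here.
HEX_DIGITS = frozenset("0123456789abcdefABCDEF")


def check_shared_secret(hex_secret):
    """Checks on the hexadecimal shared secret, ordered as the server's
    Table 30-5 messages report them (NULL, non-hex, too short).
    Returns a list of problem strings; empty means the secret is acceptable."""
    if not hex_secret:
        return ["shared secret is NULL or not configured"]
    if any(ch not in HEX_DIGITS for ch in hex_secret):
        return ["shared secret contains non-hexadecimal characters"]
    if len(hex_secret) % 2:
        # Assumption: an odd digit count cannot be converted to whole bytes.
        return ["shared secret has an odd number of hexadecimal digits"]
    secret = binascii.unhexlify(hex_secret)
    if len(secret) < MIN_SECRET_BYTES:
        return [f"shared secret is {len(secret)} bytes, minimum is {MIN_SECRET_BYTES}"]
    return []


def validate_token_record(rec):
    """Validate one token-repository row (a dict with the keys used in
    SAMPLE_RECORDS). Returns every problem found; empty if the record is usable."""
    problems = []
    if rec.get("token_length") not in VALID_TOKEN_LENGTHS:
        problems.append(f"OTP token length {rec.get('token_length')!r} is not 6, 7 or 8")
    action_id = rec.get("otp_action_id")
    if not isinstance(action_id, int) or not OTP_ACTION_ID_MIN <= action_id <= OTP_ACTION_ID_MAX:
        problems.append(f"OTP Action Id {action_id!r} is outside 1..127")
    if rec.get("status") != "ACTIVE":
        problems.append(f"token status {rec.get('status')!r} is not ACTIVE")
    if rec.get("sequence_counter") is None:   # a counter of 0 is configured
        problems.append("sequence counter is not configured")
    problems.extend(check_shared_secret(rec.get("shared_secret_hex")))
    return problems


def check_incoming_otp(otp, token_length):
    """Length check on the OTP in the request (last row of Table 30-5):
    the incoming OTP must be exactly the configured token length."""
    return len(otp) == token_length


def validate_repository(records):
    """Return {user: [problems]} for every record that has at least one problem."""
    report = {}
    for user, rec in records.items():
        problems = validate_token_record(rec)
        if problems:
            report[user] = problems
    return report


# Constructed sample records; field names and the DISABLED status value are
# this example's own, not the guide's tokens-table schema.
SAMPLE_RECORDS = {
    "alice@example.com": {"token_length": 6, "otp_action_id": 5, "status": "ACTIVE",
                          "sequence_counter": 42,
                          "shared_secret_hex": "0123456789abcdef0123456789abcdef"},
    "bob@example.com": {"token_length": 6, "otp_action_id": 5, "status": "ACTIVE",
                        "sequence_counter": 0,
                        "shared_secret_hex": "0123456789abcdef"},      # 8 bytes only
    "carol@example.com": {"token_length": 5, "otp_action_id": 0, "status": "DISABLED",
                          "sequence_counter": None,
                          "shared_secret_hex": "not-hex-at-all"},
}

if __name__ == "__main__":
    for user, problems in validate_repository(SAMPLE_RECORDS).items():
        for problem in problems:
            print(f"{user}: {problem}")
```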

EAP Problems

Compare the error messages recorded in the logfile to those in Table 30-6 and perform the corresponding corrective actions.


Table 30-6 EAP Problems

Problem: Invalid EAP type specified
Log Message: Invalid EAP type '<invalid>' specified for the user '<user name>' for realm '<realm name>'. Verify the EAP type configured for the realm 'example.com' in the appropriate authfile in '/etc/opt/aaa'. Or, verify the EAP configuration in the Local Realms screen in Server Manager.
Cause: The EAP type specified in the request does not match the EAP type configured for the realm.
Solution: Configure the supplicant to use the EAP type specified for the affected realm. You can access the realm configuration using the Local Realm screen in the Server Manager administration utility. See Chapter 8, Configuring Realms on page 97 for more information.

Problem: Unable to authenticate
Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'unknown_ca'. The certificate was not accepted. The CA certificate could not be located or matched with a known trusted CA.
Cause: The CA certificate for the client’s certificate is not found in the HP-UX AAA Server.
Solution: Configure the client to use a certificate whose CA is specified on the HP-UX AAA Server. Or:
1. Navigate to the Certificates screen under Server Properties in the Server Manager administration utility.
2. Specify a fully qualified filename in the .pem format in the Client Certificate Authority Path field. This file must contain one or more CA certificates used to authenticate client certificates. If the path exists, ensure that it contains the client’s CA certificate.
Save the configuration to the HP-UX AAA Server and restart it.

Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'certificate_expired'. Verify the validity of the user and CA certificates.
Cause: The client or supplicant certificate has expired.
Solution: Advise the user to acquire a new certificate from the administrator or ISP, and retry authentication.


Table 30-6 EAP Problems (continued)

TroubleshootingProblem

Log Message: ProcessHandshake TLS: AAA Server generated TLS alert:'certificate_revoked'. The certificates used for validation have been revoked by the CA

Problem: Unable to authenticate

Cause: The client or supplicant certificate has been revoked.

Solution: Advise the user to acquire a new certificate from the administrator or ISP, and retry authentication.

Log Message: VerifyIdentity: Field <Field> in the user certificate did not match the User-Id '<user-Id>' in the request.

Cause: The User Name configured in the certificate does not match the User Name specified in the request.

Solution: Verify the Client User Name Attribute configured in the Certificates screen under Server Properties in the Server Manager. This value identifies the attribute in the digital certificate used to retrieve the user name. The user name in the user certificate attribute value must match a valid EAP-TLS user profile. For example, if the Client User Name Attribute is configured as Subject EmailAddress and the corresponding attribute value in the certificate is test@example.com, then example.com must be a valid EAP-TLS realm with test as a valid user. If you have modified the configuration, save the configuration to the HP-UX AAA Server and restart it.

Log Message: <EAP type> <field> missing or invalid. Verify <entry> in Server Properties > Certificate Properties in the Server Manager and that the file contains a valid <entry>

Problem: Unable to authenticate

Cause: The Certificate Properties configured on the HP-UX AAA Server are invalid.

Solution: Navigate to the Certificates screen under Server Properties of the Server Manager. Specify a fully qualified filename for each of the following:
• Server Certificate Path
• Server Private Key Path
• Client Certificate Authority Path
• Random Seed Path
For more information, see Chapter 13, Securing LAN Access with EAP on page 181. If you have modified the configuration, save the configuration to the HP-UX AAA Server and restart it.


Log Message: EAP-SIM : FSM does not define all of these events: 'SIM_AUTH_BY_PERMANENT_ID', 'SIM_AUTH_BY_PSEUDONYM', 'SIM_AUTH_BY_FAST_REAUTH_ID' 'SIM_UPDATE'. Disabling EAP-SIM.

Problem: EAP-SIM functionality is disabled

Cause: If the radius.fsm file is modified prior to upgrading to HP-UX AAA Server A.08.01 from an older version, the FSM does not upgrade.

Resolution: You must merge the changes present in the legacy FSM with the radius.fsm file available in the HP-UX AAA Server A.08.01 release. For more information, see Chapter 2 “Upgrading to Version A.08.01”

Log Message: EAP-AKA : FSM does not define all of these events: 'AKA_AUTH_BY_PERMANENT_ID', 'AKA_AUTH_BY_PSEUDONYM', 'AKA_AUTH_BY_FAST_REAUTH_ID', 'AKA_UPDATE' 'AKA_RESYNCHRONIZATION'. Disabling EAP-AKA.

Problem: EAP-AKA functionality disabled

Cause: If the radius.fsm file is modified prior to upgrading to HP-UX AAA Server A.08.01 from an older version, the FSM does not upgrade.

Resolution: You must merge the changes present in the legacy FSM with the radius.fsm file available in the HP-UX AAA Server A.08.01 release. For more information, see Chapter 2 “Upgrading to Version A.08.01”

Log Message: SIM-TripletCalc: Required attributes missing or malformed

Problem: Unable to authenticate

Cause: Either the Subscriber-Key, A3-Algorithm, or A8-Algorithm attribute is not configured, or does not meet the required specifications.

Resolution: Verify the Subscriber-Key configured for the user in the user profile and the A3_Algorithm and A8_Algorithm configured for the realm in the EAP.authfile file. For information on how to configure, see Chapter 17 “Configuring EAP-SIM and EAP-AKA Authentication Methods”

Log Message: AKA-VectorCalc: Required attributes missing or malformed

Problem: Unable to authenticate

Cause: One of the Subscriber-Key, AKA-Sequence-Number, AKA-Mode, or AKA-Algorithm attributes is not configured, or does not meet the required specifications.

Resolution: Verify the Subscriber-Key, AKA-Sequence-Number, and AKA-Mode configured for the user in the user profile and the AKA_Algorithm configured for the realm in the EAP.authfile file. For information on how to configure, see Chapter 17 “Configuring EAP-SIM and EAP-AKA Authentication Methods”

Troubleshooting Provisioning Errors
The supplicant will not be able to connect to the network service unless the HP-UX AAA Server sends the provisioning attributes (such as session key, tunneling, and filter attributes) expected by the RADIUS client. This occurs even if the HP-UX AAA Server sends an Access-Accept to the RADIUS client.
To troubleshoot provisioning errors, perform the following steps:
1. Check the provisioning attributes expected by the RADIUS client from the HP-UX AAA Server (along with the Access-Accept message).
2. Verify the Reply items configured for the user in the user profile store.
3. Turn debugging on and set the debug output level to 2. For more information on using debugging, see “The raddbginc Utility: For Setting Debug Output Levels” (page 510). Examine the /var/opt/aaa/logs/radius.debug file for attributes sent in the Access-Accept message. Ensure that the client is configured to expect the reply items sent by the HP-UX AAA Server.
4. If you have modified the user profile through the Server Manager, save the changes to the HP-UX AAA Server.

Troubleshooting the HP-UX AAA Server Admin Utility
This section describes how to troubleshoot the HP-UX AAA Server Admin Tool.

Table 30-7

Problem: The HP-UX AAA Server Admin tool /opt/aaa/bin/rad_admin.sh fails to administer HP-UX AAA Servers configured on the host with any one of the following errors: “File /opt/aaa/remotecontrol/gui.properties is not found” (OR) “File /opt/aaa/remotecontrol/groups.config is not found”.

Cause: Groups and Servers are not configured using the HP-UX AAA Server Manager.

Solution: Configure the required Groups and Servers using HP-UX AAA Server Manager as follows:
1. Start the Tomcat and HP-UX AAA Server Manager.
2. Add the required Groups and Servers.
3. Click ‘Server Connections’ from the left panel. Select the group to which the servers that need to be run belong from the ‘Select a group for administration’ menu.
4. Click ‘Save Configuration’ from the left panel.
5. Select the servers which you would like to administer using the HP-UX AAA Server Admin Tool.
6. Click the ‘Save’ button.
For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager”

Cause: Server Attributes are not saved on the host where the Servers are configured to run.

Solution: Save the Server Attributes using HP-UX AAA Server Manager as follows:
1. Start the Tomcat and HP-UX AAA Server Manager.
2. Click ‘Server Connections’ from the left panel. Select the group to which the servers that need to be run belong from the ‘Select a group for administration’ menu.
3. Click ‘Save Configuration’ from the left panel.
4. Select the servers which you would like to administer using the HP-UX AAA Server Admin Tool.
5. Select the ‘Server Attributes Only’ option.
6. Click the ‘Save’ button.

Problem: The HP-UX AAA Server Admin tool /opt/aaa/bin/rad_admin.sh fails to administer the HP-UX AAA Server configured on the host with the following error: “Error while loading groups.config file”

Cause: Error while loading the groups configuration file.

Solution: Modify and Save Server Attributes using HP-UX AAA Server Manager as follows:
1. Start the Tomcat and HP-UX AAA Server Manager.
2. Verify that the RMI object is running. If not, start the RMI object.
3. Modify the configured Server Attributes of the server which is failing to start using HP-UX AAA Server Manager. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager”
4. Save the Server Attributes using the HP-UX AAA Server Manager as follows:
a. Click ‘Server Connections’ from the left panel. Select the group to which the servers that need to be run belong from the ‘Select a group for administration’ menu.
b. Click ‘Save Configuration’ from the left panel.
c. Select the servers which you would like to administer using the HP-UX AAA Server Admin Tool.
d. Select the ‘Server Attributes Only’ option.
e. Click the ‘Save’ button.


31 Troubleshooting Resources
The HP-UX AAA Server includes a set of utility programs that can:
• check the status of the HP-UX AAA Server
• emulate a RADIUS client
• turn debugging on and off
• set and modify the debug level
Additionally, the RADIUS client and EAP supplicant vendors typically provide troubleshooting capabilities for their components. Protocol analyzers can also be used if more detailed troubleshooting is required.
This chapter addresses the following topics:
• “HP-UX AAA Server Troubleshooting Utilities” (page 509)
• “The HP-UX AAA Server Logfile and Debug File” (page 511)

NOTE: You can also troubleshoot the HP-UX AAA Server from the Server Manager administration utility. For more information on troubleshooting resources available in the Server Manager, see Chapter 13, Logging and Monitoring on page 161.

HP-UX AAA Server Troubleshooting Utilities
The following utilities enable you to troubleshoot the HP-UX AAA Server from the HP-UX command line:
• The radcheck utility - Checks if the AAA Server is active and displays usage statistics.
• The radpwtst utility - Simulates a RADIUS client that sends a user specified request message to the HP-UX AAA Server and checks the response from the HP-UX AAA Server.
• The raddbginc utility - Turns debugging on and off, and sets the debug logging level. It is a wrapper for the radsignal utility.
• The radsignal utility - Turns debugging on and off, sets the debug logging level, and rolls over the debug and session accounting output to new files.
This section describes these troubleshooting utilities.

The radcheck Utility: For Checking the Server Status
The radcheck utility sends a RADIUS protocol status request to the HP-UX AAA Server and displays the contents of the status reply. The radcheck utility can be invoked from any host and by any user. However, the HP-UX AAA Server returns more information to hosts that are registered in the /etc/opt/aaa/clients file.
Following is the syntax for the radcheck command:

radcheck [-p port] [-t timeout] [-r retries] [-x] [-x] [-x] [-x] [-v] Server

If radcheck is successful, a message similar to the following is displayed on standard output:

Server Name (UDP-port) is responding

For more information on the radcheck utility, see radcheck (1M).

The radpwtst Utility: For Testing Authentication
The radpwtst utility simulates a RADIUS client that sends and receives RADIUS messages to and from the HP-UX AAA Server. The radpwtst utility forwards the user specified A-V pairs and other information to the HP-UX AAA Server. The HP-UX AAA Server processes the received requests and returns an ACCEPT or REJECT reply.
Following is the syntax for the radpwtst command:

radpwtst -s server [-a acks] [-c code] [-f fileprefix] [-g group] [-h] [-i clientaddress] [-l asyncport] [-n] [-p port] [-r retries] [-t timeout] [-u type] [-v version] [-w password] [-x|X] [[-:attribute=value]...] [-0] userid[@realm]

If radpwtst is successful, the following message is displayed:

authentication OK

If radpwtst fails, the following message is displayed:

'[email protected]' authentication failed: <reason>

Following is the syntax for the radpwtst command in Dynamic Authorization Server mode:

radpwtst -S [-c code] [-F authorizeonly authport] [-F require_etimestamp interval] [-F send_mesgauth] [-p port] [-x] [[-:attribute=value] ...] [-0]

For more information on the radpwtst utility, see radpwtst (1M).
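The following is an added example and is not part of this guide or of the HP-UX AAA Server product: a small Python model of what a RADIUS client such as radpwtst does on the wire, following RFC 2865. It builds an Access-Request with the User-Password hidden as the RFC specifies, verifies the Response Authenticator of the reply before trusting it, and decodes the reply attributes. It also serves the “Troubleshooting Provisioning Errors” procedure above: missing_reply_items() compares the attributes decoded from an Access-Accept with the reply items the RADIUS client expects. The attribute type numbers are the standard RFC 2865 values; the shared secret, user name and reply attributes in the demo are constructed, and build_response() stands in for the AAA server so the exchange runs offline.

```python
"""Model of the RADIUS Access-Request / Access-Accept exchange (RFC 2865) that
radpwtst performs. Added example, not HP code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Standard attribute type numbers from RFC 2865.
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, FILTER_ID, REPLY_MESSAGE = 1, 2, 8, 11, 18


def _xor_chain(data, secret, request_auth, input_is_ciphertext):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator instead.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if input_is_ciphertext else result
    return out

def encrypt_user_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _xor_chain(padded, secret, request_auth, input_is_ciphertext=False)

def decrypt_user_password(hidden, secret, request_auth):
    # Trailing NULs are padding, so they are stripped after unhiding.
    return _xor_chain(hidden, secret, request_auth, input_is_ciphertext=True).rstrip(b"\x00")

def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:  # Length is one byte and includes the 2-byte header
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    # Walk the type/length/value list without ever reading past the buffer.
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def parse_packet(pkt):
    # Returns (code, identifier, authenticator, attrs); rejects bad Length fields.
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def build_access_request(secret, user, password, ident, request_auth=None):
    # Client side. Returns (packet, request_auth); the caller keeps request_auth
    # because the reply can only be verified against it.
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth

def build_response(code, secret, request_pkt, attrs):
    # Server side, used here only to simulate the AAA server offline:
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    _, ident, request_auth, _ = parse_packet(request_pkt)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(pkt, secret, request_auth, expected_ident):
    # Client side: accept the reply only if its identifier matches the outstanding
    # request and its Response Authenticator was computed with the shared secret.
    code, ident, resp_auth, attrs = parse_packet(pkt)
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    ok = ident == expected_ident and hmac.compare_digest(expected, resp_auth)
    return ok, code, attrs

def missing_reply_items(attrs, expected_types):
    # Provisioning check: reply attribute types the RADIUS client expects but did not get.
    return sorted(set(expected_types) - {atype for atype, _ in attrs})

if __name__ == "__main__":
    # Constructed values for an offline run; nothing is sent on the network.
    secret = b"constructed-shared-secret"
    req, ra = build_access_request(secret, "test@example.com", "s3cret!", ident=7)
    reply = build_response(ACCESS_ACCEPT, secret, req, [(FILTER_ID, b"pool-a")])
    ok, code, attrs = verify_response(reply, secret, ra, 7)
    print("authentication OK" if ok and code == ACCESS_ACCEPT else "authentication failed")
    print("missing reply items:", missing_reply_items(attrs, [FRAMED_IP_ADDRESS, FILTER_ID]))
```

Two points from the code carry over to the real utility: an Access-Accept whose Response Authenticator does not verify against the shared secret must be treated as a failure, not a success, and a reply that verifies is still not sufficient for provisioning unless it carries every reply item the RADIUS client expects.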

The raddbginc Utility: For Setting Debug Output Levels
The raddbginc utility enables you to set debugging on or off, and to specify the debug level if the HP-UX AAA Server is running. For a list of debug levels, see Table 31-1 (page 512).
Following is the syntax for the raddbginc command:

raddbginc [-h] [-v] [-di ipcdir] pid level

The debug output is sent to the /var/opt/aaa/logs/radius.debug file, unless you specify a different location using the radiusd command with the -dl option. For more information on the raddbginc utility, see raddbginc (1M).


The radsignal Utility: For Rolling Over the Debug Output to New Files
The radsignal utility rolls over the logfile (/var/opt/aaa/logs/logfile) and accounting stream (/var/opt/aaa/acct/session.yyyy-mm-dd.log) output to new files. The radsignal utility can also be used to set the log level based on the RADIUS message type. For more information on these files, see “The HP-UX AAA Server Logfile and Debug File” (page 511). The new file can be identified by the "part number" appended to the file name.
Following is the syntax for the radsignal command:

radsignal [-h] [-v] [[-di ipcdir] pid level] [[ ipcdir] pid roll logfile] [[-di ipcdir] pid roll stream [stream-name]] [[-di ipcdir] log level msg_type msg_sub_type log_level ]

For more information on radsignal, see radsignal (1M).

The HP-UX AAA Server Logfile and Debug File
You can use the following logfile and debug file to troubleshoot the HP-UX AAA Server:
• /var/opt/aaa/logs/logfile - The HP-UX AAA Server Logfile
• /var/opt/aaa/logs/radius.debug - The HP-UX AAA Server Debug File
This section discusses the HP-UX AAA Server logfile and debug file.

The HP-UX AAA Server Logfile
The server log file /var/opt/aaa/logs/logfile includes information about start and stop of HP-UX AAA Server, RADIUS requests, success and failure of access and accounting requests, warnings, and internal events. Following are the other log files related to the HP-UX AAA Server:
• /var/opt/aaa/logs/logfile_part<01-09>.yyyymmdd.gz - The compressed daily HP-UX AAA Server log.
• /var/opt/aaa/acct/session.yyyy-mm-dd.log - The default session accounting log file in the Merit style format.
• /var/opt/aaa/radacct/* - The session accounting log files in the Livingston Call Detail Records (CDR) directory style format.
You can also access the HP-UX AAA Server logfile using the Server Manager administration utility. For more information on using the Server Manager to access the HP-UX AAA Server logfile, see Using Server Manager to Retrieve Logfile Information on page 163.

The HP-UX AAA Server Debug File
The /var/opt/aaa/logs/radius.debug file is the HP-UX AAA Server debug file. It logs debug messages at the following levels:


Table 31-1 Debugging Levels in the HP-UX AAA Server

Debug Level 1 - Level of Information: Minimal information

Debug Level 2 - Level of Information:
• Level 1 information
• High-level FSM output and limited function tracing

Debug Level 3 - Level of Information:
• Level 2 information
• Full function tracing

Debug Level 4 - Level of Information:
• Level 3 information
• Low-level FSM and configuration file output

At runtime, radiusd logs debugging information that may be useful for troubleshooting. The debug output can be turned on in the following ways:
• At Server startup - Use the radiusd command to turn on the debug output. For more information on the radiusd command options, see Table 4-2.
• At server startup using the Server Manager - Use the Start configuration options in the Administration screen to set the debug level. The debug output is not set dynamically. Stop and start the HP-UX AAA Server for the debug output to be recorded.
• After server startup - Use the raddbginc utility to turn the debug output on and off, and to set the debug level while the HP-UX AAA Server is running. This method is dynamic. You need not start and stop the HP-UX AAA Server to log the debug output.

If the log files do not contain adequate information to isolate or solve a problem, use debugging to increase the level of tracing and logging.

IMPORTANT: Logging debug information increases the HP-UX AAA Server's processing overhead and can impact performance. Turn debugging off after you troubleshoot the problem.


32 Reporting Problems
If you are unable to solve the problem, do the following:
1. Read the release Notes for [Product/Platform/Component] to see if the problem is known. If it is, follow the workaround offered to solve the problem.
2. Determine whether the product is still under warranty or whether your company purchased support services for the product. Your operations manager can supply you with the necessary information.
3. Access http://www.itrc.hp.com and search the technical knowledge databases to determine if the problem you are experiencing has already been reported. The type of documentation and resources you have access to depend on your level of entitlement.

NOTE: The ITRC resource forums at http://www.itrc.hp.com offer peer-to-peer support to solve problems and are free to users after registration.

If this is a new problem or if you need additional help, log your problem with the HP Response Center, either on line through the support case manager at http://www.itrc.hp.com, or by calling HP Support. If your warranty has expired or if you do not have a valid support contract for your product, you can still obtain support services for a fee, based on the amount of time and material required to solve your problem.
4. If you are requested to supply any information pertaining to the problem, gather the necessary information and submit it. The following sections describe some of the information that you might be asked to submit.

Server Set Up Information
Include the following information about your HP-UX AAA Server implementation:
• Product number and version
• /opt/aaa/bin/radcheck <servername> output
• /var/opt/aaa/logs/logfile
• Level 4 debug information
• core file and gdb trace in case of a core dump
• Output of ps -ef radiusd in case of a memory leak
• CPU usage statistics


Server Manager Related Information
If you are facing problems with the GUI based administration, include the following information:
• Server Manager version number
• HP-UX Java SDK version number
• HP-UX Tomcat-based Servlet Engine version number
• Contents of the /opt/aaa/remotecontrol/admin.log file
• Contents of the /opt/aaa/remotecontrol/file.log file
• Contents of the /opt/aaa/remotecontrol/maintenance.log file
• Contents of the /opt/aaa/remotecontrol/session.log file
• Browser type and version

External Components
Include information on the following external components that interoperate with HP-UX AAA Server:

External Databases
• Database type and version number
• Configuration details
• Log files and debug information

SNMP Servers
• Vendor name and version number
• Configuration details
• Log files and debug information

DHCP Servers
• Vendor name and version number
• Configuration details
• Log files and debug information

OpenSSL
• Version number
• Configuration details

EAP Related Information
For EAP implementations, include information on the following components:


Clients
• Client type
• Patch type
• Tracing logs for EAP log files

Access Points
• The make of the access point (such as Cisco or HP)
• Version of hardware and firmware


Part VII Reference
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 33: “Configuration Files” (page 519)
• Chapter 34: “Attribute-Value Pairs” (page 546)
• Chapter 35: “MIB Objects” (page 566)


Table of Contents
33 Configuration Files ... 519
  HUP Processing ... 519
  The aaa.config File ... 520
    Variables in the aaa.config File ... 520
      The strict_duplicate_check Variable ... 520
      The aatv.ProLDAP Property ... 521
      The iaaa.SNMP Property ... 521
      The log_threshold_limit and suppression_interval Variables ... 522
      The list_copy_limit Variable ... 522
      The localUsersFile.FilterType Property ... 522
      The default_users_file_cis_search Property ... 523
      The log_forwarding Variable ... 523
      The log_generated_request Variable ... 523
      The ourhostname Variable ... 523
      The packet_log Variable ... 524
      The radius_log_fmt Variable ... 524
      The reply_check Variable ... 524
    OTP Authentication-Related Configuration Items ... 525
    Dynamic Authorization-Related Configuration Items ... 525
  The clients File ... 526
    Prefixed Users and authfile ... 527
    Wildcard Support for IPv4 and IPv6 ... 527
  The users File ... 528
    Syntax of a User Entry ... 528
    Syntax of IPv6 Attributes ... 528
      NAS-IPv6-Address ... 528
      Framed-Interface-Id ... 529
      Framed-IPv6-Prefix ... 529
      Login-IPv6-Host ... 529
      Framed-IPv6-Route ... 530
      Framed-IPv6-Pool ... 530
    With Tunneling ... 530
  The dictionary File ... 531
    Attribute Entries ... 532
    Pruning Expressions ... 533
    Value Entries ... 534
  The las.conf File ... 535
    LAS Session Timing Parameters ... 535
    Token Pool Configuration ... 536
    Realm Configuration ... 537


  The vendors File ... 538
    Syntax of a vendors File ... 538
  The log.config File ... 539
    Syntax of a Stream Entry ... 539
    Default Entry ... 541
    End Entry ... 541
    Logging Multiple Streams ... 541
      Values Logged by Default ... 541
      Examples ... 542
        Livingston Call Detail Record (CDR) Format ... 542
        Multiple Logging Streams ... 542
        Logging Based on attributes ... 543
        Accounting Log Based on Attribute Value ... 544
        Changing the Accounting Log Rollover Interval ... 545
34 Attribute-Value Pairs ... 546
  Specifying Attribute-Value Pairs ... 546
    Attribute-Value Formats ... 546
    Examples ... 547
    Tagged Attributes ... 547
  Attributes in User Profiles ... 547
    Configuration Attributes ... 548
      Local Authorization Service (LAS) Configuration ... 549
        Simultaneous-Use Attribute ... 550
        Attributes Concerning OTP Authentication ... 550
  Check (and Deny) Items ... 550
    Attributes Concerning the NAS ... 551
    Policy Attributes ... 552
    Other Attributes ... 552
  Reply Items ... 553
    General Attributes ... 554
    Attributes Concerning Login Users ... 556
    Attributes for Framed Users ... 556
    Tunneling Attributes ... 558
    Other Attributes ... 560
  Attributes in Accounting Records ... 561
    Additional Session Information ... 561
35 MIB Objects ... 566
  MIB Objects ... 566


33Configuration FilesThe Server Manager interface configures most of the HP-UX AAA Server’s configurationfiles. However, some features of the HP-UX AAA Server cannot be configured throughthe Server Manager interface. If you want to define policy, vendor-specific attributes,or logging behavior, you must manually edit the configuration files. The informationin this chapter is provided as a reference for the configuration files that Server Managercannot configure.Following lists the configuration files that you must manually edit from the commandline:• radius.fsm — see Chapter 26: “Customizing the HP-UX AAA Server Using the

Finite State Machine” (page 396)• “The dictionary File ” (page 531)• “The las.conf File ” (page 535)• “The vendors File ” (page 538)• “The log.config File ” (page 539)The following is a list of the configuration files that you can edit from the commandline after editing them with Server Manager. Some features are not configurable throughServer Manager, therefore additional command line editing is sometimes required:• “The aaa.config File” (page 520)• “The clients File” (page 526)• “The users File ” (page 528)• “sqlaccess.config Sample File” (page 343)

NOTE: If the configuration files in the /etc/opt/aaa directory are incorrectly configured or deleted during the course of configuring AAA Server, you can get the original configuration files as provided during installation from the /opt/aaa/newconfig/etc/opt/aaa directory.

HUP Processing

The HUP signal (kill -HUP) provides the ability to update some of your configuration while the AAA server is running. The signal tells the AAA server process that a change occurred and that it must read the configuration files again. When it receives the HUP signal, the server re-reads the following files:

• users
• clients
• authfile
• aaa.config



• engine.config (all values except the certificate properties, which require a server stop and start to be refreshed)
• las.conf
• EAP.authfile
• aaa.config.license
• sqlaccess.config

The aaa.config File

The aaa.config file contains keyword-value entries, one per line, which allow the user to override compiled-in default values in the AAA server. The aaa.config file can be used for performance tuning, debugging, or overriding built-in defaults.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.

You can include configuration data in multiple text files and load them at server startup. For each text file, add a one-line entry to the aaa.config file according to the format shown below:

    include "File-name"

If File-name does not specify a path, the server looks for the file in the configuration directory.

The syntax of a keyword-value entry in the aaa.config file is shown below:

    variable = value

NOTE: Any space or tab characters before the variable or surrounding the equal sign character are ignored. Space and tab characters after the value may be considered part of the value assigned to the variable.

Variables in the aaa.config File

The following sections describe the variables that you can modify in the aaa.config file:

The strict_duplicate_check Variable

This variable changes the behavior for detecting duplicate RADIUS packets. To identify a RADIUS packet as a duplicate, the AAA Server checks the identifier, source port, source IP address, and the packet length. This is the default behavior, in effect when the strict_duplicate_check variable is “off”. This default behavior allows the AAA Server to support a wider range of NASs.

When the strict_duplicate_check variable is set to “on”, the AAA Server also checks whether the request authenticator is the same. Setting this variable to “on” results in a significant performance increase.



The aatv.ProLDAP Property

This property controls AAA server connections to an LDAP server.

• Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to an LDAP directory server, when a realm has failover directory servers configured. Defaults to 60 seconds.
• Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server. When all failover directory servers configured for a realm are down, the AAA server will try to reconnect to one every time an access request is received. In such a situation, this parameter guarantees that the software does not spend too much time trying to reconnect to those directory servers. The default value is 1 second.
• Timeout sets the number of seconds that an LDAP connection will remain open when the AAA server has not been able to perform any successful LDAP operation. This parameter allows better handling of the situation where the LDAP directory times out client connections.
• TCP-Timeout sets the number of seconds that the AAA server will wait for an LDAP server when trying to establish the TCP connection.
• Debug determines whether OpenLDAP debug messages must be written to the radius.debug file. A value of 0 disables writing these messages; a value of -1 enables writing these messages.

The syntax of this property follows a block syntax that is different from the other aaa.config variables. For example:

    aatv.ProLDAP{
        Retry-Interval 60
        Retry-Wait 1
        Timeout 60
        TCP-Timeout 3
        Debug 0
    }
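The two entry forms described above (plain keyword-value lines, optional include lines, and the brace-block form used by aatv.ProLDAP and iaaa.SNMP) can be validated before the server is sent a HUP, which matters because the server does no check of its own on the 255-character line limit. The parser below is an added example, not HP code; the whitespace rules and the block syntax follow the guide, while the decision to accept a block spanning several lines, the hypothetical file names in the sample and the review_proldap() warnings are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple, Union

MAX_LINE_LEN = 255   # documented limit; the server itself does not enforce it
PROLDAP_KEYS = {"Retry-Interval", "Retry-Wait", "Timeout", "TCP-Timeout", "Debug"}

class ConfigError(ValueError):
    """Raised for input the server would otherwise accept silently."""

Block = Dict[str, str]

def line_length_violations(text: str) -> List[int]:
    """1-based numbers of lines longer than MAX_LINE_LEN."""
    return [n for n, line in enumerate(text.split("\n"), 1) if len(line) > MAX_LINE_LEN]

def _pairs(body: str) -> Block:
    """Turn a block body 'key value key value ...' into a dict."""
    tokens = body.split()
    if len(tokens) % 2:
        raise ConfigError(f"odd number of tokens in block body: {body!r}")
    return dict(zip(tokens[0::2], tokens[1::2]))

def parse_aaa_config(text: str) -> Tuple[Dict[str, Union[str, Block]], List[str]]:
    """Return (entries, included file names) for aaa.config text."""
    bad = line_length_violations(text)
    if bad:
        raise ConfigError(f"lines exceed {MAX_LINE_LEN} characters: {bad}")
    entries: Dict[str, Union[str, Block]] = {}
    includes: List[str] = []
    block_name, buf = None, ""
    for raw in text.split("\n"):
        line = raw.lstrip(" \t")             # leading blanks are ignored by the server
        if not line.strip() or line.startswith("#"):
            continue
        if block_name is not None:           # collecting a multi-line brace block (assumption)
            if "}" in line:
                entries[block_name] = _pairs(buf + " " + line[:line.index("}")])
                block_name = None
            else:
                buf += " " + line
            continue
        m = re.match(r'include\s+"([^"]+)"\s*$', line)
        if m:
            includes.append(m.group(1))
            continue
        m = re.match(r"([\w.]+)\s*\{(.*)$", line)
        if m:                                # name{ key value ... } block
            block_name, buf = m.group(1), m.group(2)
            if "}" in buf:                   # one-line block, as in the guide's examples
                entries[block_name] = _pairs(buf[:buf.index("}")])
                block_name = None
            continue
        m = re.match(r"([\w.]+)[ \t]*=[ \t]*(.*)$", line)
        if m:                                # blanks after the value stay in the value
            entries[m.group(1)] = m.group(2)
            continue
        raise ConfigError(f"unparsable line: {raw!r}")
    if block_name is not None:
        raise ConfigError(f"block {block_name} is not closed")
    return entries, includes

def review_proldap(entries: Dict[str, Union[str, Block]]) -> List[str]:
    """Warnings for the aatv.ProLDAP block: unknown keys, and Debug left on."""
    block = entries.get("aatv.ProLDAP")
    if not isinstance(block, dict):
        return ["aatv.ProLDAP block missing: built-in defaults apply"]
    warnings = [f"unknown ProLDAP key {k}" for k in block if k not in PROLDAP_KEYS]
    if block.get("Debug", "0") != "0":
        warnings.append("Debug enabled: OpenLDAP debug output goes to radius.debug")
    return warnings

# Constructed sample configuration (not from the guide); "site.config" is hypothetical.
SAMPLE = "\n".join([
    "# constructed sample aaa.config",
    'include "site.config"',
    "  strict_duplicate_check = on",
    "ourhostname = 192.0.2.0 ",          # trailing blank is kept as part of the value
    "aatv.ProLDAP{ Retry-Interval 60 Retry-Wait 1 Timeout 60 TCP-Timeout 3 Debug -1}",
    "iaaa.SNMP{",
    "    Enabled yes",
    "    agentxTimeout 1",
    "    agentxRetries 2",
    "}",
]) + "\n"

if __name__ == "__main__":
    parsed, files = parse_aaa_config(SAMPLE)
    print(files, parsed)
    print(review_proldap(parsed))
```

Run it over a real aaa.config before signalling the server; a line-length violation or an unclosed block is reported as ConfigError instead of being read as something else by the server.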

The iaaa.SNMP Property

The iaaa.SNMP property controls AAA server connections to the SNMP master agent.

• When the Enabled option is set to yes, the HP-UX AAA Server automatically checks the local host (and not the network) to communicate with the SNMP master agent. The HP-UX AAA Server can then be monitored by an SNMP workstation. When the Enabled option is set to No, the server does not communicate with an SNMP master agent and cannot be monitored by an SNMP workstation. The default value is No.
• agentxTimeout sets the time (in seconds) for which the AAA server waits for a response from the master agent.
• agentxRetries sets the number of times a request is resent when a timeout occurs.



For example:

    iaaa.SNMP{
        Enabled yes
        agentxTimeout 1
        agentxRetries 2
    }

The log_threshold_limit and suppression_interval Variables

These variables can be used to suppress a message from being repeatedly recorded in the log file. For example:

    log_threshold_limit=150
    supression_interval=20

Where:

log_threshold_limit    The number of times that the same message can be recorded to the log file within two seconds before it is suppressed. Default: 100.

supression_interval    The time in seconds for which the logging of a message is suppressed. Default: 30 seconds.

In the above example, a message is suppressed for 20 seconds if it is logged more than 150 times within 2 seconds.
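To see what the two settings do to a log flood, the model below replays a burst of one repeated message through the rule just stated: up to the threshold copies within a 2-second window are written, the next copy starts the suppression interval, and copies arriving inside the interval are dropped. This is an added example with an injectable clock, not the server's code; the 2-second window, thresholds and intervals are the guide's figures, the exact bookkeeping (a sliding window that is reset when suppression starts) and the log text are assumptions.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

class SuppressingLogger:
    """Model of log_threshold_limit / supression_interval.

    A message may be written `threshold` times within any 2-second window;
    the copy that exceeds the threshold starts an `interval`-second period
    during which further copies of that message are dropped.
    """

    WINDOW = 2.0   # seconds, as stated in the guide

    def __init__(self, threshold: int = 100, interval: float = 30.0):
        self.threshold = threshold
        self.interval = interval
        self._times: Dict[str, Deque[float]] = {}        # recent write times per message
        self._suppressed_until: Dict[str, float] = {}    # message -> end of suppression
        self.written: List[Tuple[float, str]] = []
        self.dropped = 0

    def log(self, now: float, message: str) -> bool:
        """Record `message` at time `now`; True if written, False if suppressed."""
        until = self._suppressed_until.get(message)
        if until is not None and now < until:
            self.dropped += 1
            return False
        times = self._times.setdefault(message, deque())
        times.append(now)
        while times and now - times[0] > self.WINDOW:   # forget writes outside the window
            times.popleft()
        if len(times) > self.threshold:
            # threshold exceeded inside the window: start the suppression interval
            self._suppressed_until[message] = now + self.interval
            times.clear()
            self.dropped += 1
            return False
        self.written.append((now, message))
        return True

def simulate(threshold: int = 150, interval: float = 20.0) -> Tuple[int, int]:
    """Replay 200 identical messages in one second, then one copy at t=10 s
    and one at t=25 s. Returns (written, dropped)."""
    logger = SuppressingLogger(threshold, interval)
    msg = "LDAP bind failed: directory server unreachable"   # constructed message text
    for i in range(200):
        logger.log(i * 0.005, msg)
    logger.log(10.0, msg)    # still inside the suppression interval
    logger.log(25.0, msg)    # interval has elapsed: written again
    return len(logger.written), logger.dropped

if __name__ == "__main__":
    print("guide's example (150, 20 s):", simulate())
    print("defaults (100, 30 s):", simulate(100, 30.0))
```

With the guide's example values the burst produces 151 writes (150 allowed copies plus the one written after the interval ends) and 51 drops; with the defaults the copy at t=25 s is still inside the 30-second interval and is dropped too.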

The list_copy_limit Variable

This variable can be used for customized server configurations that accumulate A-V pairs or generate large responses. The default (and maximum) value is 512. Following is the syntax of the list_copy_limit variable:

    list_copy_limit=256

The localUsersFile.FilterType Property

This property can be used to specify the case matching for each users file. Following is the syntax of the localUsersFile.FilterType property:

    localUserFile.FilterType{
        fred CIS
        bill bIN
    }

where the user files are fred.users and bill.users. The above configuration enables case insensitive search for fred.users and case sensitive search for bill.users. The default behavior is case sensitive search.



The default_users_file_cis_search Property

This property can be used to specify the case matching while searching the default users file. If this property is set to yes, case insensitive search is enabled. If this property is set to no, case sensitive search is enabled. The default behavior is case sensitive search.

The log_forwarding Variable

This variable turns logging in the logfile on (or off) when packets are forwarded through the server to another RADIUS server. In addition, it also controls the logging of the forwarding vector, reply vector, or dumping of the packet being forwarded on (or off). This allows finer detail when tracking problems, at the expense of increased log file size. Following is the syntax of the log_forwarding variable:

    log_forwarding=on
    log_forwarding=off
    log_forwarding=+vector
    log_forwarding=+digest
    log_forwarding=+dump
    log_forwarding=-vector
    log_forwarding=-digest
    log_forwarding=-dump
    log_forwarding=clear

The log_generated_request Variable

This variable turns the logging of internally generated packets on (or off) when they are created, and when they reach their end state. It is useful for a customized server configuration that produces accounting requests based on internal state transitions rather than on externally delivered requests. Following is the syntax of the log_generated_request variable:

    log_generated_request=on
    log_generated_request=off

The ourhostname Variable

This variable sets the interface (DNS name or IP address) that a multihomed server would use. By default, the AAA server determines the hostname by calling gethostname. For multihomed hosts this call may not return the correct name for the interface that the AAA server should use to send and listen for messages. Following is the syntax for the ourhostname variable:

    DNS host name:                  ourhostname=interface1.radius.server.net
    Traditional IP (IPv4) address:  ourhostname=192.0.2.0
    IPv6 address:                   ourhostname=fedc:ba98:7654:3210:fedc:ba98:7654:3210



CAUTION: If you configure an IPv6 address in the ourhostname variable, then traditional IP (IPv4) hosts will not be able to send or receive messages. Similarly, if you configure an IPv4 address here, then IPv6 hosts will not be able to send or receive messages. If you configure a DNS name, then the first address returned by the DNS server is used.

The packet_log Variable

This variable controls checks to match a current request with an original request, which can occur when logging certain attributes in a request log (NAS-Identifier, NAS-Port, User-Name, and so on). This check can cause an abort and core dump if the +abort option is given. This check is useful for tracking situations where a remote RADIUS server is responding with incorrect values. In addition, it can also be used to investigate whether an AATV is corrupting the current request. Following is the syntax for the packet_log variable:

    packet_log=default
    packet_log=clear (or none)
    packet_log=+abort
    packet_log=+both (or +comp)
    packet_log=+current (or +cur)
    packet_log=+original (or +orig)
    packet_log=-abort
    packet_log=-both (or -comp)
    packet_log=-current (or -cur)
    packet_log=-original (or -orig)

The value of default means to report only from the original request. The value of +abort means to abort and core dump if there is a mismatch.

The radius_log_fmt Variable

This variable overrides the logfile format string used.

The reply_check Variable

This variable specifies which attributes to check on a reply from a forwarded request to ensure that they are the same as in the forwarded request. Besides specifying which attributes to check, you can specify the action to take when a mismatch occurs. Listed below are the actions you can choose to take:

• Ignore the reply
• Ignore the mismatch
• Abort and core dump

Useful attributes to check are NAS-Identifier, Acct-Session-Id, Class, and User-Name. For example:

    reply_check=first
    reply_check=all



    reply_check=+abort
    reply_check=+dump
    reply_check=+ignore
    reply_check=+verbose
    reply_check=clear
    reply_check=none
    reply_check=Attribute

The value of first (default) means to check only the first match. The value of all means to check all the attributes for matches. The value of +abort means to abort and core dump if a check fails. The value of +dump means to dump the offending packet (in hexadecimal). You can specify a specific attribute to check with the syntax reply_check=Attribute.

NOTE: This feature may not work well in situations where the HP-UX AAA Server is communicating with non-HP servers.

OTP Authentication-Related Configuration Items

The following OTP authentication-related configuration items can be set in the aaa.config file:

• otp_token_length <6–8>
• otp_lookup_window <0 - any positive integer>
• otp_token_lock_counter <1 - any positive integer>
• otp_add_checksum <yes or no>

For more information on these configuration items, see “System-Wide OTP Configuration Items” (page 195).

Dynamic Authorization-Related Configuration Items

The following Dynamic Authorization-related configuration items can be set in the aaa.config file:

Table 33-1 Dynamic Authorization-Related Configuration Items

Configuration Item              Description
global_client_q.limit           The maximum number of client requests allowed in the client queue.
client_retry_tbl_size           The size of the hash table used for performing retransmissions of client requests.
event_timestamp_window          The time interval for which an incoming Event-Timestamp is valid.
enable_rpf_check                Enforces the HP-UX AAA server to perform Reverse Path Forwarding (RPF) checks on the incoming Disconnect and CoA requests. This is disabled by default.
default_client_retries          The maximum number of retries for client requests. This is a global value.
default_client_retry_interval   The retransmission interval for client requests. This is a global value.

The CLIENT AATV is a generic AATV, which you can use to perform the required client functions. You must configure the CLIENT AATV in the aatv.CLIENT block within the aaa.config file. The syntax of the aatv.CLIENT block parameters is as follows:

    aatv.CLIENT{
        <action name>.client_timer_value <time interval>
        <action name>.client_max_requests <value>
    }

Following is an example of the aatv.CLIENT block within the aaa.config file:

    aatv.CLIENT{
        Disconnect.client_timer_value 1
        Disconnect.client_max_requests 10
    }

The clients File

The server configuration must include all the clients (NASs, RADIUS proxy servers, and other network devices) that can communicate with the AAA server. If a client is not included in the configuration, the server discards its messages. The /etc/opt/aaa/clients file contains the identifying information for these clients.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.

Syntax of a Client Entry

    Name:authport:acctport:dynport Shared-Secret Type=vendor:{NAS|PROXY}options Version Prefix

An IPv4 example of a client that is a NAS:

    192.0.2.0 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1

An IPv4 example of a client that is a proxy:

    192.0.2.0:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1

An IPv6 example of a client that is a NAS:



    fedc:ba98:7654:3210 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1

An IPv6 example of a client that is a proxy:

    [fedc:ba98:7654:3210]:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1

NOTE: In the case of a proxy, if the Name field is an IPv6 literal address, you must separate the address from the port by enclosing the address in square brackets.

A DNS name example of a client that is a NAS:

    danish secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1

A DNS name example of a client that is a proxy:

    danish:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1

Prefixed Users and authfile

In the clients file, it is possible to specify a prefix for a client. When an Access-Request is matched to a client, the AAA server will search for the user’s profile in the prefix.users file. Likewise, if the user profile indicates the Realm authentication type, the server will search for an entry that matches the user’s realm in the prefix.authfile file.

Wildcard Support for IPv4 and IPv6

To allow access from any IP address or from any IP address of a particular subnet, specify a wildcard pattern in the /etc/opt/aaa/clients file. Wildcard IP addresses are specified by using the high-order components followed by the asterisk wildcard. Following are some examples of valid IPv4 wildcard patterns:

    *
    192.*
    192.0.*
    192.0.2.*

Following are some examples of invalid IPv4 wildcard patterns:

    *.0
    192.0*

To allow access from any IPv6 address or from a group of IPv6 addresses, specify an IPv6 wildcard pattern. The allowed IPv6 wildcard patterns are constructed by appending an ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Following are some examples of valid IPv6 wildcard patterns:

    *
    fedc:ba98:7654:3210:fe*
    fedc:ba98:7654:3210*

The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. The following example is incorrect:

    fedc::ba98:fe*
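The client-entry syntax and the wildcard rules above together decide whether a packet is accepted or discarded, so they are worth being able to check offline. The code below is an added example, not part of the HP-UX AAA Server: it parses entries of the form shown (including the bracketed IPv6-literal-plus-port form for proxies), validates wildcard patterns against the valid and invalid forms listed, and looks up the client for a given source address. Assumptions of this example: a bare first field whose trailing colon-separated parts are all digits is treated as Name plus ports and anything else as an IPv6 literal; IPv6 wildcards are compared against the fully expanded (exploded) address text; the first matching entry wins; DNS names are not resolved; the clients file contents and secrets are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Client:
    name: str            # address, wildcard pattern, or DNS name
    ports: List[int]     # authport[:acctport[:dynport]] if given
    secret: str
    vendor: str
    role: str            # NAS or PROXY
    options: List[str]
    version: str
    prefix: Optional[str] = None

def _split_name_ports(token: str) -> Tuple[str, List[int]]:
    """First field -> (Name, ports). '[v6]:port' as the guide requires; otherwise
    trailing all-digit parts are ports (heuristic, an assumption of this example)."""
    if token.startswith("["):
        end = token.index("]")
        rest = token[end + 1:]
        ports = [int(p) for p in rest.split(":")[1:]] if rest else []
        return token[1:end], ports
    parts = token.split(":")
    if all(p.isdigit() for p in parts[1:]):
        return parts[0], [int(p) for p in parts[1:]]
    return token, []                      # bare IPv6 literal, no ports

def parse_client_line(line: str) -> Client:
    """Parse 'Name[:ports] Shared-Secret Type=vendor:{NAS|PROXY}+options Version [Prefix]'."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"too few fields: {line!r}")
    name, ports = _split_name_ports(fields[0])
    m = re.fullmatch(r"type=([^:]+):(NAS|PROXY)((?:\+\w+)*)", fields[2], re.IGNORECASE)
    if not m:
        raise ValueError(f"bad Type field: {fields[2]!r}")
    options = [o for o in m.group(3).split("+") if o]
    prefix = fields[4] if len(fields) > 4 else None
    return Client(name, ports, fields[1], m.group(1), m.group(2).upper(), options, fields[3], prefix)

def load_clients(text: str) -> List[Client]:
    return [parse_client_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

IPV4_WILDCARD = re.compile(r"^(?:\d{1,3}\.){0,3}\*$")     # *, a.*, a.b.*, a.b.c.*
IPV6_WILDCARD = re.compile(r"^[0-9a-fA-F:]*\*$")          # partial address + *

def valid_wildcard(pattern: str) -> bool:
    """The forms the guide accepts; '::' compression is rejected for IPv6."""
    if pattern == "*" or IPV4_WILDCARD.match(pattern):
        return True
    return bool(IPV6_WILDCARD.match(pattern)) and "::" not in pattern and not pattern.startswith(":")

def _canonical(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return ip.exploded.lower() if ip.version == 6 else str(ip)

def matches(client_name: str, source: str) -> bool:
    """Does a packet's source address match a client Name?"""
    src = _canonical(source)
    if client_name.endswith("*"):
        return valid_wildcard(client_name) and src.startswith(client_name[:-1].lower())
    try:
        return _canonical(client_name) == src      # literal address
    except ValueError:
        return False                               # DNS name: not resolved here

def find_client(clients: List[Client], source: str) -> Optional[Client]:
    """First entry whose Name matches; None means the server would discard the packet."""
    for c in clients:
        if matches(c.name, source):
            return c
    return None

# Constructed sample clients file (not from the guide); secrets are placeholders.
CLIENTS_FILE = """\
# constructed sample
192.0.2.0 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
192.0.2.0:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
[fedc:ba98:7654:3210:fedc:ba98:7654:3210]:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
192.0.2.* labsecret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1 lab
fedc:ba98:7654:3210* v6secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
"""

if __name__ == "__main__":
    clients = load_clients(CLIENTS_FILE)
    for src in ("192.0.2.0", "192.0.2.77", "192.0.3.1", "fedc:ba98:7654:3210::1"):
        hit = find_client(clients, src)
        print(src, "->", hit.name if hit else "discarded")
```

A wildcard entry gives every host in the matched range the same shared secret, so the lookup shows at a glance which source addresses a broad pattern such as 192.* would admit.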

The users File

User profiles associate information, like check and reply items, with a user name. The server configuration must include profiles for all the users that can access services through the AAA server. Profiles can be stored in flat text files, or in an external database. If a user profile is not included in the configuration, the server will reject the user's access request.

The default users, realm, or prefix.users files may contain user profiles for authentication. Each user entry in one of these files can be one or more lines of information. You do not have to edit the default users file when mapping realms to authentication types in the authfile, since the user information for each defined realm will be stored in a realm file or external database. Unless the default installation of the configuration files has been changed, the users file can be found in the /etc/opt/aaa directory.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.

NOTE: The order of the entries is important; the first entry that matches the request will be used to authenticate the user. The server will ignore the remaining entries; therefore, you should list the most specific entries first and the default entry should be last.

Syntax of a User Entry

The first line of each entry consists of one or more fields:

    User-Name configuration-items check-items reply-item, reply-item . . .

Syntax of IPv6 Attributes

This section briefly describes the syntax of the IPv6 attributes that the users file contains. For more information on IPv6 attributes, refer to RFC 3162.

NAS-IPv6-Address

This attribute indicates the identifying IPv6 address of the NAS which is requesting authentication of the user, and it must be unique to the NAS within the scope of the RADIUS server.



Example 33-1 Examples of NAS-IPv6-Address Attribute Syntax

    fedc:ba98:7654:3210:fedc:ba98:7654:3210
    12ab::4871
    2222::4

Framed-Interface-Id

This attribute indicates the IPv6 interface identifier to be configured for the user.

Example 33-2 Examples of Framed-Interface-Id Attribute Syntax

    fedc:ba98:7654:3210
    a:b:c:d

IMPORTANT: Do not use “::” in the Framed-Interface-Id syntax.

Framed-IPv6-Prefix

This attribute indicates an IPv6 prefix to be configured for the user.

Example 33-3 Examples of Framed-IPv6-Prefix Attribute Syntax

    0/64/12ab::cd30:0:0:0:0
    0/28/fedc:ba98:7654:3210

The first field in the above examples is the Reserved field. If you do not list this field, the default value 0 will be used. However, HP recommends using 0 in the Reserved field to comply with RFC 3162.

The second field in the above examples is the Prefix-Length field. This field can take any value from 0 to 128. If nothing is specified in the Prefix-Length field, the default value 64 is used.

The last field in the above examples is the Prefix field. In this field, the complete IPv6 address must be listed.
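The three fields map directly onto the attribute's wire layout in RFC 3162 (one Reserved octet, one Prefix-Length octet, then only as many prefix octets as the length covers, with bits beyond the length set to zero), which is why the dictionary type for this attribute is a variable 4-20 octets rather than a fixed 16. The encoder and decoder below are an added example, not code from the guide or the product; they assume the defaults stated above (Reserved 0, Prefix-Length 64), that a two-field value means Prefix-Length/Prefix, and that a non-zero Reserved field is rejected as RFC 3162 requires. The sample values are the guide's first example and a constructed /28 prefix.

```python
import ipaddress
from typing import Tuple

def parse_framed_ipv6_prefix(text: str) -> Tuple[int, int, ipaddress.IPv6Address]:
    """Parse 'Reserved/Prefix-Length/Prefix'. Reserved and Prefix-Length may be
    omitted (defaults 0 and 64); a two-field value is read as Prefix-Length/Prefix
    (assumption of this example)."""
    parts = text.strip().split("/")
    if len(parts) == 3:
        reserved, length, prefix = int(parts[0]), int(parts[1]), parts[2]
    elif len(parts) == 2:
        reserved, length, prefix = 0, int(parts[0]), parts[1]
    elif len(parts) == 1:
        reserved, length, prefix = 0, 64, parts[0]
    else:
        raise ValueError(f"bad Framed-IPv6-Prefix value: {text!r}")
    if reserved != 0:
        raise ValueError("Reserved field must be 0 (RFC 3162)")
    if not 0 <= length <= 128:
        raise ValueError("Prefix-Length must be between 0 and 128")
    return reserved, length, ipaddress.IPv6Address(prefix)   # rejects incomplete addresses

def encode_framed_ipv6_prefix(text: str) -> bytes:
    """Attribute value octets per RFC 3162: Reserved, Prefix-Length, then
    ceil(Prefix-Length/8) prefix octets with the host bits cleared."""
    reserved, length, addr = parse_framed_ipv6_prefix(text)
    nbytes = (length + 7) // 8
    raw = int(addr)
    if length < 128:
        raw &= ~((1 << (128 - length)) - 1)       # zero everything beyond Prefix-Length
    return bytes([reserved, length]) + raw.to_bytes(16, "big")[:nbytes]

def decode_framed_ipv6_prefix(value: bytes) -> str:
    """Inverse of the encoder; short prefixes are padded back to 16 octets."""
    if len(value) < 2 or len(value) > 18:
        raise ValueError("Framed-IPv6-Prefix value must be 2 to 18 octets")
    reserved, length = value[0], value[1]
    prefix = value[2:].ljust(16, b"\x00")
    return f"{reserved}/{length}/{ipaddress.IPv6Address(prefix)}"

if __name__ == "__main__":
    for v in ("0/64/12ab::cd30:0:0:0:0", "0/28/fedc:ba98:7654:3210::"):   # second value constructed
        wire = encode_framed_ipv6_prefix(v)
        print(v, "->", wire.hex(), "->", decode_framed_ipv6_prefix(wire))
```

The /28 case shows the host-bit clearing: the fourth octet of fedc:ba98 is masked from 98 to 90 because only 28 bits belong to the prefix. The attribute on the wire is these value octets preceded by the usual 2-octet type and length header, which is where the dictionary's 4-20 octet range comes from.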

Login-IPv6-Host

This attribute indicates the system that the user will connect to when Service-Type is defined as Login. You can also specify a valid hostname in this attribute, if that hostname is configured in the clients file.



Example 33-4 Examples of Login-IPv6-Host Attribute Syntax

    fedc:ba98:7654:3210
    12ab::4871
    2222::4
    hostname.domain.com

CAUTION: A value of 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF in the Login-IPv6-Host indicates that the RADIUS client (NAS) must allow the user to select an address or name of the server to be connected to.

A value of 0x0 in the Login-IPv6-Host indicates that the RADIUS client (NAS) must select an address or the name of the server the user has to be connected to.

HP recommends that you set the value of Login-IPv6-Host keeping the above considerations in mind.

Framed-IPv6-Route

This attribute provides routing information to be configured for the user on the NAS.

Example 33-5 Example of a Framed-IPv6-Route Attribute Syntax

    12ab::cd30:0:0:0:0/64 fedc:ba98:7654:3210:fedc:ba98:7654:3210 1

NOTE: The format of the Framed-IPv6-Route attribute must contain a destination prefix optionally followed by a slash and a decimal length that specifies how many high-order bits of the prefix to use. This is followed by a space, a gateway address, a space, and one or more metrics (encoded in decimal) separated by spaces.

Framed-IPv6-Pool

This attribute is sent by the AAA server to the NAS and contains the name of an assigned pool that must be used to assign an IPv6 address for the user. The pool is a string attribute returned to the NAS. The NAS then handles the IPv6 prefix allocation based on the value returned. If a NAS does not support multiple address pools, the NAS must ignore this attribute.

Example 33-6 Example of a Framed-IPv6-Pool Attribute Syntax

    Pool1
    UserPool

With Tunneling

When the AAA server receives an Access-Request from a client that matches the user fred-eng, it first attempts to match the password to the User-Password attribute value in the request and then checks the request for a tunnel hint. If the password does not match, or there is no hint for the medium type, or the hint does not specify the IP address type, the server responds with an Access-Reject; otherwise, the server returns the listed tunneling attribute values to the client.

    fred-eng Password = "laser", Tunnel-Medium-Type = IPv4
        Tunnel-Type = PPTP,
        Tunnel-Medium-Type = IPv4,
        Tunnel-Client-Endpoint = 192.168.127.1,
        Tunnel-Server-Endpoint = 192.155.111.1,
        Tunnel-Password = Michigan,
        Tunnel-Private-Group-ID = engineering,
        Tunnel-Assignment-ID = management,
        Tunnel-Preference = first,
        Tunnel-Client-Auth-ID = NET,
        Tunnel-Server-Auth-ID = Michigan,
        Tunnel-Type = L2TP

Attribute tags are used in the next example. If the password does not match, or there is no hint for the medium type, or the hint does not specify the IP address type, the server responds with an Access-Reject; otherwise, the server returns the listed tunneling attribute values to the client. Because the tunnel attributes tagged with 1 are defined first, the client establishes a tunnel according to those attributes, unless the client cannot use the PPTP protocol, in which case the attributes tagged with 2 are used instead.

    fred-eng Password="laser", Tunnel-Medium-Type = IPv4
        Tunnel-Type =:1:PPTP,
        Tunnel-Medium-Type =:1:IPv4,
        Tunnel-Client-Endpoint =:1:192.168.127.1,
        Tunnel-Server-Endpoint =:1:192.155.111.1,
        Tunnel-Password =:1:Michigan,
        Tunnel-Private-Group-ID =:1:engineering,
        Tunnel-Assignment-ID =:1:management,
        Tunnel-Preference =:1:first,
        Tunnel-Client-Auth-ID =:1:NET,
        Tunnel-Server-Auth-ID =:1:Michigan,
        Tunnel-Type =:2:L2TP,
        Tunnel-Medium-Type =:2:IPv4,
        Tunnel-Client-Endpoint =:2:192.168.127.1,
        Tunnel-Server-Endpoint =:2:192.170.130.1,
        Tunnel-Password =:2:California,
        Tunnel-Private-Group-ID =:2:engineering,
        Tunnel-Assignment-ID =:2:management,
        Tunnel-Preference =:2:second,
        Tunnel-Client-Auth-ID =:2:NET,
        Tunnel-Server-Auth-ID =:2:California
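The two tunneling entries above combine three things: check items on the first line, reply items on the continuation lines, and the =:tag: notation that groups reply items into alternative tunnels. The code below is an added example, not the server's implementation: it parses an entry of that shape, models the accept/reject decision exactly as the passage describes it (password must match, and a Tunnel-Medium-Type hint equal to the profile's must be present), and groups the reply items by tag so that a client-side choice between the tagged tunnels can be modelled. Assumptions: the request's User-Password is taken as already decrypted, values are compared as plain strings, and the abridged profile text is a shortened copy of the guide's tagged example.

```python
import re
from typing import Dict, List, Optional, Tuple

# 'Attr = value', 'Attr=:tag:value', quoted or bare values, comma separated
AV_RE = re.compile(r'\s*([\w-]+)\s*=\s*(?::(\d+):)?\s*("[^"]*"|[^,]+?)\s*(?:,|$)')

def _split_items(text: str) -> List[Tuple[str, Optional[int], str]]:
    """'A = v, B =:1:w' -> [('A', None, 'v'), ('B', 1, 'w')]; quotes are stripped."""
    items = []
    for m in AV_RE.finditer(text):
        attr, tag, value = m.group(1), m.group(2), m.group(3).strip().strip('"')
        items.append((attr, int(tag) if tag else None, value))
    return items

def parse_user_entry(text: str):
    """Return (user name, check items as a dict, reply items as (attr, tag, value))."""
    lines = [l for l in text.splitlines() if l.strip()]
    name, _, checks = lines[0].strip().partition(" ")
    check_items = {attr: value for attr, _, value in _split_items(checks)}
    reply_items = _split_items(" ".join(l.strip() for l in lines[1:]))
    return name, check_items, reply_items

def authorize(check_items: Dict[str, str], request: Dict[str, str]) -> str:
    """Server-side decision as the guide describes it for the fred-eng profile."""
    if request.get("User-Password") != check_items.get("Password"):
        return "Access-Reject"                       # password mismatch
    hint = request.get("Tunnel-Medium-Type")         # the tunnel hint in the request
    if hint is None or hint != check_items.get("Tunnel-Medium-Type"):
        return "Access-Reject"                       # no hint, or wrong address type
    return "Access-Accept"

def tunnel_groups(reply_items) -> Dict[Optional[int], List[Tuple[str, str]]]:
    """Group reply items by tag, keeping the order in which tags first appear."""
    groups: Dict[Optional[int], List[Tuple[str, str]]] = {}
    for attr, tag, value in reply_items:
        groups.setdefault(tag, []).append((attr, value))
    return groups

def choose_tunnel(groups, client_supports) -> Optional[int]:
    """Client-side model (assumption): first tag whose Tunnel-Type the NAS can use."""
    for tag, items in groups.items():
        if dict(items).get("Tunnel-Type") in client_supports:
            return tag
    return None

# Abridged copy of the guide's tagged example, used here as constructed sample input.
TAGGED_ENTRY = """\
fred-eng Password="laser", Tunnel-Medium-Type = IPv4
    Tunnel-Type =:1:PPTP,
    Tunnel-Medium-Type =:1:IPv4,
    Tunnel-Client-Endpoint =:1:192.168.127.1,
    Tunnel-Server-Endpoint =:1:192.155.111.1,
    Tunnel-Password =:1:Michigan,
    Tunnel-Preference =:1:first,
    Tunnel-Type =:2:L2TP,
    Tunnel-Medium-Type =:2:IPv4,
    Tunnel-Server-Endpoint =:2:192.170.130.1,
    Tunnel-Password =:2:California,
    Tunnel-Preference =:2:second
"""

if __name__ == "__main__":
    user, checks, replies = parse_user_entry(TAGGED_ENTRY)
    groups = tunnel_groups(replies)
    print(user, checks)
    print(authorize(checks, {"User-Password": "laser", "Tunnel-Medium-Type": "IPv4"}))
    print(authorize(checks, {"User-Password": "laser"}))          # no hint -> reject
    print("PPTP-capable client picks tag", choose_tunnel(groups, {"PPTP", "L2TP"}))
    print("L2TP-only client picks tag", choose_tunnel(groups, {"L2TP"}))
```

The grouping makes the failure mode of a hand-edited profile visible: an item whose tag was mistyped ends up in its own group (or in the untagged group) and is silently left out of both tunnel definitions.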

The dictionary File

The dictionary file lists dictionary translations that the server uses to parse incoming requests and generate outgoing responses. All transactions are composed of Attribute-Value (A-V) pairs. See Chapter 34: “Attribute-Value Pairs” (page 546) for information about the data format of A-V pairs in RADIUS messages.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit. All configuration files must end with a new line.

You can track different versions of the dictionary file by adding the following line to the file:

    %DICTID Version-String

Version-String is the version information. This string will appear in radcheck output.

Attribute Entries

Below is the syntax of dictionary Attribute entries:

    ATTRIBUTE attribute-name integer-encoding type pruning

NOTE: Vendor-specific attribute identifier strings are defined in the vendors file and can be used in place of the default string ATTRIBUTE. For more information, see “Syntax of a vendors File” (page 538).

attribute-name      Replaced with the unique name of an attribute.

integer-encoding    Replaced with the actual attribute number code used in the A-V pair data format.

type                Replaced with one of the following data types for the attribute:
                    • octet: 8-bit unsigned integer value
                    • short: 16-bit unsigned integer value
                    • integer: 32-bit value in big endian order (high byte first)
                    • date: 32-bit value in big endian order (seconds since 00:00:00 GMT, Jan. 1, 1970)
                    • octets: 0-253 undistinguished octets
                    • abinary: 0-253 Ascend binary filter octets
                    • string: 0-253 octets
                    • vendor: 0-253 octets with octets 0-3 representing the IANA number
                    • ipaddr: 4 octets in network byte order
                    • ipv6addr: 16 octets in network byte order (used for IPv6 attributes)
                    • ipv6prefix: 4-20 octets (used for IPv6 attributes)
                    • ifid: 8 undistinguished octets (used for IPv6 attributes)



                    • tag-int: single octet followed by three octets of integer value (used for tunneling attributes)
                    • tag-string: single octet followed by 0-252 octets (used for tunneling attributes)

pruning             May be replaced with an optional expression that controls three server features:
                    • whether the attribute is ever sent to the NAS
                    • whether or not the attribute may be logged
                    • encapsulation, if used, for vendor-specific attributes

Pruning Expressions

Pruning is a feature that allows the server to remove A-V pairs from an Access-Acc­ept, Access-Reject, or Access-Challenge message before sending the message to a client that has been configured for pruning in the clients file; see “The clients File” (page 526). The pruning to apply is defined by pruning expressions in the dictionary's attribute entries. These optional expressions are defined in an attribute entry as follows:

    (ack, nak, chall, {NOLOG | ENCAPS | NOENCAPS | CONFIG | INTERNAL})

NOTE: If any value is omitted, but the comma is present for that value, that value will use its default. If the expression is omitted, all values use their defaults.

ack, nak, chall    Determine how many instances of the attribute may be added to an Access-Accept (ack), an Access-Reject (nak), or an Access-Challenge (chall) reply. They can be specified as one of the following values:

• 0: no attributes of this kind are part of the final reply. This is the default value.
• 1: at most one attribute of this kind can be part of the final reply.
• *: any number of attributes of this kind can be part of the final reply.

NOTE: Since the default values for ack, nak, and chall are 0, added vendor-specific attributes will not be returned to the NAS in any replies if you do not include a pruning expression.

{NOLOG | ENCAPS | NOENCAPS | CONFIG | INTERNAL} define how the server reacts to the attribute:

• NOLOG: the attribute will not be added to the logfile or session logs.
• ENCAPS (or ENCAPSULATE): the attribute will be encapsulated in the vendor-specific attribute, regardless of the vendor. This is the default value.
• NOENCAPS: the attribute will not be encapsulated within the vendor-specific attribute.



• CONFIG: the attribute is a configuration item.
• INTERNAL: the attribute is internal to the server and will be removed from incoming and outgoing RADIUS messages.

NOTE: The ENCAPS and NOENCAPS keywords are mutually exclusive. If you specify both, only the last one will apply. CONFIG is mutually exclusive with NOLOG, ENCAPS, NOENCAPS, and INTERNAL.

Examples:

    ATTRIBUTE Framed-Protocol 7 integer (1, 0, 0)
    ATTRIBUTE User-Realm 223 string (*, 0, 0, NOENCAPS)

    #
    # Interlink Networks Vendor Specific Extensions
    #
    Interlink.Attr Address-Pool 1 string (0,0,0,INTERNAL)
    Interlink.Attr Date-Time 2 string (0,0,0,INTERNAL)

Value Entries

The syntax of dictionary Value entries is shown below:

    VALUE attribute-name value-name integer-encoding

NOTE: Vendor-specific value identifier strings are defined in the vendors file and may be used in place of the default string VALUE. For more information, see “Syntax of a vendors File” (page 538).

attribute-name      is replaced by the name of the attribute that this value is associated with.

value-name          is replaced by the name of the value.

integer-encoding    is replaced with the actual value code used in the A-V pair data format.

Examples:

    # Framed Protocol Values
    VALUE Framed-Protocol PPP 1
    VALUE Framed-Protocol SLIP 2
    VALUE Framed-Protocol ARA 3
    VALUE Framed-Protocol Gandalf 4
    VALUE Framed-Protocol Xylogics 5

    # LAS Session Termination Code Values
    Merit.VALUE LAS-Code LAS-Normal 0
    Merit.VALUE LAS-Code LAS-Reject 1
    Merit.VALUE LAS-Code LAS-Cancel 2
    Merit.VALUE LAS-Code LAS-Noconfirm 3
    Merit.VALUE LAS-Code LAS-Overtime 4
    Merit.VALUE LAS-Code LAS-Unknown 5



    Merit.VALUE LAS-Code LAS-Notoken 6
    Merit.VALUE LAS-Code LAS-Notlocal 7
    Merit.VALUE LAS-Code LAS-Suspend 8
    Merit.VALUE LAS-Code LAS-Failed 9
    Merit.VALUE LAS-Code LAS-Authorized 10
    Merit.VALUE LAS-Code LAS-NASreboot 11
    Merit.VALUE LAS-Code LAS-Remote 12
    Merit.VALUE LAS-Code LAS-Duplicate 13
    Merit.VALUE LAS-Code LAS-Collision 14
    Merit.VALUE LAS-Code LAS-Stop 15

The las.conf File

The las.conf file contains a list of configuration items for the Local Authorization Server (LAS) that controls realm-based authentication. These items are organized into several sections. There are configuration sections for realms, token pools, and generic LAS configuration items. These sections do not have to maintain a particular order; however, you must define an item (a token pool, for example) before it can be referenced.

CAUTION: You need to edit the las.conf file by adding a realm entry only if youwish to include token pools, or define session timing parameters. Token pools andsession timing parameters are not configurable through the Server Manager graphicinterface. When defining realm attributes in the Server Manager graphic interface, theSession Tracking radio buttons automatically add or remove a realm las.conf entry.If you add a realm entry by editing this file directly, and then select the No SessionTracking radio button in the Server Manager, and save the change, the las.confrealm entry will be deleted.

IMPORTANT: Configuration files have maximum input line length of 255 characters.No checking is done to insure that a configuration statement has not exceeded thislimit. In addition, all configuration files must end with a new line character.

LAS Session Timing ParametersYou can override the default times for built-in parameters related to session timing.Table 33-2 lists the default LAS session timing parameters.

Table 33-2 Default LAS Session Timing Parameters

Session-Hold-Time (default: 45 seconds)
    Tells LAS how long to wait for an Accounting-Start message from the NAS. After the specified number of seconds, a session is moved into not-confirmed state, in which it is not counted as a simultaneous session. This parameter is only used for Hunt-groups.

Session-Kill-Time (default: 300 seconds (5 minutes))
    Tells LAS when to remove a session when it is in the Not-Confirmed, Disconnected, Rejected, Collided, or Rebooted state.

Session-Check-Time (default: 300 seconds (5 minutes))
    States the time interval to check the session table.

Session-Clear-Time (default: 172800 seconds (48 hours))
    Tells when to remove a session when it is in a suspended state.

Session-Idle-Time (default: 915 seconds (15 minutes and 15 seconds))
    Tells the LASCP Authentication/Authorization Travel Vector (AATV) how long to wait for checkpoint messages before suspending a session.

Session-Table-Limit (default: 2147483647 sessions (maximum allowed))
    States the maximum number of sessions that can be held in the Session Table. When this number is met, authentication requests that would normally result in a new session are ignored.

Session-Update-Time (default: 5 seconds)
    Specifies how often the status of sessions is to be updated.

Token-Hold-Adjustment (default: 5 seconds)
    Specifies how long a token may be held after a session is accepted yet no confirmation is received after the request is released by the engine. A token may be held up to hold time (<30 seconds) plus Token-Hold-Adjustment.

Auto-Save (default: 300 seconds (5 minutes))
    Specifies the interval for the LAS to save the session table if there is any change.

Token Pool Configuration

This section lists the token pools, and the number of tokens for each token pool. Token pools are used for limiting the total number of simultaneous sessions for a given realm. Below is the syntax of a token pool configuration:

    Tokenpool token-pool-Name number-of-tokens
    . . .
    End-Tokenpool

token-pool-Name     Name of the token pool.
number-of-tokens    Number of tokens in the token pool.

Example

    Tokenpool Sample-pool 4
    End-Tokenpool

Realm Configuration

This section lists realms by name and, optionally, any services, token pools or any custom AATV support for a realm. A realm entry in las.conf is required to perform session tracking. The default server behavior is to log accounting messages locally, whether the server processes Access-Request messages locally or sends them to a proxy server. If a realm entry exists in the las.conf file, the server will send accounting messages to the remote server that processed the authentication for the corresponding user. The las.conf realm entries must have corresponding realm entries in the Server Manager’s Define Realm screen, which can be accessed through the Local Realms link on the Server Manager.

Syntax of Realm configuration

    Realm realm-name
        Authorization LAS-authorization-AATV
        Accounting LAS-accounting-AATV
        Service number-of-services
            service-name
            service-name
            . . .
        End-Service
        Tokenpool number-of-tokenpools
            Token-pool-name max-number-of-tokens
            Token-pool-name max-number-of-tokens
            . . .
        End-Tokenpool
    End-Realm

Realm           defines a name for the realm.
Authorization   specifies the AATV for performing authorization. The default is LASGEN.
Accounting      specifies the AATV to use for user accounting. The default is GENACCT.
Service         specifies the number of services supported by the realm and lists the names of the defined services to support.
Tokenpool       specifies the token pools supported by the realm and lists the token pools by following the syntax: Token-pool-name max-number-of-tokens
                • A Token-pool-name is the name of a defined token pool.
                • max-number-of-tokens specifies how many tokens a realm may use.
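As an added illustration of the rules above (example code written for this edition, not part of the HP-UX AAA Server product), the following Python checks a las.conf fragment for the conditions the server itself does not verify: lines longer than 255 characters, a missing final newline, and a realm that references a token pool that has not yet been defined. The file text, the realm name example.com and the pool names are constructed for the example.

```python
"""Check a las.conf fragment for rules the server does not enforce."""

MAX_LINE_LEN = 255  # maximum input line length stated for all configuration files

# Constructed sample (not shipped with HP-UX AAA Server): one pool is defined
# before the realm that uses it, a second pool is referenced but never defined.
SAMPLE_LAS_CONF = (
    "Tokenpool Sample-pool 4\n"
    "End-Tokenpool\n"
    "Realm example.com\n"
    "    Authorization LASGEN\n"
    "    Accounting GENACCT\n"
    "    Service 1\n"
    "        ppp\n"
    "    End-Service\n"
    "    Tokenpool 2\n"
    "        Sample-pool 2\n"
    "        Missing-pool 1\n"
    "    End-Tokenpool\n"
    "End-Realm\n"
)


def check_line_limits(text):
    """Report lines longer than MAX_LINE_LEN and a file that lacks a final newline."""
    problems = []
    if not text.endswith("\n"):
        problems.append("file does not end with a newline character")
    for number, line in enumerate(text.split("\n"), 1):
        if len(line) > MAX_LINE_LEN:
            problems.append(f"line {number}: {len(line)} characters exceeds {MAX_LINE_LEN}")
    return problems


def parse_las_conf(text):
    """Parse token-pool definitions and realm entries in file order.

    Returns (pools, realms, problems): pools maps pool name to token count, realms
    maps realm name to its Authorization/Accounting AATVs, service list and the
    per-realm token limits. A realm that references a pool not yet defined at that
    point is reported, since an item must be defined before it is referenced.
    """
    pools, realms, problems = {}, {}, []
    realm = None            # name of the realm being parsed, if any
    section = None          # "services" or "tokenpools" while inside a realm list
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword = tokens[0]
        if realm is None:
            if keyword == "Tokenpool" and len(tokens) == 3:      # pool definition
                pools[tokens[1]] = int(tokens[2])
            elif keyword == "Realm":
                realm = tokens[1]
                realms[realm] = {"authorization": "LASGEN", "accounting": "GENACCT",
                                 "services": [], "tokenpools": {}}
            continue
        entry = realms[realm]
        if section == "services":
            if keyword == "End-Service":
                section = None
            else:
                entry["services"].append(keyword)
        elif section == "tokenpools":
            if keyword == "End-Tokenpool":
                section = None
            else:
                name, limit = tokens[0], int(tokens[1])
                if name not in pools:
                    problems.append(f"line {number}: realm {realm} references "
                                    f"undefined token pool {name}")
                entry["tokenpools"][name] = limit
        elif keyword == "Authorization":
            entry["authorization"] = tokens[1]
        elif keyword == "Accounting":
            entry["accounting"] = tokens[1]
        elif keyword == "Service":
            section = "services"
        elif keyword == "Tokenpool":
            section = "tokenpools"
        elif keyword == "End-Realm":
            realm = None
    if realm is not None:
        problems.append(f"realm {realm} has no End-Realm")
    return pools, realms, problems


def validate(text):
    """All problems found in one pass, line-limit issues first."""
    return check_line_limits(text) + parse_las_conf(text)[2]


if __name__ == "__main__":
    for problem in validate(SAMPLE_LAS_CONF):
        print(problem)
```

Run it against the real file before a HUP: a silently truncated statement or a dangling pool reference is far easier to find this way than from the LAS behaviour afterwards.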

The vendors File

The vendors file contains a list of vendor entries. Each vendor entry contains a vendor name and vendor number. The vendor numbers are SMI Network Management Private Enterprise Code numbers, as managed by the Internet Assigned Numbers Authority (IANA). Each entry optionally contains an interim way of mapping external (with respect to the RADIUS server) attribute numbers to internal (with respect to the RADIUS server) vendor-specific attributes. This optional mapping is used on RADIUS requests and responses.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit. All configuration files must end with a newline character.

You can track different versions of the vendors file by adding the following line to the file:

    %VENDORSID Version-String

Version-String is the version information. This string will appear in radcheck output.

Syntax of a vendors File

Below is the syntax of a vendors file:

    attribute-string value-string vendor-code vendor-name (standard-value vendor-specific-value ...)

attribute-string        An optional string that defaults to Attribute when not specified. Non-default strings can be used to specify vendor-specific attributes in the dictionary file.
value-string            An optional string that defaults to Value when not specified. Non-default strings can be used to specify vendor-specific values in the dictionary file.
vendor-code             The private enterprise number assigned by IANA.
vendor-name             The vendor name that can appear in the clients file as a type=vendor:nas entry, or in the dictionary and users files in vendor-specific attribute names.
standard-value          The external or common attribute number in RADIUS requests on the network.
vendor-specific-value   The internal attribute number.

The standard-value and vendor-specific-value fields are optional and can be repeated any number of times. When used, the list of standard and vendor values is enclosed in parentheses. These values are used to map attributes from the common attribute space defined in the RADIUS RFC to internal non-conflicting vendor-specific attributes. These fields address the issue that occurs when a vendor has assigned vendor-specific attributes in the standard attribute address space. Listed below is an example:

    61 Merit ( 211 211 213 213 )
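An added example (not from the guide or the product) of how the vendors file ties into the dictionary: the Python below parses vendors-file entries, including the optional mapping list, and then accepts dictionary VALUE lines only when their keyword is either the default or a value-string some vendor entry defines, which is the rule the NOTE under Value Entries states. The Merit line is the guide's "61 Merit ( 211 211 213 213 )" with the optional attribute-string and value-string fields filled in so that Merit.VALUE resolves; the Example-Vendor entry and its vendor code 99999 are constructed placeholders, not an IANA assignment; comparing keywords case-insensitively is an assumption (the guide writes the default as Value and the dictionary keyword as VALUE).

```python
"""Parse vendors-file entries and vendor-prefixed dictionary VALUE lines."""
from dataclasses import dataclass, field

# Constructed sample. The Merit line is the guide's "61 Merit ( 211 211 213 213 )"
# with the optional attribute-string/value-string fields filled in so that the
# dictionary's Merit.VALUE keyword resolves; Example-Vendor and code 99999 are
# placeholders, not a real IANA assignment.
SAMPLE_VENDORS = """\
%VENDORSID example-v1
Merit.ATTRIBUTE Merit.VALUE 61 Merit ( 211 211 213 213 )
99999 Example-Vendor ( 26 200 27 201 )
"""

# Constructed dictionary fragment using lines from the Value Entries examples.
SAMPLE_DICTIONARY = """\
# Framed Protocol Values
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
# LAS Session Termination Code Values
Merit.VALUE LAS-Code LAS-Normal 0
Merit.VALUE LAS-Code LAS-Stop 15
"""


@dataclass
class Vendor:
    code: int                                     # IANA private enterprise number
    attribute_string: str = "Attribute"
    value_string: str = "Value"
    mapping: dict = field(default_factory=dict)   # external number -> internal number


def parse_vendors(text):
    """Return (version-string or None, {vendor-name: Vendor})."""
    version, vendors = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%VENDORSID"):
            version = line.split(None, 1)[1].strip() if " " in line else ""
            continue
        tokens = line.replace("(", " ( ").replace(")", " ) ").split()
        code_index = next((i for i, t in enumerate(tokens) if t.isdigit()), None)
        if code_index is None or code_index + 1 >= len(tokens):
            raise ValueError(f"missing vendor-code or vendor-name: {raw!r}")
        prefixes = tokens[:code_index]              # optional attribute/value strings
        if len(prefixes) not in (0, 2):
            raise ValueError(f"give both attribute-string and value-string or neither: {raw!r}")
        vendor = Vendor(code=int(tokens[code_index]))
        if prefixes:
            vendor.attribute_string, vendor.value_string = prefixes
        name = tokens[code_index + 1]
        rest = tokens[code_index + 2:]
        if rest:
            if rest[0] != "(" or rest[-1] != ")":
                raise ValueError(f"mapping list must be enclosed in parentheses: {raw!r}")
            numbers = [int(t) for t in rest[1:-1]]
            if len(numbers) % 2:
                raise ValueError(f"mapping list needs standard/vendor-specific pairs: {raw!r}")
            vendor.mapping = dict(zip(numbers[0::2], numbers[1::2]))
        vendors[name] = vendor
    return version, vendors


def parse_dictionary_values(text, vendors):
    """Return [(vendor-name or None, attribute-name, value-name, integer-encoding)].

    A keyword such as Merit.VALUE is accepted only if some vendor entry defines
    it as its value-string; the default keyword Value belongs to no vendor.
    """
    keywords = {"value": None}
    for name, vendor in vendors.items():
        if vendor.value_string.lower() != "value":
            keywords[vendor.value_string.lower()] = name
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key = tokens[0].lower()
        if key not in keywords:
            if key.endswith(".value"):
                raise ValueError(f"{tokens[0]} is not defined in the vendors file")
            continue                    # not a value entry (ATTRIBUTE lines and so on)
        if len(tokens) != 4:
            raise ValueError(f"malformed VALUE entry: {raw!r}")
        entries.append((keywords[key], tokens[1], tokens[2], int(tokens[3])))
    return entries


def internal_attribute_number(vendors, vendor_name, external_number):
    """Translate an on-the-wire attribute number to the server-internal number;
    numbers without a mapping entry pass through unchanged."""
    return vendors[vendor_name].mapping.get(external_number, external_number)
```

The mapping direction matters when reading session logs or debugging a NAS: the number in the packet is the standard-value, and the number the server reasons about internally is the vendor-specific-value.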

The log.config File

The log.config file specifies configuration information for session logging in the server. Session logging configuration allows users to define multiple logging streams, which can be used with sophisticated FSM tables. For most applications, you need to configure only the default stream. Configuration of any stream (including the default stream) allows some control over the following:
• Format
• Frequency of switching a stream from one file to another
• Location of the session log file
• Name of the file

Syntax of a Stream Entry

The stream is configured through one or more sub-commands that follow the first line of the entry. Listed below is the syntax of a stream entry in the log.config file:

    stream name {
        aatv AATV_NAME
        aatv-value integer
        alias alternate_stream
        filename string
        buffer integer
        chmod {octal|{ugo}{+-}{rw}}
        close {on|off}
        dont attribute attribute . . .
        {gmt|local}
        join joined_stream
        header {none|type|full}
        on-endfile command
        path pathname
        update seconds
        wrap integer
    }
    end

name        Identifies the stream.

aatv        Specifies one of the following AATVs to use for logging.
            • LOG_ACCT (Livingston/Lucent/RABU style call detail format, default)
            • LOG_ALL (logs all streams defined in log.config)
            • LOG_BRIEF (simple session format)
            • LOG_BY_ATTRIBUTE (logging based on a user-specified attribute in the radius.fsm file)
            • LOG_BY_NAS (logging based on the NAS-Identifier attribute)
            • LOG_BY_REALM (logging based on the User-Realm attribute)
            • LOG_TACACS+ (Cisco Terminal Access Controller Access Control System + (TACACS+) accounting record format)
            • LOG_V1_1 (previous version of Merit logging)
            • LOG_V2_0 (Merit logging)

alias       Specifies another stream name to record when this stream is logged.

filename    Defines the naming convention for accounting log files and the frequency with which a new time-stamped file is generated. This parameter follows the same format as the strftime command. A new time-stamped file will be generated according to the shortest unit of time indicated by the parameter. For example, file.%Y-%m-%d.extension will generate a new file each day, and file.%Y-%m-%d-%H.extension will generate a new file each hour.

buffer      Indicates how many records must be buffered before they are written to the log file.

chmod       Defines permissions for the file.

close       Determines whether the log file must be closed after records are written to it.

dont        A list of attributes that must not be recorded.

{gmt|local} These keywords determine what time to use for time stamps.

join        Merges this stream with the specified stream.

header      Determines the information that must appear at the beginning of the log file before the list of log records.

on-endfile  Runs the specified command or program through a shell when a new log file is generated.

path        Specifies an alternate location for log files.

update      Determines how often the log file must be updated.

wrap        Determines how many attributes will appear on each line of the session record.

Default Entry

The stream entry identified with the name *default* will be used when LOG is invoked by the FSM without an Xstring parameter.

End Entry

The one-keyword end entry tells the session logging subsystem to stop reading the configuration file, allowing subsequent text to be ignored.

Logging Multiple Streams

To log multiple streams you must define a default stream with the aatv sub-command set to LOG_ALL. When you specify a log.config default entry with this sub-command, all other streams defined in the log.config file will also generate session logs.

Values Logged by Default

The default LOG_V2_0 value used for session logs records the information listed in Table 33-3.

Table 33-3 Information Recorded by LOG_V2_0

Field  Value                Type
1      LAS_start_time       seconds since midnight Jan. 1, 1970
       Start of session, as calculated by the LAS.
2      LAS_code             integer
       LAS termination code.
3      local_duration       duration in seconds
       Duration, as best calculated by the directly connected NAS server.
4      now                  seconds, relative to LAS_start_time
       Time when the record is logged by this system.
5      LAS_duration         duration in seconds
       Duration, as best calculated by the LAS.
6      accessID             string
       The (corrected) access ID, user@realm.
7      reserved             string
       Reserved.
8      sessionID            quoted_string
       Session ID, found in the Class attribute.
9      token_pool           string
       Token Pool name, found in the attribute Token.
10     session_timeout      duration in seconds
       Session time (duration) limit.
11     NAS_ID or NAS_port   string / integer
       NAS-Identifier or NAS-Port attribute value.
12     service_class        string
       Service-Class attribute value.
13     filter               string
14     service_type         string[/string[/string]]
       Service-Type followed by additional fields separated by a ‘/’, depending on Service-Type.
       If Framed, the other fields (if present) are:
       • Framed-Protocol
       • Framed-IP-Address
       • Framed-IPv6-Prefix
       • Framed-Interface-Id
       If Login, the other fields (if present) are:
       • Login-Service-Type
       • Login-IP-Host or Login-IPv6-Host
       • Login-TCP-Port

For a complete description of the session log format and recorded values, see Chapter 12: “Logging and Monitoring” (page 142).

Examples

The following examples illustrate some basic session log configurations.

Livingston Call Detail Record (CDR) Format

By specifying log_acct for aatv, LOG will generate CDRs in a single flat file. Following is the syntax:

    stream *default* {
        aatv log_acct
        buffer 1
        close on
        filename session.%Y-%m-%d.log
        update 900
        wrap 3
    }
    end

Multiple Logging Streams

By specifying log_all for aatv, LOG will generate a record for each stream defined in the log.config file (before the end keyword). Following is the syntax:

    stream *default* {
        aatv log_all
    }
    stream old {
        aatv log_v1_1
        buffer 1
        close on
        filename record.%y%m%d.las
    }
    stream new {
        aatv log_v2_0
        aatv-value 7
        buffer 1
        close on
        filename recordv2.%y%m%d.las
    }
    end

Logging Based on Attributes

This sample logs all accounting requests for yourorg.com in the yourorg.%Y%M.log file and the rest of the accounting requests in the realm.%Y%M.log file. This stream configuration for logging is based on log_by_realm. The log_by_realm AATV searches for the User-Realm attribute. Following is the syntax:

    stream *default* {
        aatv LOG_BY_REALM
        buffer 1
        close on
        filename session.%Y-%m-%d.log
        update 900
        wrap 3
    }
    stream User-Realm::*default* {
        aatv log_acct
        buffer 1
        close on
        filename realm.%Y%M.log
        update 900
        wrap 3
    }
    stream User-Realm::yourorg.com {
        aatv log_acct
        buffer 1
        close on
        filename yourorg.%Y%M.log
        update 1
        wrap 3
    }
    end

Accounting Log Based on Attribute Value

You can write accounting logs to different log files, based on the RADIUS attribute value in the RADIUS Accounting-Request. To write accounting logs to a different log file, you must modify the /etc/opt/aaa/log.config and /etc/opt/aaa/radius.fsm files.

To write accounting logs to different log files, complete the following steps:

1. Modify the /etc/opt/aaa/log.config file by replacing the following code:

    stream *default* {
        aatv log_v2_0
        buffer 1
        close on
        filename session.%Y-%m-%d.log
        update 900
        wrap 3
    }
    end

   with the code shown below:

    # log_by_attribute logging configuration
    #
    stream *default* {
        aatv LOG_BY_ATTRIBUTE
    }
    stream Called-Station-Id::*default* {
        aatv log_acct
        buffer 1
        close on
        filename logotherattr.%Y-%m-%d.log
        update 900
        wrap 3
    }
    stream Called-Station-Id::12345 {
        aatv log_acct
        buffer 1
        close on
        filename logbyattr.%Y-%m-%d.log
        update 900
        wrap 3
    }
    end

2. Modify the radius.fsm file by changing all the lines in Acctlog that reference the LOG AATV, as in the following:

    *.*.ACCT_START LOG_BY_ATTRIBUTE ReplyHold xstring="Called-Station-Id"
    *.*.ACCT_STOP  LOG_BY_ATTRIBUTE ReplyHold xstring="Called-Station-Id"

3. HUP or stop and start the server.

4. Send an accounting Start and/or Stop request with the Called-Station-Id attribute.

   You can now see the following file: /var/opt/aaa/acct/logbyattr.2005-05-16.log

5. Send an accounting Start and/or Stop request without the Called-Station-Id attribute.

   Example of an accounting start message:

    radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-Status-Type=Start -:Called-Station-Id=12345 -w password test_user

   Example of an accounting stop message:

    radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-Status-Type=Stop -:Called-Station-Id=12345 -w password test_user

   You can now see the following file: /var/opt/aaa/acct/logotherattr.2005-05-16.log

Changing the Accounting Log Rollover Interval

The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval, follow the steps described in “Changing the Accounting Log Filename” (page 150). The logging interval will change to the finest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H will change the rollover interval to hourly.

34 Attribute-Value Pairs

The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged among clients and servers, one or more attributes and values are sent pairwise as an Attribute-Value pair (A-V pair). For the HP-UX AAA Server software, all valid attributes and values are listed in the dictionary file.

This chapter organizes the attributes by the information and data that they contain and the functions they perform, including the following:
• Check and deny items to define simple policy for authorization
• Reply items to configure the user’s session for authorization
• Accounting attributes that store usage information in logged accounting records
• Configuration attributes that are used in a user profile to implement built-in HP-UX AAA Server features
• Session attributes that appear in the HP-UX AAA Server binary session files

Specifying Attribute-Value Pairs

Attribute names and their enumerated value names are defined in the dictionary file. When specifying attribute values in configuration files, you must have a space before the equal to (=) or not equal to (!=) operator. A list of A-V pairs may be delimited by commas, white space, or both.

Attribute-Value Formats

The attribute values (to the right of the equal sign) can take on any of the supported, legal values described in the dictionary file. The attributes and their corresponding values are defined to be one of the following types: IP address, ipv6prefix, ipv6addr, ifid, string, vendor, tag string, tag integer, date, integer, octet, and short values.
• String values must be surrounded by the double quote ('"') character if they contain spaces; otherwise, the quotation marks are optional. These values are limited to a maximum of 253 characters.
• LDAP policy and decision files cannot handle tag string and tag integer values.
• IPv4 address values can use the common dotted-quad notation.
• IPv6 address values can use the colon or double-colon (::) notation.
• Date values follow the format of a three-character month abbreviation (e.g., Jan, Feb, Mar, etc.), followed by the day, followed by the year expressed as four digits (e.g., 1998). Each field must be delimited by a space or hyphen (e.g., Jan 8 2002, Jan-21-2002, etc.).
• A-V pair lists must be delimited by white space. For readability you may use both a comma and white space as a delimiter.

Examples

The following examples are syntactically valid A-V pair lists:

    Password = "rock", Service-Type = "Framed", Comment = "This is OK"
    Password =rock Service-Type =Framed Comment ="This is OK"

The following examples are not syntactically valid A-V pair lists:

    Password="rock"Service-Type="Framed"Comment="This is not OK"
    Password= rock Service-Type= Framed Comment= This is not OK
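The syntax rules above, turned into a parser as an added example (written for this edition; the server's own parser is not available here and may differ in details such as which characters an attribute name may contain): it requires white space before the operator, accepts comma and/or white-space delimiters, quoted and unquoted strings, the 253-character limit, dates in either the space- or hyphen-delimited form, and the :Tag: prefix described under Tagged Attributes below with its limit of 32. Typing a value by its spelling rather than by the dictionary is an assumption of the example, as is treating an unquoted integer as an integer.

```python
"""Parse A-V pair lists as written in HP-UX AAA Server configuration files."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
MAX_STRING = 253      # string values are limited to 253 characters


@dataclass
class AVPair:
    attribute: str
    operator: str                 # "=" (check or reply item) or "!=" (deny item)
    value: Union[str, int, date]
    tag: Optional[int] = None     # set for tagged attributes (Attribute =:Tag:Value)


# One pair: a name, mandatory white space, the operator, optional white space,
# an optional :tag: prefix, then a date, a quoted string, or a bare token.
PAIR_RE = re.compile(
    r'(?P<attr>[A-Za-z][A-Za-z0-9._-]*)'
    r'\s+(?P<op>!=|=)\s*'
    r'(?::(?P<tag>\d+):)?'
    r'(?:(?P<date>[A-Z][a-z]{2}[ -]\d{1,2}[ -]\d{4})(?=[\s,]|$)'
    r'|"(?P<quoted>[^"]*)"'
    r'|(?P<bare>[^\s,"]+))'
)
DELIM_RE = re.compile(r'[\s,]*')      # pairs are separated by white space, commas, or both


def _convert(match):
    """Type a matched value: date, int for an unquoted integer, otherwise str."""
    if match.group("date"):
        month, day, year = re.split(r"[ -]", match.group("date"))
        if month not in MONTHS:
            raise ValueError(f"unknown month abbreviation {month!r}")
        return date(int(year), MONTHS[month], int(day))
    quoted = match.group("quoted")
    raw = quoted if quoted is not None else match.group("bare")
    if len(raw) > MAX_STRING:
        raise ValueError(f"value of {match.group('attr')} exceeds {MAX_STRING} characters")
    if quoted is None and re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_av_list(text):
    """Parse an A-V pair list into AVPair objects; raise ValueError on bad syntax."""
    pairs, pos, end = [], 0, len(text)
    while True:
        pos = DELIM_RE.match(text, pos).end()
        if pos >= end:
            return pairs
        match = PAIR_RE.match(text, pos)
        if match is None:
            raise ValueError(f"invalid A-V pair at offset {pos}: {text[pos:pos + 30]!r}")
        tag = None
        if match.group("tag") is not None:
            tag = int(match.group("tag"))
            if tag >= 32:
                raise ValueError(f"tag {tag} for {match.group('attr')} is not less than 32")
        pairs.append(AVPair(match.group("attr"), match.group("op"), _convert(match), tag))
        pos = match.end()
        # A pair must be followed by a delimiter or by the end of the list.
        if pos < end and text[pos] not in " \t\r\n,":
            raise ValueError(f"missing delimiter after {match.group('attr')} at offset {pos}")


def is_valid_av_list(text):
    """True when the list parses, False otherwise."""
    try:
        parse_av_list(text)
        return True
    except ValueError:
        return False
```

Both invalid lists from the examples fail at the same point, the missing space before the operator, which is the mistake the guide's rule is aimed at; the parser reports the offset so the offending pair can be located in a long users entry.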

Tagged Attributes

A RADIUS message can include multiple values for one or more attributes that are tagged to organize the attributes into defined groups. Depending on its capabilities, a client or server can selectively use one set of tagged attributes. For example, an Access-Accept can contain several different tunnel definitions. If it supports tagged attributes, the client can select the definition to use. Tagged attributes can be used as check or reply items.

Tagged attributes follow the syntax:

    Attribute =:Tag:Value

Attribute    The attribute to tag.
Tag          A unique integer (less than 32) that identifies what set this attribute belongs to.
Value        The attribute value.

For example, Tunnel-Type =:1:PPTP indicates an attribute value of PPTP that belongs to a larger set of attributes, all tagged with 1, that collectively define one type of tunnel that might be established for a user.

IMPORTANT: Some NASs do not support tagged attributes. HP recommends that when you return multiple tunnel definitions to a client, you have at least one set of attributes that is untagged or tagged with a 0 value, so that there is a tunnel definition available to a client that does not support tags.

Attributes in User Profiles

The following attributes can be used to establish the authorization rules for a user profile. Authorization determines the following:
• The services and network resources that the user can access
• The services that the user can access
• The time duration that the user can access the network

The attributes in a user profile may act as a configuration, check (and deny), or reply item. Some attributes may act as both check and reply items.

Configuration Attributes

You can add configuration attributes that are not directly supported by the Server Manager graphic interface. You can add configuration attributes through the Server Manager as a check item under the Free tab on the User Creation screen. For more information, see “Tabs on the Add Users Screen” (page 130).

Authentication-Type
    The authentication type is applied to a user just as it would be applied to a user belonging to a realm. Check and reply items in the user entry will be appended to any items used later in the authentication process.

Comment
    This attribute does not perform any server function. It allows you to provide any necessary explanation for the entry.

Deny-Message
    This attribute specifies a string that would be returned as a Reply-Message value to the user in the Access-Reject if any deny item for this user caused a rejection. You can configure a denial message (using the Free tab in the Check Item list box in the Server Manager) as follows:

        Deny-Message = "You can't do that." NAS-Port != 3160

    You can also use an asterisk wildcard:

        Deny-Message = "*" NAS-Port != 3160

    This wildcard string sends the following message indicating what deny item triggered the rejection:

        Access denied, NAS-Port != 3160

    IMPORTANT: The Deny-Message will only be returned if a deny item (Attribute != Value) comparison fails. It will not be returned if a check item fails.

Expiration
    In date format, specifies when an entry expires. After the date, the user will receive an Access-Reject with the message, “Password has expired,” in response to all Access-Requests. The correct syntax is as follows:

        Expiration = mth day year

    mth is the first three letters of the month. day is the two-digit date. year is the four-digit year. The following is an example of an Expiration check item:

        Expiration = Jan 31 2004

Group-Name
    Can be any string value. Unlike other configuration-only attributes, Group-Name initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.

Password
    Specifies the value to compare to the User-Password attribute value in the Access-Request or the user's input in response to an Access-Challenge. The \ character must not be used.

    NOTE: The RADIUS protocol does not send clear text passwords. Passwords are encrypted with the client and server’s shared secret according to RFC 2865.

    To specify an encrypted password you must follow the syntax {Encrypt-type} Encryptd-password, where Encrypt-type is the method used to encrypt the password and Encryptd-password is the encrypted password. Encrypt-type can be specified as:
    • crypt
    • md5
    • x-nthash
    • x-lmhash

Server-Name
    The additional parameter, usually a DNS name or IP address, required to perform the specified authentication type.

User-Category
    Can be any string value. Unlike other configuration-only attributes, User-Category initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.

Xvalue
    This attribute provides a means to pass an integer value to an action.

Xstring
    This attribute provides a means to pass a string value to an action.

Local Authorization Service (LAS) Configuration

Some configuration-only attributes define information for authorization through the server’s LAS. To activate the features related to these attributes for users in a given realm, you must enable session tracking for the user’s realm. A NULL realm entry will still be required if the user does not belong to a realm. The Simultaneous-Use attribute can be used in a user entry for LAS functions.

Simultaneous-Use Attribute

This attribute’s value determines the maximum number of active sessions the user can have. The default is 1 (if the LAS is enabled for the user’s realm, but no Simultaneous-Use attribute value is specified for the user or the user’s realm). A value of -1 disables the feature, providing no limit to the number of simultaneous sessions for a user in a realm enabled to use the LAS.

NOTE: Simultaneous session control is based on the inner identity (realm) for tunneled-EAP authentications.

Attributes Concerning OTP Authentication

These attributes are used for configuring OTP authentication and customizing the feature to suit various deployments. For information on these attributes, see “Attributes for Configuring OTP Authentication” (page 192).

Check (and Deny) Items

A user entry can include check, configuration-only, and reply items to implement simple policy decisions. Check items are A-V pairs that are compared to pairs in a RADIUS Access-Request data packet. Reply items are A-V pairs that are included in an Access-Accept, Access-Challenge, or Access-Reject message to provide instructions to the NAS for authorizing the user.

There are two types of check items:
• Regular check items
• Deny items

A check item is used to authenticate a user by matching the attribute value in a request to the attribute value specified as a check item. A deny item is a regular attribute, identical to a check item, except that the value is not matched to the attribute as being equal to a value but as being not equal (indicated by !=). In other words, a deny item causes an Access-Request to be rejected if the deny item's value matches the corresponding attribute value in the request.

IMPORTANT: The HP-UX AAA Server only compares a check item with the first value that appears for an attribute in an Access-Request. The server will disregard any additional instances of the same attribute in the request. This limitation also applies to tagged attributes, like those used to establish VPN tunnels.
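The check-item, deny-item, Deny-Message and Expiration rules stated above, worked through as an added example (code written for this edition, not the server's implementation). The request is kept as an ordered list of pairs so that the first-value rule from the IMPORTANT note can be shown: a second NAS-Port in the same request is ignored. The user entry, the request contents and the (attribute, operator, value) representation are constructed; treating a check item whose attribute is absent from the request as a failed check, and leaving Password verification out (its encrypted forms are not specified here), are assumptions of the example.

```python
"""Evaluate a user entry's check and deny items against an Access-Request."""
from datetime import date

# Configuration-only attributes from the list above; they are not compared
# against the request. Password is listed here because verifying it against
# User-Password is outside this example.
CONFIG_ONLY = {"Authentication-Type", "Comment", "Deny-Message", "Expiration", "Group-Name",
               "Password", "Server-Name", "User-Category", "Xvalue", "Xstring"}

# Constructed user entry, written as (attribute, operator, value) triples: a
# wildcard Deny-Message, one deny item, one regular check item, one Expiration.
USER_ENTRY_ITEMS = [
    ("Deny-Message", "=", "*"),
    ("NAS-Port", "!=", 3160),
    ("Service-Type", "=", "Framed"),
    ("Expiration", "=", date(2004, 1, 31)),
]


def first_values(request_pairs):
    """Keep only the first instance of each attribute in the request, since the
    server disregards additional instances of the same attribute."""
    first = {}
    for attribute, value in request_pairs:
        first.setdefault(attribute, value)
    return first


def evaluate(items, request_pairs, today):
    """Return (accepted, reply_message) for one Access-Request.

    Rules taken from the guide: a check item must equal the request's first
    value for that attribute; a deny item rejects when the request's value
    equals the item's value; Deny-Message is returned only for a deny-item
    rejection (never for a failed check item) and "*" expands to
    "Access denied, <attribute> != <value>"; an Expiration in the past rejects
    with "Password has expired". Assumption: a check item whose attribute is
    absent from the request fails, and no message is returned for it.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    request = first_values(request_pairs)
    deny_message = next((v for a, _, v in items if a == "Deny-Message"), None)
    expiration = next((v for a, _, v in items if a == "Expiration"), None)
    if expiration is not None and today > expiration:
        return False, "Password has expired"
    for attribute, operator, value in items:
        if attribute in CONFIG_ONLY:
            continue
        present = attribute in request
        if operator == "!=":
            if present and request[attribute] == value:
                if deny_message == "*":
                    return False, f"Access denied, {attribute} != {value}"
                return False, deny_message
        elif not present or request[attribute] != value:
            return False, None
    return True, None


if __name__ == "__main__":
    # Constructed request carrying NAS-Port twice; only the first value counts.
    request = [("User-Name", "test_user"), ("NAS-Port", 3160), ("NAS-Port", 3161),
               ("Service-Type", "Framed")]
    print(evaluate(USER_ENTRY_ITEMS, request, "2003-06-01"))
```

The first-value rule is the operationally important detail: a policy written as a deny item on NAS-Port is only as strong as the NAS's guarantee that the port it wants checked is the first instance in the packet.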

Attributes Concerning the NASNAS-IP-Address This attribute indicates the identifying IPv4 address of the

NAS which is requesting authentication of the user. Eitherthe NAS IP address, NAS-IPv6-Address, or theNAS-Identifier must be present in an Access-Request.

NAS-IPv6-Address This attribute indicates the identifying IPv6 address of theNAS which is requesting authentication of the user. Thisattribute must be unique to the NAS within the scope of theRADIUS server. Either the NAS-IP-Address,NAS-IPv6-Address, or NAS-Identifier must be present in anAccess-Request.

NAS-Identifier This attribute contains a string identifying the NASoriginating the Access-Request. Either the NAS -IP-Address,NAS-IPv6-Address, or the NAS-Identifier must be presentin an Access-Request.

NAS-Port This attribute indicates the physical port number of the NASwhich is authenticating the user.

NOTE: NAS port refers to a physical connection on theNAS, not a TCP or UDP port number. If the NASdifferentiates among its ports, either NAS-Port orNAS-Port-Type or both should be present in anAccess-Request packet.

NAS-Port-Type This attribute indicates the type of the physical port of theNAS that is authenticating the user. It may appear in anAccess-Request instead of or in addition to the NAS portattribute value. NAS-Port, NAS-Port-Type, or NAS-Port-Idshould be present in an Access-Request packet if the NASdifferentiates among its ports. Valid values for this attributeare:• Async• Sync• ISDN-Sync• ISDN-Async-V120

Check (and Deny) Items 551

Page 552: HP-UX AAA Server A.08.01 administrator s guideh20628. · HP-UXAAAServerA.08.01 administrator’sguide HP-UX11iv2andHP-UX11iv3 HPPartNumber:T1428-90072 Published:May2010 Edition:Edition10

• ISDN-Async-V110• Virtual

NAS-Port-Id This attribute is similar to the NAS-Port Attribute in that itindicates the physical port number of the NAS that isauthenticating the user. NAS-Port-ID contains a text stringthat identifies the port of the NAS that is authenticating theuser. The text string is intended for use by NASs that cannotconveniently number their ports.

Policy AttributesThese attributes are useful while specifying policy group conditions or replies. Forinformation on these attributes, see “Useful Attributes for Policy Conditions” (page 440)

Other AttributesCalled-Station-ID This attribute indicates where the user called to, using

Dialed Number Identification Service (DNIS), or similartechnology. Note that this may be different from the phonenumber the call comes in on.

Calling-Station-ID This attribute indicates where the user called from, usingAutomatic Number Identification (ANI) or similartechnology.

Connect-Info This attribute is sent from the NAS to indicate the nature of the user's connection. The Connect-Info text field consists of UTF-8 encoded 10646 characters. The connection speed should be included at the beginning of the first Connect-Info attribute in the packet. If the transmit and receive connection speeds differ, they may both be included in the first attribute with the transmit speed first, a slash (/), then the receive speed. Optionally other modem information may also be included. See the following examples:
28800 V42BIS/LAPM
52000/31200 V90

Day-Of-Week A string, representing the day of the week (spelled out or three letter abbreviation), or a number from 0 to 6, where 0 represents Sunday and 6 represents Saturday. This attribute is compared to the current system clock of the machine hosting the AAA server that is making the comparison.

Auth-Grace-Period The server will terminate a session after the Session-Timeout or the combined Authorization-Lifetime and Auth-Grace-Period value expires.
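Parsing the two free-form values described above, the speed fields of Connect-Info and the three accepted spellings of a Day-Of-Week check item, as an added example that is not part of the HP guide. The sample clock is constructed; a server would use its own system time.

```python
"""Parsers for the Connect-Info and Day-Of-Week attributes (added example,
not HP's code). Connect-Info: "<tx>[/<rx>] [modem info]"; Day-Of-Week: a
spelled-out day, a three-letter abbreviation, or 0..6 with 0 = Sunday."""
import re
from datetime import datetime
from typing import NamedTuple, Optional


class ConnectInfo(NamedTuple):
    tx_speed: int
    rx_speed: int      # equals tx_speed when only one speed is given
    modem_info: str    # optional trailing text, empty when absent


# speed, optional "/receive speed", optional whitespace-separated remainder
_SPEED_RE = re.compile(r"^\s*(\d+)(?:/(\d+))?(?:\s+(.*))?$")


def parse_connect_info(value: str) -> ConnectInfo:
    """Split the first Connect-Info attribute of a packet into its fields."""
    m = _SPEED_RE.match(value)
    if not m:
        raise ValueError(f"Connect-Info does not start with a speed: {value!r}")
    tx = int(m.group(1))
    rx = int(m.group(2)) if m.group(2) else tx
    return ConnectInfo(tx, rx, (m.group(3) or "").strip())


_DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]


def normalize_day_of_week(value: str) -> int:
    """Map any accepted Day-Of-Week spelling to 0..6 (0 = Sunday)."""
    v = value.strip().lower()
    if v.isdigit():
        n = int(v)
        if 0 <= n <= 6:
            return n
        raise ValueError(f"Day-Of-Week number out of range: {value!r}")
    for idx, name in enumerate(_DAYS):
        if v == name or v == name[:3]:
            return idx
    raise ValueError(f"unrecognised Day-Of-Week value: {value!r}")


def day_of_week_matches(check_value: str, now: Optional[datetime] = None) -> bool:
    """Evaluate a Day-Of-Week check item against the server clock (or `now`)."""
    now = now or datetime.now()
    # datetime.weekday() counts Monday as 0; shift so that Sunday is 0.
    today = (now.weekday() + 1) % 7
    return normalize_day_of_week(check_value) == today


# Constructed sample clock: 3 May 2010 was a Monday.
SAMPLE_CLOCK = datetime(2010, 5, 3, 9, 30)
```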


Reply Items
Table 34-1 identifies which reply item attributes may appear as a hint that could be checked by the server, and those that would not appear as a hint that could be checked.

Table 34-1 Reply Item Attributes

Attribute                  Reply Item  Check Item (Hint)
Acct-Interim-Interval      Yes         No
Callback-ID                Yes         No
Callback-Number            Yes         Yes
Configuration-Token        Yes         No
Filter-Id                  Yes         No
Framed-Compression         Yes         Yes
Framed-IP-Address          Yes         Yes
Framed-IPv6-Prefix         Yes         Yes
Framed-Interface-Id        Yes         Yes
Framed-IP-Network          Yes         Yes
Framed-IPX-Network         Yes         No
Framed-MTU                 Yes         No
Framed-Pool                Yes         No
Framed-IPv6-Pool           Yes         No
Framed-Protocol            Yes         Yes
Framed-Route               Yes         No
Framed-IPv6-Route          Yes         No
Framed-Routing             Yes         No
Idle-Timeout               Yes         No
Login-IP-Host              Yes         No
Login-IPv6-Host            Yes         Yes
Login-LAT-Group            Yes         Yes
Login-LAT-Node             Yes         Yes
Login-LAT-Port             Yes         Yes
Login-LAT-Service          Yes         Yes


Table 34-1 Reply Item Attributes (continued)

Attribute                  Reply Item  Check Item (Hint)
Login-Service              Yes         Yes
Login-TCP-Port             Yes         No
Port-Limit                 Yes         Yes
Prompt                     Yes         No
Reply-If-Ack-Message       Yes         No
Reply-Message              Yes         No
Service-Type               Yes         Yes
Session-Timeout            Yes         No
Tunnel-Assignment-ID       Yes         No
Tunnel-Client-Auth-ID      Yes         Yes
Tunnel-Client-Endpoint     Yes         Yes
Tunnel-Medium-Type         Yes         Yes
Tunnel-Password            Yes         Yes
Tunnel-Preference          Yes         Yes
Tunnel-Private-Group-ID    Yes         Yes
Tunnel-Server-Auth-ID      Yes         Yes
Tunnel-Server-Endpoint     Yes         Yes
Tunnel-Type                Yes         Yes

General Attributes
Service-Type This attribute indicates a type of provided service. When used as a reply item, the server returns the value to the NAS as an instruction to determine the service to provide. When used as a check item, the server will reject an Access-Request that does not include a hint for the specified Service-Type. Valid values for this attribute are:
• Login: The user should be connected to a host.
• Framed: A Framed Protocol should be started for the user, such as PPP or SLIP.
• Callback-Login: The user should be disconnected and called back and then connected to a host.
• Callback-Framed: The user should be disconnected and called back and then a Framed Protocol should be started for the user, such as PPP or SLIP.
• Outbound: The user should be granted access to outgoing devices.
• Administrative: The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.
• NAS-Prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
• Authenticate-Only: Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself).
• Callback-NAS-Prompt: The user should be disconnected and called back and then provided a command prompt on the NAS from which non-privileged commands can be executed.

Session-Timeout This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt.

Idle-Timeout This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter-ID This attribute indicates the name of the filter list for this user. Different attribute values may be used to add more than one Filter-ID reply item to an entry. Identifying a filter list by name allows the filter to be used on different NAS(s) without regard to filter-list implementation details.

IMPORTANT: When using the Server Manager interface, you can define only one Filter-ID.

Callback-Number This attribute indicates a dialing string to be used for callback.

Callback-ID This attribute indicates the name of a place to be called, to be interpreted by the NAS.


Attributes Concerning Login Users
Login-IP-Host This attribute indicates the system that the user will connect to when Service-Type is defined as Login. This attribute is used in an IPv4 environment.

Login-IPv6-Host This attribute indicates the system that the user will connect to when Service-Type is defined as Login. This attribute is used in an IPv6 environment.

Login-Service This attribute indicates the service that should be used to connect to the login host. Valid values are:
• Telnet
• Rlogin
• TCP-Clear
• PortMaster (proprietary)
• LAT

Login-TCP-Port This attribute indicates the TCP port that the user is to be connected to when Service-Type is defined as Login.

Login-LAT-Service This attribute indicates the system that the user is to be connected to when Login-Service is defined as LAT.

Login-LAT-Node This attribute indicates the node that the user is to be connected to when Login-Service is defined as LAT.

Login-LAT-Group This attribute contains a string that identifies the groups that the user is authorized to use when Login-Service is defined as LAT.

Login-LAT-Port This attribute indicates the port that the user is to be connected to when Login-Service is defined as LAT.

Attributes for Framed Users
Framed-Protocol This attribute indicates the framing to be used for framed access. Valid values for this attribute are:
• PPP
• SLIP
• ARA (AppleTalk Remote Access Protocol, ARAP)
• Gandalf (proprietary SingleLink/MultiLink protocol)
• Xylogics (proprietary IPX/SLIP)

Framed-IP-Address This attribute indicates the IP address to be configured for the user.

Framed-IPv6-Prefix This attribute indicates an IPv6 prefix to be configured for the user.


Framed-Interface-Id This attribute indicates the IPv6 interface identifier to be configured for the user.

Framed-IP-Netmask This attribute indicates the IP netmask to be configured for the user when the user is a router on a network.

Framed-Routing This attribute indicates the routing method for the user when the user is a router to a network. Valid values for this attribute are:
• None
• Broadcast (routing packets)
• Listen (for routing packets)
• Broadcast-Listen

Framed-MTU This attribute indicates the Maximum Transmission Unit to be configured for the user when it is not negotiated by some other means (such as PPP).

Framed-Compression This attribute indicates a compression protocol to be used for the link. Valid values for this attribute are:
• None
• Van-Jacobsen-TCP-IP
• IPX-Header-Compression

Framed-Route This attribute provides routing information to be configured for the user on the NAS. This attribute is used in an IPv4 environment.

Framed-IPv6-Route This attribute provides routing information to be configured for the user on the NAS. This attribute is used in an IPv6 environment.

Framed-Pool This attribute is sent by the AAA Server to the NAS and contains the name of an assigned pool that must be used to assign an IPv4 address for the users. If a NAS does not support multiple address pools, the NAS must ignore this attribute. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.

Framed-IPv6-Pool This attribute is sent by the AAA Server to the NAS and contains the name of an assigned pool that must be used to assign an IPv6 address for the user. If a NAS does not support multiple address pools, the NAS must ignore this attribute. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.


Framed-IPX-Network This attribute indicates the IPX Network number to be configured for the user.

Tunneling Attributes
When a tunneling attribute is used as a reply item, the AAA server will return the A-V pair, which the NAS will use as instruction for establishing the tunnel. The server may recognize hints in an Access-Request. If hints appear in an Access-Request for a user with tunneling attributes as reply items, the server will use the tunneling keyword in the aaa.config file to determine what information will be used to establish the tunnel. When you use a tunneling attribute as a check item, you are controlling access to the tunnel server based on what the user is requesting.

Tunnel-Type Indicates the tunneling protocol to use when establishing the tunnel. Valid values for this attribute are:
• PPTP (Point-to-Point Tunneling Protocol)
• L2F (Layer Two Forwarding)
• L2TP (Layer Two Tunneling Protocol)
• ATMP (Ascend Tunnel Management Protocol)
• VTP (Virtual Tunneling Protocol)
• AH (IP Authentication Header in the Tunnel-mode)
• IP-IP-Encap (IP-in-IP Encapsulation)
• MIN-IP-IP (Minimal IP-in-IP Encapsulation)
• ESP (IP Encapsulating Security Payload in the Tunnel-mode)
• GRE (Generic Route Encapsulation)
• DVS (Bay Dial Virtual Services)
• IP-IP (IP-in-IP Tunneling)

Tunnel-Medium-Type Transport medium to use when creating a tunnel for those protocols (e.g., L2TP) that can operate over multiple transports. Valid values for this attribute are:
• IPv4 (IP version 4)
• IPv6 (IP version 6)
• NSAP
• HDLC (8-bit multidrop)
• BBN-1822 (1822)
• IEEE-802 (All 802 media plus Ethernet “canonical format”)
• E-163 (POTS)
• E-164 (SMDS, Frame Relay, ATM)
• F-69 (Telex)
• X-121 (X.25, Frame Relay)
• IPX
• Appletalk
• DecnetIV
• Banyan-Vines
• E-164-NSAP

Tunnel-Client-Endpoint Address of the client that initiated the tunnel.

Tunnel-Server-Endpoint Address of the server that provides the tunnel to the user.

Tunnel-Password This password is not used for authentication by the AAA server but is a separate check made for access to the machine specified by Tunnel-Server-Endpoint.

Tunnel-Private-Group-ID A group identifier for a private session. Private groups may be used to associate a tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered IP addresses through a particular interface.

Tunnel-Assignment-ID This attribute indicates what tunnel will be used to provide an appropriate level of service for the user. Data transfer for users that share the same assignment will be multiplexed over a shared tunnel. A client that supports this attribute will handle it as follows:
• If this attribute is present and a tunnel exists between the specified endpoints with the specified ID, then the session should be assigned to that tunnel.
• If this attribute is present and no tunnel exists between the specified endpoints with the specified ID, then a new tunnel should be established for the session and the specified ID should be associated with the new tunnel.
• If this attribute is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints then it is established and used for this and subsequent sessions established without the Tunnel-Assignment-ID attribute.

NOTE: The same ID may be used to name different tunnels if the tunnels are between different endpoints.
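The three Tunnel-Assignment-ID rules and the note above, written out as the session-to-tunnel selection a client would perform. This is an added example, not HP's or any NAS vendor's code; the endpoint names in the sample are placeholders.

```python
"""Session-to-tunnel assignment following the Tunnel-Assignment-ID rules
(added example, not HP's code). A tunnel is identified by its two endpoints
plus the assignment ID; None stands for the unnamed tunnel between a pair of
endpoints, so the same ID between different endpoints names different tunnels."""
from typing import Dict, Optional, Tuple

# (Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Assignment-ID or None)
TunnelKey = Tuple[str, str, Optional[str]]


class TunnelTable:
    def __init__(self) -> None:
        self._tunnels: Dict[TunnelKey, int] = {}   # key -> tunnel number
        self._next_tunnel = 1

    def assign(self, client_ep: str, server_ep: str,
               assignment_id: Optional[str] = None) -> Tuple[int, bool]:
        """Place a new session on a tunnel; returns (tunnel number, created).

        * ID present and a tunnel with that ID exists between the endpoints: reuse it.
        * ID present and no such tunnel: establish one and record the ID on it.
        * ID absent: use the unnamed tunnel between the endpoints, creating it
          on first use so later ID-less sessions share it.
        """
        key: TunnelKey = (client_ep, server_ep, assignment_id)
        if key in self._tunnels:
            return self._tunnels[key], False
        tunnel = self._next_tunnel
        self._next_tunnel += 1
        self._tunnels[key] = tunnel
        return tunnel, True

    def tunnel_count(self) -> int:
        return len(self._tunnels)


def demo() -> TunnelTable:
    """Constructed sequence of five sessions; endpoint names are placeholders."""
    t = TunnelTable()
    t.assign("nas-a.example", "lns-1.example", "gold")   # new tunnel 1
    t.assign("nas-a.example", "lns-1.example", "gold")   # same ID, same endpoints: reuse 1
    t.assign("nas-a.example", "lns-2.example", "gold")   # same ID, other endpoints: new 2
    t.assign("nas-a.example", "lns-1.example")           # no ID: unnamed tunnel 3
    t.assign("nas-a.example", "lns-1.example")           # no ID again: reuse 3
    return t
```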

Tunnel-Preference When returning more than one tagged tunnel description, this attribute indicates each tunnel’s relative level of preference. Values for this attribute are specified as an ordinal number (e.g., first, second, etc.).

Tunnel-Client-Auth-ID Name used by the client during the authentication that occurs between the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint based on Tunnel-Password and any other checks that may be configured for Tunnel-Server-Endpoint.

Tunnel-Server-Auth-ID Name used by the server during the authentication that occurs between the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint based on Tunnel-Password and any other checks that may be configured for Tunnel-Server-Endpoint.

Other Attributes
Acct-Interim-Interval This attribute indicates the number of seconds between each interim update for a specific session. If the server wishes to receive interim accounting messages for a given user, it must include this RADIUS attribute in the message which indicates the interval in seconds between interim messages.

NOTE: The Acct-Interim-Interval value field contains the number of seconds between each interim update to be sent from the NAS for a session. The value must not be smaller than 60 seconds and should not be smaller than 600. Careful consideration should be given to its impact on network traffic.

Configuration-Token The Configuration-Token attribute is supported by the AAA Server as a reply item and is an implementation specific attribute that is based upon a lookup table configured outside of the AAA server. It is used in large distributed authentication networks and is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept message that indicates a type of user profile to be used.

Port-Limit This attribute sets the maximum number of ports to be provided to the user by the NAS. It is intended for use in conjunction with Multilink PPP or similar uses.

Prompt This attribute is used only in Access-Challenge packets and indicates to the NAS whether it should echo the user's response as it is entered.

Reply-If-Ack-Message This is a Merit-specific attribute, similar to Reply-Message, that is only sent in an Access-Accept message.

Reply-Message This attribute indicates text that may be displayed to the user when the server responds to a request with any RADIUS message. Different attribute values may be used to add more than one Reply-Message reply item to an entry.

IMPORTANT: When using the Server Manager interface, you can define only one Reply-Message value.

NOTE: When using complex policy, it is possible to use the Reply-Message attribute to send one message when the authentication succeeds and a different message if the authentication fails.

Attributes in Accounting Records
This section describes the attributes that may appear in an accounting record. An accounting record is stored in the HP-UX AAA Server session logs. These attributes may appear in a record in addition to the basic session information.

Additional Session Information
The following attributes, supported by the HP-UX AAA Server software, may appear in a session record.

Acct-Status-Type An integer that indicates whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or some other state. This attribute appears in all accounting messages as follows:
• 1 (Start)
• 2 (Stop)
• 3 (Interim-Update)
• 7 (Accounting-On)
• 8 (Accounting-Off)
• 9 (Tunnel-Start)
• 10 (Tunnel-Stop)
• 11 (Tunnel-Reject)
• 12 (Tunnel-Link-Start)
• 13 (Tunnel-Link-Stop)
• 14 (Tunnel-Link-Reject)
• 15 (Reserved for Failed)

Acct-Delay-Time How many seconds the client has been trying to send this record, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)

Acct-Input-Octets How many octets have been received from the port over the course of this service being provided. Only appears in a stop message.

Acct-Output-Octets How many octets have been sent to the port in the course of delivering this service. Only appears in a stop message.

Acct-Session-Id Unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session will have the same Acct-Session-Id. This attribute appears in all accounting messages.

Acct-Authentic An integer that indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol:
• 1 (RADIUS)
• 2 (Local)
• 3 (Remote)

Acct-Session-Time How many seconds the user has received a service. Only appears in a stop message.


Acct-Input-Packets How many packets have been received from the port over the course of this service being provided to a framed user. Only appears in a stop message.

Acct-Output-Packets How many packets have been sent to the port in the course of delivering this service to a framed user. Only appears in a stop message.

Acct-Terminate-Cause How the session was terminated. The termination causes are listed in Table 34-2.

Table 34-2 Session Termination Causes

Cause                Description
User Request         User requested termination of service, for example with LCP Terminate or by logging out.
Lost Carrier         DCD was dropped on the port.
Lost Service         Service can no longer be provided; for example, user's connection to a host was interrupted.
Idle Timeout         Idle timer expired.
Session Timeout      Maximum session length timer expired.
Admin Reset          Administrator reset the port or session.
Admin Reboot         Administrator is ending service on the client, for example prior to rebooting the client.
Port Error           Client detected an error on the port that required ending the session.
NAS Error            NAS detected some error (other than on the port) which required ending the session.
NAS Request          NAS ended session for a non-error reason not otherwise listed here.
NAS Reboot           The NAS ended the session in order to reboot.
Port Unneeded        Client ended session because resource usage fell below low-water mark (for example, if a bandwidth-on-demand algorithm decided that the port was no longer needed).
Port Preempted       Client ended session in order to allocate the port to a higher priority use.
Port Suspended       Client ended session to suspend a virtual session.
Service Unavailable  Client was unable to provide requested service.
Callback             NAS is terminating current session in order to perform callback for a new session.


Table 34-2 Session Termination Causes (continued)

Cause                Description
User Error           Input from user is in error, causing termination of session.
Host Request         Login Host terminated session normally.

Acct-Multi-Session-Id A unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id.

Acct-Link-Count The count of links which are known to have been in a given multilink session at the time the accounting record is generated.

Acct-Input-Gigawords This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 (4,294,967,295) over the course of the service being provided. Working in concurrence with the Acct-Input-Octets attribute, this attribute allows for the continuous accounting of data input beyond the limit of the Acct-Output-Octets attribute and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.

Acct-Output-Gigawords This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 (4,294,967,295) over the course of the service being provided. Working in concurrence with the Acct-Output-Octets attribute, this attribute allows for the continuous accounting of data output beyond the limit of the Acct-Output-Octets attribute and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.

Acct-Interim-Interval This attribute indicates the number of seconds between each interim update for a specific session. If the server wishes to receive interim accounting messages for a given user, it must include this RADIUS attribute in the message which indicates the interval in seconds between interim messages. This value can only appear in the Access-Accept message.

NOTE: The Acct-Interim-Interval value field contains the number of seconds between each interim update to be sent from the NAS for a session. The value must not be smaller than 60 seconds or greater than 600. Careful consideration must be given to impact on network traffic.

Event-Timestamp This attribute is included in an Accounting-Request packet to record the time that an event had stopped on the NAS, and is recorded in seconds since January 1, 1970 00:00 UTC.

Acct-Tunnel-Connection Identifier assigned to the tunnel session.

Acct-Tunnel-Packets-Lost Number of packets lost on a given link.
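Deriving session facts from the accounting attributes in this section: 64-bit byte totals from the Octets and Gigawords counters, the approximate event time from Acct-Delay-Time or Event-Timestamp, and the integer code tables for Acct-Status-Type and Acct-Authentic. This is an added example, not HP's code; the record and arrival time are constructed, and the record is a plain attribute dictionary of the kind a session-log reader would produce.

```python
"""Normalizing one accounting record from its attribute-value pairs (added
example, not HP's code). Integer code tables follow the Acct-Status-Type and
Acct-Authentic lists above; Acct-Terminate-Cause is kept as the Table 34-2 name."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

ACCT_STATUS_TYPE = {
    1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On",
    8: "Accounting-Off", 9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
    12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop", 14: "Tunnel-Link-Reject",
    15: "Reserved for Failed",
}
ACCT_AUTHENTIC = {1: "RADIUS", 2: "Local", 3: "Remote"}
GIGAWORD = 2 ** 32   # one Acct-*-Gigawords unit: one wrap of the 32-bit octet counter


def total_octets(record: Dict[str, Any], direction: str) -> int:
    """Combine Acct-<direction>-Octets with its Gigawords wrap count."""
    low = int(record.get(f"Acct-{direction}-Octets", 0))
    wraps = int(record.get(f"Acct-{direction}-Gigawords", 0))
    if not 0 <= low < GIGAWORD:
        raise ValueError(f"Acct-{direction}-Octets outside 32-bit range: {low}")
    return wraps * GIGAWORD + low


def event_time(record: Dict[str, Any], arrival: datetime) -> datetime:
    """Event-Timestamp when the NAS sent one; otherwise arrival time minus
    Acct-Delay-Time, which ignores network transit as the description notes."""
    if "Event-Timestamp" in record:
        return datetime.fromtimestamp(int(record["Event-Timestamp"]), tz=timezone.utc)
    return arrival - timedelta(seconds=int(record.get("Acct-Delay-Time", 0)))


def summarize(record: Dict[str, Any], arrival: datetime) -> Dict[str, Any]:
    """Build a flat summary; counters are read only on the message types they appear in."""
    status = ACCT_STATUS_TYPE.get(int(record["Acct-Status-Type"]), "Unknown")
    summary: Dict[str, Any] = {
        "session": record["Acct-Session-Id"],
        "status": status,
        "event_time": event_time(record, arrival).isoformat(),
        "authentic": ACCT_AUTHENTIC.get(int(record.get("Acct-Authentic", 0)), "Unknown"),
    }
    # Gigawords may be present on Stop or Interim-Update; octet counters on Stop.
    if status in ("Stop", "Interim-Update"):
        summary["input_octets"] = total_octets(record, "Input")
        summary["output_octets"] = total_octets(record, "Output")
    if status == "Stop":
        summary["session_time"] = int(record.get("Acct-Session-Time", 0))
        summary["terminate_cause"] = record.get("Acct-Terminate-Cause", "")
    return summary


# Constructed sample: a Stop record that the NAS had been retrying for 5 seconds,
# whose input counter wrapped once (a little over 4 GiB received).
SAMPLE_ARRIVAL = datetime(2010, 5, 1, 12, 0, 5, tzinfo=timezone.utc)
SAMPLE_STOP = {
    "Acct-Status-Type": 2, "Acct-Session-Id": "0000A1B2", "Acct-Authentic": 1,
    "Acct-Session-Time": 3600, "Acct-Delay-Time": 5,
    "Acct-Terminate-Cause": "User Request",
    "Acct-Input-Octets": 1000, "Acct-Input-Gigawords": 1,
    "Acct-Output-Octets": 4096,
}
```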


35 MIB Objects
RFCs 2619, 2621, and 4672 describe the MIB objects for HP-UX AAA Server. All of the RADIUS MIB objects that are sent to the management workstation by the server in response to SNMP requests are read-only, except radiusAuthServConfigReset and radiusAcctServConfigReset.

Notes:
• When you check the server status, the server increases the radiusAuthServTotalAccessRequests count but does not increase radiusAuthServAccessRequests for any client. This behavior results in a total authentication request count that does not equal the sum of requests received by individual clients.
• The MIB objects do not support IPv6 addresses.
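Sanity checks a poller can run over the counters in Table 35-1: growth of the unknown-address, bad-authenticator and malformed counters between two polls, a restart guard based on radiusAuthServUptime, and the total-versus-per-client relationship from the note above. This is an added example, not HP's code; the two snapshots are constructed, and a real monitor would read the same object names with an SNMP client.

```python
"""Poll-to-poll checks over HP-UX AAA Server MIB counters (added example, not
HP's code). Snapshots map object names to values; per-client objects carry the
index suffix described under radiusAuthClientIndex."""
from typing import Dict, List

Snapshot = Dict[str, int]

# Counters whose growth between polls deserves attention: requests from unknown
# addresses, shared-secret mismatches, and malformed traffic.
SUSPICIOUS = (
    "radiusAuthServTotalInvalidRequests",
    "radiusAccServTotalInvalidRequests",
    "radiusAuthServTotalBadAuthenticators",
    "radiusAccServTotalBadAuthenticators",
    "radiusAuthServTotalMalformedAccessRequests",
    "radiusAccServTotalMalformedRequests",
)


def counter_deltas(before: Snapshot, after: Snapshot) -> Dict[str, int]:
    """Growth of every counter between two polls. If radiusAuthServUptime went
    backwards the server restarted and its counters began again from zero, so
    the earlier poll is ignored instead of producing negative deltas."""
    restarted = after["radiusAuthServUptime"] < before["radiusAuthServUptime"]
    deltas: Dict[str, int] = {}
    for name, value in after.items():
        if name == "radiusAuthServUptime":
            continue
        deltas[name] = value - (0 if restarted else before.get(name, 0))
    return deltas


def alerts(before: Snapshot, after: Snapshot, threshold: int = 0) -> List[str]:
    """Suspicious counters that grew by more than `threshold` since the last poll."""
    deltas = counter_deltas(before, after)
    return [f"{name} +{deltas[name]}" for name in SUSPICIOUS
            if deltas.get(name, 0) > threshold]


def per_client_sum_consistent(snapshot: Snapshot) -> bool:
    """radiusAuthServTotalAccessRequests may exceed the sum of the per-client
    radiusAuthServAccessRequests.<index> values (status checks count only in the
    total), but the sum must never exceed the total; if it does, the poll mixed
    values from different points in time."""
    total = snapshot["radiusAuthServTotalAccessRequests"]
    per_client = sum(v for k, v in snapshot.items()
                     if k.startswith("radiusAuthServAccessRequests."))
    return per_client <= total


# Constructed snapshots: two polls of one server, one minute apart.
POLL_1: Snapshot = {
    "radiusAuthServUptime": 100_000,
    "radiusAuthServTotalAccessRequests": 1200,
    "radiusAuthServAccessRequests.1": 700,
    "radiusAuthServAccessRequests.2": 480,
    "radiusAuthServTotalInvalidRequests": 0,
    "radiusAuthServTotalBadAuthenticators": 2,
    "radiusAccServTotalBadAuthenticators": 0,
}
POLL_2: Snapshot = {
    "radiusAuthServUptime": 106_000,
    "radiusAuthServTotalAccessRequests": 1500,
    "radiusAuthServAccessRequests.1": 900,
    "radiusAuthServAccessRequests.2": 580,
    "radiusAuthServTotalInvalidRequests": 0,
    "radiusAuthServTotalBadAuthenticators": 40,   # 38 secret mismatches in a minute
    "radiusAccServTotalBadAuthenticators": 0,
}
```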

MIB Objects
Table 35-1 describes the various MIB objects.

Table 35-1 MIB Objects and Definitions

MIB Object
    Definition

radiusAuthServIdent, radiusAccServIdent
    SnmpAdminString containing name and version of the server.

radiusAuthServUptime, radiusAccServUptime
    TimeTicks, in hundredths of a second, since the server was started.

radiusAuthServResetTime, radiusAccServResetTime
    TimeTicks, in hundredths of a second, since the server’s configuration files were reloaded.

radiusAuthServConfigReset, radiusAccServConfigReset
    The only RADIUS MIB objects for SNMP requests that allow a write operation. Sending an integer value of 2 from the SNMP workstation to the HP-UX AAA Server will reload the server’s configuration files, but only if the server was started with the -H option. A read operation will return one of the following integer values:
    • 1 (server in some unknown state)
    • 3 (server initializing)
    • 4 (server currently running)

radiusAuthServTotalAccessRequests
    The number of messages of any type received through the authentication port.


Table 35-1 MIB Objects and Definitions (continued)

MIB Object
    Definition

radiusAccServTotalRequests
    The number of messages of any type received through the accounting port.

radiusAuthServTotalInvalidRequests
    Total number of authentication requests received from an unknown address.

radiusAccServTotalInvalidRequests
    Total number of accounting requests received from an unknown address.

radiusAuthServTotalDupAccessRequests
    Total number of duplicate authentication requests received.

radiusAccServTotalDupRequests
    Total number of duplicate accounting requests received.

radiusAuthServTotalAccessAccepts
    Total number of successful authentications (Access-Accept messages sent).

radiusAccServTotalResponses
    Total number of accounting responses sent to clients.

radiusAuthServTotalAccessRejects
    Total number of failed authentications (Access-Reject messages sent).

radiusAuthServTotalAccessChallenges
    Total number of challenges sent to clients.

radiusAuthServTotalMalformedAccessRequests
    Total number of malformed Access-Request messages. Some causes of malformed requests:
    • invalid message length
    • message contains non A-V pairs
    • message not RFC compliant
    • user password too long
    • RADIUS message contains an EAP message that does not contain a Message-Authenticator attribute.

radiusAccServTotalMalformedRequests
    Total number of malformed accounting messages received from clients. Some causes of malformed requests:
    • invalid message length
    • message contains non A-V pairs
    • message not RFC compliant
    • user password too long
    • RADIUS message contains an EAP message that does not contain a Message-Authenticator attribute.


Table 35-1 MIB Objects and Definitions (continued)

MIB Object
    Definition

radiusAuthServTotalBadAuthenticators
    Total number of Access-Request messages with invalid Message-Authenticator attributes.

radiusAccServTotalBadAuthenticators
    Total number of accounting messages with invalid Message-Authenticator attributes received from clients.

radiusAuthServTotalPacketsDropped, radiusAccServTotalPacketsDropped
    Total number of incoming messages silently discarded for some reason other than malformed, bad authenticators, or unknown types.

radiusAuthServTotalUnknownTypes, radiusAccServTotalUnknownTypes
    Total number of unknown RADIUS messages received.

radiusAuthClientTable, radiusAccClientTable
    Table listing the RADIUS clients and servers that share a secret with the HP-UX AAA Server. The table will contain multiple radiusAuthClientEntry objects.

radiusAuthClientEntry, radiusAccClientEntry
    A row in the radiusAuthClientTable that represents the data for a single client or proxy server that shares a secret with the HP-UX AAA Server. Each row will contain the following objects:
    • radiusAuthClientIndex
    • radiusAuthClientAddress
    • radiusAuthClientClientID
    • radiusAuthServAccessRequests
    • radiusAuthServDupAccessRequests
    • radiusAuthServAccessAccepts
    • radiusAuthServAccessRejects
    • radiusAuthServAccessChallenges
    • radiusAuthServMalformedAccessRequests
    • radiusAuthServBadAuthenticators
    • radiusAuthServPacketsDropped
    • radiusAuthServUnknownTypes

radiusAuthClientIndex, radiusAccClientIndex
    A number that identifies a radiusAuthClientEntry or radiusAccClientEntry object that represents a client. The client-specific data is differentiated by the index appended to the name of the MIB object that contains the data.


Table 35-1 MIB Objects and Definitions (continued)

MIB Object
    Definition

radiusAuthClientAddress, radiusAccClientAddress
    The IP-Address of the corresponding client.

radiusAuthClientClientID, radiusAccClientClientID
    The NAS-Identifier of the corresponding client.

radiusAuthServAccessRequests
    Number of messages of any type received through the authentication port from the corresponding client.

radiusAccServRequests
    Number of messages of any type received through the accounting port from the corresponding client.

radiusAuthServDupAccessRequests
    Number of duplicate authentication requests received from the corresponding client.

radiusAccServDupRequests
    Number of duplicate accounting requests received from the corresponding client.

radiusAuthServAccessAccepts
    Number of successful authentications (Access-Accept messages sent to the corresponding client).

radiusAccServResponses
    Number of accounting responses sent to the corresponding client.

radiusAuthServAccessRejects
    Number of failed authentications (Access-Reject messages sent to the corresponding client).

radiusAuthServAccessChallenges
    Number of challenges sent to the corresponding client.

radiusAuthServMalformedAccessRequests
    Number of malformed Access-Request messages (bad authenticators, unknown types) received from the corresponding client.

radiusAccServMalformedRequests
    Number of malformed accounting messages (bad authenticators, unknown types) received from the corresponding client.

radiusAuthServBadAuthenticators
    Number of Access-Request messages with invalid Message-Authenticator attributes received from the corresponding client.

radiusAccServBadAuthenticators
    Number of accounting messages with invalid Message-Authenticator attributes received from the corresponding client.


Table 35-1 MIB Objects and Definitions (continued)

MIB Object
    Definition

radiusAuthServPacketsDropped, radiusAccServPacketsDropped
    Number of incoming packets from the corresponding client entry that were silently discarded for some reason other than malformed, bad authenticators, or unknown types.

radiusAuthServUnknownTypes, radiusAccServUnknownTypes
    Number of unknown RADIUS messages received from the corresponding client.

radiusAccServTotalNoRecords, radiusAccServNoRecords
    These counts are always 0, because the HP-UX AAA Server discards accounting messages it cannot respond to.

radiusDynAuthClientDisconInvalidServerAddresses
    The total number of RADIUS Disconnect-Ack/Nak received from unknown address.

radiusDynAuthClientCoAInvalidServerAddresses
    The total number of RADIUS CoA-Ack/Nak received from unknown address.

radiusDynAuthServerTable
    The table listing the RADIUS Dynamic Authorization Servers (DAS) with which the AAA Server shares a secret.

A row in theradiusDynAuthServerTable that

radiusDynAuthServerEntry

represents data for one server with whichthe AAA server shares a secret. Each rowwill contain the following objects:• radiusDynAuthServerIndex

• radiusDynAuthServerAddressType

• radiusDynAuthServerAddress

• radiusDynAuthServerClientPortNumber

• radiusDynAuthServerID

• radiusDynAuthClientRoundTripTime

• radiusDynAuthClientDisconRequests

• radiusDynAuthClientDisconRetransmissions

• radiusDynAuthClientDisconAcks

• radiusDynAuthClientDisconNaks

• radiusDynAuthClientMalformedDisconResponses

• radiusDynAuthClientDisconBadAuthenticators

• radiusDynAuthClientDisconPendingRequests

• radiusDynAuthClientDisconTimeouts

• radiusDynAuthClientDisconPacketsDropped

• radiusDynAuthClientCoARequests

• radiusDynAuthClientCoAAuthOnlyRequest

570 MIB Objects

    • radiusDynAuthClientCoARetransmissions
    • radiusDynAuthClientCoAAcks
    • radiusDynAuthClientCoANaks
    • radiusDynAuthClientMalformedCoAResponses
    • radiusDynAuthClientCoABadAuthenticators
    • radiusDynAuthClientCoAPendingRequests
    • radiusDynAuthClientCoATimeouts
    • radiusDynAuthClientCoAPacketsDropped
    • radiusDynAuthClientUnknownTypes
    • radiusDynAuthClientCounterDiscontinuity

radiusDynAuthServerIndex
    A unique number identifying the Dynamic Authorization Server (DAS).

radiusDynAuthServerAddressType
    The type of IP address of the DAS.

radiusDynAuthServerAddress
    The IP address of the DAS.

radiusDynAuthServerClientPortNumber
    The UDP port the AAA Server uses to send requests to the DAS.

radiusDynAuthServerID
    The NAS-Identifier of the DAS.

radiusDynAuthClientRoundTripTime
    The time interval (in hundredths of a second) between the most recent Disconnect or CoA request and the corresponding reply.

radiusDynAuthClientDisconRequests, radiusDynAuthClientCoARequests
    The number of Disconnect-Request/CoA-Request messages sent to this DAS. This includes requests containing Service-Type=Authorize-Only.

radiusDynAuthClientDisconRetransmissions, radiusDynAuthClientCoARetransmissions
    The number of RADIUS Disconnect-Request/CoA-Request messages retransmitted to this DAS.

radiusDynAuthClientDisconAcks, radiusDynAuthClientCoAAcks
    The number of RADIUS Disconnect-Ack/CoA-Ack messages received from this DAS.

radiusDynAuthClientDisconNaks, radiusDynAuthClientCoANaks
    The number of RADIUS Disconnect-Nak/CoA-Nak messages received from this DAS. This includes Naks to packets with Service-Type=Authorize-Only and Naks sent because no session context was found.

radiusDynAuthClientDisconNakAuthOnlyRequest, radiusDynAuthClientCoANakAuthOnlyRequest
    The number of RADIUS Disconnect-Nak/CoA-Nak messages received from this DAS in response to packets with Service-Type=Authorize-Only.

radiusDynAuthClientDisconNakSessNoContext, radiusDynAuthClientCoANakSessNoContext
    The number of RADIUS Disconnect-Nak/CoA-Nak messages received from this DAS because no session context was found.

radiusDynAuthClientMalformedDisconResponses, radiusDynAuthClientMalformedCoAResponses
    The number of RADIUS Disconnect-Ack/CoA-Ack and Disconnect-Nak/CoA-Nak messages received from this DAS that were malformed. This excludes packets of the same type that had a bad authenticator or an unknown type.

radiusDynAuthClientDisconBadAuthenticators, radiusDynAuthClientCoABadAuthenticators
    The number of RADIUS Disconnect-Ack/CoA-Ack and Disconnect-Nak/CoA-Nak messages received from this DAS that contained an invalid Authenticator field.

radiusDynAuthClientDisconPendingRequests, radiusDynAuthClientCoAPendingRequests
    The number of RADIUS Disconnect-Request/CoA-Request messages for which the AAA Server is still waiting for a response. The count is incremented when a request is sent and decremented when the matching Ack or Nak arrives, when the request times out, or when it is retransmitted.

radiusDynAuthClientDisconTimeouts, radiusDynAuthClientCoATimeouts
    The number of RADIUS Disconnect-Request/CoA-Request timeouts for this DAS.

radiusDynAuthClientDisconPacketsDropped, radiusDynAuthClientCoAPacketsDropped
    The number of incoming RADIUS Disconnect-Ack/CoA-Ack and Disconnect-Nak/CoA-Nak messages from this DAS that were dropped. This excludes packets that were malformed, had a bad authenticator, or were of unknown type.

radiusDynAuthClientCounterDiscontinuity
    The time (in hundredths of a second) since the last counter discontinuity (AAA Server restart or re-initialization). Every counter in the radiusDynAuthServerEntry row is re-initialized at that point.

A Supported IETF RFCs

Table A-1 lists the key IETF RFCs the HP-UX AAA Server supports. Refer to the IETF Web site at http://www.ietf.org for the text of these RFCs.

Table A-1 Supported IETF RFCs

RFC 2284  PPP Extensible Authentication Protocol (EAP)
RFC 2619  RADIUS Authentication Server MIB
RFC 2621  RADIUS Accounting Server MIB
RFC 2716  PPP EAP-TLS Authentication Protocol
RFC 2865  Remote Authentication Dial In User Service (RADIUS)
RFC 2866  RADIUS Accounting
RFC 2867  RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868  RADIUS Attributes for Tunnel Protocol Support
RFC 2869  RADIUS Extensions

Table A-2 lists additional IETF RFCs supported by the HP-UX AAA Server.

Table A-2 Additional IETF RFCs Supported by HP-UX AAA Server

RFC 2289  A One-Time Password System
RFC 2548  Microsoft Vendor-specific RADIUS Attributes
RFC 2618  RADIUS Authentication Client MIB
RFC 2620  RADIUS Accounting Client MIB
RFC 2809  Implementation of L2TP Compulsory Tunneling via RADIUS
RFC 2869  RADIUS Extensions (Message-Authenticator)
RFC 2882  Network Access Servers Requirements: Extended RADIUS Practices
RFC 2924  Accounting Attributes and Record Formats
RFC 2975  Introduction to Accounting Management
RFC 2989  Criteria for Evaluating AAA Protocols for Network Access
RFC 3127  Authentication, Authorization, and Accounting: Protocol Evaluation
RFC 3162  RADIUS and IPv6

Table A-2 Additional IETF RFCs Supported by HP-UX AAA Server (continued)

RFC 3539  Authentication, Authorization and Accounting (AAA) Transport Profile
RFC 3575  IANA Considerations for RADIUS
RFC 3576  Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) (obsoleted by RFC 5176)
RFC 3579  RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)
RFC 3580  IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
RFC 4186  EAP Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)
RFC 4187  EAP Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)
RFC 4226  HOTP: An HMAC-Based One-Time Password Algorithm
RFC 4672  RADIUS Dynamic Authorization Client MIB
RFC 5176  Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

Table A-3 lists the IETF AAA RFCs supported by the HP-UX AAA Server.

Table A-3 AAA RFCs Supported by HP-UX AAA Server

RFC 2903  Generic AAA Architecture
RFC 2904  AAA Authorization Framework
RFC 2905  AAA Authorization Application Examples
RFC 2906  AAA Authorization Requirements
RFC 2989  Criteria for Evaluating AAA Protocols for Network Access
RFC 3141  CDMA2000 Wireless Data Requirements for AAA
RFC 3539  Authentication, Authorization and Accounting (AAA) Transport Profile

B Supported Authentication Methods

The following list describes the authentication methods the HP-UX AAA Server supports:

Password Authentication Protocol (PAP)
    This method is appropriate where a plaintext password is needed to simulate a login at a remote host; in that use it provides a level of security similar to an ordinary user login at that host. It gives the server the most flexibility, because the server recovers the plaintext password (the User-Password attribute is hidden with the shared secret in transit, not hashed) and can check it against any backend. The corresponding caveat is that the password is only as well protected as the RADIUS shared secret and the path between NAS and server.

OTP Authentication
    This method is based on the HOTP algorithm (RFC 4226) developed by the OATH consortium. It can be used to provide one-time password and two-factor authentication in a variety of deployment scenarios. For more information on OTP authentication, see Chapter 16 (page 179).

Challenge Handshake Authentication Protocol (CHAP)
    CHAP is a challenge-response method built on a one-way hash (MD5) that verifies the identity of a user at connection time and, optionally, again at intervals. The challenge exchange takes place between the user and the NAS before the NAS sends an Access-Request. The user responds by hashing the CHAP identifier, the password, and the challenge (usually a random value) together and returning the result; the password itself is never transmitted. The NAS forwards the challenge and the response in the Access-Request (as CHAP-Challenge and CHAP-Password, or with the challenge carried in the Request Authenticator when no CHAP-Challenge attribute is sent), and the AAA server recomputes the hash from the stored password to authenticate the user. This is why CHAP requires the server to hold the user's password in cleartext or a reversibly protected form.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    MS-CHAP is Microsoft's variant of CHAP, created to authenticate remote Windows workstations. In most respects MS-CHAP is identical to CHAP, with some differences: it is based on the hashing and encryption algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format chosen for compatibility with Windows operating systems.

Extensible Authentication Protocol (EAP)
    EAP is an authentication framework rather than a single method. It encapsulates different authentication exchanges (EAP-MD5, EAP-TLS, and so on) in a common message format, so new methods can be added without changing the carrier protocol. EAP messages can in turn be carried inside other protocols, such as RADIUS, which makes the framework usable with a wide range of authentication mechanisms. This flexibility also allows EAP to be deployed in ways better suited to wireless and mobile environments than other authentication protocols. With EAP the authentication conversation runs end to end between the user and the server; the access device only relays it, instead of taking part as it does with CHAP.

The following is a list of the EAP authentication methods you can use with this version of the HP-UX AAA Server:

• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the client using its digital certificate.

  NOTE: Some wireless supplicants require specific extensions to support certificates for EAP.

  TLS features include Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and Encrypted Tunnelling.

• Tunneled TLS (TTLS): Can carry additional EAP or legacy authentication methods such as PAP and CHAP inside the TLS tunnel. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Supplicants are available for a large number of clients. TTLS features include Dynamic Key Exchange; Mutual Authentication; Password-based Authentication; and Encrypted Tunnelling.

• Protected EAP (PEAP): Functionally very similar to TTLS, but carries only EAP methods inside the tunnel, not legacy authentication methods. PEAP features include Dynamic Key Exchange; Mutual Authentication; and Encrypted Tunnelling.

• Message Digest 5 (MD5): The client proves knowledge of the password with an MD5 challenge response; no session keys are derived and the server is not authenticated to the client. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over the air. Can also be safely deployed for wireless authentication when run inside an EAP tunnel method. The main feature of MD5 is Password-based Authentication.

• Generic Token Card (GTC): Carries user-specific token card responses for authentication. The main feature of GTC is Digital Certificate/Token Card-based Authentication.

• EAP MS-CHAP: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over the air. Can also be safely deployed for wireless authentication when run inside an EAP tunnel method. EAP-MS-CHAP features include Mutual Authentication and Password-based Authentication.

• EAP-SIM: Capable of operating in wireless networks. EAP-SIM is used for authentication and session key distribution using the GSM SIM.

• EAP-AKA: Based on a challenge-response mechanism and symmetric cryptography. An authentication and session key distribution mechanism used in third-generation mobile networks: UMTS and CDMA2000.
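The HOTP computation behind the OTP method and the CHAP check the server performs, as an added Python example (not HP code and not the HP-UX AAA Server's own implementation; the function names are mine and the key, password and challenge values are constructed for the demonstration). It runs HOTP against the RFC 4226 reference key so the output can be compared with the published test vectors, and shows why CHAP obliges the server to hold the user's password: it must recompute MD5(identifier, password, challenge) itself.

```python
"""HOTP (RFC 4226) and CHAP (RFC 1994) verification as a AAA server performs it.
Added example; the key, password and challenge values below are constructed."""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(key: bytes, counter: int, submitted: str, window: int = 3):
    """Accept `submitted` if it matches the stored counter or one of the next `window`
    values (the token may have been pressed without a login). Returns the counter the
    server must store next, or None. The counter never moves backwards, so a code
    captured on the wire cannot be replayed once a later one has been accepted."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c + 1
    return None


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || password || Challenge). The password is
    never sent, but the server must hold it in cleartext to recompute this."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """chap_password is the RADIUS CHAP-Password value: one identifier octet followed
    by the 16-octet response. challenge is CHAP-Challenge, or the Request Authenticator
    when the NAS sent no CHAP-Challenge attribute."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"            # RFC 4226 Appendix D reference secret
    print([hotp(rfc_key, c) for c in range(3)])  # 755224 287082 359152
    chall = bytes(range(16))                     # constructed challenge
    cp = bytes([7]) + chap_response(7, b"hunter2", chall)
    print(verify_chap(cp, chall, b"hunter2"), verify_chap(cp, chall, b"wrong"))
```

The look-ahead window in verify_hotp is the resynchronization the server needs when a token has been advanced without a successful login; it is a tradeoff, since each extra counter value accepted is one more guess an attacker gets per attempt, so keep it small and pair it with a lockout.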


C RADIUS Data Packets

The Access-Request and other RADIUS data packets contain a header and a set of attribute-value (A-V) pairs, which the server uses during the AAA transaction. RFC 2865 defines how vendors can extend the protocol: encapsulation in the Vendor-Specific attribute is the RFC-defined way of extending RADIUS. Conflicts can occur when the RFC is not followed; in those cases the server can map the attributes to unique internal values for processing. For a full description of RADIUS attribute-value pairs, see Chapter 34: "Attribute-Value Pairs" (page 546).

Data Packet Format

RADIUS requests and replies share a common format (see Figure C-1). These messages are transported over UDP. By default, the server listens on UDP port 1812 for Access-Requests and port 1813 for Accounting-Requests.

Figure C-1 RADIUS Request/Reply Message Format

Table C-1 RADIUS Request/Reply Message Format Description

Code
    8-bit request/reply type: 1=Access-Request, 2=Access-Accept, 3=Access-Reject, 4=Accounting-Request, 5=Accounting-Response, 11=Access-Challenge, 40=Disconnect-Request, 41=Disconnect-ACK, 42=Disconnect-NAK, 43=CoA-Request, 44=CoA-ACK, 45=CoA-NAK.

Id
    8-bit message identifier. The value in a reply equals the value in the request it answers; this is how the sender matches replies to outstanding requests.

Length
    16-bit message length in octets, including the header beginning at Code. Octets beyond Length are ignored; a datagram shorter than Length is silently discarded.

Authenticator
    16-octet binary field. For an Access-Request the value (the Request Authenticator) is generated randomly by the client; it should be unpredictable and unique over the lifetime of the shared secret, because it seeds the User-Password hiding. The value in a reply (the Response Authenticator) is MD5(Code + Id + Length + RequestAuthenticator + Attributes + Secret): the reply message with the request's authenticator in the Authenticator field, followed by the shared secret. For Accounting-Requests, Disconnect-Requests and CoA-Requests the value in the request is MD5(Code + Id + Length + 16 zero octets + Attributes + Secret), so a request whose authenticator does not verify is dropped before its attributes are processed; the value in the reply is computed as for an Access reply, using the request's authenticator.

Attributes
    Any number of attribute-value pairs, in the format shown in Figure C-2.

Attribute-Value Pair Format

An attribute-value (A-V) pair represents a variable and one of the values that the variable can hold. The A-V pair data format is depicted in Figure C-2. In the HP-UX AAA Server, A-V pairs may be added to configuration files to compare values when trying to authenticate an Access-Request (check items) or to add authorization instructions or other messages to an Access-Accept data packet (reply items). These A-V pair values also appear in server session logs. The A-V pairs usually appear as AttributeName=Value in the configuration files and AttributeName=:Type:Value in the log files.

Figure C-2 Attribute-Value Pair Format

Table C-2 Attribute-Value Pair Format Description

attribute
    8-bit attribute code, as listed in the dictionary file.

length
    8-bit length of the whole A-V pair (type, length and value octets), from 2 to 255. A pair whose length is less than 2 or runs past the packet's Length is malformed.

value
    0 to 253 octets of information. The data type of the value is determined by the data type associated with the attribute code in the dictionary.

As shown in Figure C-2, an Access-Request contains a set of attribute-value pairs. The A-V pairs typically placed in these requests are User-Name and User-Password, along with NAS-IP-Address, NAS-Port, Service-Type, and Framed-Protocol; Framed-Protocol is present only if the user is making a PPP or SLIP connection. Only a few attributes are protected in transit: User-Password is hidden by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator, and CHAP-Password carries a hash response rather than the password. Every other attribute, including User-Name, travels in the clear, and an Access-Request carries no integrity check of its own unless a Message-Authenticator attribute (RFC 2869) is present. For a full description of RADIUS attribute-value pairs, see Chapter 34: "Attribute-Value Pairs" (page 546).
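The header and attribute rules of Tables C-1 and C-2, the three authenticator computations and the User-Password hiding described above, as an added Python example (not HP code and not the HP-UX AAA Server's own implementation; the function names are mine and the shared secret, user name and password are constructed for the demonstration). It goes slightly beyond the tables by also computing the RFC 2869 Message-Authenticator, since that is the only integrity check an Access-Request itself can carry; the comments name the MIB counters from Table 35-1 that the corresponding rejections feed.

```python
"""RADIUS packet handling per RFC 2865, 2866 and 2869. Added example, not HP code;
the secret, user name and password used below are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct(">BBH16s")   # Code, Identifier, Length, Authenticator: 20 octets
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 18, 80

def parse(packet: bytes):
    """Return (code, ident, authenticator, [(type, value), ...]); ValueError means malformed, drop it."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if not HEADER.size <= length <= len(packet):       # octets past Length are ignored
        raise ValueError("Length field inconsistent with datagram")
    avps, pos = [], HEADER.size
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]      # alen covers type, length and value
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")     # radiusAuthServMalformedAccessRequests
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, auth, avps

def encode(code: int, ident: int, auth: bytes, avps) -> bytes:
    if any(len(v) > 253 for _, v in avps):
        raise ValueError("attribute value longer than 253 octets")
    body = b"".join(bytes((t, len(v) + 2)) + v for t, v in avps)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body

def md5_authenticator(code, ident, auth_field, avps, secret: bytes) -> bytes:
    """MD5(Code + Id + Length + auth_field + Attributes + Secret): the Response Authenticator when
    auth_field is the request's authenticator; the Request Authenticator of an Accounting-,
    Disconnect- or CoA-Request when auth_field is 16 zero octets."""
    return hashlib.md5(encode(code, ident, auth_field, avps) + secret).digest()

def message_authenticator(code, ident, auth, avps, secret: bytes) -> bytes:
    """RFC 2869 5.14: HMAC-MD5 over the whole packet with this attribute's own value zeroed."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in avps]
    return hmac.new(secret, encode(code, ident, auth, zeroed), hashlib.md5).digest()

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + c(i-1)); c(0) is the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else block               # always chain on the ciphertext block
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    pad = -len(password) % 16 if password else 16        # at least one 16-octet block
    return _xor_chain(password + bytes(pad), secret, request_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16 to 128 octets, a multiple of 16")
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def build_access_request(secret: bytes, ident: int, user: str, password: str) -> bytes:
    """NAS side: fresh random Request Authenticator, hidden password, Message-Authenticator last."""
    auth = os.urandom(16)
    avps = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
            (MESSAGE_AUTHENTICATOR, bytes(16))]
    avps[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, auth, avps, secret))
    return encode(ACCESS_REQUEST, ident, auth, avps)

def check_access_request(packet: bytes, secret: bytes):
    """Server side. An Access-Request's authenticator is random and proves nothing, so verify
    Message-Authenticator when present before trusting any attribute, then unhide the password."""
    code, ident, auth, avps = parse(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    for t, v in avps:
        if t == MESSAGE_AUTHENTICATOR and not hmac.compare_digest(
                v, message_authenticator(code, ident, auth, avps, secret)):
            raise ValueError("bad Message-Authenticator")  # radiusAuthServBadAuthenticators
    fields = dict(avps)
    return fields[USER_NAME].decode(), reveal_password(fields[USER_PASSWORD], secret, auth).decode()

def check_accounting_request(packet: bytes, secret: bytes) -> bool:
    code, ident, auth, avps = parse(packet)
    expected = md5_authenticator(code, ident, bytes(16), avps, secret)  # radiusAccServBadAuthenticators on mismatch
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(auth, expected)

def build_reply(request: bytes, reply_code: int, reply_avps, secret: bytes) -> bytes:
    _, ident, req_auth, _ = parse(request)               # a reply reuses the request's Identifier
    return encode(reply_code, ident, md5_authenticator(reply_code, ident, req_auth, reply_avps, secret), reply_avps)

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    rcode, rid, rauth, ravps = parse(reply)
    _, ident, req_auth, _ = parse(request)
    return rid == ident and hmac.compare_digest(rauth, md5_authenticator(rcode, rid, req_auth, ravps, secret))
```

Two points the code makes explicit: the Response Authenticator binds a reply to the request's random authenticator, so a forged Access-Accept fails verify_reply unless the attacker knows the secret; and User-Password hiding is a stream cipher keyed by the secret and the Request Authenticator, so a NAS that reuses authenticators leaks XORs of passwords, which is why Table C-1 asks for unpredictable, unique values.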


D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK

This appendix discusses the header files, data structures, and APIs that the HP-UX AAA Server SDK includes. It addresses the following topics:
• "Header Files and Data Structures in the SDK"
• "APIs in the HP-UX AAA Server SDK" (page 579)

Header Files and Data Structures in the SDK

This section lists the header files and the predefined data structures that the SDK includes.

The HP-UX AAA Server SDK includes the sdk.h header file. This file contains definitions of all the data structures and APIs that are included in the SDK.

You must use the aatv_info_v2_t data structure to register an AATV with the HP-UX AAA Server. The aatv_info_v2_t data structure includes the following fields:

    char name[MAX_NAME_LENGTH + 1];   /* AATV name */
    aatvInit_v2_t init;               /* AATV init function */
    aatvTimer_v2_t timer;             /* AATV timer function */
    aatvAction_v2_t act_func;         /* AATV action function */
    aatvCleanup_v2_t cleanup;         /* AATV clean-up function */

The following additional types represent an HP-UX AAA Server attribute-value pair and an HP-UX AAA Server request:

    typedef void sdk_avp_t;
    typedef void sdk_authreq_t;

NOTE: These data structures are documented here for your reference. Customers are not expected to modify the data structures directly; the APIs described below read and modify their contents. Because sdk_avp_t and sdk_authreq_t are declared as void, an AATV only ever handles pointers to them and must not dereference or size them itself.

APIs in the HP-UX AAA Server SDK

You can use the following API types to create AATVs:
• A-V pair APIs: modify, add, delete, or display attribute values.
• Authreq APIs: modify the HP-UX AAA Server request by adding or deleting A-V pairs in the RADIUS queues, and retrieve information about the request.
• Logging APIs: log messages to the log file.

• Asynchronous APIs: write AATVs that must make asynchronous calls to external servers.
• Secondary APIs: additional APIs for further customizing the HP-UX AAA Server.

The following sections describe these APIs in detail.

A-V Pair APIs

This section discusses the A-V pair APIs.

sdk_avp_t *sdk_avp_allocate()
    sdk_avp_t *sdk_avp_allocate ()

Usage
    Allocates an A-V pair, initializes all fields to 0, and returns a pointer to it.
Return
    Returns a pointer to the allocated A-V pair, or NULL if the A-V pair could not be allocated. Check for NULL before using the pointer.

void sdk_avp_free()
    void sdk_avp_free (sdk_avp_t *avp)

Usage
    Frees the memory and any allocated string storage associated with an A-V pair. The string storage must not be shared with other objects, because it is freed along with the pair.
Input
    avp      A pointer to the A-V pair to be freed.

int sdk_get_avp_info()
    int sdk_get_avp_info (sdk_avp_t *avp, uint32_t *vendid, uint32_t *attrid, uint32_t *attrlen, void **attrval, u_char *tag)

Usage
    Obtains information from an A-V pair.
Input
    avp      A pointer to an A-V pair.
    vendid   The address of an unsigned integer variable in which to store the vendor ID of the A-V pair. Pass NULL if the vendor ID is not needed.
    attrid   The address of an unsigned integer in which to store the attribute ID of the A-V pair.
    attrlen  The address of an unsigned integer in which to store the length of the A-V pair attribute.
    attrval  The address of a pointer that will be set to point at the attribute value.
    tag      The address of an unsigned character variable in which to store the tag of a tagged attribute. Pass NULL if the tag is not needed.
Output
    vendid   Receives the vendor ID of the A-V pair.

    attrid   Receives the attribute ID of the A-V pair. For vendor-specific attributes, the attribute ID is the vendor type (sub-attribute).
    attrlen  Receives the length of the attribute (in bytes). For vendor-specific attributes, this value is the vendor length.
    attrval  Receives a pointer to the attribute value of the A-V pair. For vendor-specific attributes, this is the sub-attribute value. The pointer refers to storage owned by the A-V pair: copy the contents if you need them beyond the call, and never free this memory yourself.
    tag      Receives the tag of a tagged attribute. If the attribute is untagged, the value is 0.
Return
    This API returns one of the following values:
    • SDK_SUCCESS if the operation succeeds
    • SDK_INVALID_ARG if the arguments are invalid
    • SDK_FAILURE if the operation fails

int sdk_set_avp()
    int sdk_set_avp (sdk_avp_t *avp, uint32_t attrid, uint32_t attrlen, void *attrval, u_char tag)

Usage
    Sets or modifies a standard RADIUS A-V pair.
Input
    avp      A pointer to the A-V pair to be set or modified.
    attrid   The attribute ID to be set or modified.
    attrlen  The length of the attribute value (in bytes).
    attrval  The attribute value to be set or modified.
    tag      The tag for a tagged attribute; 0 if the attribute is untagged.
Return
    This API returns one of the following values:
    • SDK_SUCCESS if the operation succeeds
    • SDK_INVALID_ARG if the arguments are invalid
    • SDK_FAILURE if the operation fails

int sdk_set_vend_avp()
    int sdk_set_vend_avp (sdk_avp_t *avp, uint32_t vendid, uint32_t attrid, uint32_t attrlen, void *attrval, u_char tag)

Usage
    Sets or modifies an A-V pair, including vendor-specific A-V pairs.

Input
    avp      A pointer to the A-V pair to be set or modified.
    vendid   The vendor ID of the attribute to be set or modified. For a standard RADIUS attribute, use VC_RADIUS, which is 0.
    attrid   The attribute ID to be set or modified. For a vendor-specific attribute, the attribute ID is the vendor type (sub-attribute).
    attrlen  The length of the attribute value (in bytes). For a vendor-specific attribute, this is the vendor length.
    attrval  The attribute value to be set or modified. For a vendor-specific attribute, this is the sub-attribute value.
    tag      The tag for a tagged attribute; 0 for an untagged attribute.
Return
    This API returns one of the following values:
    • SDK_SUCCESS if the operation succeeds
    • SDK_INVALID_ARG if the arguments are invalid
    • SDK_FAILURE if the operation fails

Authreq APIs

This section discusses the authreq APIs.

NOTE: The following constants are defined for the queue types used in an authreq:
• AUTHREQ_REQUEST_QUEUE for the inbound request attributes queue
• AUTHREQ_REPLY_QUEUE for the reply attributes queue
• AUTHREQ_CHECK_QUEUE for the check items queue
• AUTHREQ_DENY_QUEUE for the deny items queue
The check items and deny items are the A-V pairs configured in the user profile that applies to the request.

sdk_avp_t *sdk_find_avp()
    sdk_avp_t *sdk_find_avp (sdk_authreq_t *authreq, u_char qtype, uint32_t attrid, uint32_t attrlen, void *attrvalue, void *position, u_char tag)

Usage
    Finds the next standard RADIUS A-V pair with the specified attribute ID, attribute length, attribute value, and (for tagged attributes) tag, after the specified position in the authreq's A-V pair list of type qtype. If position points to an A-V pair in the list, the search starts at the pair after it; if position is NULL, the search starts from the beginning of the list. To enumerate every matching pair, call the function repeatedly, passing the previous result as position, until it returns NULL.
Input

    authreq    A pointer to an authreq.
    qtype      The list to be accessed. One of:
               • AUTHREQ_REQUEST_QUEUE
               • AUTHREQ_REPLY_QUEUE
               • AUTHREQ_CHECK_QUEUE
               • AUTHREQ_DENY_QUEUE
    attrid     The attribute ID to search for.
    attrlen    The attribute length to match. If the length is 0, neither the attribute length nor the value is considered in the match.
    attrvalue  The attribute value to match. If the value is NULL, neither the attribute length nor the value is considered in the match.
    position   A pointer to an A-V pair already found in the list, or NULL to start from the beginning of the list.
    tag        The tag value for a tagged attribute. 0 for an untagged attribute, or if the tag is not a search parameter.
Return
    Returns a pointer to the A-V pair found, or NULL if no A-V pair matches.

sdk_avp_t *sdk_find_vend_avp()
    sdk_avp_t *sdk_find_vend_avp (sdk_authreq_t *authreq, u_char qtype, uint32_t vendid, uint32_t attrid, uint32_t attrlen, void *attrvalue, void *position, u_char tag)

Usage
    Finds the next A-V pair with the specified vendor ID, attribute ID, attribute length, attribute value, and (for tagged attributes) tag, after position in the authreq's A-V pair list of type qtype. If position points to an A-V pair in the list, the search starts at the pair after it; if position is NULL, the search starts from the beginning of the list.
Input
    authreq    A pointer to an authreq.
    qtype      The list to be accessed. One of:
               • AUTHREQ_REQUEST_QUEUE
               • AUTHREQ_REPLY_QUEUE
               • AUTHREQ_CHECK_QUEUE
               • AUTHREQ_DENY_QUEUE
    vendid     Vendor ID of the attribute to search for. For a standard RADIUS attribute, use VC_RADIUS, which is 0.
    attrid     Attribute ID to search for. For a vendor-specific attribute, the attribute ID is the vendor type.

    attrlen    The attribute length to match. If attrlen is 0, neither the attribute length nor the value is considered in the match. For vendor-specific attributes, attrlen is the vendor length.
    attrvalue  The attribute value to match. If attrvalue is NULL, neither the attribute length nor the value is considered in the match. For a vendor-specific attribute, attrvalue is the sub-attribute value.
    position   Pointer to an A-V pair already found in the list, or NULL to start from the beginning of the list.
    tag        The tag value for a tagged attribute. 0 for an untagged attribute, or if the tag is not a search parameter.
Return
    Returns a pointer to the A-V pair found, or NULL if no A-V pair matches.

int sdk_del_avp()
    int sdk_del_avp (sdk_authreq_t *authreq, u_char qtype, sdk_avp_t *avp)

Usage
    Removes the A-V pair from the authreq's list of type qtype.

NOTE: Removing the A-V pair from the list does not free it. You must free the removed A-V pair yourself (with sdk_avp_free) once you no longer need it, otherwise the AATV leaks one pair per request it handles.

Input
    authreq    A pointer to an authreq.
    qtype      The list to be accessed. One of:
               • AUTHREQ_REQUEST_QUEUE
               • AUTHREQ_REPLY_QUEUE
               • AUTHREQ_CHECK_QUEUE
               • AUTHREQ_DENY_QUEUE
    avp        The pointer to the A-V pair to be removed.
Return
    Returns one of the following values:
    • SDK_SUCCESS if the operation succeeds
    • SDK_INVALID_ARG if the arguments are invalid

int sdk_insert_avp()
    int sdk_insert_avp (sdk_authreq_t *authreq, u_char qtype, sdk_avp_t *loc_avp, u_char position, sdk_avp_t *new_avp)

Usage

    Inserts an A-V pair into the A-V pair list of type qtype in the authreq. Table D-1 lists the insertions this API performs, depending on the values of loc_avp and position.

Table D-1 Actions Performed as a Result of the loc_avp A-V Pair

    loc_avp is a valid A-V pair in the list and position is INSERT_BEFORE
        new_avp is inserted before loc_avp.
    loc_avp is a valid A-V pair in the list and position is INSERT_AFTER
        new_avp is inserted after loc_avp.
    loc_avp is NULL and position is INSERT_BEFORE
        new_avp is prepended to the list.
    loc_avp is NULL and position is INSERT_AFTER
        new_avp is appended to the list.

Input
    authreq    A pointer to an authreq.
    qtype      The list to insert the A-V pair into. One of:
               • AUTHREQ_REQUEST_QUEUE
               • AUTHREQ_REPLY_QUEUE
               • AUTHREQ_CHECK_QUEUE
               • AUTHREQ_DENY_QUEUE
    loc_avp    A pointer to an A-V pair already in the list, or NULL.
    position   An integer specifying the insertion location: INSERT_BEFORE or INSERT_AFTER.
    new_avp    A pointer to the A-V pair to be inserted.
Return
    Returns one of the following values:
    • SDK_SUCCESS if the operation succeeds
    • SDK_INVALID_ARG if the arguments are invalid

int sdk_get_authreq_info()
    int sdk_get_authreq_info (sdk_authreq_t *authreq, u_char infotype, uint32_t *len, void **value)

Usage
    Obtains information from an authreq.
Input
    authreq    A pointer to an authreq.

Page 586: HP-UX AAA Server A.08.01 administrator s guideh20628. · HP-UXAAAServerA.08.01 administrator’sguide HP-UX11iv2andHP-UX11iv3 HPPartNumber:T1428-90072 Published:May2010 Edition:Edition10

infotype   The information type of interest. Table D-2 lists the various information types.

Table D-2 Information Types

Information Type          Description
AUTHREQ_CODE              Code: the packet type, one of Access-Request, Access-Accept, as defined in RFC 2865. The code has a type of unsigned short.
AUTHREQ_FWD_ID            Forward ID: a locally generated sequence number for a request to be forwarded. The forward ID has a type of unsigned short.
AUTHREQ_REQ_ID            Request ID: a unique number used by the HP-UX AAA Server to identify an authentication request. This ID is different from the identifier in a RADIUS packet. The request ID has a type of unsigned 64-bit integer.
AUTHREQ_AUTHENTICATOR     The authentication vector in the RADIUS packet. It is 16 bytes long and is used by the password hiding algorithm.
AUTHREQ_EXPIRE_TIME       The time to live (in seconds) of an authentication request. The request is removed from the authentication request queue when the specified time elapses. The time to live has a type of unsigned character.
AUTHREQ_CLIENT_PORT       The client UDP port where the request came from. The port has a type of unsigned short.
AUTHREQ_CLIENT_IPADDRV4   IPv4 address: the IPv4 address of the network device where the request came from. The address is a 4 byte numeric value in network-byte order.
AUTHREQ_CLIENT_IPADDRV6   IPv6 address: the IPv6 address of the network device where the request came from. The address is a 16 byte numeric value in network-byte order.

len        The address of a variable to store the length of the concerned value.
value      The address of a pointer that points to the content of the value.

Output
len        The input integer stores the length of the value (in bytes).


value      The input pointer points to the content of the value for non-scalar types of data. You must copy the contents of the value. The memory for the value must not be freed after you copy the contents. The input pointer points to NULL if the client uses an IPv4 address and the user input argument is AUTH_CLIENT_IPADDRV6. The input pointer also points to NULL if the client uses an IPv6 address and the user input argument is SDK_AUTH_CLIENT_IPADDRV4.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.

Logging APIs

This section discusses the APIs that can be used to customize the logging functionality of the HP-UX AAA Server.

NOTE: The HP-UX AAA Server supports two logging subsystems that are used simultaneously. There is a standard logging subsystem that can be directed to an AAA log file, stdout, or syslog, and a debug log file that can be used for troubleshooting and debugging.

int sdk_logit()

int sdk_logit (int level, const char *format, /* [arg,], */ ...)

Usage
Logs the provided log message to the logging facility specified while starting the HP-UX AAA Server. It can be one of the HP-UX AAA log files, syslog or stdout. By default, log messages are logged in the HP-UX AAA log files (the /var/opt/aaa/logs/ directory is the default location).

Input
level      Log level from syslog.h. You can use one of the following log levels from /usr/include/syslog.h:
           • Use LOG_EMERG if the system is unusable
           • Use LOG_ALERT if action must be taken immediately
           • Use LOG_CRIT for critical conditions
           • Use LOG_ERR for error conditions
           • Use LOG_WARNING for warning conditions
           • Use LOG_NOTICE for normal but significant conditions
           • Use LOG_INFO for informational conditions


NOTE: To use the above log levels, you must include syslog.h in your program.

format     A printf-style format string.
arg        Arguments to replace values in the format string. For more information, see the printf(3) manpage.

NOTE: If the arguments are insufficient for the format, the behavior can be unexpected.

Return
This API returns one of the following values:
0     If the message is logged.
1     If the message is queued.
-1    If the message is not logged or queued.

int sdk_log_debug()

int sdk_log_debug (int level, const char *format, /* [arg,], */ ...)

Usage
Logs the provided debug log message in the HP-UX AAA Server debug log file located at /var/opt/aaa/logs/radius.debug.

Input
level      It can be one of the HP-UX AAA Server debug levels. Table D-3 lists the HP-UX AAA Server debug levels.


Table D-3 HP-UX AAA Server Debug Levels

Debug Level   Level of Information
1             Minimal information
2             Level 1 information, plus high-level FSM output and limited function tracing
3             Level 2 information, plus full function tracing
4             Level 3 information, plus low-level FSM and configuration file output

format     A printf-style format string.
arg        Arguments to replace values in the format string. For more information, see the printf(3) manpage.

NOTE: If the arguments are insufficient for the format, the behavior can be unexpected.

Return
Returns one of the following values:
0     If the message is logged.
1     If the message is queued.
-1    If the message is not logged or queued.

Asynchronous Event and I/O APIs

The HP-UX AAA Server maintains a global list of file descriptors and calls system functions to monitor those file descriptors for inbound messages. Programmers writing a socket-based AATV, or any file descriptor-based AATV, can use the APIs discussed in this section to register or unregister the socket (or file descriptor) with the HP-UX AAA Server and to schedule an event. This set of APIs can also be used in a scenario where user profiles are stored in a repository that the HP-UX AAA Server software does not recognize: you can write your action to communicate with the data store or an intermediary application through a socket.


int sdk_pollfd_register()

int sdk_pollfd_register (int fd, callback_f callback)

Usage
Registers a file descriptor with the HP-UX AAA Server and supplies a callback function to the HP-UX AAA Server. The socket descriptor and associated callback function are added to the global list of file descriptors monitored by the server for inbound messages. The callback function is called when data is received on the file descriptor.

Input
fd         The file descriptor that must be registered.
callback   The callback function that is called when data is received on the file descriptor. The callback function takes the file descriptor as the argument and returns an event code.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.

int sdk_pollfd_unregister()

int sdk_pollfd_unregister (int fd)

Usage
Unregisters a file descriptor with the HP-UX AAA Server. The HP-UX AAA Server does not monitor the file descriptor for inbound messages once the file descriptor is unregistered.

Input
fd         The file descriptor that needs to be unregistered.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.

int sdk_schedule_event()

int sdk_schedule_event (sdk_authreq_t *authreq, char *aatv_name, int event_code)

Usage
Adds an authentication request and an event to the AAA global authentication request list to schedule an event.

Input
authreq    A pointer to an authentication request.


aatv_name    The name of the AATV supplied for processing the request.
event_code   The event code to resume processing the request from where it was left off on the FSM.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.

Secondary APIs

This section discusses additional APIs that you can use to customize the HP-UX AAA Server.

sdk_authreq_t *sdk_get_authreq_by_id()

sdk_authreq_t *sdk_get_authreq_by_id(uint64_t authreq_id)

Usage
Obtains the authentication request through the request identifier and returns a pointer to the authreq structure.

Input
authreq_id   A number used by the HP-UX AAA Server to uniquely identify an authentication request.

Return
Returns a pointer to the authreq found, or NULL if the operation fails.

char *sdk_get_config_dir()

Obtains the AAA configuration directory and returns the name of the configuration directory. The default configuration directory is /etc/opt/aaa/.

Return
Returns the name of the configuration directory if the operation succeeds, or NULL if the operation fails.

int sdk_set_authreq_info

int sdk_set_authreq_info(sdk_authreq_t *authreq, u_char infotype, uint32_t len, void *value)

Usage
Sets fields for a request. In the current version of the HP-UX AAA Server, the only supported fields are the expiration time for a request, the message type (code) of a request and the target host to which the request must be sent.

Input
authreq    A pointer to an authreq.


infotype   The information type. It can be set to one of the following:
           • AUTHREQ_TTL — the time to live of an authentication request. The time to live has a type of unsigned character.
           • AUTHREQ_CODE — the message type (code) of a request. The message type (code) has a type of unsigned short.
           • AUTHREQ_TARGET_HOST — the target host to which the request must be sent. It has a type of string.
len        The length of the value to be set, in bytes.
value      A pointer to the value to be set.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.

int sdk_get_client_info()

int sdk_get_client_info(char *client, u_char infotype, uint32_t *len, void **value)

Usage
Obtains the configuration information from a client entry with a matching host_name or IP address.

Input
client     String representation of the client IPv4 or IPv6 address, or the fully qualified domain name of the client.
infotype   The information type. Table D-4 lists the valid values of the infotype parameter.

Table D-4 Possible Values of the infotype Parameter

Information Type Value   Description
CLIENT_SHARED_SECRET     The shared secret between the client and the HP-UX AAA Server. The shared secret is a character string.
CLIENT_AUTHEN_PORT       The UDP port to which authentication or authorization messages must be sent. The port has a type of unsigned short.
CLIENT_ACCT_PORT         The UDP port to which accounting messages must be sent. The port has a type of unsigned short.
CLIENT_TYPE              Client types, such as CE_DAS, CE_NAS, and CE_PROXY. For more information on these client types, see the sdk.h header file. The client type field has a type of uint32_t.

len        The address of a variable to store the length of the value of interest.
value      The address of a pointer intended to point to the content of the value of interest.

Output
len        The input variable that stores the length of the value (in bytes).
value      The input pointer that points to the content of the value. You must copy the contents of the value. The memory for the value must not be freed once you copy the contents.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.

int sdk_decrypt_passwd()

int sdk_decrypt_passwd(sdk_authreq_t *authreq, char *enpasswd, uint32_t enpwlen, char *clpasswd, uint32_t *clpwlen)

Usage
Decrypts the password.

Input
authreq    A pointer to an authentication request.
enpasswd   A pointer to the encrypted password string.
enpwlen    Length of the encrypted password.
clpasswd   A pointer to the buffer where the clear text password is to be stored.
clpwlen    A pointer to an integer where the size of the clear text password is to be stored.

Output
clpasswd   A pointer to the clear text password.
clpwlen    A pointer to the length of the clear text password.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid


int sdk_encrypt_passwd()

int sdk_encrypt_passwd (sdk_authreq_t *authreq, char *clpasswd, uint32_t clpwlen, char *enpasswd, uint32_t *enpwlen)

Usage
Encrypts the password.

Input
authreq    A pointer to an authentication request.
clpasswd   A pointer to the password string that is in clear text.
clpwlen    The length of the clear text password.
enpasswd   A pointer to the buffer where the encrypted password is to be stored.
enpwlen    A pointer to an integer where the length of the encrypted password is to be stored.

Output
enpasswd   A pointer to the encrypted password string.
enpwlen    A pointer to the length of the encrypted password string.

Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid

sdk_authreq_t * sdk_authreq_allocate

sdk_authreq_t * sdk_authreq_allocate()

Usage
Allocates memory for a request.

Return
Returns a pointer to the allocated authreq structure, or NULL if there is not enough memory.

void sdk_authreq_free

void sdk_authreq_free(sdk_authreq_t * authreq)

Usage
Frees the memory allocated for a request.

Input
authreq    A pointer to an authreq.

int sdk_enqueue_authreq

int sdk_enqueue_authreq( sdk_authreq_t * authreq)

Usage
Enqueues the request to a request queue.

Input
authreq    A pointer to an authreq.

Return
Returns one of the following values:
• SDK_SUCCESS — if the operation succeeds.
• SDK_INVALID_ARG — if the arguments are invalid.
• SDK_FAILURE — if the operation fails.


E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server

This appendix describes the syntax of the decision files that are present in earlier versions of the HP-UX AAA Server. While decision files created using this syntax are supported in this version of the HP-UX AAA Server, HP encourages customers to use the syntax described in Chapter 27 (page 411) to create new decision files. This is because the new syntax offers more advanced customization options (such as configuring OTP authentication).

Following is the syntax of a decision file in earlier versions of the HP-UX AAA Server:

Group Name {
    Condition {
        expression
    }
    Reply {
        reply-items
        . . .
    }
}

where:
Group Name   Begins the group entry by specifying a name for the group.
Condition    Block that contains an expression of A-V pairs. The expression evaluates to true or false to determine whether the user belongs to the group. If the condition is not defined in the group entry, the group matches all requests.
Reply        Block that contains a list of one or more reply items that are added to the request if the condition evaluates to true.

Expressions

The simplest expression is a comparison of two A-V pairs with one relative operator. You can use relative and Boolean operators to create an expression with various combinations of A-V pairs. Table E-1 lists the operators that you can use.

Table E-1 A-V Pair Expression Operators

Operator   Description
=          Equal to
!=         Not equal to
>          Greater than
<          Less than
>=         Greater than or equal to
<=         Less than or equal to
&&         Logical AND
||         Logical OR
!          Logical NOT

You can also use parentheses to nest expressions. Line breaks are not significant. Table E-2 illustrates some possible expressions that you can use to control access depending on the dial-in phone number and the time of the call.

Table E-2 A-V Pair Expression Examples

Expression Example:
    Calling-Station-Id = 123456789 || Called-Station-Id = 8005551212
Description:
    Allows access if either the calling number or the called number matches the specified value.

Expression Example:
    Day-Of-Week => Monday && Day-Of-Week <= Friday
Description:
    Allows access if the day of the week is between Monday and Friday.

Expression Example:
    ((Calling-Station-Id = 123456789 || Calling-Station-Id = 987654321) && Called-Station-Id = 8005551212) || !(Day-Of-Week => Monday && Day-Of-Week <= Friday)
Description:
    Allows access when one of the following is true:
    • The calling number matches either specified value, and the called number matches the specified number.
    • The day of the week is not between Monday and Friday.

Your expressions can be as short or as long as you like. Only one group match can be made for each request. You can use short expressions, and manage each distinct decision (DNIS routing, dynamic access control, membership in groups, and so on) in a separate file. Alternatively, you can create a single file with longer expressions that cover a wide range of decision criteria.

Specifying Attributes in Group Entries

You can create decision groups for provisioning with the A-V pairs that may be used in a user profile for session logging with accounting attributes. For more information, see Chapter 12: “Logging and Monitoring” (page 142). In addition, you can use the following attributes to define a group condition or reply.

Dynamic Access Control

Day-Of-Week   A string representing the day of the week (spelled out or three letter abbreviation), or a number from 0 to 6, where 0 represents Sunday and 6 represents Saturday. This attribute is compared to the current system clock of the system hosting the HP-UX AAA Server that is making the comparison.


Date-Time     24 hour clock in yyyy:mm:dd:hh:mm format. This attribute is compared to the current system clock of the system hosting the HP-UX AAA Server that is making the comparison.
Time-of-Day   24 hour clock in hh:mm format. This attribute is compared to the current system clock of the machine hosting the AAA server that is making the comparison. Hours must be two digits, for example, 08:00, not 8:00.

Internal Values

Decision      Assign a value to this attribute that corresponds to a predefined or custom event; that event is returned to the FSM when the group entry's condition evaluates to true.
Interlink-Packet-Code    An integer value that indicates what type of RADIUS message has been received: either 1 (Access-Request) or 4 (Accounting-Request).
Interlink-Proxy-Action   A string determined by information in an Access-Request or Accounting-Request. This indicates the name of the starting event in the FSM when the HP-UX AAA Server receives a RADIUS message. You can preempt this value by beginning radius.fsm with an *.*.ACK event that invokes the POLICY action, which can then determine the start event based on a policy decision.
User-Id       After the HP-UX AAA Server parses the NAI, it assigns the user name to this attribute.
User-Realm    After the AAA server parses the NAI, it assigns the realm to this attribute.

Using Indirection

You can also use indirection to compare or assign attribute values to each other. Follow a Test Operator $Value$Pos$Len syntax, where Test is the attribute to check or assign a value to, Value is the attribute with the value to check against or assign to the Test attribute, and Operator is the relative or Boolean operator to use. $Pos and $Len are optional parameters that allow you to test or assign a substring of the specified Value attribute. Pos indicates the index position in the attribute's value at which to begin the substring and, if specified, Len determines the length.

When used in the condition section of a group entry, indirection checks values. When used in the reply section, it assigns a value.

For example, the expression Port-Id <= $Port-Limit would only allow access to users who access the server through ports that don't exceed the limit set in their profile. As a reply item, Decision = $Interlink-Proxy-Action would assign the current FSM event to the Decision attribute.


Notes:
• Test = $Value$Pos$Len will add a new A-V pair to the request. It will not update an existing pair. For example, when the request includes a Test = “String” A-V pair, the expression Test = $Test$2$3 will append Test = “rin” to the request, which results in both Test = “String” and Test = “rin” in the request.
• Because the left-side attribute is handled differently than the right-side attribute value, multiple attributes in a request can cause some unexpected indirection results. Each instance of the left-side attribute is AND'd, but only the value of the right-side attribute's last instance is used. For example, the expression Test < $Test would evaluate to FALSE as (Test1 < 1) && (Test2 < 1) when the request contains the A-V pairs Test1 = 1 and Test2 = 2.

Example Group Entries

This section discusses the syntax of the sample decision files that are included in earlier versions of the HP-UX AAA Server. For information on using the sample DNIS and DAC decision files present in the current version of the HP-UX AAA Server, see “Modifying the FSM for Specific Customizations” (page 441).
• /opt/aaa/examples/config/DNIS.grp for DNIS routing
• /opt/aaa/examples/config/DAC.grp for dynamic access control

DNIS.grp for DNIS Routing

The following example shows a simple DNIS routing scheme. For an example of a modified radius.fsm file that works with this decision file, see Chapter 12: “Logging and Monitoring” (page 142).

1  Group Controlled-Access {
2      Condition {
3          (Calling-Station-Id = 1234567890) ||
4          (Called-Station-Id = 8005551212)
5      }
6      Reply {
7          Authentication-Type = radius
8          Server-Name = flatland.com
9          Server-Port = 1812
10         Decision = Forward
11     }
12 }
13 Group Denied-Access {
14     Condition {
15         Called-Station-Id = 8001234567
16     }
17     Reply {
18         Authentication-Type = blackhole
19         Decision = Abandon
20     }
21 }
22 Group NORMAL {
23     Reply {
24         Decision = $Interlink-Proxy-Action
25     }
26 }

Line 1          Names the first group entry Controlled-Access.
Lines 2 to 5    If the user calls from 1234567890, or calls into 8005551212, the user belongs to this group.
Lines 7 to 9    The Authentication-Type attribute indicates that requests from members of this group must be proxied. The Server-Name and Server-Port attributes specify flatland.com:1812 as the remote server that must receive the proxied request.
Line 10         The Decision attribute returns the Forward value to the FSM as an event. The radius.fsm file must be modified to recognize this event and to call the RADIUS module when it occurs. For more information, see Chapter 12: “Logging and Monitoring” (page 142).
Line 13         Names the second group entry Denied-Access.
Lines 14 to 16  If the user calls into 8001234567, the user belongs to this group.
Line 18         The Authentication-Type attribute indicates that the request must be ignored.
Line 19         The Decision attribute returns the Abandon value to the FSM as an event. The radius.fsm file must be modified to recognize this event and to end the request when it occurs. For more information, see Chapter 12: “Logging and Monitoring” (page 142).
Line 22         Names the third group Normal. Requests that do not match the previous two groups are matched to this group, because this group entry does not include a condition section.
Line 24         This line uses indirection to pass the current event ($Interlink-Proxy-Action) to the FSM. As a result, the HP-UX AAA Server handles the request as if DNIS routing did not occur.

DAC.grp for Dynamic Access Control

The example discussed in this section shows a simple DAC decision scheme based on the value of an Access-Group attribute:
• Allow access to users in the weekday group during a weekday
• Allow access to users in the daytime group during the day
• Allow access to users in the nighttime group during the night
• Otherwise, deny access to users


For an example of a modified radius.fsm file that works with this decision file, see Chapter 12: “Logging and Monitoring” (page 142). This decision file works only if the Access-Group attribute is added to the dictionary file and to user profiles as a configuration item. For more information, see “The dictionary File” (page 531).

1  Group Weekday-Access {
2      Condition {
3          (Access-Group = weekday) &&
4          ((Day-Of-Week >= Monday) && (Day-Of-Week <= Friday))
5      }
6      Reply {
7          Decision = ACK
8          Reply-Message = "Weekday access allowed"
9      }
10 }
11 Group Daytime-Access {
12     Condition {
13         (Access-Group = daytime) &&
14         ((Time-Of-Day >= 06:00) && (Time-Of-Day <= 20:00))
15     }
16     Reply {
17         Decision = ACK
18         Reply-Message = "Daytime access allowed"
19     }
20 }
21 Group Nighttime-Access {
22     Condition {
23         (Access-Group = nighttime) &&
24         ((Time-Of-Day < 06:00) || (Time-Of-Day > 20:00))
25     }
26     Reply {
27         Decision = ACK
28         Reply-Message = "Nighttime access allowed"
29     }
30 }
31 Group Denied-by-timed-access {
32     Reply {
33         Decision = NAK
34         Reply-Message = "Time-Based access denied"
35     }
36 }

Line 1          Names the first group entry Weekday-Access.
Lines 2 to 5    If the user belongs to the weekday access group and calls on a weekday, they belong to this group.
Line 7          The Decision attribute returns the ACK value to the FSM as an event, which accepts the request.
Line 8          Specifies a message that is sent back to the user.
Lines 11 to 30  Define the second and third groups with a structure similar to the first group entry.


Line 31         Names the fourth group Denied-by-timed-access. Requests that do not match the previous two groups are matched to this group, because this group entry does not include a condition section.
Line 33         The Decision attribute returns the NAK value to the FSM as an event, which rejects the request.
Line 34         Specifies a message that is sent back to the user.
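The expression rules of this appendix (the Table E-1 operators, the Day-Of-Week and Time-Of-Day attributes, first-match group selection, and the two indirection quirks listed under Notes) carried through in a small evaluator. This is an added example and not code from the guide or from the HP-UX AAA Server: the request A-V pairs are constructed, DAC.grp is transcribed into Python tuples rather than parsed from the group-file syntax, and the => spelling used in Table E-2 is accepted as an alias of >=.

```python
"""Evaluator for the Appendix E decision-file expression syntax: Table E-1 operators, the
Day-Of-Week/Time-Of-Day attributes, first-match group selection and $Value$Pos$Len
indirection with both quirks from the Notes. Added example, not HP-UX AAA Server code."""
import operator
import re

DAY_NAMES = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}
# One token per match: operator/paren, quoted string, bare word (names, $refs, 06:00), or junk.
TOKEN = re.compile(r'\s*(?:(\(|\)|&&|\|\||!=|>=|<=|=>|=|>|<|!)|"([^"]*)"|([^\s()!=<>&|"]+)|(\S))')

def day_number(text):
    """Day-Of-Week: spelled-out name, three-letter abbreviation, or 0..6 with 0 = Sunday."""
    t = text.strip().lower()
    return int(t) if t.isdigit() else [d[:3] for d in DAY_NAMES].index(t[:3])

def resolve(value, request):
    """$Value$Pos$Len: the LAST instance of Value (Notes, second bullet), sliced by Pos/Len; None if absent."""
    if not value.startswith("$"):
        return value  # plain literal
    name, *sub = value[1:].split("$")
    instances = [v for n, v in request if n == name]
    pos = int(sub[0]) if sub else 0  # Pos is a 0-based index into the attribute's value
    return instances[-1][pos:pos + int(sub[1]) if len(sub) > 1 else None] if instances else None

def key(attr, value):
    """Comparable form: day number, int for numeric strings, else the zero-padded string itself."""
    if attr == "Day-Of-Week":
        return (0, day_number(value))
    return (0, int(value)) if value.isdigit() else (1, value)

def tokenize(text):
    groups = TOKEN.findall(text)  # line breaks are not significant
    junk = [g[3] for g in groups if g[3]]
    if junk:
        raise ValueError("unexpected character %r" % junk[0])
    return [op or quoted or word for op, quoted, word, _ in groups]

class Expression:
    """Recursive descent: expr := term ('||' term)*; term := factor ('&&' factor)*;
    factor := '!' factor | '(' expr ')' | Attribute Operator Value. Parentheses nest."""
    def __init__(self, text, request):
        self.toks, self.request = tokenize(text), request
    def expr(self):
        result = self.term()
        while self.toks[:1] == ["||"]:
            self.toks.pop(0)
            result = self.term() or result
        return result
    def term(self):
        result = self.factor()
        while self.toks[:1] == ["&&"]:
            self.toks.pop(0)
            result = self.factor() and result
        return result
    def factor(self):
        tok = self.toks.pop(0)
        if tok == "!":
            return not self.factor()
        if tok == "(":
            result = self.expr()
            if self.toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return result
        op = self.toks.pop(0)
        return self.compare(tok, ">=" if op == "=>" else op, self.toks.pop(0))  # Table E-2 writes =>
    def compare(self, attr, op, value):
        """Every instance of the left-side attribute is AND'd (Notes, second bullet)."""
        lefts = [v for n, v in self.request if n == attr]
        right = resolve(value, self.request)
        return bool(lefts) and right is not None and all(OPS[op](key(attr, v), key(attr, right)) for v in lefts)

def evaluate(condition, request):
    """True if the Condition matches; a group entry with no Condition matches every request."""
    return condition is None or Expression(condition, request).expr()

def decide(groups, request):
    """First matching group wins; its reply items are APPENDED as new A-V pairs (Notes, first bullet)."""
    for name, condition, reply in groups:
        if evaluate(condition, request):
            replies = [(n, resolve(v, request)) for n, v in reply]
            return name, [(n, v) for n, v in replies if v is not None]
    return None, []

DAC_GROUPS = [  # (group name, Condition or None, Reply items): DAC.grp from this appendix
    ("Weekday-Access", "(Access-Group = weekday) && ((Day-Of-Week >= Monday) && (Day-Of-Week <= Friday))",
     [("Decision", "ACK"), ("Reply-Message", "Weekday access allowed")]),
    ("Daytime-Access", "(Access-Group = daytime) && ((Time-Of-Day >= 06:00) && (Time-Of-Day <= 20:00))",
     [("Decision", "ACK"), ("Reply-Message", "Daytime access allowed")]),
    ("Nighttime-Access", "(Access-Group = nighttime) && ((Time-Of-Day < 06:00) || (Time-Of-Day > 20:00))",
     [("Decision", "ACK"), ("Reply-Message", "Nighttime access allowed")]),
    ("Denied-by-timed-access", None, [("Decision", "NAK"), ("Reply-Message", "Time-Based access denied")]),
]

def demo():
    """Constructed request: a nighttime-group user whose server clock reads Wednesday, 22:30."""
    request = [("Access-Group", "nighttime"), ("Day-Of-Week", "Wed"), ("Time-Of-Day", "22:30")]
    return decide(DAC_GROUPS, request)
```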


Glossary of Terms

A - B

A-V Pair              Attribute-value pair.
AAA                   Abbreviation for Authentication, Authorization, and Accounting.
AAA Server            A software application that performs authentication, authorization, and accounting functions.
Access-Accept         The AAA Server returns an Access-Accept to the client when an Access-Request is valid. The Access-Accept will contain A-V pairs that specify what services the authenticated user is authorized to use.
Access-Challenge      The AAA Server returns an Access-Challenge to the client when it is necessary to issue a challenge that the user must respond to. The client will resubmit the request with the user-supplied information to the AAA Server.
Access-Reject         The AAA Server returns an Access-Reject to the client when an Access-Request is invalid.
Access-Request        Created by the client, the Access-Request contains A-V Pairs, such as the user’s name, password, and ID of the client. The client submits the Access-Request to an AAA Server. If the server can validate the client, the server will attempt to match a user entry in its database with information in the Access-Request to authenticate the user.
Accounting            Logging session and usage information for session control and billing purposes.
Administrator         Special user, known by the system on which the AAA Server is running. The administrator is able to configure and to manage the AAA Server.
Application Service Provider   Third-party entities that manage and distribute software-based services and solutions to customers across a wide area network from a central data center, abbreviated as ASP.
ASP                   Application Service Provider.
Attribute-Value Pair  The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged among clients and servers, one or more attributes and values are sent pairwise from the client to the server. For the AAA Server software, all valid attributes and values are listed in the dictionary file, abbreviated as A-V pair.
Authentication        The process of identifying and proving the identity of an entity, for example, a user, a network client, or a network server.
Authorization         The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication; once users are authenticated, they may be authorized different types of access or activity.
Bit mask              A method for storing settings. A bit mask makes use of the fact that binary numbers are made up of 1's and 0's. Each digit in a binary number is equivalent to one bit. In the HP-UX AAA Server, bit masks are used to set different configurations while setting up OTP authentication.


C - D

Challenge Handshake Authentication ProtocolLog-in security procedure for dial-in access. Rather than send an unencrypted password, a randomnumber is sent to the client as a challenge. The challenge is one-way hashed with the password,and the result is sent back to the server. The server does the same with its copy of the passwordand verifies that it gets the same result to authenticate the user, abbreviated as CHAP.

CHAP Challenge Handshake Authentication Protocol.Client NAS, proxy server, or other networking device that uses the AAA Server services to authenticate

and authorize users.CommonOpen PolicyService

A query and response protocol that can be used to exchange policy information between a policyserver (Policy Decision Point or PDP) and its clients (Policy Enforcement Points or PEPs, such asa router), abbreviated as COPS.

COPS Common Open Policy Service.DHCP(DynamicHostConfigurationProtocol)

Protocol that automatically and dynamically assigns IP addressees.

Dialed Number Identification ServiceEach request is authenticated locally or forwarded to a remote server according to the numbercalled to access a network service.

DNIS Dialed Number Identification Service.

Dynamic Authorization A capability of the HP-UX AAA Server that enables RADIUS-server initiated requests to be sent to the authenticator.

E - F - G

EAP Extensible Authentication Protocol.

EAP-AKA EAP Authentication and Key Agreement (AKA) authentication method. EAP-AKA is an authentication and session key distribution mechanism used in the third generation mobile networks: UMTS and CDMA 2000.

EAP-SIM EAP Subscriber Identity Module (SIM) authentication method. An authentication method capable of operating in wireless networks.

Extensible Authentication Protocol Described in RFC 2284, abbreviated as EAP.

Finite State Machine The Finite State Machine is the component of the AAA Server software that controls the flow of access request authentication and accounting request handling, abbreviated as FSM.

Forwarding Server The AAA Server that receives an Access-Request from a client and forwards that request to another AAA server for authentication.

FSM Finite State Machine.

GTC (Generic Token Card) Carries user specific token cards for authentication. The main feature in GTC is Digital Certificate/Token Card-based Authentication.


H - I - J - K

Hard token Also called token devices. A physical authentication device such as a SmartCard that displays the OTP.

Hint When a user requests access to a service of a specific configuration, a client may provide this information in an Access-Request as a hint to the AAA Server. The server may reject the request based on the hints or supply the service as specified by the hints, by the server’s configuration, or by a combination of the hints and the server’s configuration.

IETF Internet Engineering Task Force.

Integrated Services Digital Network A digital access line, abbreviated as ISDN.

Interlink Used to connect multiple AAA servers in a fabric with SLAs and to establish policies among them.

Internet Engineering Task Force Internet standards setting organization, abbreviated as IETF.

Internet Protocol A Layer 3 (network layer) protocol that contains addressing information and some control information that allows packets to be routed, abbreviated as IP.

Internet Research Task Force A group associated with IETF focusing on research rather than standards, abbreviated as IRTF.

Internet Service Provider Communications service company that provides Internet access and services to its customers. ISPs range in size from small independents serving a local calling area to large, established telecommunications companies, abbreviated as ISP.

IP Internet Protocol.

IPv6 IPv6 is the new version of the Internet Protocol (IP) that builds on the current version of IP (IPv4). IPv6 provides improvements in addressing, configuration, and security.

IRTF Internet Research Task Force.

ISDN Integrated Services Digital Network.

ISP Internet service provider.

L - M - N

LAS Local Authorization Server.

LDAP Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol Used for directories providing naming, location, management, security, and other services for Internet networking, abbreviated as LDAP.

Local Authorization Server A Local authorization server is the HP-UX AAA code that authorizes, accounts, and bills users based on realms, abbreviated as LAS.

MS-CHAP Microsoft Challenge-Handshake Authentication Protocol is an implementation of the CHAP protocol that Microsoft created to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are a few differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility with Windows operating systems.

NAI Network Access Identifier.

NAS Network Access Server.

navigation tree Refers to the navigation links on the left side of the Server Manager GUI.

Network Access Server A device that interfaces telephony circuits to the network, abbreviated as NAS.

Numbers and Symbols

Secure LAN Advisor The Secure LAN Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server.

O - P - Q

OATH An industry-wide collaboration to develop an open-reference architecture for two-factor and OTP authentication.

OTP One-Time Password. This password is valid for one-time use only. Using an OTP reduces the risk of an unauthorized intruder gaining access to the network.

PAP Password Authentication Protocol.

Password Authentication Protocol A simple password protocol that transmits a user name and password across the network, unencrypted, abbreviated as PAP.

PEAP (Protected EAP) Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual Authentication; and, Encrypted Tunnelling.

Point-to-Point Protocol The standard protocol for dial-up networking. The family of standards covers many aspects including authentication, encryption, compression, addressing, multi-protocols, etc., abbreviated as PPP.

Policy Policy is a very broadly used term. To the AAA server, it means the conditionally applicable set of attribute-value pairs that an AAA protocol, such as RADIUS, may support. HP-UX AAA policies are simple or complex decisions that control the authentication, authorization, and accounting process for a user's access request.

PPP Point-to-Point Protocol.

Protocol A set of rules established between two devices to allow communications to occur.

Proxy The mechanism that allows one system to mediate between two other systems in response to protocol requests. A RADIUS server can act as a proxy client and forward an Access-Request to another AAA server for authentication. As a proxy client, the server mediates the requests and replies between the client where the Access-Request originated and the server to which the request was forwarded.

R - S

RADIUS Remote Access Dial In User Service.


RADIUS Client A NAS or other device that sends requests to an AAA server.

RAS Remote Access Server.

Realm A realm is a logical group of users, who usually can be authenticated using one particular method. Grouping users into realms simplifies the management of those users in a distributed environment. For example, an ISP’s users may be from different organizations located in different cities. Each organization already has one way or another to authenticate its users and each corresponds to a realm. Each realm would be responsible for managing its users, providing authentication and authorization for their access requests. A realm has a name that looks very much like a domain name, but they bear different meanings. Realms are only used by the AAA Server to determine where an authentication request should be sent and what kind of authentication to request, etc. Naming a realm with its domain name simplifies things for the users, since their access ids will then look the same as their e-mail addresses. A realm may also have multiple aliases, providing a way to shorten long realm names.
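The realm lookup described above (access id split into user and realm, aliases standing in for long realm names, the realm deciding whether the request is authenticated locally or forwarded to a remote server), as an added example that is not HP-UX AAA Server code. RealmConfig, RealmTable, the method labels, the hostnames and the default-realm behaviour are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example of realm handling as described in the glossary; it is not
# HP-UX AAA Server code. Access ids look like e-mail addresses (user@realm),
# realm names are matched case-insensitively, an alias stands in for a long
# realm name, and the realm decides whether the request is authenticated
# locally or forwarded to a remote server, and with which method.


@dataclass(frozen=True)
class RealmConfig:
    name: str                              # canonical realm name
    auth_method: str                       # constructed label, e.g. "users-file"
    remote_server: Optional[str] = None    # None: authenticate here; else forward
    aliases: Tuple[str, ...] = ()          # shorter names for this realm


class RealmTable:
    def __init__(self, realms, default_realm: Optional[str] = None):
        self._realms: Dict[str, RealmConfig] = {}
        self._aliases: Dict[str, str] = {}
        for realm in realms:
            self._register(realm.name, realm)
            for alias in realm.aliases:
                self._register(alias, realm)
        # Assumed behaviour: an access id with no realm part is placed in the
        # default realm when one is configured, otherwise it is rejected.
        self._default = default_realm.lower() if default_realm else None

    def _register(self, label: str, realm: RealmConfig) -> None:
        key = label.lower()
        if key in self._realms or key in self._aliases:
            raise ValueError(f"realm name or alias defined twice: {label}")
        if key == realm.name.lower():
            self._realms[key] = realm
        else:
            self._aliases[key] = realm.name.lower()

    @staticmethod
    def split_access_id(access_id: str) -> Tuple[str, Optional[str]]:
        """Split on the last '@'; whatever follows it is the realm."""
        user, sep, realm = access_id.rpartition("@")
        return (access_id, None) if not sep else (user, realm)

    def resolve(self, realm: str) -> Optional[RealmConfig]:
        key = realm.lower()
        return self._realms.get(self._aliases.get(key, key))

    def route(self, access_id: str) -> Optional[dict]:
        """Decide where an Access-Request for this access id goes; None means reject."""
        user, realm = self.split_access_id(access_id)
        if realm is None:
            realm = self._default
        if not user or not realm:
            return None                     # empty user name, or no realm to apply
        cfg = self.resolve(realm)
        if cfg is None:
            return None                     # unknown realm: nowhere to send it
        return {
            "user": user,
            "realm": cfg.name,
            "method": cfg.auth_method,
            "action": "forward" if cfg.remote_server else "local",
            "target": cfg.remote_server,
        }
```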

Remote Access Dial In User Service An authentication and accounting protocol defined by the IETF in a series of RFCs, abbreviated as RADIUS.

Remote Access Server A service that allows remote clients running Microsoft Windows or Windows NT to dial in to a network, abbreviated as RAS.

Remote Server In the context of a proxied Access-Request, the remote server is the AAA server that receives the request from the forwarding server. The remote server authenticates the request and sends a reply to the forwarding server.

Request For Comment The basis for an IETF standard, abbreviated as RFC.

RFC Request For Comment.

SAT Simultaneous access token.

Server Manager A Web-based graphical user interface which provides an interface between an administrator and the AAA servers. In addition to creating, modifying, and deleting entries in many of the server’s configuration files, an administrator may start and stop the AAA server, access the server’s status and system time, retrieve information from accounting and session logs, and terminate sessions.

Service The RADIUS client provides a service to the dial-in user, such as PPP or Telnet.

Session Each service provided by the client to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the RADIUS client supports that feature.

Simple Network Management Protocol (SNMP) SNMP provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services.

Simultaneous Access Token The concept of token helps define and enforce policies in regard to modem pool sharing among various participating institutions. A simultaneous access token is required when a user accesses a non-priority modem. Tokens are allocated to realms and are grouped into pools. The total number of tokens a realm has is defined by the HP-UX AAA server so that the LAS may control simultaneous use, abbreviated as SAT.

SLA Service Level Agreement.


SLS Service Level Specification.

Soft Token Software that enables an existing smart phone or PDA to act as a one-time password token.

SQL Access A feature that allows AAA Server to interact with an SQL compliant database.

T - U - V - W - X - Y - Z

TLS (Transport Layer Security) Uses TLS (also known as SSL) to authenticate the client using its digital certificate. Note: some wireless supplicants require specific extensions to support certificates for EAP. TLS features include: Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and, Encrypted Tunnelling.

Token See Simultaneous Access Token.

Token Pool A token pool contains a number of tokens belonging to some organization and having a given name. These tokens may be shared among one or more realms.

TTLS (Tunnelled-Transport Layer Security) Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Wireless supplicants available for a large number of clients. TTLS features include: Dynamic Key Exchange; Mutual Authentication; Password-based Authentication; and, Encrypted Tunnelling.

Tunneling A secure connection between a client workstation and an intranet or other network, that provides a VPN to a user. This connection may be a voluntary tunnel initiated by the client or a compulsory tunnel initiated during authentication by a server or other dedicated network equipment.

Users Individuals whom the AAA server must authenticate and authorize before they can access an organization’s service, such as Internet access through an ISP.

Virtual Private Network A network service offered by public carriers in which the user is provided a network that in many ways appears as if it is a private network (user-unique addressing, network management capabilities, dynamic reconfiguration, etc.) but which, in fact, is provided over the carrier's public network facilities, abbreviated as VPN.

VPN Virtual Private Network.


Index

Symbols
3GPP Milenage, 269

A
A-V pair
  pruning, 533
  removing, 533
A-V pair, configuration attributes, 548
A-V pair, specifying, 546
A3, 227
A8, 227
AAA proxy, 319
AAA Server As A Client Properties, 140
AAA Server upgrade, 49
aaa.config, 235, 247
aaa.config - general information, 520
AATV components, 449
  action function, 449
  cleanup function, 450
  init function, 449
  timer or callback function, 450
access device screen, Server Manager, 100
access device, deleting, 93, 104
account logging, Server Manager, 149
accounting
  log file, 145
  session record format, 150
acquiring HP-UX AAA Server software, 54
action
  Check and Reply, 598
Action-n - FSM, 398
actions, 403
adding AAA servers, 82
alternate FSM file - specifying, 79
attribute
  dictionary file, 532
attribute functions, 424
  count, 424
  length, 424
  substr, 426
  tolower, 429
  toupper, 430
attribute instance specifications, 422
  keyword instance, 423
  no instance, 423
  numeric instance, 423
authentication
  access request steps, 42
authentication stages, 43
authfile, 229
  alternate, 399
auto-starting the server, 80

B
Boolean operator precedence and association rules, 433

C
Certificate properties, 137
Change-Of-Authorization (CoA), 297
changing defaults, 63
changing defaults, RMI Objects, 64
changing defaults, secrets, 64
changing defaults, tomcat UID/password, 63
Check and Reply Items
  decision file attributes
    group entries - action, 598
    group entries - Date-Time, 598
    group entries - decision, 598
    group entries - finite state machine, 598
    group entries - Interlink-Packet-Code, 598
    group entries - Interlink-Proxy-Action, 598
    group entries - User-Realm, 598
client
  general information, 526
  syntax, 526
CLIENT AATV, 292
Client Action Properties, 140
client functionality, 291
configuration
  dictionary, 531
  tokenpool, 536
configuration, loading, 95
configuration, saving, 96
Conversion Functions, 341

D
Date-Time - Check and Reply, 598
decision - Check and Reply, 598
decision file
  expression, 596
  new syntax, 412
  old syntax, 596
default realm, 110
DHCP, 390
DHCP address pools, 390
DHCP properties, 133
dictionary file
  attribute entry, 532
  general information, 531
  syntax, 532
digital certificates, 164
digital certificates, defining on AAA servers, 167
digital certificates, installing, 166


digital certificates, self-signed, 165
Disconnect, 297
DNIS routing, 444
DNS properties, 134
dynamic access control, 442
Dynamic Authorization, 297
Dynamic Authorization proxy functionality, 320

E
EAP
  action, 404
EAP AKA, 236
EAP, choosing a method, 161
EAP, key-exchange, 162
EAP, tunneling, 162
EAP-AKA user credentials, 239
EAP-SIM, 224
EAP.authfile, 229, 240
event
  Check and Reply, 598
  names - general information, 399
event name - custom, 403
event names, 400
Event-n - FSM, 398
Expiration
  event name, 402
expression - decision file, 596

F
Fast re-authentication, 248
File size properties, 138
Finite State Machine, 396
finite state machine
  accounting logs, 145
  Check and Reply, 598
  general information, 396
  multiple streams, 539
FSM - Event-n, 398
Framed-Protocol
  example, 534
FSM
  Action-n, 398
  State-name, 398
  version tracking, 406

G
GSM triplet, 229
GTC, features, 163
GUI icons, 144

H
hardening programs
  Bastille, 67
HTTPS, configuring, 64
HUP processing, 519

I
iaaaFile, 230
inetd
  timeout, 79
installing, 54
installing, defaults, 56
installing, testing, 72
Interlink-Packet-Code - Check and Reply, 598
Interlink-Proxy-Action - Check and Reply, 598
IP addresses, address pools, 390, 391
IP addresses, DHCP, 390
IPv6 addresses
  assigning, 175, 178
IPv6 attributes, 528

K
keyword-value entries, 520

L
LAS
  code example, 534
  general information, 535
  session timing, 535
las.conf - file, 535
LDAP, 335
  definition, 605
LDAP, tuning, 116
Livingston style logs, 149
Local Authorization Server - authorization, 46
Local user file properties, 139
log file, 142
  accounting, 145
log.config - general information, 539
logging streams - general information, 539

M
managing multiple AAA servers, 93
Mapping, 340, 353
  Input, 354
  Output, 354
Mapping Functions, 341
Mapping types
  DBC, 354
  DBP, 354
  DBR, 354
  RAD, 354
  target, 354
Maximum logfile size properties, 138
MD5, features, 163
Merit style logs, 147
message handling properties, 135, 136
Message-Authenticator, 324
MIB objects, 566
migrating plug-ins, 448
Miscellaneous properties, 138


MS-CHAP v2, 182
MS-CHAP, features, 163
multiple streams
  finite state machine, 539
  logging, 541

N
non-root processes, 68

O
OTP authentication, 162
  components, 182
  flowchart, 183
  inner and outer realms, 197
  mapping and conversion functions, 217
  precedence rules, 195
  process flow, 181
  realm-level configuration, 196
  system-wide configuration items, 195
  user-level configuration, 198
OTP authentication attributes, 192
  HOtp-Seq-Counter, 193
  Otp-ActionId, 194
  Otp-Add-Checksum, 195
  Otp-Lookup-Window, 192
  Otp-Retrieve-TokenInfo-Action Id, 195
  Otp-Shared-Secret, 193
  Otp-Token-Length, 193
  Otp-Token-Lock-Counter, 193
  Otp-Token-Serial-Number, 193
  Reply-Egress-ActionId, 195
OTP authentication concepts
  using bit masks, 188
OTP authentication configuration concepts, 187
override AAA server defaults, 520

P
PEAP (Protected EAP), 576
PEAP, features, 163
policy
  proxy-egress, 45, 438
  proxy-ingress, 45, 439
  reply-egress, 437
  request-ingress, 45, 435
  user policy, 46, 436
  Xstring, 399
policy action commands
  delete, 414
  exit, 418
  if, 420
  insert, 415
  log, 419
  modify, 417
policy attributes, 440
product architecture, 39
product structure, 38
PROLDAP, 231
ProLDAP properties, 139
pruning
  example, 534
  expressions - general information, 533
pseudonyms, 256

R
RADIUS overview, 34, 464
RADIUS sessions, 36
radius.fsm
  accounting logs, 146
  alternate fsm file, 79
  FSM, 396
radiusd, 77
  starting, 77
realm
  add, 105
  configuration - LAS, 537
  configuration example, 537
  modify, 108
realms screen, Server Manager, 105
reload, 76
remove A-V pair, 533
Replay Protection, 321
reply item
  authorization, 47
Reverse Path Forwarding, 324
RMI Objects, 72

S
sample AATV
  ACE, 451
  checkCSI, 451
sample configuration files, 326
sample OTP configuration files, 217
  oath-prexy-egress.grp, 222
  oath-reply-egress.grp, 221
  oath-request-ingress.grp, 221
SDK
  APIs, 579
    A-V pair APIs, 580
    Asynchronous event and I/O APIs, 589
    Authreq APIs, 582
    Logging APIs, 587
    secondary APIs, 591
  compiling and loading plug-ins, 452
  concepts, 448
  creating plug-ins, 451
  directory structure, 448
  header files and data structures, 579
  prerequisites, 448
  testing and debugging plug-ins, 453
Secure Copy Protocol, 96
server
  log files, 142


  starting, 77
server connections, 90
Server Manager, introduction, 38
server properties, 133
server properties screen, Server Manager, 133
server properties, modifying, 133
Server Status Screen, Server Manager, 93
session
  records - accounting format, 150
session limits, 170
session logs, Server Manager, 169
SNMP properties, 136
SNMP, introduction, 386
SNMP, setting-up, 386
SQL Access, 338
  benefits, 338
  Configuration, 349
  Conversion Functions, 361
  Database Client, 347
  Database Connection, 350
  Database Server, 346
  Finite State Machine, 346
  Global definition, 369
  Implementation, 342, 348
  Interaction, 339
  Mapping functions, 359
  Mappings
    RAD, 355
  Pre-requisites, 346
  README, 342
  Sample Implementing, 342
  shared library path, 348
  SQL Actions, 342
  SQL statement, 362
  sqlaccess.config, 349
SQL Access AATV, 339
SQL Access. See also Mapping, 340
SQL Actions, 352
sqlaccess.config, 349
SSL, 64
start
  radius server, 77
  server - general information, 77
starting AAA servers, options, 75
starting after reboot, 80
state
  general information, 396
  modification tables - example, 406
  table - custom, 406
state - FSM, 398
supported operators, 432

T
timeout
  inactivity, 79
  option inetd, 80
TLS, features, 163
token administration
  changing token status, 383
  enrolling tokens (for users), 380
  validating tokens (for users), 382
tokenpool
  configuration, 536
  example, 536
Tomcat, 72
Tomcat, AAA server identity, 66
Tomcat, starting and stopping, 72
troubleshooting
  access-reject messages, 494
  EAP problems, 502
  flowchart, 469
  provisioning errors, 506
  Server Manager, 472
  server startup problems, 478
  unresponsive servers, 483
troubleshooting utilities, 509
  radcheck, 509
  raddbginc, 510
  radpwtst, 510
  radsignal, 511
TTLS, features, 163
Tunneling properties, 136

U
User Credential Lookup, 228
User Database Administration tool, 374
  customizing, 374
  modifying users, 377
  viewing user and token information, 383
User database Administration tool
  adding users, 375
user profiles, deleting, 131
User-Realm
  Check and Reply, 598
users file
  default location, 528
  general information, 528
  line limit, 528
  syntax, 528
users screen, Server Manager, 127

V
value types, 430
  date values, 431
  integer values, 430
  named integer values, 430
  string values, 430
values types
  IP address values, 431
vendor
  file - example, 538
  general information, 538
  specific attributes and pruning, 533


VPN, 388
VPN tunneling, 388

W
Wireless LAN planning, 160
Wireless LAN preparation, 160
Wireless LAN security, 159
Wireless LAN, digital certificates, 164
Wireless LAN, EAP, 161
Wireless LAN, steps to configure, 164
WLAN, configuring, 164
WLAN, EAP methods, 161
WLAN, planning, 160

X
Xstring - policy, 399
